X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9acd9d8cdb6425b0ed40ed1800f3fe2d932c5d03..5aa318268437efe1e1a6dac3ff139a0b698f5da5:/lib/controller/integration_test.go

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index e679106dce..077493ffc8 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -7,7 +7,11 @@ package controller
 import (
 	"bytes"
 	"context"
+	"encoding/json"
+	"io"
+	"math"
 	"net"
+	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -27,7 +31,7 @@ import (
 var _ = check.Suite(&IntegrationSuite{})
 
 type testCluster struct {
-	booter        boot.Booter
+	super         boot.Supervisor
 	config        arvados.Config
 	controllerURL *url.URL
 }
@@ -72,7 +76,7 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
     TLS:
       Insecure: true
     Login:
-      # LoginCluster: z1111
+      LoginCluster: z1111
     SystemLogs:
       Format: text
     RemoteClusters:
@@ -82,19 +86,26 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
         Insecure: true
         Proxy: true
         ActivateUsers: true
-      z2222:
+`
+		if id != "z2222" {
+			yaml += `      z2222:
         Host: ` + hostport["z2222"] + `
         Scheme: https
         Insecure: true
         Proxy: true
         ActivateUsers: true
-      z3333:
+`
+		}
+		if id != "z3333" {
+			yaml += `      z3333:
         Host: ` + hostport["z3333"] + `
         Scheme: https
         Insecure: true
         Proxy: true
         ActivateUsers: true
 `
+		}
+
 		loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
 		loader.Path = "-"
 		loader.SkipLegacy = true
@@ -102,9 +113,8 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
 		cfg, err := loader.Load()
 		c.Assert(err, check.IsNil)
 		s.testClusters[id] = &testCluster{
-			booter: boot.Booter{
+			super: boot.Supervisor{
 				SourcePath:           filepath.Join(cwd, "..", ".."),
-				LibPath:              filepath.Join(cwd, "..", "..", "tmp"),
 				ClusterType:          "test",
 				ListenHost:           "127.0.0." + id[3:],
 				ControllerAddr:       ":0",
@@ -113,10 +123,10 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
 			},
 			config: *cfg,
 		}
-		s.testClusters[id].booter.Start(context.Background(), &s.testClusters[id].config)
+		s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-")
 	}
 	for _, tc := range s.testClusters {
-		au, ok := tc.booter.WaitReady()
+		au, ok := tc.super.WaitReady()
 		c.Assert(ok, check.Equals, true)
 		u := url.URL(*au)
 		tc.controllerURL = &u
@@ -125,14 +135,19 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
 
 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
 	for _, c := range s.testClusters {
-		c.booter.Stop()
+		c.super.Stop()
 	}
 }
 
+// Get rpc connection struct initialized to communicate with the
+// specified cluster.
 func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn {
 	return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider)
 }
 
+// Return Context, Arvados.Client and keepclient structs initialized
+// to connect to the specified cluster (by clusterID) using with the supplied
+// Arvados token.
 func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
 	cl := s.testClusters[clusterID].config.Clusters[clusterID]
 	ctx := auth.NewContext(context.Background(), auth.NewCredentials(token))
@@ -149,7 +164,11 @@ func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (con
 	return ctx, ac, kc
 }
 
-func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx context.Context, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) {
+// Log in as a user called "example", get the user's API token,
+// initialize clients with the API token, set up the user and
+// optionally activate the user.  Return client structs for
+// communicating with the cluster on behalf of the 'example' user.
+func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient, arvados.User) {
 	login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{
 		ReturnTo: ",https://example.com",
 		AuthInfo: rpc.UserSessionAuthInfo{
@@ -163,59 +182,341 @@ func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx conte
 	redirURL, err := url.Parse(login.RedirectLocation)
 	c.Assert(err, check.IsNil)
 	userToken := redirURL.Query().Get("api_token")
-	c.Logf("userToken: %q", userToken)
+	c.Logf("user token: %q", userToken)
 	ctx, ac, kc := s.clientsWithToken(clusterID, userToken)
 	user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
-	if err != nil {
-		panic(err)
-	}
+	c.Assert(err, check.IsNil)
 	_, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID})
-	if err != nil {
-		panic(err)
-	}
-	_, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID})
-	if err != nil {
-		panic(err)
-	}
-	user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
-	if err != nil {
-		panic(err)
-	}
-	c.Logf("user: %#v", user)
-	if !user.IsActive {
-		c.Fatal("failed to activate user")
+	c.Assert(err, check.IsNil)
+	if activate {
+		_, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID})
+		c.Assert(err, check.IsNil)
+		user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
+		c.Assert(err, check.IsNil)
+		c.Logf("user UUID: %q", user.UUID)
+		if !user.IsActive {
+			c.Fatalf("failed to activate user -- %#v", user)
+		}
 	}
-	return ctx, ac, kc
+	return ctx, ac, kc, user
 }
 
+// Return Context, arvados.Client and keepclient structs initialized
+// to communicate with the cluster as the system root user.
 func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
 	return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken)
 }
 
-func (s *IntegrationSuite) TestLoopDetection(c *check.C) {
+// Return Context, arvados.Client and keepclient structs initialized
+// to communicate with the cluster as the anonymous user.
+func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
+	return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken)
+}
+
+func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 	conn1 := s.conn("z1111")
 	rootctx1, _, _ := s.rootClients("z1111")
 	conn3 := s.conn("z3333")
-	// rootctx3, _, _ := s.rootClients("z3333")
-
-	userctx1, ac1, kc1 := s.userClients(c, conn1, rootctx1, "z1111", true)
-	_, err := conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: "1f4b0bc7583c2a7f9102c395f4ffc5e3+45"})
-	c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
+	userctx1, ac1, kc1, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
 
+	// Create the collection to find its PDH (but don't save it
+	// anywhere yet)
 	var coll1 arvados.Collection
 	fs1, err := coll1.FileSystem(ac1, kc1)
-	if err != nil {
-		c.Error(err)
-	}
-	f, err := fs1.OpenFile("foo", os.O_CREATE|os.O_RDWR, 0777)
-	f.Write([]byte("foo"))
-	f.Close()
+	c.Assert(err, check.IsNil)
+	f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+	c.Assert(err, check.IsNil)
+	_, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
+	c.Assert(err, check.IsNil)
+	err = f.Close()
+	c.Assert(err, check.IsNil)
 	mtxt, err := fs1.MarshalManifest(".")
+	c.Assert(err, check.IsNil)
+	pdh := arvados.PortableDataHash(mtxt)
+
+	// Looking up the PDH before saving returns 404 if cycle
+	// detection is working.
+	_, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+	c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
+
+	// Save the collection on cluster z1111.
 	coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 		"manifest_text": mtxt,
 	}})
 	c.Assert(err, check.IsNil)
-	coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: "1f4b0bc7583c2a7f9102c395f4ffc5e3+45"})
+
+	// Retrieve the collection from cluster z3333.
+	coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+	c.Check(err, check.IsNil)
+	c.Check(coll.PortableDataHash, check.Equals, pdh)
+}
+
+func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
+	conn1 := s.conn("z1111")
+	conn3 := s.conn("z3333")
+	rootctx1, rootac1, rootkc1 := s.rootClients("z1111")
+	anonctx3, anonac3, _ := s.anonymousClients("z3333")
+
+	// Make sure anonymous token was set
+	c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
+
+	// Create the collection to find its PDH (but don't save it
+	// anywhere yet)
+	var coll1 arvados.Collection
+	fs1, err := coll1.FileSystem(rootac1, rootkc1)
+	c.Assert(err, check.IsNil)
+	f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+	c.Assert(err, check.IsNil)
+	_, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
+	c.Assert(err, check.IsNil)
+	err = f.Close()
+	c.Assert(err, check.IsNil)
+	mtxt, err := fs1.MarshalManifest(".")
+	c.Assert(err, check.IsNil)
+	pdh := arvados.PortableDataHash(mtxt)
+
+	// Save the collection on cluster z1111.
+	coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"manifest_text": mtxt,
+	}})
+	c.Assert(err, check.IsNil)
+
+	// Share it with the anonymous users group.
+	var outLink arvados.Link
+	err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
+		map[string]interface{}{"link": map[string]interface{}{
+			"link_class": "permission",
+			"name":       "can_read",
+			"tail_uuid":  "z1111-j7d0g-anonymouspublic",
+			"head_uuid":  coll1.UUID,
+		},
+		})
+	c.Check(err, check.IsNil)
+
+	// Current user should be z3 anonymous user
+	outUser, err := anonac3.CurrentUser()
+	c.Check(err, check.IsNil)
+	c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")
+
+	// Get the token uuid
+	var outAuth arvados.APIClientAuthorization
+	err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
+	c.Check(err, check.IsNil)
+
+	// Make a v2 token of the z3 anonymous user, and use it on z1
+	_, anonac1, _ := s.clientsWithToken("z1111", outAuth.TokenV2())
+	outUser2, err := anonac1.CurrentUser()
 	c.Check(err, check.IsNil)
-	c.Check(coll.PortableDataHash, check.Equals, "1f4b0bc7583c2a7f9102c395f4ffc5e3+45")
+	// z3 anonymous user will be mapped to the z1 anonymous user
+	c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
+
+	// Retrieve the collection (which is on z1) using anonymous from cluster z3333.
+	coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
+	c.Check(err, check.IsNil)
+	c.Check(coll.PortableDataHash, check.Equals, pdh)
+}
+
+// Get a token from the login cluster (z1111), use it to submit a
+// container request on z2222.
+func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
+	conn1 := s.conn("z1111")
+	rootctx1, _, _ := s.rootClients("z1111")
+	_, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+	// Use ac2 to get the discovery doc with a blank token, so the
+	// SDK doesn't magically pass the z1111 token to z2222 before
+	// we're ready to start our test.
+	_, ac2, _ := s.clientsWithToken("z2222", "")
+	var dd map[string]interface{}
+	err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
+	c.Assert(err, check.IsNil)
+
+	var (
+		body bytes.Buffer
+		req  *http.Request
+		resp *http.Response
+		u    arvados.User
+		cr   arvados.ContainerRequest
+	)
+	json.NewEncoder(&body).Encode(map[string]interface{}{
+		"container_request": map[string]interface{}{
+			"command":         []string{"echo"},
+			"container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+			"cwd":             "/",
+			"output_path":     "/",
+		},
+	})
+	ac2.AuthToken = ac1.AuthToken
+
+	c.Log("...post CR with good (but not yet cached) token")
+	cr = arvados.ContainerRequest{}
+	req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "application/json")
+	err = ac2.DoAndDecode(&cr, req)
+	c.Logf("err == %#v", err)
+
+	c.Log("...get user with good token")
+	u = arvados.User{}
+	req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
+	c.Assert(err, check.IsNil)
+	err = ac2.DoAndDecode(&u, req)
+	c.Check(err, check.IsNil)
+	c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
+
+	c.Log("...post CR with good cached token")
+	cr = arvados.ContainerRequest{}
+	req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "application/json")
+	err = ac2.DoAndDecode(&cr, req)
+	c.Check(err, check.IsNil)
+	c.Check(cr.UUID, check.Matches, "z2222-.*")
+
+	c.Log("...post with good cached token ('OAuth2 ...')")
+	cr = arvados.ContainerRequest{}
+	req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
+	resp, err = arvados.InsecureHTTPClient.Do(req)
+	if c.Check(err, check.IsNil) {
+		err = json.NewDecoder(resp.Body).Decode(&cr)
+		c.Check(err, check.IsNil)
+		c.Check(cr.UUID, check.Matches, "z2222-.*")
+	}
+}
+
+// Test for bug #16263
+func (s *IntegrationSuite) TestListUsers(c *check.C) {
+	rootctx1, _, _ := s.rootClients("z1111")
+	conn1 := s.conn("z1111")
+	conn3 := s.conn("z3333")
+	userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+	// Make sure LoginCluster is properly configured
+	for cls := range s.testClusters {
+		c.Check(
+			s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+	}
+	// Make sure z1111 has users with NULL usernames
+	lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
+		Limit: math.MaxInt64, // check that large limit works (see #16263)
+	})
+	nullUsername := false
+	c.Assert(err, check.IsNil)
+	c.Assert(len(lst.Items), check.Not(check.Equals), 0)
+	for _, user := range lst.Items {
+		if user.Username == "" {
+			nullUsername = true
+		}
+	}
+	c.Assert(nullUsername, check.Equals, true)
+
+	user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
+	c.Assert(err, check.IsNil)
+	c.Check(user1.IsActive, check.Equals, true)
+
+	// Ask for the user list on z3333 using z1111's system root token
+	lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+	c.Assert(err, check.IsNil)
+	found := false
+	for _, user := range lst.Items {
+		if user.UUID == user1.UUID {
+			c.Check(user.IsActive, check.Equals, true)
+			found = true
+			break
+		}
+	}
+	c.Check(found, check.Equals, true)
+
+	// Deactivate user acct on z1111
+	_, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
+	c.Assert(err, check.IsNil)
+
+	// Get user list from z3333, check the returned z1111 user is
+	// deactivated
+	lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+	c.Assert(err, check.IsNil)
+	found = false
+	for _, user := range lst.Items {
+		if user.UUID == user1.UUID {
+			c.Check(user.IsActive, check.Equals, false)
+			found = true
+			break
+		}
+	}
+	c.Check(found, check.Equals, true)
+
+	// Deactivated user can see is_active==false via "get current
+	// user" API
+	user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
+	c.Assert(err, check.IsNil)
+	c.Check(user1.IsActive, check.Equals, false)
+}
+
+func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
+	conn1 := s.conn("z1111")
+	conn3 := s.conn("z3333")
+	rootctx1, rootac1, _ := s.rootClients("z1111")
+
+	// Create user on LoginCluster z1111
+	_, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false)
+
+	// Make a new root token (because rootClients() uses SystemRootToken)
+	var outAuth arvados.APIClientAuthorization
+	err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
+	c.Check(err, check.IsNil)
+
+	// Make a v2 root token to communicate with z3333
+	rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2())
+
+	// Create VM on z3333
+	var outVM arvados.VirtualMachine
+	err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
+		map[string]interface{}{"virtual_machine": map[string]interface{}{
+			"hostname": "example",
+		},
+		})
+	c.Check(outVM.UUID[0:5], check.Equals, "z3333")
+	c.Check(err, check.IsNil)
+
+	// Make sure z3333 user list is up to date
+	_, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
+	c.Check(err, check.IsNil)
+
+	// Try to set up user on z3333 with the VM
+	_, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
+	c.Check(err, check.IsNil)
+
+	var outLinks arvados.LinkList
+	err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
+		arvados.ListOptions{
+			Limit: 1000,
+			Filters: []arvados.Filter{
+				{
+					Attr:     "tail_uuid",
+					Operator: "=",
+					Operand:  user.UUID,
+				},
+				{
+					Attr:     "head_uuid",
+					Operator: "=",
+					Operand:  outVM.UUID,
+				},
+				{
+					Attr:     "name",
+					Operator: "=",
+					Operand:  "can_login",
+				},
+				{
+					Attr:     "link_class",
+					Operator: "=",
+					Operand:  "permission",
+				}}})
+	c.Check(err, check.IsNil)
+
+	c.Check(len(outLinks.Items), check.Equals, 1)
 }