X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9df4cad4500d092bb07909b6f49e4eaaa6d31984..2c39f766745e853ae216d5489236a98a766f46b9:/lib/controller/integration_test.go

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 4cf6a68328..b7bda3dd16 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -510,10 +510,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		{"/arvados/v1/collections/" + coll.UUID, true, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, false, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, true, false},
+		// new code path (lib/controller/router etc) - single-cluster request
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", false, true},
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", true, true},
+		// new code path (lib/controller/router etc) - federated request
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", false, true},
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", true, true},
+		// old code path (proxyRailsAPI) - single-cluster request
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", false, true},
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", true, true},
+		// old code path (setupProxyRemoteCluster) - federated request
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", false, true},
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", true, true},
 	}
 
 	for _, tt := range tests {
@@ -533,24 +541,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		} else {
 			c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 		}
-		if !tt.reqIdProvided {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Matches, "^req-[0-9a-zA-Z]{20}$")
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*(req-[0-9a-zA-Z]{20}).*$")
-			}
+		respHdr := resp.Header.Get("X-Request-Id")
+		if tt.reqIdProvided {
+			c.Check(respHdr, check.Equals, customReqId)
 		} else {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Equals, customReqId)
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*("+customReqId+").*$")
-			}
+			c.Check(respHdr, check.Matches, `req-[0-9a-zA-Z]{20}`)
+		}
+		if tt.notFoundRequest {
+			var jresp httpserver.ErrorResponse
+			err := json.NewDecoder(resp.Body).Decode(&jresp)
+			c.Check(err, check.IsNil)
+			c.Assert(jresp.Errors, check.HasLen, 1)
+			c.Check(jresp.Errors[0], check.Matches, `.*\(`+respHdr+`\).*`)
 		}
 	}
 }
@@ -662,6 +664,48 @@ func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) {
 	}
 }
 
+// Test for #17785
+func (s *IntegrationSuite) TestFederatedApiClientAuthHandling(c *check.C) {
+	rootctx1, rootclnt1, _ := s.testClusters["z1111"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+
+	// Make sure LoginCluster is properly configured
+	for _, cls := range []string{"z1111", "z3333"} {
+		c.Check(
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+	}
+	// Get user's UUID & attempt to create a token for it on the remote cluster
+	_, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1,
+		"user@example.com", true)
+	_, rootclnt3, _ := s.testClusters["z3333"].ClientsWithToken(rootclnt1.AuthToken)
+	var resp arvados.APIClientAuthorization
+	err := rootclnt3.RequestAndDecode(
+		&resp, "POST", "arvados/v1/api_client_authorizations", nil,
+		map[string]interface{}{
+			"api_client_authorization": map[string]string{
+				"owner_uuid": user.UUID,
+			},
+		},
+	)
+	c.Assert(err, check.IsNil)
+	newTok := resp.TokenV2()
+	c.Assert(newTok, check.Not(check.Equals), "")
+
+	// Confirm the token is from z1111
+	c.Assert(strings.HasPrefix(newTok, "v2/z1111-gj3su-"), check.Equals, true)
+
+	// Confirm the token works and is from the correct user
+	_, rootclnt3bis, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+	var curUser arvados.User
+	err = rootclnt3bis.RequestAndDecode(
+		&curUser, "GET", "arvados/v1/users/current", nil, nil,
+	)
+	c.Assert(err, check.IsNil)
+	c.Assert(curUser.UUID, check.Equals, user.UUID)
+}
+
 // Test for bug #18076
 func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
 	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
@@ -670,13 +714,11 @@ func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
 	conn3 := s.testClusters["z3333"].Conn()
 
 	// Make sure LoginCluster is properly configured
-	for cls := range s.testClusters {
-		if cls == "z1111" || cls == "z3333" {
-			c.Check(
-				s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
-				check.Equals, "z1111",
-				check.Commentf("incorrect LoginCluster config on cluster %q", cls))
-		}
+	for _, cls := range []string{"z1111", "z3333"} {
+		c.Check(
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
 	}
 
 	for testCaseNr, testCase := range []struct {