X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a7f12322bab34a27863d90de9ddb95f69697bf29..5338c3fe0abbc6599aa290085be13eecfb0044e9:/services/api/test/integration/users_test.rb diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb index 0d6c0f360f..6a1d5c8011 100644 --- a/services/api/test/integration/users_test.rb +++ b/services/api/test/integration/users_test.rb @@ -1,3 +1,7 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + require 'test_helper' require 'helpers/users_test_helper' @@ -5,18 +9,20 @@ class UsersTest < ActionDispatch::IntegrationTest include UsersTestHelper test "setup user multiple times" do - repo_name = 'test_repo' - - post "/arvados/v1/users/setup", { - repo_name: repo_name, - openid_prefix: 'https://www.google.com/accounts/o8/id', - user: { - uuid: 'zzzzz-tpzed-abcdefghijklmno', - first_name: "in_create_test_first_name", - last_name: "test_last_name", - email: "foo@example.com" - } - }, auth(:admin) + repo_name = 'usertestrepo' + + post "/arvados/v1/users/setup", + params: { + repo_name: repo_name, + openid_prefix: 'https://www.google.com/accounts/o8/id', + user: { + uuid: 'zzzzz-tpzed-abcdefghijklmno', + first_name: "in_create_test_first_name", + last_name: "test_last_name", + email: "foo@example.com" + } + }, + headers: auth(:admin) assert_response :success @@ -30,12 +36,10 @@ class UsersTest < ActionDispatch::IntegrationTest assert_not_nil created['email'], 'expected non-nil email' assert_nil created['identity_url'], 'expected no identity_url' - # arvados#user, repo link and link add user to 'All users' group - verify_link response_items, 'arvados#user', true, 'permission', 'can_login', - created['uuid'], created['email'], 'arvados#user', false, 'arvados#user' + # repo link and link add user to 'All users' group verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', - repo_name, created['uuid'], 'arvados#repository', true, 'Repository' + 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' verify_link response_items, 'arvados#group', true, 'permission', 'can_read', 'All users', created['uuid'], 'arvados#group', true, 'Group' @@ -46,19 +50,30 @@ class UsersTest < ActionDispatch::IntegrationTest verify_system_group_permission_link_for created['uuid'] # invoke setup again with the same data - post "/arvados/v1/users/setup", { - repo_name: repo_name, - vm_uuid: virtual_machines(:testvm).uuid, - openid_prefix: 'https://www.google.com/accounts/o8/id', - user: { + post "/arvados/v1/users/setup", + params: { + repo_name: repo_name, + vm_uuid: virtual_machines(:testvm).uuid, + openid_prefix: 'https://www.google.com/accounts/o8/id', + user: { + uuid: 'zzzzz-tpzed-abcdefghijklmno', + first_name: "in_create_test_first_name", + last_name: "test_last_name", + email: "foo@example.com" + } + }, + headers: auth(:admin) + assert_response 422 # cannot create another user with same UUID + + # invoke setup on the same user + post "/arvados/v1/users/setup", + params: { + repo_name: repo_name, + vm_uuid: virtual_machines(:testvm).uuid, + openid_prefix: 'https://www.google.com/accounts/o8/id', uuid: 'zzzzz-tpzed-abcdefghijklmno', - first_name: "in_create_test_first_name", - last_name: "test_last_name", - email: "foo@example.com" - } - }, auth(:admin) - - assert_response :success + }, + headers: auth(:admin) response_items = json_response['items'] @@ -71,7 +86,7 @@ class UsersTest < ActionDispatch::IntegrationTest # arvados#user, repo link and link add user to 'All users' group verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', - repo_name, created['uuid'], 'arvados#repository', true, 'Repository' + 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' verify_link response_items, 'arvados#group', true, 'permission', 'can_read', 'All users', created['uuid'], 'arvados#group', true, 'Group' @@ -83,12 +98,14 @@ class UsersTest < ActionDispatch::IntegrationTest end test "setup user in multiple steps and verify response" do - post "/arvados/v1/users/setup", { - openid_prefix: 'http://www.example.com/account', - user: { - email: "foo@example.com" - } - }, auth(:admin) + post "/arvados/v1/users/setup", + params: { + openid_prefix: 'http://www.example.com/account', + user: { + email: "foo@example.com" + } + }, + headers: auth(:admin) assert_response :success response_items = json_response['items'] @@ -98,25 +115,22 @@ class UsersTest < ActionDispatch::IntegrationTest assert_not_nil created['email'], 'expected non-nil email' assert_equal created['email'], 'foo@example.com', 'expected input email' - # three new links: system_group, arvados#user, and 'All users' group. - verify_link response_items, 'arvados#user', true, 'permission', 'can_login', - created['uuid'], created['email'], 'arvados#user', false, 'arvados#user' + # two new links: system_group, and 'All users' group. verify_link response_items, 'arvados#group', true, 'permission', 'can_read', 'All users', created['uuid'], 'arvados#group', true, 'Group' - verify_link response_items, 'arvados#repository', false, 'permission', 'can_manage', - 'test_repo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine' # invoke setup with a repository - post "/arvados/v1/users/setup", { - openid_prefix: 'http://www.example.com/account', - repo_name: 'new_repo', - uuid: created['uuid'] - }, auth(:admin) + post "/arvados/v1/users/setup", + params: { + openid_prefix: 'http://www.example.com/account', + repo_name: 'newusertestrepo', + uuid: created['uuid'] + }, + headers: auth(:admin) assert_response :success @@ -130,20 +144,22 @@ class UsersTest < ActionDispatch::IntegrationTest 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', - 'new_repo', created['uuid'], 'arvados#repository', true, 'Repository' + 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine' # invoke setup with a vm_uuid - post "/arvados/v1/users/setup", { - vm_uuid: virtual_machines(:testvm).uuid, - openid_prefix: 'http://www.example.com/account', - user: { - email: 'junk_email' + post "/arvados/v1/users/setup", + params: { + vm_uuid: virtual_machines(:testvm).uuid, + openid_prefix: 'http://www.example.com/account', + user: { + email: 'junk_email' + }, + uuid: created['uuid'] }, - uuid: created['uuid'] - }, auth(:admin) + headers: auth(:admin) assert_response :success @@ -156,21 +172,19 @@ class UsersTest < ActionDispatch::IntegrationTest verify_link response_items, 'arvados#group', true, 'permission', 'can_read', 'All users', created['uuid'], 'arvados#group', true, 'Group' - # since no repo name in input, we won't get any; even though user has one - verify_link response_items, 'arvados#repository', false, 'permission', 'can_manage', - 'new_repo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine' end test "setup and unsetup user" do - post "/arvados/v1/users/setup", { - repo_name: 'test_repo', - vm_uuid: virtual_machines(:testvm).uuid, - user: {email: 'foo@example.com'}, - openid_prefix: 'https://www.google.com/accounts/o8/id' - }, auth(:admin) + post "/arvados/v1/users/setup", + params: { + repo_name: 'newusertestrepo', + vm_uuid: virtual_machines(:testvm).uuid, + user: {email: 'foo@example.com'}, + openid_prefix: 'https://www.google.com/accounts/o8/id' + }, + headers: auth(:admin) assert_response :success response_items = json_response['items'] @@ -178,22 +192,20 @@ class UsersTest < ActionDispatch::IntegrationTest assert_not_nil created['uuid'], 'expected uuid for the new user' assert_equal created['email'], 'foo@example.com', 'expected given email' - # five extra links: system_group, login, group, repo and vm - verify_link response_items, 'arvados#user', true, 'permission', 'can_login', - created['uuid'], created['email'], 'arvados#user', false, 'arvados#user' + # four extra links: system_group, login, group, repo and vm verify_link response_items, 'arvados#group', true, 'permission', 'can_read', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', - 'test_repo', created['uuid'], 'arvados#repository', true, 'Repository' + 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine' verify_link_existence created['uuid'], created['email'], true, true, true, true, false - post "/arvados/v1/users/#{created['uuid']}/unsetup", {}, auth(:admin) + post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin) assert_response :success @@ -213,4 +225,227 @@ class UsersTest < ActionDispatch::IntegrationTest nil end + test 'merge active into project_viewer account' do + post('/arvados/v1/groups', + params: { + group: { + group_class: 'project', + name: "active user's stuff", + }, + }, + headers: auth(:project_viewer)) + assert_response(:success) + project_uuid = json_response['uuid'] + + post('/arvados/v1/users/merge', + params: { + new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token, + new_owner_uuid: project_uuid, + redirect_to_new_user: true, + }, + headers: auth(:active_trustedclient)) + assert_response(:success) + + get('/arvados/v1/users/current', params: {}, headers: auth(:active)) + assert_response(:success) + assert_equal(users(:project_viewer).uuid, json_response['uuid']) + + get('/arvados/v1/authorized_keys/' + authorized_keys(:active).uuid, + params: {}, + headers: auth(:active)) + assert_response(:success) + assert_equal(users(:project_viewer).uuid, json_response['owner_uuid']) + assert_equal(users(:project_viewer).uuid, json_response['authorized_user_uuid']) + + get('/arvados/v1/repositories/' + repositories(:foo).uuid, + params: {}, + headers: auth(:active)) + assert_response(:success) + assert_equal(users(:project_viewer).uuid, json_response['owner_uuid']) + assert_equal("#{users(:project_viewer).username}/foo", json_response['name']) + + get('/arvados/v1/groups/' + groups(:aproject).uuid, + params: {}, + headers: auth(:active)) + assert_response(:success) + assert_equal(project_uuid, json_response['owner_uuid']) + end + + test 'pre-activate user' do + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "is_active" => true, + "username" => "barney" + } + }, + headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"} + assert_response :success + rp = json_response + assert_not_nil rp["uuid"] + assert_not_nil rp["is_active"] + assert_nil rp["is_admin"] + + get "/arvados/v1/users/#{rp['uuid']}", + params: {format: 'json'}, + headers: auth(:admin) + assert_response :success + assert_equal rp["uuid"], json_response['uuid'] + assert_nil json_response['is_admin'] + assert_equal true, json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + end + + test 'merge with repository name conflict' do + post('/arvados/v1/groups', + params: { + group: { + group_class: 'project', + name: "active user's stuff", + }, + }, + headers: auth(:project_viewer)) + assert_response(:success) + project_uuid = json_response['uuid'] + + post('/arvados/v1/repositories/', + params: { :repository => { :name => "#{users(:project_viewer).username}/foo", :owner_uuid => users(:project_viewer).uuid } }, + headers: auth(:project_viewer)) + assert_response(:success) + + post('/arvados/v1/users/merge', + params: { + new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token, + new_owner_uuid: project_uuid, + redirect_to_new_user: true, + }, + headers: auth(:active_trustedclient)) + assert_response(:success) + + get('/arvados/v1/repositories/' + repositories(:foo).uuid, + params: {}, + headers: auth(:active)) + assert_response(:success) + assert_equal(users(:project_viewer).uuid, json_response['owner_uuid']) + assert_equal("#{users(:project_viewer).username}/migratedfoo", json_response['name']) + + end + + test "cannot set is_activate to false directly" do + post('/arvados/v1/users', + params: { + user: { + email: "bob@example.com", + username: "bobby" + }, + }, + headers: auth(:admin)) + assert_response(:success) + user = json_response + assert_equal false, user['is_active'] + + post("/arvados/v1/users/#{user['uuid']}/activate", + params: {}, + headers: auth(:admin)) + assert_response(:success) + user = json_response + assert_equal true, user['is_active'] + + put("/arvados/v1/users/#{user['uuid']}", + params: { + user: {is_active: false} + }, + headers: auth(:admin)) + assert_response 422 + end + + test "cannot self activate when AutoSetupNewUsers is false" do + Rails.configuration.Users.NewUsersAreActive = false + Rails.configuration.Users.AutoSetupNewUsers = false + + user = nil + token = nil + act_as_system_user do + user = User.create!(email: "bob@example.com", username: "bobby") + ap = ApiClientAuthorization.create!(user: user, api_client: ApiClient.all.first) + token = ap.api_token + end + + get("/arvados/v1/users/#{user['uuid']}", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response(:success) + user = json_response + assert_equal false, user['is_active'] + + post("/arvados/v1/users/#{user['uuid']}/activate", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response 422 + assert_match(/Cannot activate without being invited/, json_response['errors'][0]) + end + + + test "cannot self activate after unsetup" do + Rails.configuration.Users.NewUsersAreActive = false + Rails.configuration.Users.AutoSetupNewUsers = false + + user = nil + token = nil + act_as_system_user do + user = User.create!(email: "bob@example.com", username: "bobby") + ap = ApiClientAuthorization.create!(user: user, api_client_id: 0) + token = ap.api_token + end + + post("/arvados/v1/users/setup", + params: {uuid: user['uuid']}, + headers: auth(:admin)) + assert_response :success + + post("/arvados/v1/users/#{user['uuid']}/activate", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response 403 + assert_match(/Cannot activate without user agreements/, json_response['errors'][0]) + + post("/arvados/v1/user_agreements/sign", + params: {uuid: 'zzzzz-4zz18-t68oksiu9m80s4y'}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response :success + + post("/arvados/v1/users/#{user['uuid']}/activate", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response :success + + get("/arvados/v1/users/#{user['uuid']}", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response(:success) + user = json_response + assert_equal true, user['is_active'] + + post("/arvados/v1/users/#{user['uuid']}/unsetup", + params: {}, + headers: auth(:admin)) + assert_response :success + + get("/arvados/v1/users/#{user['uuid']}", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response(:success) + user = json_response + assert_equal false, user['is_active'] + + post("/arvados/v1/users/#{user['uuid']}/activate", + params: {}, + headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) + assert_response 422 + assert_match(/Cannot activate without being invited/, json_response['errors'][0]) + end + + end