X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b586b7eece173fe0cf0ce5e53aa8969f1239ef16..9b976ee4d3e0c58eaa81f28f13dc4d112dbf804b:/services/api/test/unit/group_test.rb diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb index f3367118c5..a3bcd4e356 100644 --- a/services/api/test/unit/group_test.rb +++ b/services/api/test/unit/group_test.rb @@ -317,9 +317,22 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' test "freeze project" do act_as_user users(:active) do Rails.configuration.API.UnfreezeProjectRequiresAdmin = false - proj = Group.create!(group_class: 'project', name: 'freeze-test', owner_uuid: users(:active).uuid) + + test_cr_attrs = { + command: ["echo", "foo"], + container_image: links(:docker_image_collection_tag).name, + cwd: "/tmp", + environment: {}, + mounts: {"/out" => {"kind" => "tmp", "capacity" => 1000000}}, + output_path: "/out", + runtime_constraints: {"vcpus" => 1, "ram" => 2}, + name: "foo", + description: "bar", + } + parent = Group.create!(group_class: 'project', name: 'freeze-test-parent', owner_uuid: users(:active).uuid) + proj = Group.create!(group_class: 'project', name: 'freeze-test', owner_uuid: parent.uuid) proj_inner = Group.create!(group_class: 'project', name: 'freeze-test-inner', owner_uuid: proj.uuid) - coll = Collection.create!(name: 'foo', manifest_text: '') + coll = Collection.create!(name: 'freeze-test-collection', manifest_text: '', owner_uuid: proj_inner.uuid) # Cannot set frozen_by_uuid to a different user assert_raises do @@ -327,6 +340,19 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' end proj.reload + # Cannot set frozen_by_uuid without can_manage permission + act_as_system_user do + Link.create!(link_class: 'permission', name: 'can_write', tail_uuid: users(:spectator).uuid, head_uuid: proj.uuid) + end + act_as_user users(:spectator) do + # First confirm we have write permission + assert Collection.create(name: 'bar', owner_uuid: proj.uuid) + assert_raises(ArvadosModel::PermissionDeniedError) do + proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid) + end + end + proj.reload + # Cannot set frozen_by_uuid without description (if so configured) Rails.configuration.API.FreezeProjectRequiresDescription = true err = assert_raises do @@ -350,6 +376,21 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' assert_match /can only be set if properties\[frobity\] value is non-empty/, err.inspect proj.reload + # Cannot set frozen_by_uuid while project or its parent is + # trashed + [parent, proj].each do |trashed| + trashed.update_attributes!(trash_at: db_current_time) + err = assert_raises do + proj.update_attributes!( + frozen_by_uuid: users(:active).uuid, + description: 'ready to freeze', + properties: {'frobity' => 'bar baz'}) + end + assert_match /cannot be set on a trashed project/, err.inspect + proj.reload + trashed.update_attributes!(trash_at: nil) + end + # Can set frozen_by_uuid if all conditions are met ok = proj.update_attributes( frozen_by_uuid: users(:active).uuid, @@ -357,51 +398,82 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' properties: {'frobity' => 'bar baz'}) assert ok, proj.errors.messages.inspect - # Once project is frozen, cannot change name/contents, trash, or - # delete the project or anything beneath it - [proj, proj_inner, coll].each do |frozen| - assert_raises do - frozen.update_attributes!(name: 'foo2') - end - if frozen.is_a?(Collection) - assert_raises do - frozen.update_attributes!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n") + [:active, :admin].each do |u| + act_as_user users(u) do + # Once project is frozen, cannot create new items inside it or + # its descendants + [proj, proj_inner].each do |frozen| + assert_raises do + collections(:collection_owned_by_active).update_attributes!(owner_uuid: frozen.uuid) + end + assert_raises do + Collection.create!(owner_uuid: frozen.uuid, name: 'inside-frozen-project') + end + assert_raises do + Group.create!(owner_uuid: frozen.uuid, group_class: 'project', name: 'inside-frozen-project') + end + cr = ContainerRequest.new(test_cr_attrs.merge(owner_uuid: frozen.uuid)) + assert_raises ArvadosModel::PermissionDeniedError do + cr.save + end + assert_match /frozen/, cr.errors.inspect + # Check the frozen-parent condition is the only reason save failed. + cr.owner_uuid = users(u).uuid + assert cr.save + cr.destroy + end + + # Once project is frozen, cannot change name/contents, move, + # trash, or delete the project or anything beneath it + [proj, proj_inner, coll].each do |frozen| + assert_raises(StandardError, "should reject rename of #{frozen.uuid} (#{frozen.name}) with parent #{frozen.owner_uuid}") do + frozen.update_attributes!(name: 'foo2') + end + frozen.reload + + if frozen.is_a?(Collection) + assert_raises(StandardError, "should reject manifest change of #{frozen.uuid}") do + frozen.update_attributes!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n") + end + else + assert_raises(StandardError, "should reject moving a project into #{frozen.uuid}") do + groups(:private).update_attributes!(owner_uuid: frozen.uuid) + end + end + frozen.reload + + assert_raises(StandardError, "should reject moving #{frozen.uuid} to a different parent project") do + frozen.update_attributes!(owner_uuid: groups(:private).uuid) + end + frozen.reload + assert_raises(StandardError, "should reject setting trash_at of #{frozen.uuid}") do + frozen.update_attributes!(trash_at: db_current_time) + end + frozen.reload + assert_raises(StandardError, "should reject setting delete_at of #{frozen.uuid}") do + frozen.update_attributes!(delete_at: db_current_time) + end + frozen.reload + assert_raises(StandardError, "should reject delete of #{frozen.uuid}") do + frozen.destroy + end + frozen.reload + if frozen != proj + assert_equal [], frozen.writable_by + end end - end - assert_raises do - frozen.update_attributes!(trash_at: db_current_time) - end - assert_raises do - frozen.destroy end end - # Once project is frozen, cannot create new items inside it or - # its descendants - [proj, proj_inner].each do |parent| - assert_raises do - Collection.create!(owner_uuid: parent.uuid, name: 'inside-frozen-project') - end - assert_raises do - Group.create!(owner_uuid: parent.uuid, group_class: 'project', name: 'inside-frozen-project') + # User with write permission (but not manage) cannot unfreeze + act_as_user users(:spectator) do + # First confirm we have write permission on the parent project + assert Collection.create(name: 'bar', owner_uuid: parent.uuid) + assert_raises(ArvadosModel::PermissionDeniedError) do + proj.update_attributes!(frozen_by_uuid: nil) end - cr = ContainerRequest.create( - command: ["echo", "foo"], - container_image: links(:docker_image_collection_tag).name, - cwd: "/tmp", - environment: {}, - mounts: {"/out" => {"kind" => "tmp", "capacity" => 1000000}}, - output_path: "/out", - runtime_constraints: {"vcpus" => 1, "ram" => 2}, - name: "foo", - description: "bar", - owner_uuid: parent.uuid, - ) - assert_raises do - cr.save! - end - assert_match cr.errors.inspect, /frozen/ end + proj.reload # User with manage permission can unfreeze, then create items # inside it and its children @@ -420,6 +492,17 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' assert_match /can only be changed by an admin user, once set/, err.inspect proj.reload + # Cannot trash or delete a frozen project's ancestor + assert_raises(StandardError, "should not be able to set trash_at on parent of frozen project") do + parent.update_attributes!(trash_at: db_current_time) + end + parent.reload + assert_raises(StandardError, "should not be able to set delete_at on parent of frozen project") do + parent.update_attributes!(delete_at: db_current_time) + end + parent.reload + assert_nil parent.frozen_by_uuid + act_as_user users(:admin) do # Even admin cannot change frozen_by_uuid to someone else's UUID. err = assert_raises do @@ -431,6 +514,22 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' # Admin can unfreeze. assert proj.update_attributes(frozen_by_uuid: nil), proj.errors.messages end + + # Cannot freeze a project if it contains container requests in + # Committed state (this would cause operations on the relevant + # Containers to fail when syncing container request state) + creq_uncommitted = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid)) + creq_committed = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid, state: 'Committed')) + err = assert_raises do + proj.update_attributes!(frozen_by_uuid: users(:active).uuid) + end + assert_match /container request zzzzz-xvhdp-.* with state = Committed/, err.inspect + proj.reload + + # Can freeze once all container requests are in Uncommitted or + # Final state + creq_committed.update_attributes!(state: ContainerRequest::Final) + assert proj.update_attributes(frozen_by_uuid: users(:active).uuid) end end end