X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b8de8845c856f7fe1232e5f048824211d1207ee7..59e8b47bee1c9699cbb2d16369481bd688da6e3d:/lib/controller/integration_test.go diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 3da01ca682..7e719e72ed 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -6,40 +6,28 @@ package controller import ( "bytes" - "context" "encoding/json" + "fmt" "io" "io/ioutil" "math" "net" "net/http" - "net/url" "os" + "os/exec" "path/filepath" + "strconv" + "strings" - "git.arvados.org/arvados.git/lib/boot" - "git.arvados.org/arvados.git/lib/config" - "git.arvados.org/arvados.git/lib/controller/rpc" - "git.arvados.org/arvados.git/lib/service" "git.arvados.org/arvados.git/sdk/go/arvados" - "git.arvados.org/arvados.git/sdk/go/arvadosclient" "git.arvados.org/arvados.git/sdk/go/arvadostest" - "git.arvados.org/arvados.git/sdk/go/auth" - "git.arvados.org/arvados.git/sdk/go/ctxlog" - "git.arvados.org/arvados.git/sdk/go/keepclient" check "gopkg.in/check.v1" ) var _ = check.Suite(&IntegrationSuite{}) -type testCluster struct { - super boot.Supervisor - config arvados.Config - controllerURL *url.URL -} - type IntegrationSuite struct { - testClusters map[string]*testCluster + testClusters map[string]*arvadostest.TestCluster oidcprovider *arvadostest.OIDCProvider } @@ -58,7 +46,7 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { s.oidcprovider.ValidClientID = "clientid" s.oidcprovider.ValidClientSecret = "clientsecret" - s.testClusters = map[string]*testCluster{ + s.testClusters = map[string]*arvadostest.TestCluster{ "z1111": nil, "z2222": nil, "z3333": nil, @@ -86,8 +74,6 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { ExternalURL: https://` + hostport[id] + ` TLS: Insecure: true - Login: - LoginCluster: z1111 SystemLogs: Format: text RemoteClusters: @@ -135,118 +121,30 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { ` } - loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c)) - loader.Path = "-" - loader.SkipLegacy = true - loader.SkipAPICalls = true - cfg, err := loader.Load() + tc, err := arvadostest.NewTestCluster( + filepath.Join(cwd, "..", ".."), + id, yaml, "127.0.0."+id[3:], c.Log) c.Assert(err, check.IsNil) - s.testClusters[id] = &testCluster{ - super: boot.Supervisor{ - SourcePath: filepath.Join(cwd, "..", ".."), - ClusterType: "test", - ListenHost: "127.0.0." + id[3:], - ControllerAddr: ":0", - OwnTemporaryDatabase: true, - Stderr: &service.LogPrefixer{Writer: ctxlog.LogWriter(c.Log), Prefix: []byte("[" + id + "] ")}, - }, - config: *cfg, - } - s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-") + s.testClusters[id] = tc + s.testClusters[id].Start() } for _, tc := range s.testClusters { - au, ok := tc.super.WaitReady() + ok := tc.WaitReady() c.Assert(ok, check.Equals, true) - u := url.URL(*au) - tc.controllerURL = &u } } func (s *IntegrationSuite) TearDownSuite(c *check.C) { for _, c := range s.testClusters { - c.super.Stop() + c.Super.Stop() } } -// Get rpc connection struct initialized to communicate with the -// specified cluster. -func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn { - return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider) -} - -// Return Context, Arvados.Client and keepclient structs initialized -// to connect to the specified cluster (by clusterID) using with the supplied -// Arvados token. -func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) { - cl := s.testClusters[clusterID].config.Clusters[clusterID] - ctx := auth.NewContext(context.Background(), auth.NewCredentials(token)) - ac, err := arvados.NewClientFromConfig(&cl) - if err != nil { - panic(err) - } - ac.AuthToken = token - arv, err := arvadosclient.New(ac) - if err != nil { - panic(err) - } - kc := keepclient.New(arv) - return ctx, ac, kc -} - -// Log in as a user called "example", get the user's API token, -// initialize clients with the API token, set up the user and -// optionally activate the user. Return client structs for -// communicating with the cluster on behalf of the 'example' user. -func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient, arvados.User) { - login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{ - ReturnTo: ",https://example.com", - AuthInfo: rpc.UserSessionAuthInfo{ - Email: "user@example.com", - FirstName: "Example", - LastName: "User", - Username: "example", - }, - }) - c.Assert(err, check.IsNil) - redirURL, err := url.Parse(login.RedirectLocation) - c.Assert(err, check.IsNil) - userToken := redirURL.Query().Get("api_token") - c.Logf("user token: %q", userToken) - ctx, ac, kc := s.clientsWithToken(clusterID, userToken) - user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{}) - c.Assert(err, check.IsNil) - _, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID}) - c.Assert(err, check.IsNil) - if activate { - _, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID}) - c.Assert(err, check.IsNil) - user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{}) - c.Assert(err, check.IsNil) - c.Logf("user UUID: %q", user.UUID) - if !user.IsActive { - c.Fatalf("failed to activate user -- %#v", user) - } - } - return ctx, ac, kc, user -} - -// Return Context, arvados.Client and keepclient structs initialized -// to communicate with the cluster as the system root user. -func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) { - return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken) -} - -// Return Context, arvados.Client and keepclient structs initialized -// to communicate with the cluster as the anonymous user. -func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) { - return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken) -} - func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { - conn1 := s.conn("z1111") - rootctx1, _, _ := s.rootClients("z1111") - conn3 := s.conn("z3333") - userctx1, ac1, kc1, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + conn1 := s.testClusters["z1111"].Conn() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + conn3 := s.testClusters["z3333"].Conn() + userctx1, ac1, kc1, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) // Create the collection to find its PDH (but don't save it // anywhere yet) @@ -280,11 +178,84 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { c.Check(coll.PortableDataHash, check.Equals, pdh) } +func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) { + if _, err := exec.LookPath("s3cmd"); err != nil { + c.Skip("s3cmd not in PATH") + return + } + + testText := "IntegrationSuite.TestS3WithFederatedToken" + + conn1 := s.testClusters["z1111"].Conn() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + userctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) + conn3 := s.testClusters["z3333"].Conn() + + createColl := func(clusterID string) arvados.Collection { + _, ac, kc := s.testClusters[clusterID].ClientsWithToken(ac1.AuthToken) + var coll arvados.Collection + fs, err := coll.FileSystem(ac, kc) + c.Assert(err, check.IsNil) + f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777) + c.Assert(err, check.IsNil) + _, err = io.WriteString(f, testText) + c.Assert(err, check.IsNil) + err = f.Close() + c.Assert(err, check.IsNil) + mtxt, err := fs.MarshalManifest(".") + c.Assert(err, check.IsNil) + coll, err = s.testClusters[clusterID].Conn().CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "manifest_text": mtxt, + }}) + c.Assert(err, check.IsNil) + return coll + } + + for _, trial := range []struct { + clusterID string // create the collection on this cluster (then use z3333 to access it) + token string + }{ + // Try the hardest test first: z3333 hasn't seen + // z1111's token yet, and we're just passing the + // opaque secret part, so z3333 has to guess that it + // belongs to z1111. + {"z1111", strings.Split(ac1.AuthToken, "/")[2]}, + {"z3333", strings.Split(ac1.AuthToken, "/")[2]}, + {"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)}, + {"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)}, + } { + c.Logf("================ %v", trial) + coll := createColl(trial.clusterID) + + cfgjson, err := conn3.ConfigGet(userctx1) + c.Assert(err, check.IsNil) + var cluster arvados.Cluster + err = json.Unmarshal(cfgjson, &cluster) + c.Assert(err, check.IsNil) + + c.Logf("TokenV2 is %s", ac1.AuthToken) + host := cluster.Services.WebDAV.ExternalURL.Host + s3args := []string{ + "--ssl", "--no-check-certificate", + "--host=" + host, "--host-bucket=" + host, + "--access_key=" + trial.token, "--secret_key=" + trial.token, + } + buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput() + c.Check(err, check.IsNil) + c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`) + + buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput() + // Command fails because we don't return Etag header. + flen := strconv.Itoa(len(testText)) + c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`) + } +} + func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) { - conn1 := s.conn("z1111") - conn3 := s.conn("z3333") - rootctx1, rootac1, rootkc1 := s.rootClients("z1111") - anonctx3, anonac3, _ := s.anonymousClients("z3333") + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + rootctx1, rootac1, rootkc1 := s.testClusters["z1111"].RootClients() + anonctx3, anonac3, _ := s.testClusters["z3333"].AnonymousClients() // Make sure anonymous token was set c.Assert(anonac3.AuthToken, check.Not(check.Equals), "") @@ -333,7 +304,7 @@ func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) { c.Check(err, check.IsNil) // Make a v2 token of the z3 anonymous user, and use it on z1 - _, anonac1, _ := s.clientsWithToken("z1111", outAuth.TokenV2()) + _, anonac1, _ := s.testClusters["z1111"].ClientsWithToken(outAuth.TokenV2()) outUser2, err := anonac1.CurrentUser() c.Check(err, check.IsNil) // z3 anonymous user will be mapped to the z1 anonymous user @@ -348,14 +319,14 @@ func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) { // Get a token from the login cluster (z1111), use it to submit a // container request on z2222. func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) { - conn1 := s.conn("z1111") - rootctx1, _, _ := s.rootClients("z1111") - _, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + conn1 := s.testClusters["z1111"].Conn() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + _, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) // Use ac2 to get the discovery doc with a blank token, so the // SDK doesn't magically pass the z1111 token to z2222 before // we're ready to start our test. - _, ac2, _ := s.clientsWithToken("z2222", "") + _, ac2, _ := s.testClusters["z2222"].ClientsWithToken("") var dd map[string]interface{} err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil) c.Assert(err, check.IsNil) @@ -418,15 +389,15 @@ func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) { // Test for bug #16263 func (s *IntegrationSuite) TestListUsers(c *check.C) { - rootctx1, _, _ := s.rootClients("z1111") - conn1 := s.conn("z1111") - conn3 := s.conn("z3333") - userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) // Make sure LoginCluster is properly configured for cls := range s.testClusters { c.Check( - s.testClusters[cls].config.Clusters[cls].Login.LoginCluster, + s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster, check.Equals, "z1111", check.Commentf("incorrect LoginCluster config on cluster %q", cls)) } @@ -487,12 +458,12 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) { } func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { - conn1 := s.conn("z1111") - conn3 := s.conn("z3333") - rootctx1, rootac1, _ := s.rootClients("z1111") + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + rootctx1, rootac1, _ := s.testClusters["z1111"].RootClients() // Create user on LoginCluster z1111 - _, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false) + _, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) // Make a new root token (because rootClients() uses SystemRootToken) var outAuth arvados.APIClientAuthorization @@ -500,7 +471,7 @@ func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { c.Check(err, check.IsNil) // Make a v2 root token to communicate with z3333 - rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2()) + rootctx3, rootac3, _ := s.testClusters["z3333"].ClientsWithToken(outAuth.TokenV2()) // Create VM on z3333 var outVM arvados.VirtualMachine @@ -551,17 +522,17 @@ func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { } func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) { - conn1 := s.conn("z1111") - rootctx1, _, _ := s.rootClients("z1111") - s.userClients(rootctx1, c, conn1, "z1111", true) + conn1 := s.testClusters["z1111"].Conn() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true) accesstoken := s.oidcprovider.ValidAccessToken() - for _, clusterid := range []string{"z1111", "z2222"} { - c.Logf("trying clusterid %s", clusterid) + for _, clusterID := range []string{"z1111", "z2222"} { + c.Logf("trying clusterid %s", clusterID) - conn := s.conn(clusterid) - ctx, ac, kc := s.clientsWithToken(clusterid, accesstoken) + conn := s.testClusters[clusterID].Conn() + ctx, ac, kc := s.testClusters[clusterID].ClientsWithToken(accesstoken) var coll arvados.Collection