X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c534e74c5c83f546c65e901f9c93ae2fdfae8d08..bfdecdcaf7dbeabfacc0efefb864e0024dbef9ab:/lib/controller/integration_test.go diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 7cad7d5f7a..4cf6a68328 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -665,6 +665,7 @@ func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) { // Test for bug #18076 func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) { rootctx1, _, _ := s.testClusters["z1111"].RootClients() + _, rootclnt3, _ := s.testClusters["z3333"].RootClients() conn1 := s.testClusters["z1111"].Conn() conn3 := s.testClusters["z3333"].Conn() @@ -678,69 +679,92 @@ func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) { } } - // Create some users, request them on the federated cluster so they're cached. - var users []arvados.User - for userNr := 0; userNr < 2; userNr++ { - _, _, _, user := s.testClusters["z1111"].UserClients( - rootctx1, - c, - conn1, - fmt.Sprintf("user%d@example.com", userNr), - true) - c.Assert(user.Username, check.Not(check.Equals), "") - users = append(users, user) - - lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) - c.Assert(err, check.Equals, nil) - userFound := false - for _, fedUser := range lst.Items { - if fedUser.UUID == user.UUID { - c.Assert(fedUser.Username, check.Equals, user.Username) - userFound = true - break + for testCaseNr, testCase := range []struct { + name string + withRepository bool + }{ + {"User without local repository", false}, + {"User with local repository", true}, + } { + c.Log(c.TestName() + " " + testCase.name) + // Create some users, request them on the federated cluster so they're cached. + var users []arvados.User + for userNr := 0; userNr < 2; userNr++ { + _, _, _, user := s.testClusters["z1111"].UserClients( + rootctx1, + c, + conn1, + fmt.Sprintf("user%d%d@example.com", testCaseNr, userNr), + true) + c.Assert(user.Username, check.Not(check.Equals), "") + users = append(users, user) + + lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.Equals, nil) + userFound := false + for _, fedUser := range lst.Items { + if fedUser.UUID == user.UUID { + c.Assert(fedUser.Username, check.Equals, user.Username) + userFound = true + break + } + } + c.Assert(userFound, check.Equals, true) + + if testCase.withRepository { + var repo interface{} + err = rootclnt3.RequestAndDecode( + &repo, "POST", "arvados/v1/repositories", nil, + map[string]interface{}{ + "repository": map[string]string{ + "name": fmt.Sprintf("%s/test", user.Username), + "owner_uuid": user.UUID, + }, + }, + ) + c.Assert(err, check.IsNil) } } - c.Assert(userFound, check.Equals, true) - } - // Swap the usernames - _, err := conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ - UUID: users[0].UUID, - Attrs: map[string]interface{}{ - "username": "", - }, - }) - c.Assert(err, check.Equals, nil) - _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ - UUID: users[1].UUID, - Attrs: map[string]interface{}{ - "username": users[0].Username, - }, - }) - c.Assert(err, check.Equals, nil) - _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ - UUID: users[0].UUID, - Attrs: map[string]interface{}{ - "username": users[1].Username, - }, - }) - c.Assert(err, check.Equals, nil) + // Swap the usernames + _, err := conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[0].UUID, + Attrs: map[string]interface{}{ + "username": "", + }, + }) + c.Assert(err, check.Equals, nil) + _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[1].UUID, + Attrs: map[string]interface{}{ + "username": users[0].Username, + }, + }) + c.Assert(err, check.Equals, nil) + _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[0].UUID, + Attrs: map[string]interface{}{ + "username": users[1].Username, + }, + }) + c.Assert(err, check.Equals, nil) - // Re-request the list on the federated cluster & check for updates - lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) - c.Assert(err, check.Equals, nil) - var user0Found, user1Found bool - for _, user := range lst.Items { - if user.UUID == users[0].UUID { - user0Found = true - c.Assert(user.Username, check.Equals, users[1].Username) - } else if user.UUID == users[1].UUID { - user1Found = true - c.Assert(user.Username, check.Equals, users[0].Username) + // Re-request the list on the federated cluster & check for updates + lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.Equals, nil) + var user0Found, user1Found bool + for _, user := range lst.Items { + if user.UUID == users[0].UUID { + user0Found = true + c.Assert(user.Username, check.Equals, users[1].Username) + } else if user.UUID == users[1].UUID { + user1Found = true + c.Assert(user.Username, check.Equals, users[0].Username) + } } + c.Assert(user0Found, check.Equals, true) + c.Assert(user1Found, check.Equals, true) } - c.Assert(user0Found, check.Equals, true) - c.Assert(user1Found, check.Equals, true) } // Test for bug #16263 @@ -807,11 +831,9 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) { } c.Check(found, check.Equals, true) - // Deactivated user can see is_active==false via "get current - // user" API + // Deactivated user no longer has working token user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{}) - c.Assert(err, check.IsNil) - c.Check(user1.IsActive, check.Equals, false) + c.Assert(err, check.ErrorMatches, `.*401 Unauthorized.*`) } func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { @@ -937,3 +959,63 @@ func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) { } } } + +// z3333 should not forward a locally-issued container runtime token, +// associated with a z1111 user, to its login cluster z1111. z1111 +// would only call back to z3333 and then reject the response because +// the user ID does not match the token prefix. See +// dev.arvados.org/issues/18346 +func (s *IntegrationSuite) TestForwardRuntimeTokenToLoginCluster(c *check.C) { + db3, db3conn := s.dbConn(c, "z3333") + defer db3.Close() + defer db3conn.Close() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + rootctx3, _, _ := s.testClusters["z3333"].RootClients() + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true) + + user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Logf("user1 %+v", user1) + + imageColl, err := conn3.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar\n", + }}) + c.Assert(err, check.IsNil) + c.Logf("imageColl %+v", imageColl) + + cr, err := conn3.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "state": "Committed", + "command": []string{"echo"}, + "container_image": imageColl.PortableDataHash, + "cwd": "/", + "output_path": "/", + "priority": 1, + "runtime_constraints": arvados.RuntimeConstraints{ + VCPUs: 1, + RAM: 1000000000, + }, + }}) + c.Assert(err, check.IsNil) + c.Logf("container request %+v", cr) + ctr, err := conn3.ContainerLock(rootctx3, arvados.GetOptions{UUID: cr.ContainerUUID}) + c.Assert(err, check.IsNil) + c.Logf("container %+v", ctr) + + // We could use conn3.ContainerAuth() here, but that API + // hasn't been added to sdk/go/arvados/api.go yet. + row := db3conn.QueryRowContext(context.Background(), `SELECT api_token from api_client_authorizations where uuid=$1`, ctr.AuthUUID) + c.Check(row, check.NotNil) + var val sql.NullString + row.Scan(&val) + c.Assert(val.Valid, check.Equals, true) + runtimeToken := "v2/" + ctr.AuthUUID + "/" + val.String + ctrctx, _, _ := s.testClusters["z3333"].ClientsWithToken(runtimeToken) + c.Logf("container runtime token %+v", runtimeToken) + + _, err = conn3.UserGet(ctrctx, arvados.GetOptions{UUID: user1.UUID}) + c.Assert(err, check.NotNil) + c.Check(err, check.ErrorMatches, `request failed: .* 401 Unauthorized: cannot use a locally issued token to forward a request to our login cluster \(z1111\)`) + c.Check(err, check.Not(check.ErrorMatches), `(?ms).*127\.0\.0\.11.*`) +}