X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d3229c7f727f40436cad66fba5f3345e0b3eede5..41bb13b71c8593134c2b34884249ca862b185e04:/services/api/test/functional/arvados/v1/repositories_controller_test.rb
diff --git a/services/api/test/functional/arvados/v1/repositories_controller_test.rb b/services/api/test/functional/arvados/v1/repositories_controller_test.rb
index 5304bcafc5..514bb66bb2 100644
--- a/services/api/test/functional/arvados/v1/repositories_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/repositories_controller_test.rb
@@ -42,6 +42,26 @@ class Arvados::V1::RepositoriesControllerTest < ActionController::TestCase
 end
 end
 
+ test "get_all_permissions takes into account is_active flag" do
+ r = nil
+ act_as_user users(:active) do
+ r = Repository.create! name: 'active/testrepo'
+ end
+ act_as_system_user do
+ u = users(:active)
+ u.is_active = false
+ u.save!
+ end
+ authorize_with :admin
+ get :get_all_permissions
+ assert_response :success
+ json_response['repositories'].each do |r|
+ r['user_permissions'].each do |user_uuid, perms|
+ refute_equal user_uuid, users(:active).uuid
+ end
+ end
+ end
+
 test "get_all_permissions does not give any access to user without permission" do
 viewer_uuid = users(:project_viewer).uuid
 assert_equal(authorized_keys(:project_viewer).authorized_user_uuid,
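Review bot: The final loop in the new `is_active` test can pass without checking anything, because nothing asserts that `active/testrepo` is present in the response, so an empty `repositories` list or empty `user_permissions` hashes would satisfy it. The block parameter in `json_response['repositories'].each do |r|` also shadows the `r` that holds the created repository, which is then never used. Rename the block variable to `repo` and add `assert_includes json_response['repositories'].map { |repo| repo['uuid'] }, r.uuid` before the loop, so the test proves the deactivated user's repository is listed while the user is absent from its permissions. `refute_equal` takes the expected value first, so `refute_equal users(:active).uuid, user_uuid` would give a clearer failure message.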
@@ -87,4 +107,135 @@ class Arvados::V1::RepositoriesControllerTest < ActionController::TestCase
 "response public_key does not match fixture #{u}.")
 end
 end
+
+ test "get_all_permissions lists all repos regardless of permissions" do
+ act_as_system_user do
+ # Create repos that could potentially be left out of the
+ # permission list by accident.
+
+ # No authorized_key, no username (this can't even be done
+ # without skipping validations)
+ r = Repository.create name: 'root/testrepo'
+ assert r.save validate: false
+
+ r = Repository.create name: 'invalid username / repo name', owner_uuid: users(:inactive).uuid
+ assert r.save validate: false
+ end
+ authorize_with :admin
+ get :get_all_permissions
+ assert_response :success
+ assert_equal(Repository.count, json_response["repositories"].size)
+ end
+
+ test "get_all_permissions lists user permissions for users with no authorized keys" do
+ authorize_with :admin
+ AuthorizedKey.destroy_all
+ get :get_all_permissions
+ assert_response :success
+ assert_equal(Repository.count, json_response["repositories"].size)
+ repos_with_perms = []
+ json_response['repositories'].each do |repo|
+ if repo['user_permissions'].any?
+ repos_with_perms << repo['uuid']
+ end
+ end
+ assert_not_empty repos_with_perms, 'permissions are missing'
+ end
+
+ # Ensure get_all_permissions correctly describes what the normal
+ # permission system would do.
+ test "get_all_permissions obeys group permissions" do
+ act_as_user system_user do
+ r = Repository.create!(name: 'admin/groupcanwrite', owner_uuid: users(:admin).uuid)
+ g = Group.create!(group_class: 'group', name: 'repo-writers')
+ u1 = users(:active)
+ u2 = users(:spectator)
+ Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_manage')
+ Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
+ Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
+
+ r = Repository.create!(name: 'admin/groupreadonly', owner_uuid: users(:admin).uuid)
+ g = Group.create!(group_class: 'group', name: 'repo-readers')
+ u1 = users(:active)
+ u2 = users(:spectator)
+ Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_read')
+ Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
+ Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
+ end
+ authorize_with :admin
+ get :get_all_permissions
+ assert_response :success
+ json_response['repositories'].each do |repo|
+ repo['user_permissions'].each do |user_uuid, perms|
+ u = User.find_by_uuid(user_uuid)
+ if perms['can_read']
+ assert u.can? read: repo['uuid']
+ assert_match /R/, perms['gitolite_permissions']
+ else
+ refute_match /R/, perms['gitolite_permissions']
+ end
+ if perms['can_write']
+ assert u.can? write: repo['uuid']
+ assert_match /RW/, perms['gitolite_permissions']
+ else
+ refute_match /W/, perms['gitolite_permissions']
+ end
+ if perms['can_manage']
+ assert u.can? manage: repo['uuid']
+ assert_match /RW/, perms['gitolite_permissions']
+ end
+ end
+ end
+ end
+
+ test "default index includes fetch_url" do
+ authorize_with :active
+ get(:index)
+ assert_response :success
+ assert_includes(json_response["items"].map { |r| r["fetch_url"] },
+ "git@git.zzzzz.arvadosapi.com:active/foo.git")
+ end
+
+ [
+ {cfg: :git_repo_ssh_base, cfgval: "git@example.com:", match: %r"^git@example.com:/"},
+ {cfg: :git_repo_ssh_base, cfgval: true, match: %r"^git@git.zzzzz.arvadosapi.com:/"},
+ {cfg: :git_repo_ssh_base, cfgval: false, refute: /^git@/ },
+ {cfg: :git_repo_https_base, cfgval: "https://example.com/", match: %r"https://example.com/"},
+ {cfg: :git_repo_https_base, cfgval: true, match: %r"^https://git.zzzzz.arvadosapi.com/"},
+ {cfg: :git_repo_https_base, cfgval: false, refute: /^http/ },
+ ].each do |expect|
+ test "set #{expect[:cfg]} to #{expect[:cfgval]}" do
+ Rails.configuration.send expect[:cfg].to_s+"=", expect[:cfgval]
+ authorize_with :active
+ get :index
+ assert_response :success
+ json_response['items'].each do |r|
+ if expect[:refute]
+ r['clone_urls'].each do |u|
+ refute_match expect[:refute], u
+ end
+ else
+ assert r['clone_urls'].any? do |u|
+ expect[:prefix].match u
+ end
+ end
+ end
+ end
+ end
+
+ test "select push_url in index" do
+ authorize_with :active
+ get(:index, {select: ["uuid", "push_url"]})
+ assert_response :success
+ assert_includes(json_response["items"].map { |r| r["push_url"] },
+ "git@git.zzzzz.arvadosapi.com:active/foo.git")
+ end
+
+ test "select clone_urls in index" do
+ authorize_with :active
+ get(:index, {select: ["uuid", "clone_urls"]})
+ assert_response :success
+ assert_includes(json_response["items"].map { |r| r["clone_urls"] }.flatten,
+ "git@git.zzzzz.arvadosapi.com:active/foo.git")
+ end
 end
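Review bot: The positive cases of the `set #{expect[:cfg]} to #{expect[:cfgval]}` tests never check a URL: in `assert r['clone_urls'].any? do |u| ... end` the `do ... end` block binds to `assert` rather than to `any?`, so the assertion only tests that the list holds a truthy element, and the block reads `expect[:prefix]` although the table defines `:match`. Use a brace block with the right key, `assert r['clone_urls'].any? { |u| expect[:match].match u }`. Once the match actually runs, the patterns ending in `:/` may need revisiting, since the other tests in this hunk expect `git@git.zzzzz.arvadosapi.com:active/foo.git` with no slash after the colon; the dots are also unescaped and `^` anchors per line, so `\A` with escaped dots would be stricter. These tests assign to `Rails.configuration` with no restore visible in the hunk, so confirm the suite resets it between tests.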