X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/df8aa6da0173f77aa9f2fcbe2814a07bcdcbf5d9..d7f388108615d981636e464785129ce4a958a7f5:/lib/controller/localdb/container_gateway_test.go

diff --git a/lib/controller/localdb/container_gateway_test.go b/lib/controller/localdb/container_gateway_test.go
index 92065c9ed9..4884eda466 100644
--- a/lib/controller/localdb/container_gateway_test.go
+++ b/lib/controller/localdb/container_gateway_test.go
@@ -5,27 +5,32 @@
 package localdb
 
 import (
-	"context"
+	"bytes"
 	"crypto/hmac"
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
 	"strings"
 	"time"
 
-	"git.arvados.org/arvados.git/lib/config"
 	"git.arvados.org/arvados.git/lib/controller/router"
 	"git.arvados.org/arvados.git/lib/controller/rpc"
 	"git.arvados.org/arvados.git/lib/crunchrun"
 	"git.arvados.org/arvados.git/lib/ctrlctx"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/arvadosclient"
 	"git.arvados.org/arvados.git/sdk/go/arvadostest"
-	"git.arvados.org/arvados.git/sdk/go/auth"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
+	"git.arvados.org/arvados.git/sdk/go/httpserver"
+	"git.arvados.org/arvados.git/sdk/go/keepclient"
 	"golang.org/x/crypto/ssh"
 	check "gopkg.in/check.v1"
 )
@@ -33,27 +38,14 @@ import (
 var _ = check.Suite(&ContainerGatewaySuite{})
 
 type ContainerGatewaySuite struct {
-	cluster *arvados.Cluster
-	localdb *Conn
-	ctx     context.Context
+	localdbSuite
 	ctrUUID string
+	srv     *httptest.Server
 	gw      *crunchrun.Gateway
 }
 
-func (s *ContainerGatewaySuite) TearDownSuite(c *check.C) {
-	// Undo any changes/additions to the user database so they
-	// don't affect subsequent tests.
-	arvadostest.ResetEnv()
-	c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
-}
-
-func (s *ContainerGatewaySuite) SetUpSuite(c *check.C) {
-	cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
-	c.Assert(err, check.IsNil)
-	s.cluster, err = cfg.GetCluster("")
-	c.Assert(err, check.IsNil)
-	s.localdb = NewConn(context.Background(), s.cluster, (&ctrlctx.DBConnector{PostgreSQL: s.cluster.PostgreSQL}).GetDB)
-	s.ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.ActiveTokenV2}})
+func (s *ContainerGatewaySuite) SetUpTest(c *check.C) {
+	s.localdbSuite.SetUpTest(c)
 
 	s.ctrUUID = arvadostest.QueuedContainerUUID
 
@@ -62,15 +54,15 @@ func (s *ContainerGatewaySuite) SetUpSuite(c *check.C) {
 	authKey := fmt.Sprintf("%x", h.Sum(nil))
 
 	rtr := router.New(s.localdb, router.Config{})
-	srv := httptest.NewUnstartedServer(rtr)
-	srv.StartTLS()
+	s.srv = httptest.NewUnstartedServer(httpserver.AddRequestIDs(httpserver.LogRequests(rtr)))
+	s.srv.StartTLS()
 	// the test setup doesn't use lib/service so
 	// service.URLFromContext() returns nothing -- instead, this
 	// is how we advertise our internal URL and enable
 	// proxy-to-other-controller mode,
-	forceInternalURLForTest = &arvados.URL{Scheme: "https", Host: srv.Listener.Addr().String()}
+	forceInternalURLForTest = &arvados.URL{Scheme: "https", Host: s.srv.Listener.Addr().String()}
 	ac := &arvados.Client{
-		APIHost:   srv.Listener.Addr().String(),
+		APIHost:   s.srv.Listener.Addr().String(),
 		AuthToken: arvadostest.Dispatch1Token,
 		Insecure:  true,
 	}
@@ -83,21 +75,14 @@ func (s *ContainerGatewaySuite) SetUpSuite(c *check.C) {
 		ArvadosClient: ac,
 	}
 	c.Assert(s.gw.Start(), check.IsNil)
-	rootctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{s.cluster.SystemRootToken}})
-	_, err = s.localdb.ContainerUpdate(rootctx, arvados.UpdateOptions{
+	rootctx := ctrlctx.NewWithToken(s.ctx, s.cluster, s.cluster.SystemRootToken)
+	// OK if this line fails (because state is already Running
+	// from a previous test case) as long as the following line
+	// succeeds:
+	s.localdb.ContainerUpdate(rootctx, arvados.UpdateOptions{
 		UUID: s.ctrUUID,
 		Attrs: map[string]interface{}{
 			"state": arvados.ContainerStateLocked}})
-	c.Assert(err, check.IsNil)
-}
-
-func (s *ContainerGatewaySuite) SetUpTest(c *check.C) {
-	// clear any tunnel sessions started by previous test cases
-	s.localdb.gwTunnelsLock.Lock()
-	s.localdb.gwTunnels = nil
-	s.localdb.gwTunnelsLock.Unlock()
-
-	rootctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{s.cluster.SystemRootToken}})
 	_, err := s.localdb.ContainerUpdate(rootctx, arvados.UpdateOptions{
 		UUID: s.ctrUUID,
 		Attrs: map[string]interface{}{
@@ -107,10 +92,15 @@ func (s *ContainerGatewaySuite) SetUpTest(c *check.C) {
 
 	s.cluster.Containers.ShellAccess.Admin = true
 	s.cluster.Containers.ShellAccess.User = true
-	_, err = arvadostest.DB(c, s.cluster).Exec(`update containers set interactive_session_started=$1 where uuid=$2`, false, s.ctrUUID)
+	_, err = s.db.Exec(`update containers set interactive_session_started=$1 where uuid=$2`, false, s.ctrUUID)
 	c.Check(err, check.IsNil)
 }
 
+func (s *ContainerGatewaySuite) TearDownTest(c *check.C) {
+	s.srv.Close()
+	s.localdbSuite.TearDownTest(c)
+}
+
 func (s *ContainerGatewaySuite) TestConfig(c *check.C) {
 	for _, trial := range []struct {
 		configAdmin bool
@@ -130,7 +120,7 @@ func (s *ContainerGatewaySuite) TestConfig(c *check.C) {
 		c.Logf("trial %#v", trial)
 		s.cluster.Containers.ShellAccess.Admin = trial.configAdmin
 		s.cluster.Containers.ShellAccess.User = trial.configUser
-		ctx := auth.NewContext(s.ctx, &auth.Credentials{Tokens: []string{trial.sendToken}})
+		ctx := ctrlctx.NewWithToken(s.ctx, s.cluster, trial.sendToken)
 		sshconn, err := s.localdb.ContainerSSH(ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 		if trial.errorCode == 0 {
 			if !c.Check(err, check.IsNil) {
@@ -176,7 +166,7 @@ func (s *ContainerGatewaySuite) TestDirectTCP(c *check.C) {
 	}
 
 	c.Logf("connecting to %s", s.gw.Address)
-	sshconn, err := s.localdb.ContainerSSH(s.ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
+	sshconn, err := s.localdb.ContainerSSH(s.userctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 	c.Assert(err, check.IsNil)
 	c.Assert(sshconn.Conn, check.NotNil)
 	defer sshconn.Conn.Close()
@@ -212,9 +202,259 @@ func (s *ContainerGatewaySuite) TestDirectTCP(c *check.C) {
 	}
 }
 
+func (s *ContainerGatewaySuite) setupLogCollection(c *check.C) {
+	files := map[string]string{
+		"stderr.txt":   "hello world\n",
+		"a/b/c/d.html": "<html></html>\n",
+	}
+	client := arvados.NewClientFromEnv()
+	ac, err := arvadosclient.New(client)
+	c.Assert(err, check.IsNil)
+	kc, err := keepclient.MakeKeepClient(ac)
+	c.Assert(err, check.IsNil)
+	cfs, err := (&arvados.Collection{}).FileSystem(client, kc)
+	c.Assert(err, check.IsNil)
+	for name, content := range files {
+		for i, ch := range name {
+			if ch == '/' {
+				err := cfs.Mkdir("/"+name[:i], 0777)
+				c.Assert(err, check.IsNil)
+			}
+		}
+		f, err := cfs.OpenFile("/"+name, os.O_CREATE|os.O_WRONLY, 0777)
+		c.Assert(err, check.IsNil)
+		f.Write([]byte(content))
+		err = f.Close()
+		c.Assert(err, check.IsNil)
+	}
+	cfs.Sync()
+	s.gw.LogCollection = cfs
+}
+
+func (s *ContainerGatewaySuite) saveLogAndCloseGateway(c *check.C) {
+	rootctx := ctrlctx.NewWithToken(s.ctx, s.cluster, s.cluster.SystemRootToken)
+	txt, err := s.gw.LogCollection.MarshalManifest(".")
+	c.Assert(err, check.IsNil)
+	coll, err := s.localdb.CollectionCreate(rootctx, arvados.CreateOptions{
+		Attrs: map[string]interface{}{
+			"manifest_text": txt,
+		}})
+	c.Assert(err, check.IsNil)
+	_, err = s.localdb.ContainerUpdate(rootctx, arvados.UpdateOptions{
+		UUID: s.ctrUUID,
+		Attrs: map[string]interface{}{
+			"log":             coll.PortableDataHash,
+			"gateway_address": "",
+		}})
+	c.Assert(err, check.IsNil)
+	// gateway_address="" above already ensures localdb
+	// can't circumvent the keep-web proxy test by getting
+	// content from the container gateway; this is just
+	// extra insurance.
+	s.gw.LogCollection = nil
+}
+
+func (s *ContainerGatewaySuite) TestContainerLogViaTunnel(c *check.C) {
+	forceProxyForTest = true
+	defer func() { forceProxyForTest = false }()
+
+	s.gw = s.setupGatewayWithTunnel(c)
+	s.setupLogCollection(c)
+
+	for _, broken := range []bool{false, true} {
+		c.Logf("broken=%v", broken)
+
+		if broken {
+			delete(s.cluster.Services.Controller.InternalURLs, *forceInternalURLForTest)
+		} else {
+			s.cluster.Services.Controller.InternalURLs[*forceInternalURLForTest] = arvados.ServiceInstance{}
+			defer delete(s.cluster.Services.Controller.InternalURLs, *forceInternalURLForTest)
+		}
+
+		handler, err := s.localdb.ContainerLog(s.userctx, arvados.ContainerLogOptions{
+			UUID:          s.ctrUUID,
+			WebDAVOptions: arvados.WebDAVOptions{Path: "/stderr.txt"},
+		})
+		if broken {
+			c.Check(err, check.ErrorMatches, `.*tunnel endpoint is invalid.*`)
+			continue
+		}
+		c.Check(err, check.IsNil)
+		c.Assert(handler, check.NotNil)
+		r, err := http.NewRequestWithContext(s.userctx, "GET", "https://controller.example/arvados/v1/containers/"+s.ctrUUID+"/log/stderr.txt", nil)
+		c.Assert(err, check.IsNil)
+		r.Header.Set("Authorization", "Bearer "+arvadostest.ActiveTokenV2)
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, r)
+		resp := rec.Result()
+		c.Check(resp.StatusCode, check.Equals, http.StatusOK)
+		buf, err := ioutil.ReadAll(resp.Body)
+		c.Check(err, check.IsNil)
+		c.Check(string(buf), check.Equals, "hello world\n")
+	}
+}
+
+func (s *ContainerGatewaySuite) TestContainerLogViaGateway(c *check.C) {
+	s.setupLogCollection(c)
+	s.testContainerLog(c)
+}
+
+func (s *ContainerGatewaySuite) TestContainerLogViaKeepWeb(c *check.C) {
+	s.setupLogCollection(c)
+	s.saveLogAndCloseGateway(c)
+	s.testContainerLog(c)
+}
+
+func (s *ContainerGatewaySuite) testContainerLog(c *check.C) {
+	for _, trial := range []struct {
+		method       string
+		path         string
+		header       http.Header
+		expectStatus int
+		expectBodyRe string
+		expectHeader http.Header
+	}{
+		{
+			method:       "GET",
+			path:         "/stderr.txt",
+			expectStatus: http.StatusOK,
+			expectBodyRe: "hello world\n",
+			expectHeader: http.Header{
+				"Content-Type": {"text/plain; charset=utf-8"},
+			},
+		},
+		{
+			method: "GET",
+			path:   "/stderr.txt",
+			header: http.Header{
+				"Range": {"bytes=-6"},
+			},
+			expectStatus: http.StatusPartialContent,
+			expectBodyRe: "world\n",
+			expectHeader: http.Header{
+				"Content-Type":  {"text/plain; charset=utf-8"},
+				"Content-Range": {"bytes 6-11/12"},
+			},
+		},
+		{
+			method:       "OPTIONS",
+			path:         "/stderr.txt",
+			expectStatus: http.StatusOK,
+			expectBodyRe: "",
+			expectHeader: http.Header{
+				"Dav":   {"1, 2"},
+				"Allow": {"OPTIONS, LOCK, GET, HEAD, POST, DELETE, PROPPATCH, COPY, MOVE, UNLOCK, PROPFIND, PUT"},
+			},
+		},
+		{
+			method:       "PROPFIND",
+			path:         "",
+			expectStatus: http.StatusMultiStatus,
+			expectBodyRe: `.*\Q<D:displayname>stderr.txt</D:displayname>\E.*`,
+			expectHeader: http.Header{
+				"Content-Type": {"text/xml; charset=utf-8"},
+			},
+		},
+		{
+			method:       "PROPFIND",
+			path:         "/a/b/c/",
+			expectStatus: http.StatusMultiStatus,
+			expectBodyRe: `.*\Q<D:displayname>d.html</D:displayname>\E.*`,
+			expectHeader: http.Header{
+				"Content-Type": {"text/xml; charset=utf-8"},
+			},
+		},
+		{
+			method:       "GET",
+			path:         "/a/b/c/d.html",
+			expectStatus: http.StatusOK,
+			expectBodyRe: "<html></html>\n",
+			expectHeader: http.Header{
+				"Content-Type": {"text/html; charset=utf-8"},
+			},
+		},
+	} {
+		c.Logf("trial %#v", trial)
+		handler, err := s.localdb.ContainerLog(s.userctx, arvados.ContainerLogOptions{
+			UUID:          s.ctrUUID,
+			WebDAVOptions: arvados.WebDAVOptions{Path: trial.path},
+		})
+		c.Assert(err, check.IsNil)
+		c.Assert(handler, check.NotNil)
+		r, err := http.NewRequestWithContext(s.userctx, trial.method, "https://controller.example/arvados/v1/containers/"+s.ctrUUID+"/log"+trial.path, nil)
+		c.Assert(err, check.IsNil)
+		for k := range trial.header {
+			r.Header.Set(k, trial.header.Get(k))
+		}
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, r)
+		resp := rec.Result()
+		c.Check(resp.StatusCode, check.Equals, trial.expectStatus)
+		for k := range trial.expectHeader {
+			c.Check(resp.Header.Get(k), check.Equals, trial.expectHeader.Get(k))
+		}
+		buf, err := ioutil.ReadAll(resp.Body)
+		c.Check(err, check.IsNil)
+		c.Check(string(buf), check.Matches, trial.expectBodyRe)
+	}
+}
+
+func (s *ContainerGatewaySuite) TestContainerLogViaCadaver(c *check.C) {
+	s.setupLogCollection(c)
+
+	out := s.runCadaver(c, arvadostest.ActiveToken, "/arvados/v1/containers/"+s.ctrUUID+"/log", "ls")
+	c.Check(out, check.Matches, `(?ms).*stderr\.txt\s+12\s.*`)
+	c.Check(out, check.Matches, `(?ms).*a\s+0\s.*`)
+
+	out = s.runCadaver(c, arvadostest.ActiveTokenV2, "/arvados/v1/containers/"+s.ctrUUID+"/log", "get stderr.txt")
+	c.Check(out, check.Matches, `(?ms).*Downloading .* to stderr\.txt: .* succeeded\..*`)
+
+	s.saveLogAndCloseGateway(c)
+
+	out = s.runCadaver(c, arvadostest.ActiveTokenV2, "/arvados/v1/containers/"+s.ctrUUID+"/log", "get stderr.txt")
+	c.Check(out, check.Matches, `(?ms).*Downloading .* to stderr\.txt: .* succeeded\..*`)
+}
+
+func (s *ContainerGatewaySuite) runCadaver(c *check.C, password, path, stdin string) string {
+	// Replace s.srv with an HTTP server, otherwise cadaver will
+	// just fail on TLS cert verification.
+	s.srv.Close()
+	rtr := router.New(s.localdb, router.Config{})
+	s.srv = httptest.NewUnstartedServer(httpserver.AddRequestIDs(httpserver.LogRequests(rtr)))
+	s.srv.Start()
+
+	tempdir, err := ioutil.TempDir("", "localdb-test-")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tempdir)
+
+	cmd := exec.Command("cadaver", s.srv.URL+path)
+	if password != "" {
+		cmd.Env = append(os.Environ(), "HOME="+tempdir)
+		f, err := os.OpenFile(filepath.Join(tempdir, ".netrc"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+		c.Assert(err, check.IsNil)
+		_, err = fmt.Fprintf(f, "default login none password %s\n", password)
+		c.Assert(err, check.IsNil)
+		c.Assert(f.Close(), check.IsNil)
+	}
+	cmd.Stdin = bytes.NewBufferString(stdin)
+	cmd.Dir = tempdir
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, check.Equals, nil)
+	cmd.Stderr = cmd.Stdout
+	c.Logf("cmd: %v", cmd.Args)
+	go cmd.Start()
+
+	var buf bytes.Buffer
+	_, err = io.Copy(&buf, stdout)
+	c.Check(err, check.Equals, nil)
+	err = cmd.Wait()
+	c.Check(err, check.Equals, nil)
+	return buf.String()
+}
+
 func (s *ContainerGatewaySuite) TestConnect(c *check.C) {
 	c.Logf("connecting to %s", s.gw.Address)
-	sshconn, err := s.localdb.ContainerSSH(s.ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
+	sshconn, err := s.localdb.ContainerSSH(s.userctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 	c.Assert(err, check.IsNil)
 	c.Assert(sshconn.Conn, check.NotNil)
 	defer sshconn.Conn.Close()
@@ -245,33 +485,33 @@ func (s *ContainerGatewaySuite) TestConnect(c *check.C) {
 	case <-time.After(time.Second):
 		c.Fail()
 	}
-	ctr, err := s.localdb.ContainerGet(s.ctx, arvados.GetOptions{UUID: s.ctrUUID})
+	ctr, err := s.localdb.ContainerGet(s.userctx, arvados.GetOptions{UUID: s.ctrUUID})
 	c.Check(err, check.IsNil)
 	c.Check(ctr.InteractiveSessionStarted, check.Equals, true)
 }
 
 func (s *ContainerGatewaySuite) TestConnectFail(c *check.C) {
 	c.Log("trying with no token")
-	ctx := auth.NewContext(context.Background(), &auth.Credentials{})
+	ctx := ctrlctx.NewWithToken(s.ctx, s.cluster, "")
 	_, err := s.localdb.ContainerSSH(ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 	c.Check(err, check.ErrorMatches, `.* 401 .*`)
 
 	c.Log("trying with anonymous token")
-	ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.AnonymousToken}})
+	ctx = ctrlctx.NewWithToken(s.ctx, s.cluster, arvadostest.AnonymousToken)
 	_, err = s.localdb.ContainerSSH(ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 	c.Check(err, check.ErrorMatches, `.* 404 .*`)
 }
 
 func (s *ContainerGatewaySuite) TestCreateTunnel(c *check.C) {
 	// no AuthSecret
-	conn, err := s.localdb.ContainerGatewayTunnel(s.ctx, arvados.ContainerGatewayTunnelOptions{
+	conn, err := s.localdb.ContainerGatewayTunnel(s.userctx, arvados.ContainerGatewayTunnelOptions{
 		UUID: s.ctrUUID,
 	})
 	c.Check(err, check.ErrorMatches, `authentication error`)
 	c.Check(conn.Conn, check.IsNil)
 
 	// bogus AuthSecret
-	conn, err = s.localdb.ContainerGatewayTunnel(s.ctx, arvados.ContainerGatewayTunnelOptions{
+	conn, err = s.localdb.ContainerGatewayTunnel(s.userctx, arvados.ContainerGatewayTunnelOptions{
 		UUID:       s.ctrUUID,
 		AuthSecret: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
 	})
@@ -279,7 +519,7 @@ func (s *ContainerGatewaySuite) TestCreateTunnel(c *check.C) {
 	c.Check(conn.Conn, check.IsNil)
 
 	// good AuthSecret
-	conn, err = s.localdb.ContainerGatewayTunnel(s.ctx, arvados.ContainerGatewayTunnelOptions{
+	conn, err = s.localdb.ContainerGatewayTunnel(s.userctx, arvados.ContainerGatewayTunnelOptions{
 		UUID:       s.ctrUUID,
 		AuthSecret: s.gw.AuthSecret,
 	})
@@ -298,7 +538,7 @@ func (s *ContainerGatewaySuite) TestConnectThroughTunnelWithProxyOK(c *check.C)
 func (s *ContainerGatewaySuite) TestConnectThroughTunnelWithProxyError(c *check.C) {
 	forceProxyForTest = true
 	defer func() { forceProxyForTest = false }()
-	// forceInternalURLForTest shouldn't be used because it isn't
+	// forceInternalURLForTest will not be usable because it isn't
 	// listed in s.cluster.Services.Controller.InternalURLs
 	s.testConnectThroughTunnel(c, `.*tunnel endpoint is invalid.*`)
 }
@@ -307,8 +547,8 @@ func (s *ContainerGatewaySuite) TestConnectThroughTunnelNoProxyOK(c *check.C) {
 	s.testConnectThroughTunnel(c, "")
 }
 
-func (s *ContainerGatewaySuite) testConnectThroughTunnel(c *check.C, expectErrorMatch string) {
-	rootctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{s.cluster.SystemRootToken}})
+func (s *ContainerGatewaySuite) setupGatewayWithTunnel(c *check.C) *crunchrun.Gateway {
+	rootctx := ctrlctx.NewWithToken(s.ctx, s.cluster, s.cluster.SystemRootToken)
 	// Until the tunnel starts up, set gateway_address to a value
 	// that can't work. We want to ensure the only way we can
 	// reach the gateway is through the tunnel.
@@ -343,7 +583,7 @@ func (s *ContainerGatewaySuite) testConnectThroughTunnel(c *check.C, expectError
 	c.Assert(err, check.IsNil)
 
 	for deadline := time.Now().Add(5 * time.Second); time.Now().Before(deadline); time.Sleep(time.Second / 2) {
-		ctr, err := s.localdb.ContainerGet(s.ctx, arvados.GetOptions{UUID: s.ctrUUID})
+		ctr, err := s.localdb.ContainerGet(s.userctx, arvados.GetOptions{UUID: s.ctrUUID})
 		c.Assert(err, check.IsNil)
 		c.Check(ctr.InteractiveSessionStarted, check.Equals, false)
 		c.Logf("ctr.GatewayAddress == %s", ctr.GatewayAddress)
@@ -351,10 +591,14 @@ func (s *ContainerGatewaySuite) testConnectThroughTunnel(c *check.C, expectError
 			break
 		}
 	}
+	return tungw
+}
 
+func (s *ContainerGatewaySuite) testConnectThroughTunnel(c *check.C, expectErrorMatch string) {
+	s.setupGatewayWithTunnel(c)
 	c.Log("connecting to gateway through tunnel")
 	arpc := rpc.NewConn("", &url.URL{Scheme: "https", Host: s.gw.ArvadosClient.APIHost}, true, rpc.PassthroughTokenProvider)
-	sshconn, err := arpc.ContainerSSH(s.ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
+	sshconn, err := arpc.ContainerSSH(s.userctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
 	if expectErrorMatch != "" {
 		c.Check(err, check.ErrorMatches, expectErrorMatch)
 		return
@@ -389,7 +633,7 @@ func (s *ContainerGatewaySuite) testConnectThroughTunnel(c *check.C, expectError
 	case <-time.After(time.Second):
 		c.Fail()
 	}
-	ctr, err := s.localdb.ContainerGet(s.ctx, arvados.GetOptions{UUID: s.ctrUUID})
+	ctr, err := s.localdb.ContainerGet(s.userctx, arvados.GetOptions{UUID: s.ctrUUID})
 	c.Check(err, check.IsNil)
 	c.Check(ctr.InteractiveSessionStarted, check.Equals, true)
 }