X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e050037b111e354c53d607568829abb643987d9d..9f81dc57445cd51b92e34a82742765788c35620c:/services/api/test/unit/group_test.rb diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb index a5dc0ece84..d7a33a4515 100644 --- a/services/api/test/unit/group_test.rb +++ b/services/api/test/unit/group_test.rb @@ -3,8 +3,10 @@ # SPDX-License-Identifier: AGPL-3.0 require 'test_helper' +require 'fix_roles_projects' class GroupTest < ActiveSupport::TestCase + include DbCurrentTime test "cannot set owner_uuid to object with existing ownership cycle" do set_user_from_auth :active_trustedclient @@ -31,8 +33,8 @@ class GroupTest < ActiveSupport::TestCase test "cannot create a new ownership cycle" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") - g_bar = Group.create!(name: "bar") + g_foo = Group.create!(name: "foo", group_class: "project") + g_bar = Group.create!(name: "bar", group_class: "project") g_foo.owner_uuid = g_bar.uuid assert g_foo.save, lambda { g_foo.errors.messages } @@ -45,7 +47,7 @@ class GroupTest < ActiveSupport::TestCase test "cannot create a single-object ownership cycle" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") + g_foo = Group.create!(name: "foo", group_class: "project") assert g_foo.save # Ensure I have permission to manage this group even when its owner changes @@ -60,10 +62,47 @@ class GroupTest < ActiveSupport::TestCase assert g_foo.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/) end - test "delete group hides contents" do + test "cannot create a group that is not a 'role' or 'project' or 'filter'" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") + assert_raises(ActiveRecord::RecordInvalid) do + Group.create!(name: "foo") + end + + assert_raises(ActiveRecord::RecordInvalid) do + Group.create!(name: "foo", group_class: "") + end + + assert_raises(ActiveRecord::RecordInvalid) do + Group.create!(name: "foo", group_class: "bogus") + end + end + + test "cannot change group_class on an already created group" do + set_user_from_auth :active_trustedclient + g = Group.create!(name: "foo", group_class: "role") + assert_raises(ActiveRecord::RecordInvalid) do + g.update_attributes!(group_class: "project") + end + end + + test "role cannot own things" do + set_user_from_auth :active_trustedclient + role = Group.create!(name: "foo", group_class: "role") + assert_raises(ArvadosModel::PermissionDeniedError) do + Collection.create!(name: "bzzz123", owner_uuid: role.uuid) + end + + c = Collection.create!(name: "bzzz124") + assert_raises(ArvadosModel::PermissionDeniedError) do + c.update_attributes!(owner_uuid: role.uuid) + end + end + + test "trash group hides contents" do + set_user_from_auth :active_trustedclient + + g_foo = Group.create!(name: "foo", group_class: "project") col = Collection.create!(owner_uuid: g_foo.uuid) assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any? @@ -74,12 +113,12 @@ class GroupTest < ActiveSupport::TestCase assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any? end - test "delete group" do + test "trash group" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") - g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid) - g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid) + g_foo = Group.create!(name: "foo", group_class: "project") + g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project") + g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project") assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any? assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any? @@ -95,12 +134,12 @@ class GroupTest < ActiveSupport::TestCase end - test "delete subgroup" do + test "trash subgroup" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") - g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid) - g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid) + g_foo = Group.create!(name: "foo", group_class: "project") + g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project") + g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project") assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any? assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any? @@ -115,12 +154,12 @@ class GroupTest < ActiveSupport::TestCase assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any? end - test "delete subsubgroup" do + test "trash subsubgroup" do set_user_from_auth :active_trustedclient - g_foo = Group.create!(name: "foo") - g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid) - g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid) + g_foo = Group.create!(name: "foo", group_class: "project") + g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project") + g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project") assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any? assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any? @@ -133,7 +172,7 @@ class GroupTest < ActiveSupport::TestCase end - test "delete group propagates to subgroups" do + test "trash group propagates to subgroups" do set_user_from_auth :active_trustedclient g_foo = groups(:trashed_project) @@ -158,7 +197,7 @@ class GroupTest < ActiveSupport::TestCase assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any? assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any? - # this one should still be deleted. + # this one should still be trashed. assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty? g_baz.update! is_trashed: false @@ -168,7 +207,7 @@ class GroupTest < ActiveSupport::TestCase test "trashed does not propagate across permission links" do set_user_from_auth :admin - g_foo = Group.create!(name: "foo") + g_foo = Group.create!(name: "foo", group_class: "role") u_bar = User.create!(first_name: "bar") assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).any? @@ -189,4 +228,133 @@ class GroupTest < ActiveSupport::TestCase assert User.readable_by(users(:admin)).where(uuid: u_bar.uuid).any? end + test "move projects to trash in SweepTrashedObjects" do + p = groups(:trashed_on_next_sweep) + assert_empty Group.where('uuid=? and is_trashed=true', p.uuid) + SweepTrashedObjects.sweep_now + assert_not_empty Group.where('uuid=? and is_trashed=true', p.uuid) + end + + test "delete projects and their contents in SweepTrashedObjects" do + g_foo = groups(:trashed_project) + g_bar = groups(:trashed_subproject) + g_baz = groups(:trashed_subproject3) + col = collections(:collection_in_trashed_subproject) + job = jobs(:job_in_trashed_project) + cr = container_requests(:cr_in_trashed_project) + # Save how many objects were before the sweep + user_nr_was = User.all.length + coll_nr_was = Collection.all.length + group_nr_was = Group.where('group_class<>?', 'project').length + project_nr_was = Group.where(group_class: 'project').length + cr_nr_was = ContainerRequest.all.length + job_nr_was = Job.all.length + assert_not_empty Group.where(uuid: g_foo.uuid) + assert_not_empty Group.where(uuid: g_bar.uuid) + assert_not_empty Group.where(uuid: g_baz.uuid) + assert_not_empty Collection.where(uuid: col.uuid) + assert_not_empty Job.where(uuid: job.uuid) + assert_not_empty ContainerRequest.where(uuid: cr.uuid) + SweepTrashedObjects.sweep_now + assert_empty Group.where(uuid: g_foo.uuid) + assert_empty Group.where(uuid: g_bar.uuid) + assert_empty Group.where(uuid: g_baz.uuid) + assert_empty Collection.where(uuid: col.uuid) + assert_empty Job.where(uuid: job.uuid) + assert_empty ContainerRequest.where(uuid: cr.uuid) + # No unwanted deletions should have happened + assert_equal user_nr_was, User.all.length + assert_equal coll_nr_was-2, # collection_in_trashed_subproject + Collection.all.length # & deleted_on_next_sweep collections + assert_equal group_nr_was, Group.where('group_class<>?', 'project').length + assert_equal project_nr_was-3, Group.where(group_class: 'project').length + assert_equal cr_nr_was-1, ContainerRequest.all.length + assert_equal job_nr_was-1, Job.all.length + end + + test "project names must be displayable in a filesystem" do + set_user_from_auth :active + ["", "{SOLIDUS}"].each do |subst| + Rails.configuration.Collections.ForwardSlashNameSubstitution = subst + proj = Group.create group_class: "project" + role = Group.create group_class: "role" + filt = Group.create group_class: "filter" + [[nil, true], + ["", true], + [".", false], + ["..", false], + ["...", true], + ["..z..", true], + ["foo/bar", subst != ""], + ["../..", subst != ""], + ["/", subst != ""], + ].each do |name, valid| + role.name = name + assert_equal true, role.valid? + proj.name = name + assert_equal valid, proj.valid?, "#{name.inspect} should be #{valid ? "valid" : "invalid"}" + filt.name = name + assert_equal valid, filt.valid?, "#{name.inspect} should be #{valid ? "valid" : "invalid"}" + end + end + end + + def insert_group uuid, owner_uuid, name, group_class + q = ActiveRecord::Base.connection.exec_query %{ +insert into groups (uuid, owner_uuid, name, group_class, created_at, updated_at) + values ('#{uuid}', '#{owner_uuid}', + '#{name}', #{if group_class then "'"+group_class+"'" else 'NULL' end}, + statement_timestamp(), statement_timestamp()) +} + uuid + end + + test "migration to fix roles and projects" do + g1 = insert_group Group.generate_uuid, system_user_uuid, 'group with no class', nil + g2 = insert_group Group.generate_uuid, users(:active).uuid, 'role owned by a user', 'role' + + g3 = insert_group Group.generate_uuid, system_user_uuid, 'role that owns a project', 'role' + g4 = insert_group Group.generate_uuid, g3, 'the project', 'project' + + g5 = insert_group Group.generate_uuid, users(:active).uuid, 'a project with an outgoing permission link', 'project' + + g6 = insert_group Group.generate_uuid, system_user_uuid, 'name collision', 'role' + g7 = insert_group Group.generate_uuid, users(:active).uuid, 'name collision', 'role' + + g8 = insert_group Group.generate_uuid, users(:active).uuid, 'trashed with no class', nil + g8obj = Group.find_by_uuid(g8) + g8obj.trash_at = db_current_time + g8obj.delete_at = db_current_time + act_as_system_user do + g8obj.save!(validate: false) + end + + refresh_permissions + + act_as_system_user do + l1 = Link.create!(link_class: 'permission', name: 'can_manage', tail_uuid: g3, head_uuid: g4) + q = ActiveRecord::Base.connection.exec_query %{ +update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}' +} + refresh_permissions + end + + assert_equal nil, Group.find_by_uuid(g1).group_class + assert_equal nil, Group.find_by_uuid(g8).group_class + assert_equal users(:active).uuid, Group.find_by_uuid(g2).owner_uuid + assert_equal g3, Group.find_by_uuid(g4).owner_uuid + assert !Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any? + assert !Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any? + assert Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any? + + fix_roles_projects + + assert_equal 'role', Group.find_by_uuid(g1).group_class + assert_equal 'role', Group.find_by_uuid(g8).group_class + assert_equal system_user_uuid, Group.find_by_uuid(g2).owner_uuid + assert_equal system_user_uuid, Group.find_by_uuid(g4).owner_uuid + assert Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any? + assert Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any? + assert !Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any? + end end