X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e1e1a215d954c3337a969019da7f7becc8d14012..61ee61895a33008c70e5a294407cf55efc19622c:/services/api/test/integration/users_test.rb?ds=sidebyside diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb index 81168e15b7..ca14336389 100644 --- a/services/api/test/integration/users_test.rb +++ b/services/api/test/integration/users_test.rb @@ -40,7 +40,7 @@ class UsersTest < ActionDispatch::IntegrationTest verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', @@ -85,7 +85,7 @@ class UsersTest < ActionDispatch::IntegrationTest verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', @@ -113,7 +113,7 @@ class UsersTest < ActionDispatch::IntegrationTest # two new links: system_group, and 'All users' group. - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', @@ -135,7 +135,7 @@ class UsersTest < ActionDispatch::IntegrationTest assert_equal 'foo@example.com', created['email'], 'expected input email' # verify links - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', @@ -163,7 +163,7 @@ class UsersTest < ActionDispatch::IntegrationTest assert_equal created['email'], 'foo@example.com', 'expected original email' # verify links - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', @@ -187,7 +187,7 @@ class UsersTest < ActionDispatch::IntegrationTest # four extra links: system_group, login, group, repo and vm - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', @@ -203,6 +203,22 @@ class UsersTest < ActionDispatch::IntegrationTest ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token end + # share project and collections with the new user + act_as_system_user do + Link.create!(tail_uuid: created['uuid'], + head_uuid: groups(:aproject).uuid, + link_class: 'permission', + name: 'can_manage') + Link.create!(tail_uuid: created['uuid'], + head_uuid: collections(:collection_owned_by_active).uuid, + link_class: 'permission', + name: 'can_read') + Link.create!(tail_uuid: created['uuid'], + head_uuid: collections(:collection_owned_by_active_with_file_stats).uuid, + link_class: 'permission', + name: 'can_write') + end + assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found' post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin) @@ -213,6 +229,8 @@ class UsersTest < ActionDispatch::IntegrationTest assert_not_nil created2['uuid'], 'expected uuid for the newly created user' assert_equal created['uuid'], created2['uuid'], 'expected uuid not found' assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup' + # check permissions are deleted + assert_empty Link.where(tail_uuid: created['uuid']) verify_link_existence created['uuid'], created['email'], false, false, false, false, false end @@ -434,20 +452,26 @@ class UsersTest < ActionDispatch::IntegrationTest params: {}, headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) assert_response(:success) - user = json_response - assert_equal true, user['is_active'] + userJSON = json_response + assert_equal true, userJSON['is_active'] post("/arvados/v1/users/#{user['uuid']}/unsetup", params: {}, headers: auth(:admin)) assert_response :success + # Need to get a new token, the old one was invalidated by the unsetup call + act_as_system_user do + ap = ApiClientAuthorization.create!(user: user, api_client_id: 0) + token = ap.api_token + end + get("/arvados/v1/users/#{user['uuid']}", params: {}, headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"}) assert_response(:success) - user = json_response - assert_equal false, user['is_active'] + userJSON = json_response + assert_equal false, userJSON['is_active'] post("/arvados/v1/users/#{user['uuid']}/activate", params: {}, @@ -474,4 +498,60 @@ class UsersTest < ActionDispatch::IntegrationTest assert_response 403 end + test "disabling system root user not permitted" do + put("/arvados/v1/users/#{users(:system_user).uuid}", + params: { + user: {is_admin: false} + }, + headers: auth(:admin)) + assert_response 422 + + post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup", + params: {}, + headers: auth(:admin)) + assert_response 422 + end + + test "creating users only accepted for admins" do + assert_equal false, users(:active).is_admin + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "username" => "barney" + } + }, + headers: auth(:active) + assert_response 403 + end + + test "create users assigns the system root user as their owner" do + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "username" => "barney" + } + }, + headers: auth(:admin) + assert_response :success + assert_not_nil json_response["uuid"] + assert_equal users(:system_user).uuid, json_response["owner_uuid"] + end + + test "create users ignores provided owner_uuid field" do + assert_equal false, users(:admin).uuid == users(:system_user).uuid + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "owner_uuid" => users(:admin).uuid, + "username" => "barney" + } + }, + headers: auth(:admin) + assert_response :success + assert_not_nil json_response["uuid"] + assert_equal users(:system_user).uuid, json_response["owner_uuid"] + end end