X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f2c2cb93161f2a50c23e6e6ebbdf2bb879e05da2..a68ec8b7bed718acbbc55900e41847b1d319874c:/services/keep-web/handler_test.go

diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 92fea87a01..0f7d507879 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -366,6 +366,24 @@ func (s *IntegrationSuite) TestVhostPortMatch(c *check.C) {
 	}
 }
 
+func (s *IntegrationSuite) do(method string, urlstring string, token string, hdr http.Header) (*http.Request, *httptest.ResponseRecorder) {
+	u := mustParseURL(urlstring)
+	if hdr == nil && token != "" {
+		hdr = http.Header{"Authorization": {"Bearer " + token}}
+	} else if hdr == nil {
+		hdr = http.Header{}
+	} else if token != "" {
+		panic("must not pass both token and hdr")
+	}
+	return s.doReq(&http.Request{
+		Method:     method,
+		Host:       u.Host,
+		URL:        u,
+		RequestURI: u.RequestURI(),
+		Header:     hdr,
+	})
+}
+
 func (s *IntegrationSuite) doReq(req *http.Request) (*http.Request, *httptest.ResponseRecorder) {
 	resp := httptest.NewRecorder()
 	s.handler.ServeHTTP(resp, req)
@@ -391,7 +409,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenToCookie(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		arvadostest.FooCollection+".example.com/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
@@ -402,11 +420,31 @@ func (s *IntegrationSuite) TestSingleOriginSecretLink(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.ActiveToken+"/foo",
 		"",
+		nil,
 		"",
+		http.StatusOK,
+		"foo",
+	)
+}
+
+func (s *IntegrationSuite) TestCollectionSharingToken(c *check.C) {
+	s.testVhostRedirectTokenToCookie(c, "GET",
+		"example.com/c="+arvadostest.FooFileCollectionUUID+"/t="+arvadostest.FooFileCollectionSharingToken+"/foo",
+		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
 	)
+	// Same valid sharing token, but requesting a different collection
+	s.testVhostRedirectTokenToCookie(c, "GET",
+		"example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.FooFileCollectionSharingToken+"/foo",
+		"",
+		nil,
+		"",
+		http.StatusNotFound,
+		notFoundMessage+"\n",
+	)
 }
 
 // Bad token in URL is 404 Not Found because it doesn't make sense to
@@ -415,7 +453,7 @@ func (s *IntegrationSuite) TestSingleOriginSecretLinkBadToken(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.FooCollection+"/t=bogus/foo",
 		"",
-		"",
+		nil,
 		"",
 		http.StatusNotFound,
 		notFoundMessage+"\n",
@@ -423,13 +461,70 @@ func (s *IntegrationSuite) TestSingleOriginSecretLinkBadToken(c *check.C) {
 }
 
 // Bad token in a cookie (even if it got there via our own
-// query-string-to-cookie redirect) is, in principle, retryable at the
-// same URL so it's 401 Unauthorized.
+// query-string-to-cookie redirect) is, in principle, retryable via
+// wb2-login-and-redirect flow.
 func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) {
-	s.testVhostRedirectTokenToCookie(c, "GET",
+	// Inline
+	resp := s.testVhostRedirectTokenToCookie(c, "GET",
 		arvadostest.FooCollection+".example.com/foo",
 		"?api_token=thisisabogustoken",
+		http.Header{"Sec-Fetch-Mode": {"navigate"}},
 		"",
+		http.StatusSeeOther,
+		"",
+	)
+	u, err := url.Parse(resp.Header().Get("Location"))
+	c.Assert(err, check.IsNil)
+	c.Logf("redirected to %s", u)
+	c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+	c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+	c.Check(u.Query().Get("redirectToDownload"), check.Equals, "")
+
+	// Download/attachment indicated by ?disposition=attachment
+	resp = s.testVhostRedirectTokenToCookie(c, "GET",
+		arvadostest.FooCollection+".example.com/foo",
+		"?api_token=thisisabogustoken&disposition=attachment",
+		http.Header{"Sec-Fetch-Mode": {"navigate"}},
+		"",
+		http.StatusSeeOther,
+		"",
+	)
+	u, err = url.Parse(resp.Header().Get("Location"))
+	c.Assert(err, check.IsNil)
+	c.Logf("redirected to %s", u)
+	c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+	c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
+	c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+
+	// Download/attachment indicated by vhost
+	resp = s.testVhostRedirectTokenToCookie(c, "GET",
+		s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
+		"?api_token=thisisabogustoken",
+		http.Header{"Sec-Fetch-Mode": {"navigate"}},
+		"",
+		http.StatusSeeOther,
+		"",
+	)
+	u, err = url.Parse(resp.Header().Get("Location"))
+	c.Assert(err, check.IsNil)
+	c.Logf("redirected to %s", u)
+	c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+	c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
+	c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+
+	// Without "Sec-Fetch-Mode: navigate" header, just 401.
+	s.testVhostRedirectTokenToCookie(c, "GET",
+		s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
+		"?api_token=thisisabogustoken",
+		http.Header{"Sec-Fetch-Mode": {"cors"}},
+		"",
+		http.StatusUnauthorized,
+		unauthorizedMessage+"\n",
+	)
+	s.testVhostRedirectTokenToCookie(c, "GET",
+		s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
+		"?api_token=thisisabogustoken",
+		nil,
 		"",
 		http.StatusUnauthorized,
 		unauthorizedMessage+"\n",
@@ -440,7 +535,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.FooCollection+"/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusBadRequest,
 		"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
@@ -454,7 +549,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenRequestAttachment(c *check
 	resp := s.testVhostRedirectTokenToCookie(c, "GET",
 		arvadostest.FooCollection+".example.com/foo",
 		"?disposition=attachment&api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
@@ -467,7 +562,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenSiteFS(c *check.C) {
 	resp := s.testVhostRedirectTokenToCookie(c, "GET",
 		"download.example.com/by_id/"+arvadostest.FooCollection+"/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
@@ -480,7 +575,7 @@ func (s *IntegrationSuite) TestPastCollectionVersionFileAccess(c *check.C) {
 	resp := s.testVhostRedirectTokenToCookie(c, "GET",
 		"download.example.com/c="+arvadostest.WazVersion1Collection+"/waz",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"waz",
@@ -489,7 +584,7 @@ func (s *IntegrationSuite) TestPastCollectionVersionFileAccess(c *check.C) {
 	resp = s.testVhostRedirectTokenToCookie(c, "GET",
 		"download.example.com/by_id/"+arvadostest.WazVersion1Collection+"/waz",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"waz",
@@ -502,7 +597,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenTrustAllContent(c *check.C
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.FooCollection+"/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
@@ -515,7 +610,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *chec
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.FooCollection+"/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusBadRequest,
 		"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
@@ -524,7 +619,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *chec
 	resp := s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com:1234/c="+arvadostest.FooCollection+"/foo",
 		"?api_token="+arvadostest.ActiveToken,
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"foo",
@@ -536,7 +631,7 @@ func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "POST",
 		arvadostest.FooCollection+".example.com/foo",
 		"",
-		"application/x-www-form-urlencoded",
+		http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
 		url.Values{"api_token": {arvadostest.ActiveToken}}.Encode(),
 		http.StatusOK,
 		"foo",
@@ -547,7 +642,7 @@ func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie404(c *check.C)
 	s.testVhostRedirectTokenToCookie(c, "POST",
 		arvadostest.FooCollection+".example.com/foo",
 		"",
-		"application/x-www-form-urlencoded",
+		http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
 		url.Values{"api_token": {arvadostest.SpectatorToken}}.Encode(),
 		http.StatusNotFound,
 		notFoundMessage+"\n",
@@ -559,7 +654,7 @@ func (s *IntegrationSuite) TestAnonymousTokenOK(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
 		"",
-		"",
+		nil,
 		"",
 		http.StatusOK,
 		"Hello world\n",
@@ -571,7 +666,7 @@ func (s *IntegrationSuite) TestAnonymousTokenError(c *check.C) {
 	s.testVhostRedirectTokenToCookie(c, "GET",
 		"example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
 		"",
-		"",
+		nil,
 		"",
 		http.StatusNotFound,
 		notFoundMessage+"\n",
@@ -711,14 +806,18 @@ func (s *IntegrationSuite) TestXHRNoRedirect(c *check.C) {
 	c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
 }
 
-func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString, contentType, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder {
+func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString string, reqHeader http.Header, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder {
+	if reqHeader == nil {
+		reqHeader = http.Header{}
+	}
 	u, _ := url.Parse(`http://` + hostPath + queryString)
+	c.Logf("requesting %s", u)
 	req := &http.Request{
 		Method:     method,
 		Host:       u.Host,
 		URL:        u,
 		RequestURI: u.RequestURI(),
-		Header:     http.Header{"Content-Type": {contentType}},
+		Header:     reqHeader,
 		Body:       ioutil.NopCloser(strings.NewReader(reqBody)),
 	}
 
@@ -733,15 +832,18 @@ func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, ho
 		return resp
 	}
 	c.Check(resp.Body.String(), check.Matches, `.*href="http://`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
+	c.Check(strings.Split(resp.Header().Get("Location"), "?")[0], check.Equals, "http://"+hostPath)
 	cookies := (&http.Response{Header: resp.Header()}).Cookies()
 
-	u, _ = u.Parse(resp.Header().Get("Location"))
+	u, err := u.Parse(resp.Header().Get("Location"))
+	c.Assert(err, check.IsNil)
+	c.Logf("following redirect to %s", u)
 	req = &http.Request{
 		Method:     "GET",
 		Host:       u.Host,
 		URL:        u,
 		RequestURI: u.RequestURI(),
-		Header:     http.Header{},
+		Header:     reqHeader,
 	}
 	for _, c := range cookies {
 		req.AddCookie(c)
@@ -749,7 +851,10 @@ func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, ho
 
 	resp = httptest.NewRecorder()
 	s.handler.ServeHTTP(resp, req)
-	c.Check(resp.Header().Get("Location"), check.Equals, "")
+
+	if resp.Code != http.StatusSeeOther {
+		c.Check(resp.Header().Get("Location"), check.Equals, "")
+	}
 	return resp
 }
 
@@ -1178,7 +1283,7 @@ func copyHeader(h http.Header) http.Header {
 }
 
 func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, req *http.Request,
-	successCode int, direction string, perm bool, userUuid string, collectionUuid string, filepath string) {
+	successCode int, direction string, perm bool, userUuid, collectionUuid, collectionPDH, filepath string) {
 
 	client := arvados.NewClientFromEnv()
 	client.AuthToken = arvadostest.AdminToken
@@ -1191,6 +1296,7 @@ func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, req *http.Requ
 	c.Check(err, check.IsNil)
 	c.Check(logentries.Items, check.HasLen, 1)
 	lastLogId := logentries.Items[0].ID
+	c.Logf("lastLogId: %d", lastLogId)
 
 	var logbuf bytes.Buffer
 	logger := logrus.New()
@@ -1207,6 +1313,7 @@ func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, req *http.Requ
 		deadline := time.Now().Add(time.Second)
 		for {
 			c.Assert(time.Now().After(deadline), check.Equals, false, check.Commentf("timed out waiting for log entry"))
+			logentries = arvados.LogList{}
 			err = client.RequestAndDecode(&logentries, "GET", "arvados/v1/logs", nil,
 				arvados.ResourceListParams{
 					Filters: []arvados.Filter{
@@ -1221,6 +1328,7 @@ func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, req *http.Requ
 				logentries.Items[0].ID > lastLogId &&
 				logentries.Items[0].ObjectUUID == userUuid &&
 				logentries.Items[0].Properties["collection_uuid"] == collectionUuid &&
+				(collectionPDH == "" || logentries.Items[0].Properties["portable_data_hash"] == collectionPDH) &&
 				logentries.Items[0].Properties["collection_file_path"] == filepath {
 				break
 			}
@@ -1254,7 +1362,7 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 				},
 			}
 			s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", adminperm,
-				arvadostest.AdminUserUUID, arvadostest.FooCollection, "foo")
+				arvadostest.AdminUserUUID, arvadostest.FooCollection, arvadostest.FooCollectionPDH, "foo")
 
 			// Test user permission
 			req = &http.Request{
@@ -1267,7 +1375,7 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 				},
 			}
 			s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", userperm,
-				arvadostest.ActiveUserUUID, arvadostest.FooCollection, "foo")
+				arvadostest.ActiveUserUUID, arvadostest.FooCollection, arvadostest.FooCollectionPDH, "foo")
 		}
 	}
 
@@ -1287,7 +1395,7 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 			},
 		}
 		s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", true,
-			arvadostest.ActiveUserUUID, arvadostest.MultilevelCollection1, "dir1/subdir/file1")
+			arvadostest.ActiveUserUUID, arvadostest.MultilevelCollection1, arvadostest.MultilevelCollection1PDH, "dir1/subdir/file1")
 	}
 
 	u = mustParseURL("http://" + strings.Replace(arvadostest.FooCollectionPDH, "+", "-", 1) + ".keep-web.example/foo")
@@ -1301,7 +1409,7 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 		},
 	}
 	s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", true,
-		arvadostest.ActiveUserUUID, arvadostest.FooCollection, "foo")
+		arvadostest.ActiveUserUUID, "", arvadostest.FooCollectionPDH, "foo")
 }
 
 func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
@@ -1341,7 +1449,7 @@ func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
 				Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
 			}
 			s.checkUploadDownloadRequest(c, req, http.StatusCreated, "upload", adminperm,
-				arvadostest.AdminUserUUID, coll.UUID, "bar")
+				arvadostest.AdminUserUUID, coll.UUID, "", "bar")
 
 			// Test user permission
 			req = &http.Request{
@@ -1355,7 +1463,7 @@ func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
 				Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
 			}
 			s.checkUploadDownloadRequest(c, req, http.StatusCreated, "upload", userperm,
-				arvadostest.ActiveUserUUID, coll.UUID, "bar")
+				arvadostest.ActiveUserUUID, coll.UUID, "", "bar")
 		}
 	}
 }