class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
fixtures :all
- def setup
- @token = {}
- end
-
- def auth_with(name)
- @token = {api_token: api_client_authorizations(name).api_token}
- end
-
def v1_url(*parts)
(['arvados', 'v1'] + parts).join('/')
end
- def request_with_auth(method, path, params={})
- send(method, path, @token.merge(params))
- end
-
- def get_with_auth(*args)
- request_with_auth(:get_via_redirect, *args)
- end
-
- def post_with_auth(*args)
- request_with_auth(:post_via_redirect, *args)
- end
-
test "user list token can only list users" do
- auth_with :active_userlist
- get_with_auth v1_url('users')
+ get_args = [{}, auth(:active_userlist)]
+ get(v1_url('users'), *get_args)
assert_response :success
- get_with_auth v1_url('users', '') # Add trailing slash.
+ get(v1_url('users', ''), *get_args) # Add trailing slash.
assert_response :success
- get_with_auth v1_url('users', 'current')
+ get(v1_url('users', 'current'), *get_args)
assert_response 403
- get_with_auth v1_url('virtual_machines')
+ get(v1_url('virtual_machines'), *get_args)
assert_response 403
end
test "specimens token can see exactly owned specimens" do
- auth_with :active_specimens
- get_with_auth v1_url('specimens')
+ get_args = [{}, auth(:active_specimens)]
+ get(v1_url('specimens'), *get_args)
assert_response 403
- get_with_auth v1_url('specimens', specimens(:owned_by_active_user).uuid)
+ get(v1_url('specimens', specimens(:owned_by_active_user).uuid), *get_args)
assert_response :success
- get_with_auth v1_url('specimens', specimens(:owned_by_spectator).uuid)
+ get(v1_url('specimens', specimens(:owned_by_spectator).uuid), *get_args)
assert_includes(403..404, @response.status)
end
test "token with multiple scopes can use them all" do
def get_token_count
- get_with_auth v1_url('api_client_authorizations')
+ get(v1_url('api_client_authorizations'), {}, auth(:active_apitokens))
assert_response :success
token_count = JSON.parse(@response.body)['items_available']
assert_not_nil(token_count, "could not find token count")
token_count
end
- auth_with :active_apitokens
# Test the GET scope.
token_count = get_token_count
# Test the POST scope.
- post_with_auth(v1_url('api_client_authorizations'),
- api_client_authorization: {user_id: users(:active).id})
+ post(v1_url('api_client_authorizations'),
+ {api_client_authorization: {user_id: users(:active).id}},
+ auth(:active_apitokens))
assert_response :success
assert_equal(token_count + 1, get_token_count,
"token count suggests POST was not accepted")
# Test other requests are denied.
- get_with_auth v1_url('api_client_authorizations',
- api_client_authorizations(:active_apitokens).uuid)
+ get(v1_url('api_client_authorizations',
+ api_client_authorizations(:active_apitokens).uuid),
+ {}, auth(:active_apitokens))
assert_response 403
end
test "token without scope has no access" do
# Logs are good for this test, because logs have relatively
# few access controls enforced at the model level.
- auth_with :admin_noscope
- get_with_auth v1_url('logs')
+ req_args = [{}, auth(:admin_noscope)]
+ get(v1_url('logs'), *req_args)
assert_response 403
- get_with_auth v1_url('logs', logs(:log1).uuid)
+ get(v1_url('logs', logs(:log1).uuid), *req_args)
assert_response 403
- post_with_auth(v1_url('logs'), log: {})
+ post(v1_url('logs'), *req_args)
assert_response 403
end
def vm_logins_url(name)
v1_url('virtual_machines', virtual_machines(name).uuid, 'logins')
end
- auth_with :admin_vm
- get_with_auth vm_logins_url(:testvm)
+ get_args = [{}, auth(:admin_vm)]
+ get(vm_logins_url(:testvm), *get_args)
assert_response :success
- get_with_auth vm_logins_url(:testvm2)
- assert(@response.status >= 400, "getting testvm2 logins should have failed")
+ get(vm_logins_url(:testvm2), *get_args)
+ assert_includes(400..419, @response.status,
+ "getting testvm2 logins should have failed")
end
end
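Review bot: `assert_includes(400..419, @response.status, ...)` on the testvm2 request still passes for a 401, i.e. when the token is not recognised at all, so the assertion cannot tell "denied by scope" from "not authenticated", which is the property this test exists to show; the other denials in this file pin `assert_response 403`, or `403..404` where a hidden object may legitimately 404. Unless the `logins` route can answer 404 for a VM the token cannot see, `assert_response 403` is the stronger check; otherwise `assert_includes(403..404, @response.status, "getting testvm2 logins should have failed")` matches the specimens test above. If the 419 upper bound is deliberate (excluding 422 and anything above as non-authorization failures), a comment such as `# 4xx below 422 only: a 422 or 5xx here would be a bug, not a denied request` would spare the next reader the guess. Separately, the no-scope test now posts an empty body (`post(v1_url('logs'), *req_args)`) where the removed helper sent `log: {}`; `post(v1_url('logs'), {log: {}}, auth(:admin_noscope))` keeps the request shape the test used to exercise. The `test` block enclosing the vm_logins lines begins before the hunk's first visible line.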
require File.expand_path('../../config/environment', __FILE__)
require 'rails/test_help'
+module ArvadosTestSupport
+ def json_response
+ @json_response ||= ActiveSupport::JSON.decode @response.body
+ end
+
+ def api_token(api_client_auth_name)
+ api_client_authorizations(api_client_auth_name).api_token
+ end
+
+ def auth(api_client_auth_name)
+ {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(api_client_auth_name)}"}
+ end
+end
+
class ActiveSupport::TestCase
# Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
#
# -- they do not yet inherit this setting
fixtures :all
+ include ArvadosTestSupport
+
teardown do
Thread.current[:api_client_ip_address] = nil
Thread.current[:api_client_authorization] = nil
self.request.headers["Accept"] = "text/json"
end
- def json_response
- @json_response ||= ActiveSupport::JSON.decode @response.body
- end
-
def authorize_with(api_client_auth_name)
- self.request.env['HTTP_AUTHORIZATION'] = "OAuth2 #{api_client_authorizations(api_client_auth_name).api_token}"
+ self.request.env['HTTP_AUTHORIZATION'] = "OAuth2 #{api_token(api_client_auth_name)}"
end
-
- # Add more helper methods to be used by all tests here...
end
class ActionDispatch::IntegrationTest
-
teardown do
Thread.current[:api_client_ip_address] = nil
Thread.current[:api_client_authorization] = nil
Thread.current[:api_client] = nil
Thread.current[:user] = nil
end
-
- def auth auth_fixture
- {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(auth_fixture).api_token}"}
- end
end
# Ensure permissions are computed from the test fixtures.
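Review bot: `json_response` memoises the decoded body in `@json_response` for the life of the test instance, so a test that issues a second request and calls `json_response` again silently gets the first response's JSON back; moving it into `ArvadosTestSupport`, included in every `ActiveSupport::TestCase`, widens the number of tests that can hit this. Decoding is cheap in tests, so `ActiveSupport::JSON.decode @response.body` with no cache is the simplest fix, or key the cache on the body, `@json_response = ActiveSupport::JSON.decode(@response.body) unless @json_response_body.equal?(@response.body)` with `@json_response_body = @response.body`, if repeated decoding is a concern. A short comment on `auth` saying that it returns a rack-env style hash (`'HTTP_AUTHORIZATION'`) intended for the headers argument of an integration-test request, whereas `authorize_with` writes the same value straight into `request.env` for controller tests, would make the two helpers' roles clear to a reader of this file.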