From e6a720d548ea851e5db9970f013456c8daeb35fc Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima <lucas@curoverse.com>
Date: Thu, 22 Jun 2017 13:27:25 -0300
Subject: [PATCH] 11557: Fixeg bug introduced on those cases when reusing a job
 from a different project, the user has no "manage" permissions on it to
 create a sharing link. Added a test to cover the case.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas@curoverse.com>
---
 sdk/cwl/arvados_cwl/arvjob.py | 20 ++++++++++++++------
 sdk/cwl/tests/test_job.py     |  8 ++++++++
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/sdk/cwl/arvados_cwl/arvjob.py b/sdk/cwl/arvados_cwl/arvjob.py
index ef9aba51da..ab063867ac 100644
--- a/sdk/cwl/arvados_cwl/arvjob.py
+++ b/sdk/cwl/arvados_cwl/arvjob.py
@@ -16,6 +16,7 @@ from schema_salad.sourceline import SourceLine
 import ruamel.yaml as yaml
 
 import arvados.collection
+from arvados.errors import ApiError
 
 from .arvdocker import arv_docker_get_image
 from .runner import Runner, arvados_jobs_image, packed_workflow, upload_workflow_collection, trim_anonymous_location
@@ -147,12 +148,19 @@ class ArvadosJob(object):
                 logger.info("%s reused job %s", self.arvrunner.label(self), response["uuid"])
                 # Give read permission to the desired project on reused jobs
                 if response["owner_uuid"] != self.arvrunner.project_uuid:
-                    self.arvrunner.api.links().create(body={
-                        'link_class': 'permission',
-                        'name': 'can_read',
-                        'tail_uuid': self.arvrunner.project_uuid,
-                        'head_uuid': response["uuid"],
-                        }).execute(num_retries=self.arvrunner.num_retries)
+                    try:
+                        self.arvrunner.api.links().create(body={
+                            'link_class': 'permission',
+                            'name': 'can_read',
+                            'tail_uuid': self.arvrunner.project_uuid,
+                            'head_uuid': response["uuid"],
+                            }).execute(num_retries=self.arvrunner.num_retries)
+                    except ApiError as e:
+                        # The user might not have "manage" access on the job: log
+                        # a message and continue.
+                        logger.info("Creating read permission on job %s: %s",
+                                    response["uuid"],
+                                    e)
 
                 with Perf(metrics, "done %s" % self.name):
                     self.done(response)
diff --git a/sdk/cwl/tests/test_job.py b/sdk/cwl/tests/test_job.py
index fa043baa42..a71d1d8e07 100644
--- a/sdk/cwl/tests/test_job.py
+++ b/sdk/cwl/tests/test_job.py
@@ -10,6 +10,7 @@ import StringIO
 import arvados
 import arvados_cwl
 import cwltool.process
+from arvados.errors import ApiError
 from schema_salad.ref_resolver import Loader
 from schema_salad.sourceline import cmap
 from .mock_discovery import get_rootDesc
@@ -92,6 +93,13 @@ class TestJob(unittest.TestCase):
                             "head_uuid": "zzzzz-819sb-yyyyyyyyyyyyyyy",
                         })
                     )
+                    # Simulate an API excepction when trying to create a
+                    # sharing link on the job
+                    runner.api.links().create.side_effect = ApiError(
+                        mock.MagicMock(return_value={'status': 403}),
+                        'Permission denied')
+                    j.run(enable_reuse=enable_reuse)
+                    j.output_callback.assert_called_with({}, 'success')
                 else:
                     assert not runner.api.links().create.called
 
-- 
2.30.2