Merge branch 'devel' into 1209-feature-add-jsdoc-linter

.gitlab/build/build_foxx_image.yml

@@ -22,6 +22,7 @@ build-foxx:
         - docker/**/*
         - scripts/**/*
         - core/database/**/*
+        - core/CMakeLists.txt
         - common/proto/**/*
         - .gitlab-ci.yml
         - CMakeLists.txt
@@ -43,6 +44,7 @@ retag-image:
         - docker/**/*
         - scripts/**/*
         - core/database/**/*
+        - core/CMakeLists.txt
         - common/proto/**/*
         - .gitlab-ci.yml
         - CMakeLists.txt

.gitlab/common.yml

@@ -287,7 +287,22 @@
   stage: log
   script:
     - BRANCH_LOWER=$(echo "$CI_COMMIT_REF_NAME" | tr '[:upper:]' '[:lower:]')
-    - docker logs $(docker ps -a --filter "ancestor=${REGISTRY}/${PROJECT}/${COMPONENT}-${BRANCH_LOWER}" --format "{{.Names}}")
+    - FULL_IMAGE_NAME="${REGISTRY}/${PROJECT}/${COMPONENT}-${BRANCH_LOWER}"
+    - echo "Full image name is $FULL_IMAGE_NAME"
+    - ANCESTOR_CONTAINERS=$(docker ps -a --filter "ancestor=${FULL_IMAGE_NAME}" --format "{{.Names}}") 
+    - echo "${ANCESTOR_CONTAINERS}"
+      # It is possible to return more than one container with the same ancestor
+      # for instance if two different branches have the exact same build but
+      # different names. Or one image was built on top of another and share the
+      # same base.
+    - MATCHING_CONTAINERS=$( echo "$ANCESTOR_CONTAINERS" | grep "${COMPONENT}-${BRANCH_LOWER}" || echo "")
+    - if [ -z "$MATCHING_CONTAINERS" ]; then
+        echo "No matching containers found for image ${FULL_IMAGE_NAME} and component ${COMPONENT}-${BRANCH_LOWER}";
+      else
+        echo "Getting log output for the following."
+        echo "$MATCHING_CONTAINERS"
+        docker logs $MATCHING_CONTAINERS;
+      fi
   rules:
     - when: always
 

.gitlab/end_to_end.yml

@@ -280,7 +280,7 @@ end-to-end-repo-setup:
 
 # Requires setting up Globus Connect Server, requires firewall exceptions on
 # the machine running this.
-# Note we need the certificates to be available on the gcs-authz container
+# Note we need the certificates to be available on the gcs container
 # if it is meant to be run on the same machine as the metadata services
 # because the Apache web server can then route traffic appropriately, if 
 # run separate from the metadata services it should not be needed.
@@ -312,13 +312,13 @@ end-to-end-gcs-authz-setup:
     - chown gitlab-runner "$HOST_LOG_FILE_PATH"
     - ./scripts/generate_datafed.sh
     - docker login "${REGISTRY}" -u "${HARBOR_USER}" -p "${HARBOR_DATAFED_GITLAB_CI_REGISTRY_TOKEN}"
-    - ./scripts/container_stop.sh -n "gcs-authz" -p
+    - ./scripts/container_stop.sh -n "${COMPONENT}" -p
     - random_string=$(bash -c "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w "10" | head -n 1")
     - cat $CI_DATAFED_CORE_PUB_KEY > /shared/datafed-repo-key.pub
     - cat $CI_DATAFED_CORE_PRIV_KEY > /shared/datafed-repo-key.priv
     - echo "#!/bin/bash" > run_globus.sh
     - echo "docker run -d \\" >> run_globus.sh
-    - echo "--name \"gcs-authz-${BRANCH_LOWER}-${CI_COMMIT_SHORT_SHA}-${random_string}\" \\" >> run_globus.sh
+    - echo "--name \"${COMPONENT}-${BRANCH_LOWER}-${CI_COMMIT_SHORT_SHA}-${random_string}\" \\" >> run_globus.sh
     - echo "--network host \\" >> run_globus.sh
     - echo "-e DATAFED_GLOBUS_APP_SECRET=\"$CI_DATAFED_GLOBUS_APP_SECRET\" \\" >> run_globus.sh
     - echo "-e DATAFED_GLOBUS_APP_ID=\"$CI_DATAFED_GLOBUS_APP_ID\" \\" >> run_globus.sh

.gitlab/stage_unit.yml

@@ -94,11 +94,11 @@ run-authz-unit-job:
     - chown gitlab-runner "$HOST_LOG_FILE_PATH"
     - ./scripts/generate_datafed.sh
     - docker login "${REGISTRY}" -u "${HARBOR_USER}" -p "${HARBOR_DATAFED_GITLAB_CI_REGISTRY_TOKEN}"
-    - ./scripts/container_stop.sh -n "gcs-authz" -p
+    - ./scripts/container_stop.sh -n "${COMPONENT}" -p
     - random_string=$(bash -c "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w "10" | head -n 1")
     - echo "#!/bin/bash" > run_globus.sh
     - echo "docker run \\" >> run_globus.sh
-    - echo "--name \"gcs-authz-${BRANCH_LOWER}-${CI_COMMIT_SHORT_SHA}-${random_string}\" \\" >> run_globus.sh
+    - echo "--name \"${COMPONENT}-${BRANCH_LOWER}-${CI_COMMIT_SHORT_SHA}-${random_string}\" \\" >> run_globus.sh
     - echo "--network host \\" >> run_globus.sh
     - echo "-e DATAFED_GLOBUS_APP_SECRET=\"$CI_DATAFED_GLOBUS_APP_SECRET\" \\" >> run_globus.sh
     - echo "-e DATAFED_GLOBUS_APP_ID=\"$CI_DATAFED_GLOBUS_APP_ID\" \\" >> run_globus.sh

CHANGELOG.md

@@ -7,6 +7,7 @@
 2. [918] - Add admin script for making a user an admin
 3. [1009] - Add collections to database for holding Globus tokens. 
 4. [1002] - Add backoff for task worker when database fails to prevent log overflow.
+5. [1109] - Add support for Globus token association to Globus collection and user.
 
 ## PATCH Bug fixes/Technical Debt/Documentation
 1. [984] - Fixes {server_default} from showing up in path.
@@ -27,6 +28,7 @@
 16. [1149] - Docker container GCS Collection Mount Bug Fix
 17. [1168] - Add authz unit testing to the CI
 18. [1200] - Add JavaScript linter (eslint) and (prettier) formatter for JavaScript
+19. [1180] - Refactor of authz foxx module, split into objects and added unit tests
 
 # v2024.6.17.10.40
 

core/database/CMakeLists.txt

@@ -13,11 +13,21 @@ configure_file(
 if( ENABLE_FOXX_TESTS )
   add_test(NAME foxx_setup COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_setup.sh")
   add_test(NAME foxx_teardown COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_teardown.sh")
+  add_test(NAME foxx_authz COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_authz")
+  add_test(NAME foxx_record COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_record")
+  add_test(NAME foxx_path COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_path")
+  add_test(NAME foxx_db_fixtures COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_fixture_setup.sh")
   add_test(NAME foxx_version COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_version")
   add_test(NAME foxx_support COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_support")
+  add_test(NAME foxx_user_router COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "user_router")
 
   set_tests_properties(foxx_setup PROPERTIES FIXTURES_SETUP Foxx)
   set_tests_properties(foxx_teardown PROPERTIES FIXTURES_CLEANUP Foxx)
+  set_tests_properties(foxx_db_fixtures PROPERTIES FIXTURES_SETUP FoxxDBFixtures FIXTURES_REQUIRED Foxx)
   set_tests_properties(foxx_version PROPERTIES FIXTURES_REQUIRED Foxx)
   set_tests_properties(foxx_support PROPERTIES FIXTURES_REQUIRED Foxx)
+  set_tests_properties(foxx_authz PROPERTIES FIXTURES_REQUIRED Foxx)
+  set_tests_properties(foxx_record PROPERTIES FIXTURES_REQUIRED Foxx)
+  set_tests_properties(foxx_path PROPERTIES FIXTURES_REQUIRED Foxx)
+  set_tests_properties(foxx_user_router PROPERTIES FIXTURES_REQUIRED "Foxx;FoxxDBFixtures")
 endif()

core/database/README.md

@@ -0,0 +1,44 @@
+# WARNING - Adding Tests
+
+Note The granularity of CMake is dependent on how they are defined in the CMakeLists.txt file. The tests are specified in
+CMake by passing a string that is matched against the chai test cases in the
+"it()" sections of the chai unit tests. Any test cases that match the pattern will run when that test is triggered.
+
+i.e.
+
+CMakeLists.txt line
+
+```
+add_test(NAME foxx_record COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/tests/test_foxx.sh" -t "unit_record")
+```
+
+This will pass "unit_record" as the pattern to be matched to the test_foxx.sh
+script. In turn, the test_foxx.sh script will call foxx test with
+"unit_record".  Tests are not matched based on the name of the test file they
+are matched based on the test cases. 
+
+i.e.
+
+Below is part of a test case that would be matched against the "unit_record" pattern.
+
+```
+
+describe('Record Class', () => {
+  it('unit_record: isPathConsistent should return false paths are inconsistent in new and old alloc.', () => {
+     :
+     :
+  });
+
+  
+  it('unit_record: isPathConsistent a different test case.', () => {
+     :
+     :
+  });
+});
+``` 
+
+Notice that 'unit_record' is explicitly mentioned in the test cases. In the above exerpt, both tests will run. If ctest were to be explicitly called we could run all unit_record tests with the following.
+
+```
+ctest -R foxx_record
+```

core/database/foxx/api/authz.js

@@ -0,0 +1,59 @@
+"use strict";
+
+const g_db = require("@arangodb").db;
+const path = require("path");
+const g_lib = require("./support");
+
+module.exports = (function () {
+    let obj = {};
+
+    /**
+     * @brief Will check to see if a client has the required permissions on a
+     * record.
+     *
+     * @param {string} a_data_key - A datafed key associated with a record. Is not prepended with 'd/'
+     * @param {obj} a_client - A user document, the user associated with the document is the one
+     * who we are verifying if they have permissions to on the data record.
+     *
+     * e.g.
+     *
+     * a_client id
+     *
+     * Client will contain the following information
+     * {
+     *   "_key" : "bob",
+     *   "_id" : "u/bob",
+     *   "name" : "bob junior ",
+     *   "name_first" : "bob",
+     *   "name_last" : "jones",
+     *   "is_admin" : true,
+     *   "max_coll" : 50,
+     *   "max_proj" : 10,
+     *   "max_sav_qry" : 20,
+     *   :
+     *   "email" : "bobjones@gmail.com"
+     * }
+     *
+     * @param - the permission type that is being checked i.e.
+     *
+     * PERM_CREATE
+     * PERM_WR_DATA
+     * PERM_RD_DATA
+     **/
+    obj.isRecordActionAuthorized = function (a_client, a_data_key, a_perm) {
+        const data_id = "d/" + a_data_key;
+        // If the user is not an admin of the object we will need
+        // to check if the user has the write authorization
+        if (g_lib.hasAdminPermObject(a_client, data_id)) {
+            return true;
+        }
+        let data = g_db.d.document(data_id);
+        // Grab the data item
+        if (g_lib.hasPermissions(a_client, data, a_perm)) {
+            return true;
+        }
+        return false;
+    };
+
+    return obj;
+})();