summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMayra Cabrera <mcabrera@gitlab.com>2019-07-17 20:08:59 +0000
committerMayra Cabrera <mcabrera@gitlab.com>2019-07-17 20:08:59 +0000
commit558f41ddb4cae44f386790b6f9fbefb757656b6e (patch)
tree5f69798cd77698eda58424f1ece5a3b412a54bc1
parenta0c78cadf22a0886ec96273a042692ea26e6596f (diff)
parent67b0c419be85639f246154c96f131a2c1b0622c5 (diff)
downloadgitlab-ce-558f41ddb4cae44f386790b6f9fbefb757656b6e.tar.gz
Merge branch '50228-add-test-for-deploy-token-username' into 'master'
Add tests for when deploy token usernames are not unique See merge request gitlab-org/gitlab-ce!30629
-rw-r--r--spec/lib/gitlab/auth_spec.rb64
1 files changed, 64 insertions, 0 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index d9c73cff01e..0403830f700 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -297,6 +297,70 @@ describe Gitlab::Auth do
let(:project) { create(:project) }
let(:auth_failure) { Gitlab::Auth::Result.new(nil, nil) }
+ context 'when deploy token and user have the same username' do
+ let(:username) { 'normal_user' }
+ let(:user) { create(:user, username: username, password: 'my-secret') }
+ let(:deploy_token) { create(:deploy_token, username: username, read_registry: false, projects: [project]) }
+
+ before do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: username)
+ end
+
+ it 'succeeds for the token' do
+ auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, [:download_code])
+
+ expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, ip: 'ip'))
+ .to eq(auth_success)
+ end
+
+ it 'succeeds for the user' do
+ auth_success = Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
+
+ expect(gl_auth.find_for_git_client(username, 'my-secret', project: project, ip: 'ip'))
+ .to eq(auth_success)
+ end
+ end
+
+ context 'when deploy tokens have the same username' do
+ context 'and belong to the same project' do
+ let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [project]) }
+ let!(:read_repository) { create(:deploy_token, username: read_registry.username, read_registry: false, projects: [project]) }
+
+ it 'succeeds for the right token' do
+ auth_success = Gitlab::Auth::Result.new(read_repository, project, :deploy_token, [:download_code])
+
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'deployer')
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, ip: 'ip'))
+ .to eq(auth_success)
+ end
+
+ it 'fails for the wrong token' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'deployer')
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+ end
+
+ context 'and belong to different projects' do
+ let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [create(:project)]) }
+ let!(:read_repository) { create(:deploy_token, username: read_registry.username, read_registry: false, projects: [project]) }
+
+ it 'succeeds for the right token' do
+ auth_success = Gitlab::Auth::Result.new(read_repository, project, :deploy_token, [:download_code])
+
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'deployer')
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, ip: 'ip'))
+ .to eq(auth_success)
+ end
+
+ it 'fails for the wrong token' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'deployer')
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+ end
+ end
+
context 'when the deploy token has read_repository as scope' do
let(:deploy_token) { create(:deploy_token, read_registry: false, projects: [project]) }
let(:login) { deploy_token.username }