authorMayra Cabrera <mcabrera@gitlab.com>2018-04-05 22:02:13 -0500
committerMayra Cabrera <mcabrera@gitlab.com>2018-04-06 21:20:17 -0500
commitc4f56a88029c1fe73bf6efb062b5f77a65282fed (patch)
tree890a869e8ce06a5438b38c8e9dca9529362cc2f4 /spec/lib
parenta475411f4380ef4d0260940206e2553da3b2f3ee (diff)
Increase test suite around deploy tokens behavior
Also fixes broken specs
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/gitlab/auth_spec.rb90
-rw-r--r--spec/lib/gitlab/git_access_spec.rb49
-rw-r--r--spec/lib/gitlab/import_export/all_models.yml4
3 files changed, 97 insertions, 46 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 7be888d812f..e3ec707076a 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -195,7 +195,7 @@ describe Gitlab::Auth do
personal_access_token = create(:personal_access_token, scopes: ['read_registry'])
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [:read_project, :build_download_code, :build_read_container_image]))
+ expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [:build_read_container_image]))
end
end
@@ -262,25 +262,38 @@ describe Gitlab::Auth do
context 'when the deploy token has read_repository as scope' do
let(:deploy_token) { create(:deploy_token, read_registry: false, projects: [project]) }
+ let(:login) { deploy_token.username }
- it 'succeeds when project is present, token is valid and has read_repository as scope' do
- abilities = %i(download_code)
- auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, abilities)
+ it 'succeeds when login and token are valid' do
+ auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, [:download_code])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: login)
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_success)
end
+ it 'fails when login is not valid' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'random_login')
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+
+ it 'fails when token is not valid' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+
it 'fails if token is nil' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', nil, project: project, ip: 'ip'))
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, nil, project: project, ip: 'ip'))
.to eq(auth_failure)
end
it 'fails if token is not related to project' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', 'abcdef', project: project, ip: 'ip'))
+ another_deploy_token = create(:deploy_token)
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, another_deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure)
end
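Review bot: The 'fails if token is not related to project' example now pairs `login` (the first token's username) with `another_deploy_token.token`, so the failure may be caused by the username/token mismatch rather than by the missing project relation the name claims to test. Using the second token's own credentials isolates the project check: `expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: another_deploy_token.username)` and `expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, ip: 'ip'))`. Whether the `:deploy_token` factory attaches a project by default is not visible here; if it does not, creating a second project and passing `projects: [another_project]`, as the git_access_spec hunk in this commit does, keeps the example meaningful. The enclosing context continues outside the hunk.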
@@ -296,30 +309,42 @@ describe Gitlab::Auth do
context 'when the deploy token has read_registry as a scope' do
let(:deploy_token) { create(:deploy_token, read_repository: false, projects: [project]) }
+ let(:login) { deploy_token.username }
context 'when registry enabled' do
before do
stub_container_registry_config(enabled: true)
end
- it 'succeeds if deploy token does have read_registry as scope' do
- abilities = %i(read_project build_download_code build_read_container_image)
- auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, abilities)
+ it 'succeeds when login and token are valid' do
+ auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, [:build_read_container_image])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', deploy_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: login)
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, ip: 'ip'))
.to eq(auth_success)
end
+ it 'fails when login is not valid' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'random_login')
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+
+ it 'fails when token is not valid' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ .to eq(auth_failure)
+ end
+
it 'fails if token is nil' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', nil, project: nil, ip: 'ip'))
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, nil, project: nil, ip: 'ip'))
.to eq(auth_failure)
end
it 'fails if token is not related to project' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', 'abcdef', project: nil, ip: 'ip'))
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, ip: 'ip'))
.to eq(auth_failure)
end
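Review bot: With `login` now the real username, 'fails when token is not valid' (`'123123'`) and 'fails if token is not related to project' (`'abcdef'`, `project: nil`) exercise the same path, an unknown token string, so the second example no longer tests a project relation at all. The previous hunk in this file creates `another_deploy_token` for the equivalent case; mirroring that here, with a project the other token belongs to, would make the name accurate. Separately, 'fails when login is not valid' passes `project: project` while the sibling success example and the other failures in this context pass `project: nil`; presumably intentional, but worth aligning or noting in a comment. The enclosing context continues outside the hunk.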
@@ -338,30 +363,9 @@ describe Gitlab::Auth do
stub_container_registry_config(enabled: false)
end
- it 'fails if deploy token have read_registry as scope' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', deploy_token.token, project: nil, ip: 'ip'))
- .to eq(auth_failure)
- end
-
- it 'fails if token is nil' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', nil, project: nil, ip: 'ip'))
- .to eq(auth_failure)
- end
-
- it 'fails if token is not related to project' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', 'abcdef', project: nil, ip: 'ip'))
- .to eq(auth_failure)
- end
-
- it 'fails if token has been revoked' do
- deploy_token.revoke!
-
- expect(deploy_token.revoked?).to be_truthy
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'deploy-token')
- expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, ip: 'ip'))
+ it 'fails when login and token are valid' do
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, ip: 'ip'))
.to eq(auth_failure)
end
end
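Review bot: The removed 'fails if token has been revoked' example is not replaced in this hunk, so a revoked read_registry deploy token is no longer asserted to be rejected when the registry is disabled, and no other hunk in this commit adds a revocation case. Unless it is covered elsewhere (not visible here), a counterpart that calls `deploy_token.revoke!` and expects `auth_failure` should be kept, since revocation is the mechanism operators rely on to cut off a compromised token and deserves a pinned spec. Consider adding it under each scope context rather than only here. The enclosing describe continues outside the hunk.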
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 000e9e86813..6c625596605 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -147,21 +147,29 @@ describe Gitlab::GitAccess do
end
context 'when actor is DeployToken' do
- let(:project_deploy_token) { create(:project_deploy_token, project: project) }
- let(:actor) { project_deploy_token.deploy_token }
+ let(:actor) { create(:deploy_token, projects: [project]) }
context 'when DeployToken is active and belongs to project' do
it 'allows pull access' do
expect { pull_access_check }.not_to raise_error
end
+
+ it 'blocks the push' do
+ expect { push_access_check }.to raise_unauthorized(described_class::ERROR_MESSAGES[:upload])
+ end
end
context 'when DeployToken does not belong to project' do
- let(:actor) { create(:deploy_token) }
+ let(:another_project) { create(:project) }
+ let(:actor) { create(:deploy_token, projects: [another_project]) }
it 'blocks pull access' do
expect { pull_access_check }.to raise_not_found
end
+
+ it 'blocks the push' do
+ expect { push_access_check }.to raise_not_found
+ end
end
end
end
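Review bot: The context 'when DeployToken is active and belongs to project' gains a push check, but no sibling in this hunk covers a token that belongs to the project yet is not active, so the 'active' qualifier is not exercised by any negative case. The auth_spec hunk removed by this commit shows the model supports `deploy_token.revoke!`/`revoked?`, so a context such as 'when DeployToken is revoked' asserting `expect { pull_access_check }.to raise_not_found` is feasible; it may already exist outside the hunk. As a point of style, `raise_unauthorized(described_class::ERROR_MESSAGES[:upload])` pins the exact message while the neighbouring examples use bare `raise_not_found`; either is fine, but a consistent choice reads better.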
@@ -613,6 +621,41 @@ describe Gitlab::GitAccess do
end
end
+ describe 'deploy token permissions' do
+ let(:deploy_token) { create(:deploy_token) }
+ let(:actor) { deploy_token }
+
+ context 'pull code' do
+ context 'when project is authorized' do
+ before do
+ deploy_token.projects << project
+ end
+
+ it { expect { pull_access_check }.not_to raise_error }
+ end
+
+ context 'when unauthorized' do
+ context 'from public project' do
+ let(:project) { create(:project, :public, :repository) }
+
+ it { expect { pull_access_check }.not_to raise_error }
+ end
+
+ context 'from internal project' do
+ let(:project) { create(:project, :internal, :repository) }
+
+ it { expect { pull_access_check }.to raise_not_found }
+ end
+
+ context 'from private project' do
+ let(:project) { create(:project, :private, :repository) }
+
+ it { expect { pull_access_check }.to raise_not_found }
+ end
+ end
+ end
+ end
+
describe 'build authentication_abilities permissions' do
let(:authentication_abilities) { build_authentication_abilities }
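Review bot: The 'from public project' example asserts that a deploy token with no project association can pull, which reads like an authorization gap unless the reader knows public repositories are readable regardless of credentials; a comment such as `# public repositories are readable by anyone, so an unrelated token is treated like any other reader` on that example would make the intent explicit. The describe is named 'deploy token permissions' but only holds a 'pull code' context; a 'push code' sibling asserting `push_access_check` is rejected for each visibility would complete it, as the earlier hunk in this file already does for the project-scoped actor. Minor: `deploy_token.projects << project` in the `before` block differs from the `create(:deploy_token, projects: [project])` style used above. The following describe block continues outside the hunk.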
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index d38e665436f..897a5984782 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -145,6 +145,9 @@ pipeline_schedule:
- pipelines
pipeline_schedule_variables:
- pipeline_schedule
+deploy_tokens:
+- project_deploy_tokens
+- projects
deploy_keys:
- user
- deploy_keys_projects
@@ -281,6 +284,7 @@ project:
- project_badges
- source_of_merge_requests
- internal_ids
+- project_deploy_tokens
- deploy_tokens
award_emoji:
- awardable