Merge branch 'master' into feature/multi-level-container-registry-images

* master: (1327 commits)
  Merge branch 'render-json-leak' into 'security'
  Merge branch 'ssrf' into 'security'
  Merge branch 'ssrf' into 'security'
  Merge branch 'fix-links-target-blank' into 'security'
  Merge branch '28058-hide-emails-in-atom-feeds' into 'security'
  Fix karma test
  Reset filters after click
  Handle Route#name being nil after an update
  Only add frontend code coverage instrumentation when generating coverage report
  fix recompile assets step in 9.0 upgrade guide to use yarn
  Undo explicit conversion to Integer
  Make level_value accept string integers
  Make feature spec more robust
  Removed d3.js from the main application.js bundle
  Extend compound status for manual actions specs
  Update css to be nice and tidy.
  Fix pipeline status for transition between stages
  add an index to the ghost column
  Return 404 in project issues API endpoint when project cannot be found
  Improve rename projects migration
  ...

Conflicts:
	doc/ci/docker/using_docker_build.md
	spec/lib/gitlab/import_export/all_models.yml

1 files changed, 53 insertions, 7 deletions

diff --git a/spec/models/personal_access_token_spec.rb b/spec/models/personal_access_token_spec.rb
index 46eb71cef14..823623d96fa 100644
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
@@ -1,15 +1,61 @@
 require 'spec_helper'
 
 describe PersonalAccessToken, models: true do
-  describe ".generate" do
-    it "generates a random token" do
-      personal_access_token = PersonalAccessToken.generate({})
-      expect(personal_access_token.token).to be_present
+  describe '.build' do
+    let(:personal_access_token) { build(:personal_access_token) }
+    let(:invalid_personal_access_token) { build(:personal_access_token, :invalid) }
+
+    it 'is a valid personal access token' do
+      expect(personal_access_token).to be_valid
+    end
+
+    it 'ensures that the token is generated' do
+      invalid_personal_access_token.save!
+
+      expect(invalid_personal_access_token).to be_valid
+      expect(invalid_personal_access_token.token).not_to be_nil
     end
+  end
+
+  describe ".active?" do
+    let(:active_personal_access_token) { build(:personal_access_token) }
+    let(:revoked_personal_access_token) { build(:personal_access_token, :revoked) }
+    let(:expired_personal_access_token) { build(:personal_access_token, :expired) }
+
+    it "returns false if the personal_access_token is revoked" do
+      expect(revoked_personal_access_token).not_to be_active
+    end
+
+    it "returns false if the personal_access_token is expired" do
+      expect(expired_personal_access_token).not_to be_active
+    end
+
+    it "returns true if the personal_access_token is not revoked and not expired" do
+      expect(active_personal_access_token).to be_active
+    end
+  end
+
+  context "validations" do
+    let(:personal_access_token) { build(:personal_access_token) }
+
+    it "requires at least one scope" do
+      personal_access_token.scopes = []
+
+      expect(personal_access_token).not_to be_valid
+      expect(personal_access_token.errors[:scopes].first).to eq "can't be blank"
+    end
+
+    it "allows creating a token with API scopes" do
+      personal_access_token.scopes = [:api, :read_user]
+
+      expect(personal_access_token).to be_valid
+    end
+
+    it "rejects creating a token with non-API scopes" do
+      personal_access_token.scopes = [:openid, :api]
 
-    it "doesn't save the record" do
-      personal_access_token = PersonalAccessToken.generate({})
-      expect(personal_access_token).not_to be_persisted
+      expect(personal_access_token).not_to be_valid
+      expect(personal_access_token.errors[:scopes].first).to eq "can only contain API scopes"
     end
   end
 end