author | Simon Vocella <voxsim@gmail.com> | 2016-12-27 17:26:57 +0100 |
---|---|---|
committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2017-02-28 22:15:39 +0000 |
commit | 81246e5649a8fb9e73369cbd117505a546d7e807 (patch) | |
tree | fa51d0a0d504f25bf1151db6f115e3c8a4ec8ad4 /spec/requests/api/users_spec.rb | |
parent | 4c4810b35b3b1729865640382b4c7e593f8b876d (diff) | |
download | gitlab-ce-81246e5649a8fb9e73369cbd117505a546d7e807.tar.gz |
manage personal_access_tokens through api
Diffstat (limited to 'spec/requests/api/users_spec.rb')
-rw-r--r-- | spec/requests/api/users_spec.rb | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index e5e4c84755f..5ed6adc09bc 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -10,6 +10,7 @@ describe API::Users, api: true do
 let(:omniauth_user) { create(:omniauth_user) }
 let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
 let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
+ let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 }
 describe "GET /users" do
 context "when unauthenticated" do
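Review bot: The new `let(:not_existing_user_id)` has a stray space before the closing paren in `(User.maximum('id') || 0 )`, which RuboCop's Layout/SpaceInsideParens will flag; write it as `let(:not_existing_user_id) { (User.maximum('id') || 0) + 10 }`. Because `let` is lazy, the id is computed inside each example, so the `+ 10` offset is safe as long as no example creates ten users between evaluation and the request. The enclosing `describe API::Users` block starts outside the hunk.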
@@ -1155,4 +1156,138 @@ describe API::Users, api: true do
 expect(json_response['message']).to eq('404 User Not Found')
 end
 end
+
+ describe 'GET /users/:user_id/personal_access_tokens' do
+ let!(:active_personal_access_token) { create(:personal_access_token, user: user) }
+ let!(:revoked_personal_access_token) { create(:revoked_personal_access_token, user: user) }
+ let!(:expired_personal_access_token) { create(:expired_personal_access_token, user: user) }
+
+ it 'returns a 404 error if user not found' do
+ get api("/users/#{not_existing_user_id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ get api("/users/#{not_existing_user_id}/personal_access_tokens", user)
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'returns an array of personal access tokens' do
+ get api("/users/#{user.id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response.size).to eq(3)
+ expect(json_response.detect do |personal_access_token|
+ personal_access_token['id'] == active_personal_access_token.id
+ end['token']).to eq(active_personal_access_token.token)
+ end
+
+ it 'returns an array of active personal access tokens if active is set to true' do
+ get api("/users/#{user.id}/personal_access_tokens?state=active", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response).to all(include('active' => true))
+ end
+
+ it 'returns an array of inactive personal access tokens if active is set to false' do
+ get api("/users/#{user.id}/personal_access_tokens?state=inactive", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response).to all(include('active' => false))
+ end
+ end
+
+ describe 'POST /users/:user_id/personal_access_tokens' do
+ let(:name) { 'my new pat' }
+ let(:expires_at) { '2016-12-28' }
+ let(:scopes) { ['api', 'read_user'] }
+
+ it 'returns validation error if personal access token miss some attributes' do
+ post api("/users/#{user.id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(400)
+ expect(json_response['error']).to eq('name is missing')
+ end
+
+ it 'returns a 404 error if user not found' do
+ post api("/users/#{not_existing_user_id}/personal_access_tokens", admin),
+ name: name,
+ expires_at: expires_at
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ post api("/users/#{user.id}/personal_access_tokens", user),
+ name: name,
+ expires_at: expires_at
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'creates a personal access token' do
+ post api("/users/#{user.id}/personal_access_tokens", admin),
+ name: name,
+ expires_at: expires_at,
+ scopes: scopes
+
+ expect(response).to have_http_status(201)
+
+ personal_access_token_id = json_response['id']
+
+ expect(json_response['name']).to eq(name)
+ expect(json_response['scopes']).to eq(scopes)
+ expect(json_response['expires_at']).to eq(expires_at)
+ expect(json_response['id']).to be_present
+ expect(json_response['created_at']).to be_present
+ expect(json_response['active']).to eq(false)
+ expect(json_response['revoked']).to eq(false)
+ expect(json_response['token']).to be_present
+ expect(PersonalAccessToken.find(personal_access_token_id)).not_to eq(nil)
+ end
+ end
+
+ describe 'DELETE /users/:id/personal_access_tokens/:personal_access_token_id' do
+ let!(:personal_access_token) { create(:personal_access_token, user: user, revoked: false) }
+
+ it 'returns a 404 error if user not found' do
+ delete api("/users/#{not_existing_user_id}/personal_access_tokens/1", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 404 error if personal access token not found' do
+ delete api("/users/#{user.id}/personal_access_tokens/42", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 PersonalAccessToken Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ delete api("/users/#{user.id}/personal_access_tokens/#{personal_access_token.id}", user)
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'revokes a personal access token' do
+ delete api("/users/#{user.id}/personal_access_tokens/#{personal_access_token.id}", admin)
+
+ expect(response).to have_http_status(200)
+ expect(personal_access_token.revoked).to eq(false)
+ expect(personal_access_token.reload.revoked).to eq(true)
+ expect(json_response['revoked']).to eq(true)
+ expect(json_response['token']).to be_present
+ end
+ end
 end
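Review bot: The listing and revoke examples pin the API to returning the raw secret of tokens that already exist — `end['token']).to eq(active_personal_access_token.token)` in 'returns an array of personal access tokens' and `expect(json_response['token']).to be_present` in 'revokes a personal access token' — so every admin read of GET /users/:user_id/personal_access_tokens, and every logged revoke response, hands out live credentials; only the 201 from POST should carry the token. I would invert those two assertions to `expect(json_response.first).not_to have_key('token')` and `expect(json_response).not_to have_key('token')` and have the entity serialize the token only on creation. The DELETE examples also never check that `:personal_access_token_id` is scoped to `:user_id`: a token created for a second user and deleted through `user.id`'s path should return 404 rather than be revoked, and the hard-coded `/42` in the not-found example can collide with a real id once the sequence advances, so `PersonalAccessToken.maximum(:id).to_i + 1` would be safer. Finally, `let(:expires_at) { '2016-12-28' }` makes `expect(json_response['active']).to eq(false)` depend on the wall clock; a relative date such as `1.day.from_now.to_date.to_s` with the matching `active` expectation keeps it stable. The enclosing `describe API::Users` block starts outside the hunk.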