authorSimon Vocella <voxsim@gmail.com>2016-12-27 17:26:57 +0100
committerTiago Botelho <tiagonbotelho@hotmail.com>2017-02-28 22:15:39 +0000
commit81246e5649a8fb9e73369cbd117505a546d7e807 (patch)
treefa51d0a0d504f25bf1151db6f115e3c8a4ec8ad4 /spec/requests/api/users_spec.rb
parent4c4810b35b3b1729865640382b4c7e593f8b876d (diff)
manage personal_access_tokens through api
Diffstat (limited to 'spec/requests/api/users_spec.rb')
-rw-r--r--spec/requests/api/users_spec.rb135
1 files changed, 135 insertions, 0 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index e5e4c84755f..5ed6adc09bc 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -10,6 +10,7 @@ describe API::Users, api: true do
let(:omniauth_user) { create(:omniauth_user) }
let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
+ let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 }
describe "GET /users" do
context "when unauthenticated" do
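Review bot: The new `let` has a stray space before the closing parenthesis in `(User.maximum('id') || 0 )`, which RuboCop's Layout/SpaceInsideParens will flag in this file; `let(:not_existing_user_id) { (User.maximum('id') || 0) + 10 }` is the intended form. Since this is a lazy `let`, it is evaluated at first reference, after any `let!` fixtures of the example have run, so the value is computed against the populated table — worth a one-line comment such as `# lazily evaluated: picks an id above every row created by let! fixtures`. The enclosing `describe API::Users` block starts outside this hunk.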
@@ -1155,4 +1156,138 @@ describe API::Users, api: true do
expect(json_response['message']).to eq('404 User Not Found')
end
end
+
+ describe 'GET /users/:user_id/personal_access_tokens' do
+ let!(:active_personal_access_token) { create(:personal_access_token, user: user) }
+ let!(:revoked_personal_access_token) { create(:revoked_personal_access_token, user: user) }
+ let!(:expired_personal_access_token) { create(:expired_personal_access_token, user: user) }
+
+ it 'returns a 404 error if user not found' do
+ get api("/users/#{not_existing_user_id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ get api("/users/#{not_existing_user_id}/personal_access_tokens", user)
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'returns an array of personal access tokens' do
+ get api("/users/#{user.id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response.size).to eq(3)
+ expect(json_response.detect do |personal_access_token|
+ personal_access_token['id'] == active_personal_access_token.id
+ end['token']).to eq(active_personal_access_token.token)
+ end
+
+ it 'returns an array of active personal access tokens if active is set to true' do
+ get api("/users/#{user.id}/personal_access_tokens?state=active", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response).to all(include('active' => true))
+ end
+
+ it 'returns an array of inactive personal access tokens if active is set to false' do
+ get api("/users/#{user.id}/personal_access_tokens?state=inactive", admin)
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ expect(json_response).to all(include('active' => false))
+ end
+ end
+
+ describe 'POST /users/:user_id/personal_access_tokens' do
+ let(:name) { 'my new pat' }
+ let(:expires_at) { '2016-12-28' }
+ let(:scopes) { ['api', 'read_user'] }
+
+ it 'returns validation error if personal access token miss some attributes' do
+ post api("/users/#{user.id}/personal_access_tokens", admin)
+
+ expect(response).to have_http_status(400)
+ expect(json_response['error']).to eq('name is missing')
+ end
+
+ it 'returns a 404 error if user not found' do
+ post api("/users/#{not_existing_user_id}/personal_access_tokens", admin),
+ name: name,
+ expires_at: expires_at
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ post api("/users/#{user.id}/personal_access_tokens", user),
+ name: name,
+ expires_at: expires_at
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'creates a personal access token' do
+ post api("/users/#{user.id}/personal_access_tokens", admin),
+ name: name,
+ expires_at: expires_at,
+ scopes: scopes
+
+ expect(response).to have_http_status(201)
+
+ personal_access_token_id = json_response['id']
+
+ expect(json_response['name']).to eq(name)
+ expect(json_response['scopes']).to eq(scopes)
+ expect(json_response['expires_at']).to eq(expires_at)
+ expect(json_response['id']).to be_present
+ expect(json_response['created_at']).to be_present
+ expect(json_response['active']).to eq(false)
+ expect(json_response['revoked']).to eq(false)
+ expect(json_response['token']).to be_present
+ expect(PersonalAccessToken.find(personal_access_token_id)).not_to eq(nil)
+ end
+ end
+
+ describe 'DELETE /users/:id/personal_access_tokens/:personal_access_token_id' do
+ let!(:personal_access_token) { create(:personal_access_token, user: user, revoked: false) }
+
+ it 'returns a 404 error if user not found' do
+ delete api("/users/#{not_existing_user_id}/personal_access_tokens/1", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+
+ it 'returns a 404 error if personal access token not found' do
+ delete api("/users/#{user.id}/personal_access_tokens/42", admin)
+
+ expect(response).to have_http_status(404)
+ expect(json_response['message']).to eq('404 PersonalAccessToken Not Found')
+ end
+
+ it 'returns a 403 error when authenticated as normal user' do
+ delete api("/users/#{user.id}/personal_access_tokens/#{personal_access_token.id}", user)
+
+ expect(response).to have_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden')
+ end
+
+ it 'revokes a personal access token' do
+ delete api("/users/#{user.id}/personal_access_tokens/#{personal_access_token.id}", admin)
+
+ expect(response).to have_http_status(200)
+ expect(personal_access_token.revoked).to eq(false)
+ expect(personal_access_token.reload.revoked).to eq(true)
+ expect(json_response['revoked']).to eq(true)
+ expect(json_response['token']).to be_present
+ end
+ end
end
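Review bot: The list and revoke examples assert that the API returns the raw secret of an existing token — `end['token']).to eq(active_personal_access_token.token)` in the GET example and `expect(json_response['token']).to be_present` in the DELETE example — which pins the endpoint to disclosing every user's live credential on read rather than only once at creation, turns an admin listing into a credential dump, and would block any later move to hashed token storage. I would invert those two assertions to `expect(json_response.first).not_to include('token')` and `expect(json_response).not_to include('token')`, keeping the `be_present` check only in the POST example where the token is issued. Separately, the `state=active` and `state=inactive` examples rely on `all(include('active' => ...))`, which passes vacuously on an empty array; with one active and two inactive fixtures created by `let!`, adding `expect(json_response.size).to eq(1)` and `expect(json_response.size).to eq(2)` respectively would actually exercise the filter. The POST example's `expect(json_response['active']).to eq(false)` appears to depend on the hard-coded `expires_at` of `'2016-12-28'` already being in the past at run time, so it is worth confirming that `active` is meant to be false here and, if so, using a relative date such as `1.day.ago.to_date.to_s` with an explicit comment. The enclosing `describe API::Users` block starts outside this hunk.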