author | Izaak Alpert <ihalpert@blackberry.com> | 2013-03-28 14:37:44 -0400 |
---|---|---|
committer | Izaak Alpert <ialpert@blackberry.com> | 2013-09-09 12:04:38 -0400 |
commit | e86e8818327059279247db3a451994c6a62ab161 (patch) | |
tree | 5af04da559f21450b9c12d575f0fefe4958937b8 /spec/requests/api | |
parent | 9ad5d9a4c6a3e292ddde7e46949f739eb63c746e (diff) | |
API: admin users can sudo commands as other users
-Specifying a SUDO header, or adding a :sudo parameter, containing either the user id or the username of the target user will set current_user to that user, provided the identifying private_token/PRIVATE_TOKEN belongs to an administrator.
Diffstat (limited to 'spec/requests/api')
-rw-r--r-- | spec/requests/api/api_helpers_spec.rb | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb
new file mode 100644
index 00000000000..de71deabb8e
--- /dev/null
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -0,0 +1,159 @@
+require 'spec_helper'
+
+describe Gitlab::API do
+ include Gitlab::APIHelpers
+ include ApiHelpers
+ let(:user) { create(:user) }
+ let(:admin) { create(:admin) }
+ let(:key) { create(:key, user: user) }
+
+ let(:params) { {} }
+ let(:env) { {} }
+
+ def set_env(token_usr, identifier)
+ clear_env
+ clear_param
+ env[Gitlab::APIHelpers::PRIVATE_TOKEN_HEADER] = token_usr.private_token
+ env[Gitlab::APIHelpers::SUDO_HEADER] = identifier
+ end
+
+
+ def set_param(token_usr, identifier)
+ clear_env
+ clear_param
+ params[Gitlab::APIHelpers::PRIVATE_TOKEN_PARAM] = token_usr.private_token
+ params[Gitlab::APIHelpers::SUDO_PARAM] = identifier
+ end
+
+
+ def clear_env
+ env.delete(Gitlab::APIHelpers::PRIVATE_TOKEN_HEADER)
+ env.delete(Gitlab::APIHelpers::SUDO_HEADER)
+ end
+
+ def clear_param
+ params.delete(Gitlab::APIHelpers::PRIVATE_TOKEN_PARAM)
+ params.delete(Gitlab::APIHelpers::SUDO_PARAM)
+ end
+
+ def error!(message, status)
+ raise Exception
+ end
+
+ describe ".current_user" do
+ it "should leave user as is when sudo not specified" do
+ env[Gitlab::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
+ current_user.should == user
+ clear_env
+ params[Gitlab::APIHelpers::PRIVATE_TOKEN_PARAM] = user.private_token
+ current_user.should == user
+ end
+
+ it "should change current user to sudo when admin" do
+ set_env(admin, user.id)
+ current_user.should == user
+ set_param(admin, user.id)
+ current_user.should == user
+ set_env(admin, user.username)
+ current_user.should == user
+ set_param(admin, user.username)
+ current_user.should == user
+ end
+
+ it "should throw an error when the current user is not an admin and attempting to sudo" do
+ set_env(user, admin.id)
+ expect { current_user }.to raise_error
+ set_param(user, admin.id)
+ expect { current_user }.to raise_error
+ set_env(user, admin.username)
+ expect { current_user }.to raise_error
+ set_param(user, admin.username)
+ expect { current_user }.to raise_error
+ end
+ it "should throw an error when the user cannot be found for a given id" do
+ id = user.id + admin.id
+ user.id.should_not == id
+ admin.id.should_not == id
+ set_env(admin, id)
+ expect { current_user }.to raise_error
+
+ set_param(admin, id)
+ expect { current_user }.to raise_error
+ end
+ it "should throw an error when the user cannot be found for a given username" do
+ username = "#{user.username}#{admin.username}"
+ user.username.should_not == username
+ admin.username.should_not == username
+ set_env(admin, username)
+ expect { current_user }.to raise_error
+
+ set_param(admin, username)
+ expect { current_user }.to raise_error
+ end
+ it "should handle sudo's to oneself" do
+ set_env(admin, admin.id)
+ current_user.should == admin
+ set_param(admin, admin.id)
+ current_user.should == admin
+ set_env(admin, admin.username)
+ current_user.should == admin
+ set_param(admin, admin.username)
+ current_user.should == admin
+ end
+
+ it "should handle multiple sudo's to oneself" do
+ set_env(admin, user.id)
+ current_user.should == user
+ current_user.should == user
+ set_env(admin, user.username)
+ current_user.should == user
+ current_user.should == user
+
+ set_param(admin, user.id)
+ current_user.should == user
+ current_user.should == user
+ set_param(admin, user.username)
+ current_user.should == user
+ current_user.should == user
+ end
+ it "should handle multiple sudo's to oneself using string ids" do
+ set_env(admin, user.id.to_s)
+ current_user.should == user
+ current_user.should == user
+
+ set_param(admin, user.id.to_s)
+ current_user.should == user
+ current_user.should == user
+ end
+ end
+
+ describe '.sudo_identifier' do
+ it "should return integers when input is an int" do
+ set_env(admin, '123')
+ sudo_identifier.should == 123
+ set_env(admin, '0001234567890')
+ sudo_identifier.should == 1234567890
+
+ set_param(admin, '123')
+ sudo_identifier.should == 123
+ set_param(admin, '0001234567890')
+ sudo_identifier.should == 1234567890
+ end
+
+ it "should return string when input is an is not an int" do
+ set_env(admin, '12.30')
+ sudo_identifier.should == "12.30"
+ set_env(admin, 'hello')
+ sudo_identifier.should == 'hello'
+ set_env(admin, ' 123')
+ sudo_identifier.should == ' 123'
+
+ set_param(admin, '12.30')
+ sudo_identifier.should == "12.30"
+ set_param(admin, 'hello')
+ sudo_identifier.should == 'hello'
+ set_param(admin, ' 123')
+ sudo_identifier.should == ' 123'
+ end
+ end
+end
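Review bot: The `error!` stub raises bare `Exception` and every negative example (the non-admin sudo example starting at `set_env(user, admin.id)` and both cannot-be-found examples) asserts only `raise_error` with no class, so the specs that guard the privilege boundary pass on any failure at all, including a NameError or NoMethodError from a broken `current_user`. Raising a spec-local error that records the status handed to `error!` and narrowing each assertion to `raise_error(ApiHelpersSpecError)` makes those examples fail when the helper breaks rather than denies; `raise Exception` should also go, since it would bypass any `rescue StandardError` the helper might have. The unused `let(:key)` can be dropped. The class name and `status` attribute below are a constructed suggestion.

```ruby
# Spec-local stand-in for the API error! helper; keeps the status so an
# example can assert on it instead of on "something was raised".
class ApiHelpersSpecError < StandardError
  attr_reader :status

  def initialize(message, status)
    super(message)
    @status = status
  end
end

def error!(message, status)
  raise ApiHelpersSpecError.new(message, status)
end

# … unchanged: .current_user examples, with each bare raise_error narrowed to …
expect { current_user }.to raise_error(ApiHelpersSpecError)
```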
\ No newline at end of file |