summaryrefslogtreecommitdiff
path: root/spec/requests
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-01-10 20:36:29 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-01-10 20:36:29 +0000
commit1eef146c2d1de19d4e995d421e5787053e50db80 (patch)
tree2761efabea712248557826977a849e31e3fdb961 /spec/requests
parent661d663ab2b7c69977ba8a0db02ef4afc2427e39 (diff)
downloadgitlab-ce-1eef146c2d1de19d4e995d421e5787053e50db80.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/graphql_spec.rb28
-rw-r--r--spec/requests/dashboard/projects_controller_spec.rb11
-rw-r--r--spec/requests/dashboard_controller_spec.rb15
-rw-r--r--spec/requests/groups_controller_spec.rb51
-rw-r--r--spec/requests/projects/commits_controller_spec.rb27
-rw-r--r--spec/requests/projects/issues_controller_spec.rb42
-rw-r--r--spec/requests/projects/merge_requests_controller_spec.rb27
-rw-r--r--spec/requests/projects/tags_controller_spec.rb27
-rw-r--r--spec/requests/projects_controller_spec.rb27
-rw-r--r--spec/requests/users_controller_spec.rb6
10 files changed, 253 insertions, 8 deletions
diff --git a/spec/requests/api/graphql_spec.rb b/spec/requests/api/graphql_spec.rb
index b8f7af29a9f..da0c87fcefe 100644
--- a/spec/requests/api/graphql_spec.rb
+++ b/spec/requests/api/graphql_spec.rb
@@ -253,7 +253,7 @@ RSpec.describe 'GraphQL' do
end
context 'with token authentication' do
- let(:token) { create(:personal_access_token) }
+ let(:token) { create(:personal_access_token, user: user) }
it 'authenticates users with a PAT' do
stub_authentication_activity_metrics(debug: false)
@@ -276,6 +276,32 @@ RSpec.describe 'GraphQL' do
expect(graphql_errors).to include({ 'message' => /API not accessible/ })
end
+ context 'when user with expired password' do
+ let_it_be(:user) { create(:user, password_expires_at: 2.minutes.ago) }
+
+ it 'does not authenticate user' do
+ post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+ expect(response).to have_gitlab_http_status(:ok)
+
+ expect(graphql_data['echo']).to eq('nil says: Hello world')
+ end
+ end
+
+ context 'when password expiration is not applicable' do
+ context 'when ldap user' do
+ let_it_be(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
+
+ it 'authenticates user' do
+ post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+ expect(response).to have_gitlab_http_status(:ok)
+
+ expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
+ end
+ end
+ end
+
context 'when the personal access token has no api scope' do
it 'does not log the user in' do
token.update!(scopes: [:read_user])
diff --git a/spec/requests/dashboard/projects_controller_spec.rb b/spec/requests/dashboard/projects_controller_spec.rb
new file mode 100644
index 00000000000..4cd3b6c4f9e
--- /dev/null
+++ b/spec/requests/dashboard/projects_controller_spec.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Dashboard::ProjectsController do
+ context 'token authentication' do
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false do
+ let(:url) { dashboard_projects_url(:atom) }
+ end
+ end
+end
diff --git a/spec/requests/dashboard_controller_spec.rb b/spec/requests/dashboard_controller_spec.rb
new file mode 100644
index 00000000000..62655d720c5
--- /dev/null
+++ b/spec/requests/dashboard_controller_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe DashboardController do
+ context 'token authentication' do
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: false do
+ let(:url) { issues_dashboard_url(:atom, assignee_username: user.username) }
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: false do
+ let(:url) { issues_dashboard_url(:ics, assignee_username: user.username) }
+ end
+ end
+end
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
new file mode 100644
index 00000000000..422c108f2ad
--- /dev/null
+++ b/spec/requests/groups_controller_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GroupsController do
+ context 'token authentication' do
+ context 'when public group' do
+ let_it_be(:public_group) { create(:group, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+ let(:url) { group_path(public_group, format: :atom) }
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: true do
+ let(:url) { issues_group_path(public_group, format: :atom) }
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: true do
+ let(:url) { issues_group_calendar_url(public_group, format: :ics) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_group) { create(:group, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+ let(:url) { group_path(private_group, format: :atom) }
+
+ before do
+ private_group.add_maintainer(user)
+ end
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: false, ignore_metrics: true do
+ let(:url) { issues_group_path(private_group, format: :atom) }
+
+ before do
+ private_group.add_maintainer(user)
+ end
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: false, ignore_metrics: true do
+ let(:url) { issues_group_calendar_url(private_group, format: :ics) }
+
+ before do
+ private_group.add_maintainer(user)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/requests/projects/commits_controller_spec.rb b/spec/requests/projects/commits_controller_spec.rb
new file mode 100644
index 00000000000..158902c0ffd
--- /dev/null
+++ b/spec/requests/projects/commits_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::CommitsController do
+ context 'token authentication' do
+ context 'when public project' do
+ let_it_be(:public_project) { create(:project, :repository, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+ let(:url) { project_commits_url(public_project, public_project.default_branch, format: :atom) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_project) { create(:project, :repository, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+ let(:url) { project_commits_url(private_project, private_project.default_branch, format: :atom) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/requests/projects/issues_controller_spec.rb b/spec/requests/projects/issues_controller_spec.rb
index f44b1f4d502..248e3e3a92b 100644
--- a/spec/requests/projects/issues_controller_spec.rb
+++ b/spec/requests/projects/issues_controller_spec.rb
@@ -8,11 +8,11 @@ RSpec.describe Projects::IssuesController do
let_it_be(:project) { issue.project }
let_it_be(:user) { issue.author }
- before do
- login_as(user)
- end
-
describe 'GET #discussions' do
+ before do
+ login_as(user)
+ end
+
let_it_be(:discussion) { create(:discussion_note_on_issue, noteable: issue, project: issue.project) }
let_it_be(:discussion_reply) { create(:discussion_note_on_issue, noteable: issue, project: issue.project, in_reply_to: discussion) }
let_it_be(:state_event) { create(:resource_state_event, issue: issue) }
@@ -68,4 +68,38 @@ RSpec.describe Projects::IssuesController do
end
end
end
+
+ context 'token authentication' do
+ context 'when public project' do
+ let_it_be(:public_project) { create(:project, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+ let(:url) { project_issues_url(public_project, format: :atom) }
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'calendar ics', public_resource: true do
+ let(:url) { project_issues_url(public_project, format: :ics) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_project) { create(:project, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+ let(:url) { project_issues_url(private_project, format: :atom) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'calendar ics', public_resource: false, ignore_metrics: true do
+ let(:url) { project_issues_url(private_project, format: :ics) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+ end
end
diff --git a/spec/requests/projects/merge_requests_controller_spec.rb b/spec/requests/projects/merge_requests_controller_spec.rb
new file mode 100644
index 00000000000..3b1ce569033
--- /dev/null
+++ b/spec/requests/projects/merge_requests_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::MergeRequestsController do
+ context 'token authentication' do
+ context 'when public project' do
+ let_it_be(:public_project) { create(:project, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+ let(:url) { project_merge_requests_url(public_project, format: :atom) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_project) { create(:project, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+ let(:url) { project_merge_requests_url(private_project, format: :atom) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/requests/projects/tags_controller_spec.rb b/spec/requests/projects/tags_controller_spec.rb
new file mode 100644
index 00000000000..b9531a2739c
--- /dev/null
+++ b/spec/requests/projects/tags_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::TagsController do
+ context 'token authentication' do
+ context 'when public project' do
+ let_it_be(:public_project) { create(:project, :repository, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+ let(:url) { project_tags_url(public_project, format: :atom) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_project) { create(:project, :repository, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+ let(:url) { project_tags_url(private_project, format: :atom) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/requests/projects_controller_spec.rb b/spec/requests/projects_controller_spec.rb
new file mode 100644
index 00000000000..d2200d5a4ec
--- /dev/null
+++ b/spec/requests/projects_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ProjectsController do
+ context 'token authentication' do
+ context 'when public project' do
+ let_it_be(:public_project) { create(:project, :public) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+ let(:url) { project_url(public_project, format: :atom) }
+ end
+ end
+
+ context 'when private project' do
+ let_it_be(:private_project) { create(:project, :private) }
+
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+ let(:url) { project_url(private_project, format: :atom) }
+
+ before do
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 701a73761fd..eefc24f7824 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -792,9 +792,9 @@ RSpec.describe UsersController do
end
context 'token authentication' do
- let(:url) { user_url(user.username, format: :atom) }
-
- it_behaves_like 'authenticates sessionless user for the request spec', public: true
+ it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+ let(:url) { user_url(user, format: :atom) }
+ end
end
def user_moved_message(redirect_route, user)