Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-10 20:36:29 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-10 20:36:29 +0000
commit: 1eef146c2d1de19d4e995d421e5787053e50db80 (patch)
tree: 2761efabea712248557826977a849e31e3fdb961 /spec/requests
parent: 661d663ab2b7c69977ba8a0db02ef4afc2427e39 (diff)
download: gitlab-ce-1eef146c2d1de19d4e995d421e5787053e50db80.tar.gz
10 files changed, 253 insertions, 8 deletions
diff --git a/spec/requests/api/graphql_spec.rb b/spec/requests/api/graphql_spec.rb
index b8f7af29a9f..da0c87fcefe 100644
--- a/spec/requests/api/graphql_spec.rb
+++ b/spec/requests/api/graphql_spec.rb
@@ -253,7 +253,7 @@ RSpec.describe 'GraphQL' do
     end
 
     context 'with token authentication' do
-      let(:token) { create(:personal_access_token) }
+      let(:token) { create(:personal_access_token, user: user) }
 
       it 'authenticates users with a PAT' do
         stub_authentication_activity_metrics(debug: false)
@@ -276,6 +276,32 @@ RSpec.describe 'GraphQL' do
         expect(graphql_errors).to include({ 'message' => /API not accessible/ })
       end
 
+      context 'when user with expired password' do
+        let_it_be(:user) { create(:user, password_expires_at: 2.minutes.ago) }
+
+        it 'does not authenticate user' do
+          post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+          expect(response).to have_gitlab_http_status(:ok)
+
+          expect(graphql_data['echo']).to eq('nil says: Hello world')
+        end
+      end
+
+      context 'when password expiration is not applicable' do
+        context 'when ldap user' do
+          let_it_be(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
+
+          it 'authenticates user' do
+            post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+            expect(response).to have_gitlab_http_status(:ok)
+
+            expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
+          end
+        end
+      end
+
       context 'when the personal access token has no api scope' do
         it 'does not log the user in' do
           token.update!(scopes: [:read_user])
diff --git a/spec/requests/dashboard/projects_controller_spec.rb b/spec/requests/dashboard/projects_controller_spec.rb
new file mode 100644
index 00000000000..4cd3b6c4f9e
--- /dev/null
+++ b/spec/requests/dashboard/projects_controller_spec.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Dashboard::ProjectsController do
+  context 'token authentication' do
+    it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false do
+      let(:url) { dashboard_projects_url(:atom) }
+    end
+  end
+end
diff --git a/spec/requests/dashboard_controller_spec.rb b/spec/requests/dashboard_controller_spec.rb
new file mode 100644
index 00000000000..62655d720c5
--- /dev/null
+++ b/spec/requests/dashboard_controller_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe DashboardController do
+  context 'token authentication' do
+    it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: false do
+      let(:url) { issues_dashboard_url(:atom, assignee_username: user.username) }
+    end
+
+    it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: false do
+      let(:url) { issues_dashboard_url(:ics, assignee_username: user.username) }
+    end
+  end
+end
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
new file mode 100644
index 00000000000..422c108f2ad
--- /dev/null
+++ b/spec/requests/groups_controller_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GroupsController do
+  context 'token authentication' do
+    context 'when public group' do
+      let_it_be(:public_group) { create(:group, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+        let(:url) { group_path(public_group, format: :atom) }
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: true do
+        let(:url) { issues_group_path(public_group, format: :atom) }
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: true do
+        let(:url) { issues_group_calendar_url(public_group, format: :ics) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_group) { create(:group, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+        let(:url) { group_path(private_group, format: :atom) }
+
+        before do
+          private_group.add_maintainer(user)
+        end
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'issues atom', public_resource: false, ignore_metrics: true do
+        let(:url) { issues_group_path(private_group, format: :atom) }
+
+        before do
+          private_group.add_maintainer(user)
+        end
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'issues_calendar ics', public_resource: false, ignore_metrics: true do
+        let(:url) { issues_group_calendar_url(private_group, format: :ics) }
+
+        before do
+          private_group.add_maintainer(user)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/projects/commits_controller_spec.rb b/spec/requests/projects/commits_controller_spec.rb
new file mode 100644
index 00000000000..158902c0ffd
--- /dev/null
+++ b/spec/requests/projects/commits_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::CommitsController do
+  context 'token authentication' do
+    context 'when public project' do
+      let_it_be(:public_project) { create(:project, :repository, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+        let(:url) { project_commits_url(public_project, public_project.default_branch, format: :atom) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_project) { create(:project, :repository, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+        let(:url) { project_commits_url(private_project, private_project.default_branch, format: :atom) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/projects/issues_controller_spec.rb b/spec/requests/projects/issues_controller_spec.rb
index f44b1f4d502..248e3e3a92b 100644
--- a/spec/requests/projects/issues_controller_spec.rb
+++ b/spec/requests/projects/issues_controller_spec.rb
@@ -8,11 +8,11 @@ RSpec.describe Projects::IssuesController do
   let_it_be(:project) { issue.project }
   let_it_be(:user) { issue.author }
 
-  before do
-    login_as(user)
-  end
-
   describe 'GET #discussions' do
+    before do
+      login_as(user)
+    end
+
     let_it_be(:discussion) { create(:discussion_note_on_issue, noteable: issue, project: issue.project) }
     let_it_be(:discussion_reply) { create(:discussion_note_on_issue, noteable: issue, project: issue.project, in_reply_to: discussion) }
     let_it_be(:state_event) { create(:resource_state_event, issue: issue) }
@@ -68,4 +68,38 @@ RSpec.describe Projects::IssuesController do
       end
     end
   end
+
+  context 'token authentication' do
+    context 'when public project' do
+      let_it_be(:public_project) { create(:project, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+        let(:url) { project_issues_url(public_project, format: :atom) }
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'calendar ics', public_resource: true do
+        let(:url) { project_issues_url(public_project, format: :ics) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_project) { create(:project, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+        let(:url) { project_issues_url(private_project, format: :atom) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'calendar ics', public_resource: false, ignore_metrics: true do
+        let(:url) { project_issues_url(private_project, format: :ics) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+    end
+  end
 end
diff --git a/spec/requests/projects/merge_requests_controller_spec.rb b/spec/requests/projects/merge_requests_controller_spec.rb
new file mode 100644
index 00000000000..3b1ce569033
--- /dev/null
+++ b/spec/requests/projects/merge_requests_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::MergeRequestsController do
+  context 'token authentication' do
+    context 'when public project' do
+      let_it_be(:public_project) { create(:project, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+        let(:url) { project_merge_requests_url(public_project, format: :atom) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_project) { create(:project, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+        let(:url) { project_merge_requests_url(private_project, format: :atom) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/projects/tags_controller_spec.rb b/spec/requests/projects/tags_controller_spec.rb
new file mode 100644
index 00000000000..b9531a2739c
--- /dev/null
+++ b/spec/requests/projects/tags_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::TagsController do
+  context 'token authentication' do
+    context 'when public project' do
+      let_it_be(:public_project) { create(:project, :repository, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: true do
+        let(:url) { project_tags_url(public_project, format: :atom) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_project) { create(:project, :repository, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'index atom', public_resource: false, ignore_metrics: true do
+        let(:url) { project_tags_url(private_project, format: :atom) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/projects_controller_spec.rb b/spec/requests/projects_controller_spec.rb
new file mode 100644
index 00000000000..d2200d5a4ec
--- /dev/null
+++ b/spec/requests/projects_controller_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ProjectsController do
+  context 'token authentication' do
+    context 'when public project' do
+      let_it_be(:public_project) { create(:project, :public) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+        let(:url) { project_url(public_project, format: :atom) }
+      end
+    end
+
+    context 'when private project' do
+      let_it_be(:private_project) { create(:project, :private) }
+
+      it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: false, ignore_metrics: true do
+        let(:url) { project_url(private_project, format: :atom) }
+
+        before do
+          private_project.add_maintainer(user)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 701a73761fd..eefc24f7824 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -792,9 +792,9 @@ RSpec.describe UsersController do
   end
 
   context 'token authentication' do
-    let(:url) { user_url(user.username, format: :atom) }
-
-    it_behaves_like 'authenticates sessionless user for the request spec', public: true
+    it_behaves_like 'authenticates sessionless user for the request spec', 'show atom', public_resource: true do
+      let(:url) { user_url(user, format: :atom) }
+    end
   end
 
   def user_moved_message(redirect_route, user)
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-10 20:36:29 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-10 20:36:29 +0000
commit	1eef146c2d1de19d4e995d421e5787053e50db80 (patch)
tree	2761efabea712248557826977a849e31e3fdb961 /spec/requests
parent	661d663ab2b7c69977ba8a0db02ef4afc2427e39 (diff)
download	gitlab-ce-1eef146c2d1de19d4e995d421e5787053e50db80.tar.gz