summaryrefslogtreecommitdiff
path: root/spec/services
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2016-11-22 14:34:23 +0530
committerTimothy Andrew <mail@timothyandrew.net>2016-12-16 16:29:31 +0530
commit7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch)
treed2565cdc70269e5f244e7cf542170b0d5d8cf7aa /spec/services
parent6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff)
downloadgitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz
Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
Diffstat (limited to 'spec/services')
-rw-r--r--spec/services/access_token_validation_service_spec.rb42
1 files changed, 42 insertions, 0 deletions
diff --git a/spec/services/access_token_validation_service_spec.rb b/spec/services/access_token_validation_service_spec.rb
new file mode 100644
index 00000000000..8808934fa24
--- /dev/null
+++ b/spec/services/access_token_validation_service_spec.rb
@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe AccessTokenValidationService, services: true do
+
+ describe ".sufficient_scope?" do
+ it "returns true if the required scope is present in the token's scopes" do
+ token = double("token", scopes: [:api, :read_user])
+
+ expect(described_class.sufficient_scope?(token, [:api])).to be(true)
+ end
+
+ it "returns true if more than one of the required scopes is present in the token's scopes" do
+ token = double("token", scopes: [:api, :read_user, :other_scope])
+
+ expect(described_class.sufficient_scope?(token, [:api, :other_scope])).to be(true)
+ end
+
+ it "returns true if the list of required scopes is an exact match for the token's scopes" do
+ token = double("token", scopes: [:api, :read_user, :other_scope])
+
+ expect(described_class.sufficient_scope?(token, [:api, :read_user, :other_scope])).to be(true)
+ end
+
+ it "returns true if the list of required scopes contains all of the token's scopes, in addition to others" do
+ token = double("token", scopes: [:api, :read_user])
+
+ expect(described_class.sufficient_scope?(token, [:api, :read_user, :other_scope])).to be(true)
+ end
+
+ it 'returns true if the list of required scopes is blank' do
+ token = double("token", scopes: [])
+
+ expect(described_class.sufficient_scope?(token, [])).to be(true)
+ end
+
+ it "returns false if there are no scopes in common between the required scopes and the token scopes" do
+ token = double("token", scopes: [:api, :read_user])
+
+ expect(described_class.sufficient_scope?(token, [:other_scope])).to be(false)
+ end
+ end
+end