diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-10-12 10:24:14 +0000 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2017-10-12 10:24:14 +0000 |
| commit | 1e4b75ba40570a3e96e1999e375a120c4ba8b346 (patch) | |
| tree | 1e1600e92f12fc853a51457dfbebcc70c97a0019 /spec | |
| parent | 5d4e07330526e0cb2965ef5c218542094d1e1008 (diff) | |
| parent | 025c6eeaa1e02dce31cb836c39ee4a5f312f202f (diff) | |
| download | gitlab-ce-1e4b75ba40570a3e96e1999e375a120c4ba8b346.tar.gz | |
Merge branch 'dm-api-authentication' into 'master'
Move all API authentication code to APIGuard
See merge request gitlab-org/gitlab-ce!14528
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/requests/api/helpers_spec.rb | 18 | ||||
| -rw-r--r-- | spec/support/api/scopes/read_user_shared_examples.rb | 8 |
2 files changed, 13 insertions, 13 deletions
diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb index 862920ad7c3..9f3b5a809d7 100644 --- a/spec/requests/api/helpers_spec.rb +++ b/spec/requests/api/helpers_spec.rb @@ -222,13 +222,6 @@ describe API::Helpers do expect { current_user }.to raise_error /401/ end - it "returns a 401 response for a token without the appropriate scope" do - personal_access_token = create(:personal_access_token, user: user, scopes: ['read_user']) - env[API::APIGuard::PRIVATE_TOKEN_HEADER] = personal_access_token.token - - expect { current_user }.to raise_error /401/ - end - it "leaves user as is when sudo not specified" do env[API::APIGuard::PRIVATE_TOKEN_HEADER] = personal_access_token.token expect(current_user).to eq(user) @@ -238,18 +231,25 @@ describe API::Helpers do expect(current_user).to eq(user) end + it "does not allow tokens without the appropriate scope" do + personal_access_token = create(:personal_access_token, user: user, scopes: ['read_user']) + env[API::APIGuard::PRIVATE_TOKEN_HEADER] = personal_access_token.token + + expect { current_user }.to raise_error API::APIGuard::InsufficientScopeError + end + it 'does not allow revoked tokens' do personal_access_token.revoke! env[API::APIGuard::PRIVATE_TOKEN_HEADER] = personal_access_token.token - expect { current_user }.to raise_error /401/ + expect { current_user }.to raise_error API::APIGuard::RevokedError end it 'does not allow expired tokens' do personal_access_token.update_attributes!(expires_at: 1.day.ago) env[API::APIGuard::PRIVATE_TOKEN_HEADER] = personal_access_token.token - expect { current_user }.to raise_error /401/ + expect { current_user }.to raise_error API::APIGuard::ExpiredError end end diff --git a/spec/support/api/scopes/read_user_shared_examples.rb b/spec/support/api/scopes/read_user_shared_examples.rb index 57e28e040d7..111534f2f26 100644 --- a/spec/support/api/scopes/read_user_shared_examples.rb +++ b/spec/support/api/scopes/read_user_shared_examples.rb @@ -27,10 +27,10 @@ shared_examples_for 'allows the "read_user" scope' do stub_container_registry_config(enabled: true) end - it 'returns a "401" response' do + it 'returns a "403" response' do get api_call.call(path, user, personal_access_token: token) - expect(response).to have_http_status(401) + expect(response).to have_http_status(403) end end end @@ -74,10 +74,10 @@ shared_examples_for 'does not allow the "read_user" scope' do context 'when the requesting token has the "read_user" scope' do let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) } - it 'returns a "401" response' do + it 'returns a "403" response' do post api_call.call(path, user, personal_access_token: token), attributes_for(:user, projects_limit: 3) - expect(response).to have_http_status(401) + expect(response).to have_http_status(403) end end end |