authorGitLab Bot <gitlab-bot@gitlab.com>2021-07-27 22:40:43 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-07-27 22:40:43 +0000
commitbbe511b231b5de3fab4dc418601c89cc1ccc8063 (patch)
tree650453c3b64751df39fda6f33ca4b39318f41e0d /spec
parentad1c34c03de42ebc5279f338f6304e77930d34d4 (diff)
downloadgitlab-ce-bbe511b231b5de3fab4dc418601c89cc1ccc8063.tar.gz
Add latest changes from gitlab-org/gitlab@14-1-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/gitlab/auth/auth_finders_spec.rb116
-rw-r--r--spec/lib/gitlab/auth/request_authenticator_spec.rb50
-rw-r--r--spec/models/application_setting/term_spec.rb2
-rw-r--r--spec/requests/rack_attack_global_spec.rb114
-rw-r--r--spec/services/application_settings/update_service_spec.rb4
5 files changed, 283 insertions, 3 deletions
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 14200733c19..2d4239eb761 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -708,6 +708,122 @@ RSpec.describe Gitlab::Auth::AuthFinders do
end
end
+ describe '#find_user_from_basic_auth_password' do
+ subject { find_user_from_basic_auth_password }
+
+ context 'when the request does not have AUTHORIZATION header' do
+ it { is_expected.to be_nil }
+ end
+
+ it 'returns nil without user and password' do
+ set_basic_auth_header(nil, nil)
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil without password' do
+ set_basic_auth_header('some-user', nil)
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil without user' do
+ set_basic_auth_header(nil, 'password')
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil with CI username' do
+ set_basic_auth_header(::Gitlab::Auth::CI_JOB_USER, 'password')
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil with wrong password' do
+ set_basic_auth_header(user.username, 'wrong-password')
+
+ is_expected.to be_nil
+ end
+
+ it 'returns user with correct credentials' do
+ set_basic_auth_header(user.username, user.password)
+
+ is_expected.to eq(user)
+ end
+ end
+
+ describe '#find_user_from_lfs_token' do
+ subject { find_user_from_lfs_token }
+
+ context 'when the request does not have AUTHORIZATION header' do
+ it { is_expected.to be_nil }
+ end
+
+ it 'returns nil without user and token' do
+ set_basic_auth_header(nil, nil)
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil without token' do
+ set_basic_auth_header('some-user', nil)
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil without user' do
+ set_basic_auth_header(nil, 'token')
+
+ is_expected.to be_nil
+ end
+
+ it 'returns nil with wrong token' do
+ set_basic_auth_header(user.username, 'wrong-token')
+
+ is_expected.to be_nil
+ end
+
+ it 'returns user with correct user and correct token' do
+ lfs_token = Gitlab::LfsToken.new(user).token
+ set_basic_auth_header(user.username, lfs_token)
+
+ is_expected.to eq(user)
+ end
+
+ it 'returns nil with wrong user and correct token' do
+ lfs_token = Gitlab::LfsToken.new(user).token
+ other_user = create(:user)
+ set_basic_auth_header(other_user.username, lfs_token)
+
+ is_expected.to be_nil
+ end
+ end
+
+ describe '#find_user_from_personal_access_token' do
+ subject { find_user_from_personal_access_token }
+
+ it 'returns nil without access token' do
+ allow_any_instance_of(described_class).to receive(:access_token).and_return(nil)
+
+ is_expected.to be_nil
+ end
+
+ it 'returns user with correct access token' do
+ personal_access_token = create(:personal_access_token, user: user)
+ allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+
+ is_expected.to eq(user)
+ end
+
+ it 'returns exception if access token has no user' do
+ personal_access_token = create(:personal_access_token, user: user)
+ allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+ allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil)
+
+ expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+ end
+ end
+
describe '#validate_access_token!' do
subject { validate_access_token! }
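Review bot: The `#find_user_from_basic_auth_password` examples at the top of the hunk only vary the presence and correctness of the credentials; there is no case where username and password are correct but the account must still be rejected, so a finder that returned any password-matching user would pass unchanged. A blocked or two-factor-enabled account is the natural negative example, e.g. `blocked = create(:user, :blocked)`, `set_basic_auth_header(blocked.username, blocked.password)`, `is_expected.to be_nil`, with the expected value confirmed against what the underlying user/password lookup does for such accounts. The same gap exists in `#find_user_from_lfs_token`, which checks a wrong user and a wrong token but not a correct token for a user who is no longer allowed to sign in. Separately, the last example is titled 'returns exception if access token has no user' while its body asserts `raise_error`; 'raises UnauthorizedError if access token has no user' describes what it checks.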
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 93e9cb06786..28e93a8da52 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -45,6 +45,9 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
let!(:feed_token_user) { build(:user) }
let!(:static_object_token_user) { build(:user) }
let!(:job_token_user) { build(:user) }
+ let!(:lfs_token_user) { build(:user) }
+ let!(:basic_auth_access_token_user) { build(:user) }
+ let!(:basic_auth_password_user) { build(:user) }
it 'returns access_token user first' do
allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token)
@@ -78,6 +81,30 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
expect(subject.find_sessionless_user(:api)).to eq job_token_user
end
+ it 'returns lfs_token user if no job_token user found' do
+ allow_any_instance_of(described_class)
+ .to receive(:find_user_from_lfs_token)
+ .and_return(lfs_token_user)
+
+ expect(subject.find_sessionless_user(:api)).to eq lfs_token_user
+ end
+
+ it 'returns basic_auth_access_token user if no lfs_token user found' do
+ allow_any_instance_of(described_class)
+ .to receive(:find_user_from_personal_access_token)
+ .and_return(basic_auth_access_token_user)
+
+ expect(subject.find_sessionless_user(:api)).to eq basic_auth_access_token_user
+ end
+
+ it 'returns basic_auth_access_password user if no basic_auth_access_token user found' do
+ allow_any_instance_of(described_class)
+ .to receive(:find_user_from_basic_auth_password)
+ .and_return(basic_auth_password_user)
+
+ expect(subject.find_sessionless_user(:api)).to eq basic_auth_password_user
+ end
+
it 'returns nil if no user found' do
expect(subject.find_sessionless_user(:api)).to be_blank
end
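Review bot: The three new precedence examples each stub only the finder under test, so they show that the finder is consulted at all but do not pin the order the titles claim ('lfs_token user if no job_token user found', and so on); if `find_sessionless_user` consulted the finders in a different order these examples would still pass, unless an earlier example in this describe already stubs the whole chain. To pin the order, the lfs example should also stub `find_user_from_personal_access_token` to return `basic_auth_access_token_user` and still expect `lfs_token_user`, and likewise for the following pair. The third title, 'returns basic_auth_access_password user if no basic_auth_access_token user found', names a user that does not match the `basic_auth_password_user` fixture it uses; `'returns basic_auth_password user if no basic_auth_access_token user found'` keeps title and fixture aligned.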
@@ -194,4 +221,27 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
expect(subject.runner).to be_blank
end
end
+
+ describe '#route_authentication_setting' do
+ using RSpec::Parameterized::TableSyntax
+
+ where(:script_name, :expected_job_token_allowed, :expected_basic_auth_personal_access_token) do
+ '/api/endpoint' | true | true
+ '/namespace/project.git' | false | true
+ '/web/endpoint' | false | false
+ end
+
+ with_them do
+ before do
+ env['SCRIPT_NAME'] = script_name
+ end
+
+ it 'returns correct settings' do
+ expect(subject.send(:route_authentication_setting)).to eql({
+ job_token_allowed: expected_job_token_allowed,
+ basic_auth_personal_access_token: expected_basic_auth_personal_access_token
+ })
+ end
+ end
+ end
end
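Review bot: The `where` table in `#route_authentication_setting` has one path per route class, so a script name that merely contains an API- or git-looking segment is not covered; if the setting is derived from a prefix or substring match on `SCRIPT_NAME`, a row such as `'/group/api/endpoint' | false | false` (expected values confirmed against the implementation) would show that job tokens and basic-auth personal access tokens are not enabled for ordinary web paths by accident. Because this setting decides which credential types a route accepts, over-broad path matching is the regression worth a dedicated row. The example reaches the method through `subject.send(:route_authentication_setting)`, which bypasses visibility; if the method is private, a one-line comment saying so would make clear the `send` is deliberate.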
diff --git a/spec/models/application_setting/term_spec.rb b/spec/models/application_setting/term_spec.rb
index d9efa597352..6c7f29cbd71 100644
--- a/spec/models/application_setting/term_spec.rb
+++ b/spec/models/application_setting/term_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper'
RSpec.describe ApplicationSetting::Term do
- it { is_expected.to nullify_if_blank(:terms) }
+ it { is_expected.to validate_presence_of(:terms) }
describe '.latest' do
it 'finds the latest terms' do
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index f7b1b4726f6..a0f9d4c11ed 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -677,4 +677,118 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
it_behaves_like 'reject requests over the rate limit'
end
end
+
+ describe 'Gitlab::RackAttack::Request#unauthenticated?' do
+ let_it_be(:url) { "/api/v4/projects" }
+ let_it_be(:user) { create(:user) }
+
+ def expect_unauthenticated_request
+ expect_next_instance_of(Rack::Attack::Request) do |instance|
+ expect(instance.unauthenticated?).to be true
+ end
+ end
+
+ def expect_authenticated_request
+ expect_next_instance_of(Rack::Attack::Request) do |instance|
+ expect(instance.unauthenticated?).to be false
+ end
+ end
+
+ before do
+ settings_to_set[:throttle_unauthenticated_enabled] = true
+ stub_application_setting(settings_to_set)
+ end
+
+ context 'without authentication' do
+ it 'request is unauthenticated' do
+ expect_unauthenticated_request
+
+ get url
+ end
+ end
+
+ context 'authenticated by a runner token' do
+ let_it_be(:runner) { create(:ci_runner) }
+
+ it 'request is authenticated' do
+ expect_authenticated_request
+
+ get url, params: { token: runner.token }
+ end
+ end
+
+ context 'authenticated with personal access token' do
+ let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
+
+ it 'request is authenticated by token in query string' do
+ expect_authenticated_request
+
+ get url, params: { private_token: personal_access_token.token }
+ end
+
+ it 'request is authenticated by token in the headers' do
+ expect_authenticated_request
+
+ get url, headers: personal_access_token_headers(personal_access_token)
+ end
+
+ it 'request is authenticated by token in the OAuth headers' do
+ expect_authenticated_request
+
+ get url, headers: oauth_token_headers(personal_access_token)
+ end
+
+ it 'request is authenticated by token in basic auth' do
+ expect_authenticated_request
+
+ get url, headers: basic_auth_headers(user, personal_access_token)
+ end
+ end
+
+ context 'authenticated with OAuth token' do
+ let(:application) { Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user) }
+ let(:oauth_token) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: "api") }
+
+ it 'request is authenticated by token in query string' do
+ expect_authenticated_request
+
+ get url, params: { access_token: oauth_token.token }
+ end
+
+ it 'request is authenticated by token in the headers' do
+ expect_authenticated_request
+
+ get url, headers: oauth_token_headers(oauth_token)
+ end
+ end
+
+ context 'authenticated with lfs token' do
+ it 'request is authenticated by token in basic auth' do
+ lfs_token = Gitlab::LfsToken.new(user)
+ encoded_login = ["#{user.username}:#{lfs_token.token}"].pack('m0')
+
+ expect_authenticated_request
+
+ get url, headers: { 'AUTHORIZATION' => "Basic #{encoded_login}" }
+ end
+ end
+
+ context 'authenticated with regular login' do
+ it 'request is authenticated after login' do
+ login_as(user)
+
+ expect_authenticated_request
+
+ get url
+ end
+
+ it 'request is authenticated by credentials in basic auth' do
+ encoded_login = ["#{user.username}:#{user.password}"].pack('m0')
+
+ expect_authenticated_request
+
+ get url, headers: { 'AUTHORIZATION' => "Basic #{encoded_login}" }
+ end
+ end
+ end
end
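Review bot: Every example in the `Gitlab::RackAttack::Request#unauthenticated?` describe that supplies a credential supplies a valid one, so the spec does not distinguish a request that is authenticated from one that merely carries a credential; an implementation that only checked for the presence of a token parameter or Authorization header would pass all of these examples while leaving the unauthenticated throttle ineffective. A negative example per credential type pins the intended behaviour, e.g. `expect_unauthenticated_request` followed by `get url, params: { private_token: 'not-a-valid-token' }`, and similarly for a wrong basic-auth password and a revoked or expired token, with the expected value confirmed against the implementation. The 'authenticated with lfs token' and 'authenticated with regular login' contexts build the Basic header by hand with `pack('m0')` while the personal-access-token context uses `basic_auth_headers`; reusing that helper, or a small local one, would keep header construction in one place.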
diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb
index 5f0c02cd521..56c1284927d 100644
--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -23,8 +23,8 @@ RSpec.describe ApplicationSettings::UpdateService do
context 'when the passed terms are blank' do
let(:params) { { terms: '' } }
- it 'does create terms' do
- expect { subject.execute }.to change { ApplicationSetting::Term.count }.by(1)
+ it 'does not create terms' do
+ expect { subject.execute }.not_to change { ApplicationSetting::Term.count }
end
end