authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:43:43 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:44:14 +0000
commit4530f5d0bdc9b2f60eed2146eaf1b6f35fc53b0e (patch)
tree1194b1e2dd029e407f313797f781a2cf1f3ac39e /spec
parent15c040a6bd71894260b66a90685070c0babfee76 (diff)
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/oauth/authorizations_controller_spec.rb77
1 files changed, 30 insertions, 47 deletions
diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb
index 5fc5cdfc9b9..0e25f6a96d7 100644
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -70,76 +70,59 @@ RSpec.describe Oauth::AuthorizationsController do
describe 'GET #new' do
subject { get :new, params: params }
- include_examples 'OAuth Authorizations require confirmed user'
include_examples "Implicit grant can't be used in confidential application"
- context 'rendering of views based on the ownership of the application' do
- shared_examples 'render views' do
- render_views
-
- it 'returns 200 and renders view with correct info', :aggregate_failures do
- subject
+ context 'when the user is confirmed' do
+ let(:confirmed_at) { 1.hour.ago }
- expect(response).to have_gitlab_http_status(:ok)
- expect(response.body).to include(application.owner.name)
- expect(response).to render_template('doorkeeper/authorizations/new')
- end
- end
+ context 'when there is already an access token for the application with a matching scope' do
+ before do
+ scopes = Doorkeeper::OAuth::Scopes.from_string('api')
- subject { get :new, params: params }
+ allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
- context 'when auth app owner is a user' do
- context 'with valid params' do
- it_behaves_like 'render views'
+ create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
end
- end
-
- context 'when auth app owner is a group' do
- let(:group) { create(:group) }
- context 'when auth app owner is a root group' do
- let(:application) { create(:oauth_application, owner_id: group.id, owner_type: 'Namespace') }
+ it 'authorizes the request and shows the user a page that redirects' do
+ subject
- it_behaves_like 'render views'
+ expect(request.session['user_return_to']).to be_nil
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template('doorkeeper/authorizations/redirect')
end
+ end
- context 'when auth app owner is a subgroup' do
- let(:subgroup) { create(:group, parent: group) }
- let(:application) { create(:oauth_application, owner_id: subgroup.id, owner_type: 'Namespace') }
+ context 'without valid params' do
+ it 'returns 200 code and renders error view' do
+ get :new
- it_behaves_like 'render views'
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template('doorkeeper/authorizations/error')
end
end
- context 'when there is no owner associated' do
- let(:application) { create(:oauth_application, owner_id: nil, owner_type: nil) }
+ context 'with valid params' do
+ render_views
- it 'renders view' do
+ it 'returns 200 code and renders view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
- end
- end
- context 'without valid params' do
- it 'returns 200 code and renders error view' do
- get :new
+ it 'deletes session.user_return_to and redirects when skip authorization' do
+ application.update!(trusted: true)
+ request.session['user_return_to'] = 'http://example.com'
- expect(response).to have_gitlab_http_status(:ok)
- expect(response).to render_template('doorkeeper/authorizations/error')
- end
- end
-
- it 'deletes session.user_return_to and redirects when skip authorization' do
- application.update!(trusted: true)
- request.session['user_return_to'] = 'http://example.com'
-
- subject
+ subject
- expect(request.session['user_return_to']).to be_nil
- expect(response).to have_gitlab_http_status(:found)
+ expect(request.session['user_return_to']).to be_nil
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template('doorkeeper/authorizations/redirect')
+ end
+ end
end
end
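Review bot: The new context 'when there is already an access token for the application with a matching scope' only pins the positive case — consent is skipped and `doorkeeper/authorizations/redirect` is rendered — but nothing in this hunk asserts that a pre-existing token that does not cover the requested scope (or one that has been revoked) still lands on the consent page, so a later change that widens the skip-consent condition would pass this spec. A sibling context that creates a token with a narrower scope and expects `render_template('doorkeeper/authorizations/new')` would close that gap; this assumes `params`, defined above the hunk, requests the `api` scope, and a second variant using `revoked_at:` on the factory would cover the revoked case. The `describe 'GET #new'` block is entirely inside the hunk, but the enclosing `RSpec.describe Oauth::AuthorizationsController` continues outside it.
```ruby
context 'when the user is confirmed' do
  # … unchanged: matching-scope context, 'without valid params', 'with valid params' …

  context 'when the existing access token does not cover the requested scope' do
    before do
      narrower = Doorkeeper::OAuth::Scopes.from_string('read_user')

      create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: narrower)
    end

    it 'still asks the user for consent' do
      subject

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to render_template('doorkeeper/authorizations/new')
    end
  end
```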