3 files changed, 94 insertions, 4 deletions

diff --git a/spec/initializers/metrics_spec.rb b/spec/initializers/8_metrics_spec.rb
index bb595162370..570754621f3 100644
--- a/spec/initializers/metrics_spec.rb
+++ b/spec/initializers/8_metrics_spec.rb
@@ -1,5 +1,5 @@
 require 'spec_helper'
-require_relative '../../config/initializers/metrics'
+require_relative '../../config/initializers/8_metrics'
 
 describe 'instrument_classes', lib: true do
   let(:config) { double(:config) }
diff --git a/spec/initializers/doorkeeper_spec.rb b/spec/initializers/doorkeeper_spec.rb
new file mode 100644
index 00000000000..74bdbb01166
--- /dev/null
+++ b/spec/initializers/doorkeeper_spec.rb
@@ -0,0 +1,71 @@
+require 'spec_helper'
+require_relative '../../config/initializers/doorkeeper'
+
+describe Doorkeeper.configuration do
+  describe '#default_scopes' do
+    it 'matches Gitlab::Auth::DEFAULT_SCOPES' do
+      expect(subject.default_scopes).to eq Gitlab::Auth::DEFAULT_SCOPES
+    end
+  end
+
+  describe '#optional_scopes' do
+    it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do
+      expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES
+    end
+  end
+
+  describe '#resource_owner_authenticator' do
+    subject { controller.instance_exec(&Doorkeeper.configuration.authenticate_resource_owner) }
+
+    let(:controller) { double }
+
+    before do
+      allow(controller).to receive(:current_user).and_return(current_user)
+      allow(controller).to receive(:session).and_return({})
+      allow(controller).to receive(:request).and_return(OpenStruct.new(fullpath: '/return-path'))
+      allow(controller).to receive(:redirect_to)
+      allow(controller).to receive(:new_user_session_url).and_return('/login')
+    end
+
+    context 'with a user present' do
+      let(:current_user) { create(:user) }
+
+      it 'returns the user' do
+        expect(subject).to eq current_user
+      end
+
+      it 'does not redirect' do
+        expect(controller).not_to receive(:redirect_to)
+
+        subject
+      end
+
+      it 'does not store the return path' do
+        subject
+
+        expect(controller.session).not_to include :user_return_to
+      end
+    end
+
+    context 'without a user present' do
+      let(:current_user) { nil }
+
+      # NOTE: this is required for doorkeeper-openid_connect
+      it 'returns nil' do
+        expect(subject).to eq nil
+      end
+
+      it 'redirects to the login form' do
+        expect(controller).to receive(:redirect_to).with('/login')
+
+        subject
+      end
+
+      it 'stores the return path' do
+        subject
+
+        expect(controller.session[:user_return_to]).to eq '/return-path'
+      end
+    end
+  end
+end
diff --git a/spec/initializers/secret_token_spec.rb b/spec/initializers/secret_token_spec.rb
index ad7f032d1e5..65c97da2efd 100644
--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -6,6 +6,9 @@ describe 'create_tokens', lib: true do
 
   let(:secrets) { ActiveSupport::OrderedOptions.new }
 
+  HEX_KEY = /\h{128}/
+  RSA_KEY = /\A-----BEGIN RSA PRIVATE KEY-----\n.+\n-----END RSA PRIVATE KEY-----\n\Z/m
+
   before do
     allow(File).to receive(:write)
     allow(File).to receive(:delete)
@@ -15,7 +18,7 @@ describe 'create_tokens', lib: true do
     allow(self).to receive(:exit)
   end
 
-  context 'setting secret_key_base and otp_key_base' do
+  context 'setting secret keys' do
     context 'when none of the secrets exist' do
       before do
         stub_env('SECRET_KEY_BASE', nil)
@@ -24,19 +27,29 @@ describe 'create_tokens', lib: true do
         allow(self).to receive(:warn_missing_secret)
       end
 
-      it 'generates different secrets for secret_key_base, otp_key_base, and db_key_base' do
+      it 'generates different hashes for secret_key_base, otp_key_base, and db_key_base' do
         create_tokens
 
         keys = secrets.values_at(:secret_key_base, :otp_key_base, :db_key_base)
 
         expect(keys.uniq).to eq(keys)
-        expect(keys.map(&:length)).to all(eq(128))
+        expect(keys).to all(match(HEX_KEY))
+      end
+
+      it 'generates an RSA key for jws_private_key' do
+        create_tokens
+
+        keys = secrets.values_at(:jws_private_key)
+
+        expect(keys.uniq).to eq(keys)
+        expect(keys).to all(match(RSA_KEY))
       end
 
       it 'warns about the secrets to add to secrets.yml' do
         expect(self).to receive(:warn_missing_secret).with('secret_key_base')
         expect(self).to receive(:warn_missing_secret).with('otp_key_base')
         expect(self).to receive(:warn_missing_secret).with('db_key_base')
+        expect(self).to receive(:warn_missing_secret).with('jws_private_key')
 
         create_tokens
       end
@@ -48,6 +61,7 @@ describe 'create_tokens', lib: true do
           expect(new_secrets['secret_key_base']).to eq(secrets.secret_key_base)
           expect(new_secrets['otp_key_base']).to eq(secrets.otp_key_base)
           expect(new_secrets['db_key_base']).to eq(secrets.db_key_base)
+          expect(new_secrets['jws_private_key']).to eq(secrets.jws_private_key)
         end
 
         create_tokens
@@ -63,6 +77,7 @@ describe 'create_tokens', lib: true do
     context 'when the other secrets all exist' do
       before do
         secrets.db_key_base = 'db_key_base'
+        secrets.jws_private_key = 'jws_private_key'
 
         allow(File).to receive(:exist?).with('.secret').and_return(true)
         allow(File).to receive(:read).with('.secret').and_return('file_key')
@@ -73,6 +88,7 @@ describe 'create_tokens', lib: true do
           stub_env('SECRET_KEY_BASE', 'env_key')
           secrets.secret_key_base = 'secret_key_base'
           secrets.otp_key_base = 'otp_key_base'
+          secrets.jws_private_key = 'jws_private_key'
         end
 
         it 'does not issue a warning' do
@@ -98,6 +114,7 @@ describe 'create_tokens', lib: true do
         before do
           secrets.secret_key_base = 'secret_key_base'
           secrets.otp_key_base = 'otp_key_base'
+          secrets.jws_private_key = 'jws_private_key'
         end
 
         it 'does not write any files' do
@@ -112,6 +129,7 @@ describe 'create_tokens', lib: true do
           expect(secrets.secret_key_base).to eq('secret_key_base')
           expect(secrets.otp_key_base).to eq('otp_key_base')
           expect(secrets.db_key_base).to eq('db_key_base')
+          expect(secrets.jws_private_key).to eq('jws_private_key')
         end
 
         it 'deletes the .secret file' do
@@ -135,6 +153,7 @@ describe 'create_tokens', lib: true do
             expect(new_secrets['secret_key_base']).to eq('file_key')
             expect(new_secrets['otp_key_base']).to eq('file_key')
             expect(new_secrets['db_key_base']).to eq('db_key_base')
+            expect(new_secrets['jws_private_key']).to eq('jws_private_key')
           end
 
           create_tokens