summaryrefslogtreecommitdiff
path: root/spec/lib/gitlab/auth_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r--spec/lib/gitlab/auth_spec.rb75
1 files changed, 59 insertions, 16 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index a4a6338961e..3b5ca7c950c 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -5,7 +5,15 @@ describe Gitlab::Auth do
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
- expect(subject::API_SCOPES).to eq %i[api read_user sudo read_repository]
+ expect(subject::API_SCOPES).to eq %i[api read_user]
+ end
+
+ it 'ADMIN_SCOPES contains all scopes for ADMIN access' do
+ expect(subject::ADMIN_SCOPES).to eq %i[sudo]
+ end
+
+ it 'REPOSITORY_SCOPES contains all scopes for REPOSITORY access' do
+ expect(subject::REPOSITORY_SCOPES).to eq %i[read_repository write_repository]
end
it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
@@ -19,7 +27,29 @@ describe Gitlab::Auth do
it 'optional_scopes contains all non-default scopes' do
stub_container_registry_config(enabled: true)
- expect(subject.optional_scopes).to eq %i[read_user sudo read_repository read_registry openid profile email]
+ expect(subject.optional_scopes).to eq %i[read_user read_repository write_repository read_registry sudo openid profile email]
+ end
+ end
+
+ context 'available_scopes' do
+ it 'contains all non-default scopes' do
+ stub_container_registry_config(enabled: true)
+
+ expect(subject.all_available_scopes).to eq %i[api read_user read_repository write_repository read_registry sudo]
+ end
+
+ it 'contains for non-admin user all non-default scopes without ADMIN access' do
+ stub_container_registry_config(enabled: true)
+ user = create(:user, admin: false)
+
+ expect(subject.available_scopes_for(user)).to eq %i[api read_user read_repository write_repository read_registry]
+ end
+
+ it 'contains for admin user all non-default scopes with ADMIN access' do
+ stub_container_registry_config(enabled: true)
+ user = create(:user, admin: true)
+
+ expect(subject.available_scopes_for(user)).to eq %i[api read_user read_repository write_repository read_registry sudo]
end
context 'registry_scopes' do
@@ -122,7 +152,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
end
it 'does not try password auth before oauth' do
@@ -150,7 +180,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
end
end
@@ -182,8 +212,19 @@ describe Gitlab::Auth do
it 'succeeds for personal access tokens with the `api` scope' do
personal_access_token = create(:personal_access_token, scopes: ['api'])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, full_authentication_abilities))
+ expect_results_with_abilities(personal_access_token, full_authentication_abilities)
+ end
+
+ it 'succeeds for personal access tokens with the `read_repository` scope' do
+ personal_access_token = create(:personal_access_token, scopes: ['read_repository'])
+
+ expect_results_with_abilities(personal_access_token, [:download_code])
+ end
+
+ it 'succeeds for personal access tokens with the `write_repository` scope' do
+ personal_access_token = create(:personal_access_token, scopes: ['write_repository'])
+
+ expect_results_with_abilities(personal_access_token, [:download_code, :push_code])
end
context 'when registry is enabled' do
@@ -194,28 +235,24 @@ describe Gitlab::Auth do
it 'succeeds for personal access tokens with the `read_registry` scope' do
personal_access_token = create(:personal_access_token, scopes: ['read_registry'])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [:read_container_image]))
+ expect_results_with_abilities(personal_access_token, [:read_container_image])
end
end
it 'succeeds if it is an impersonation token' do
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(impersonation_token.user, nil, :personal_access_token, full_authentication_abilities))
+ expect_results_with_abilities(impersonation_token, full_authentication_abilities)
end
it 'limits abilities based on scope' do
personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, []))
+ expect_results_with_abilities(personal_access_token, [])
end
it 'fails if password is nil' do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
- expect(gl_auth.find_for_git_client('', nil, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil))
+ expect_results_with_abilities(nil, nil, false)
end
end
@@ -479,7 +516,7 @@ describe Gitlab::Auth do
]
end
- def read_authentication_abilities
+ def read_only_authentication_abilities
[
:read_project,
:download_code,
@@ -488,7 +525,7 @@ describe Gitlab::Auth do
end
def read_write_authentication_abilities
- read_authentication_abilities + [
+ read_only_authentication_abilities + [
:push_code,
:create_container_image
]
@@ -499,4 +536,10 @@ describe Gitlab::Auth do
:admin_container_image
]
end
+
+ def expect_results_with_abilities(personal_access_token, abilities, success = true)
+ expect(gl_auth).to receive(:rate_limit!).with('ip', success: success, login: '')
+ expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip'))
+ .to eq(Gitlab::Auth::Result.new(personal_access_token&.user, nil, personal_access_token.nil? ? nil : :personal_access_token, abilities))
+ end
end
View Lorry Controller Status