Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/gitlab/auth/auth_finders_spec.rb (renamed from spec/lib/gitlab/auth/user_auth_finders_spec.rb) | 68 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/current_user_mode_spec.rb | 115 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/request_authenticator_spec.rb | 24 | ||||
-rw-r--r-- | spec/lib/gitlab/import_export/all_models.yml | 1 | ||||
-rw-r--r-- | spec/lib/gitlab/import_export/safe_model_attributes.yml | 10 |
5 files changed, 170 insertions, 48 deletions
diff --git a/spec/lib/gitlab/auth/user_auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb index 125039edcf8..3d10f411310 100644 --- a/spec/lib/gitlab/auth/user_auth_finders_spec.rb +++ b/spec/lib/gitlab/auth/auth_finders_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe Gitlab::Auth::UserAuthFinders do +describe Gitlab::Auth::AuthFinders do include described_class let(:user) { create(:user) } @@ -196,13 +196,13 @@ describe Gitlab::Auth::UserAuthFinders do context 'when validate_access_token! returns valid' do it 'returns user' do - env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token + env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token expect(find_user_from_access_token).to eq user end it 'returns exception if token has no user' do - env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token + env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil) expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError) @@ -228,7 +228,7 @@ describe Gitlab::Auth::UserAuthFinders do let(:personal_access_token) { create(:personal_access_token, user: user) } before do - env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token + env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token end it 'returns exception if token has no user' do @@ -279,7 +279,7 @@ describe Gitlab::Auth::UserAuthFinders do context 'passed as header' do it 'returns token if valid personal_access_token' do - env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token + env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token expect(find_personal_access_token).to eq personal_access_token end 
@@ -287,7 +287,7 @@ describe Gitlab::Auth::UserAuthFinders do context 'passed as param' do it 'returns token if valid personal_access_token' do - set_param(Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_PARAM, personal_access_token.token) + set_param(described_class::PRIVATE_TOKEN_PARAM, personal_access_token.token) expect(find_personal_access_token).to eq personal_access_token end @@ -298,7 +298,7 @@ describe Gitlab::Auth::UserAuthFinders do end it 'returns exception if invalid personal_access_token' do - env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = 'invalid_token' + env[described_class::PRIVATE_TOKEN_HEADER] = 'invalid_token' expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError) end @@ -379,4 +379,58 @@ describe Gitlab::Auth::UserAuthFinders do end end end + + describe '#find_runner_from_token' do + let(:runner) { create(:ci_runner) } + + context 'with API requests' do + before do + env['SCRIPT_NAME'] = '/api/endpoint' + end + + it 'returns the runner if token is valid' do + set_param(:token, runner.token) + + expect(find_runner_from_token).to eq(runner) + end + + it 'returns nil if token is not present' do + expect(find_runner_from_token).to be_nil + end + + it 'returns nil if token is blank' do + set_param(:token, '') + + expect(find_runner_from_token).to be_nil + end + + it 'returns exception if invalid token' do + set_param(:token, 'invalid_token') + + expect { find_runner_from_token }.to raise_error(Gitlab::Auth::UnauthorizedError) + end + end + + context 'without API requests' do + before do + env['SCRIPT_NAME'] = 'url.ics' + end + + it 'returns nil if token is valid' do + set_param(:token, runner.token) + + expect(find_runner_from_token).to be_nil + end + + it 'returns nil if token is blank' do + expect(find_runner_from_token).to be_nil + end + + it 'returns nil if invalid token' do + set_param(:token, 'invalid_token') + + expect(find_runner_from_token).to be_nil + end + end + end end 
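Review bot: In the `without API requests` context of the new `#find_runner_from_token` block, the example `it 'returns nil if token is blank'` never sets the param, so it re-runs the missing-token path and leaves the blank-token case on the non-API branch untested. Mirror the API context and add `set_param(:token, '')` as the first line of that example. The other examples in that context do set the param, so this reads as an omission rather than intent.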
diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb index b93d460cf48..3b3db0f7315 100644 --- a/spec/lib/gitlab/auth/current_user_mode_spec.rb +++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb 
@@ -62,69 +62,90 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do context 'when the user is an admin' do let(:user) { build(:user, :admin) } - it 'is false by default' do - expect(subject.admin_mode?).to be(false) - end - - it 'cannot be enabled with an invalid password' do - subject.enable_admin_mode!(password: nil) - - expect(subject.admin_mode?).to be(false) - end + context 'when admin mode not requested' do + it 'is false by default' do + expect(subject.admin_mode?).to be(false) + end - it 'can be enabled with a valid password' do - subject.enable_admin_mode!(password: user.password) + it 'raises exception if we try to enable it' do + expect do + subject.enable_admin_mode!(password: user.password) + end.to raise_error(::Gitlab::Auth::CurrentUserMode::NotRequestedError) - expect(subject.admin_mode?).to be(true) + expect(subject.admin_mode?).to be(false) + end end - it 'can be disabled' do - subject.enable_admin_mode!(password: user.password) - subject.disable_admin_mode! - - expect(subject.admin_mode?).to be(false) - end + context 'when admin mode requested first' do + before do + subject.request_admin_mode! + end - it 'will expire in the future' do - subject.enable_admin_mode!(password: user.password) - expect(subject.admin_mode?).to be(true), 'admin mode is not active in the present' + it 'is false by default' do + expect(subject.admin_mode?).to be(false) + end - Timecop.freeze(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do - # in the future this will be a new request, simulate by clearing the RequestStore - Gitlab::SafeRequestStore.clear! 
+ it 'cannot be enabled with an invalid password' do + subject.enable_admin_mode!(password: nil) - expect(subject.admin_mode?).to be(false), 'admin mode did not expire in the future' + expect(subject.admin_mode?).to be(false) end - end - context 'skipping password validation' do it 'can be enabled with a valid password' do - subject.enable_admin_mode!(password: user.password, skip_password_validation: true) + subject.enable_admin_mode!(password: user.password) expect(subject.admin_mode?).to be(true) end - it 'can be enabled with an invalid password' do - subject.enable_admin_mode!(skip_password_validation: true) + it 'can be disabled' do + subject.enable_admin_mode!(password: user.password) + subject.disable_admin_mode! - expect(subject.admin_mode?).to be(true) + expect(subject.admin_mode?).to be(false) end - end - context 'with two independent sessions' do - let(:another_session) { {} } - let(:another_subject) { described_class.new(user) } + it 'will expire in the future' do + subject.enable_admin_mode!(password: user.password) + expect(subject.admin_mode?).to be(true), 'admin mode is not active in the present' - before do - allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session, another_session]) + Timecop.freeze(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do + # in the future this will be a new request, simulate by clearing the RequestStore + Gitlab::SafeRequestStore.clear! 
+ + expect(subject.admin_mode?).to be(false), 'admin mode did not expire in the future' + end end - it 'can be enabled in one and seen in the other' do - Gitlab::Session.with_session(another_session) do - another_subject.enable_admin_mode!(password: user.password) + context 'skipping password validation' do + it 'can be enabled with a valid password' do + subject.enable_admin_mode!(password: user.password, skip_password_validation: true) + + expect(subject.admin_mode?).to be(true) end - expect(subject.admin_mode?).to be(true) + it 'can be enabled with an invalid password' do + subject.enable_admin_mode!(skip_password_validation: true) + + expect(subject.admin_mode?).to be(true) + end + end + + context 'with two independent sessions' do + let(:another_session) { {} } + let(:another_subject) { described_class.new(user) } + + before do + allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session, another_session]) + end + + it 'can be enabled in one and seen in the other' do + Gitlab::Session.with_session(another_session) do + another_subject.request_admin_mode! + another_subject.enable_admin_mode!(password: user.password) + end + + expect(subject.admin_mode?).to be(true) + end end end end 
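Review bot: The `when admin mode not requested` context only checks that `enable_admin_mode!(password: user.password)` raises `NotRequestedError`; the `skip_password_validation: true` path is exercised only under `when admin mode requested first`, so nothing pins that skipping the password check does not also skip the request check. Add to the not-requested context `expect { subject.enable_admin_mode!(skip_password_validation: true) }.to raise_error(::Gitlab::Auth::CurrentUserMode::NotRequestedError)` followed by `expect(subject.admin_mode?).to be(false)`. Whether the implementation orders the request check before the password check cannot be read from this spec, which is why the example is worth having. The enclosing `describe` and the `when the user is an admin` context begin before this hunk.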
@@ -134,16 +155,28 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do let(:user) { build(:user, :admin) } it 'creates a timestamp in the session' do + subject.request_admin_mode! subject.enable_admin_mode!(password: user.password) expect(session).to include(expected_session_entry(be_within(1.second).of Time.now)) end end + describe '#enable_sessionless_admin_mode!' do + let(:user) { build(:user, :admin) } + + it 'enabled admin mode without password' do + subject.enable_sessionless_admin_mode! + + expect(subject.admin_mode?).to be(true) + end + end + describe '#disable_admin_mode!' do let(:user) { build(:user, :admin) } it 'sets the session timestamp to nil' do + subject.request_admin_mode! subject.disable_admin_mode! expect(session).to include(expected_session_entry(be_nil)) diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb index f7fff389d88..4dbcd0df302 100644 --- a/spec/lib/gitlab/auth/request_authenticator_spec.rb +++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb @@ -66,4 +66,28 @@ describe Gitlab::Auth::RequestAuthenticator do expect(subject.find_sessionless_user([:api])).to be_blank end end + + describe '#runner' do + let!(:runner) { build(:ci_runner) } + + it 'returns the runner using #find_runner_from_token' do + expect_any_instance_of(described_class) + .to receive(:find_runner_from_token) + .and_return(runner) + + expect(subject.runner).to eq runner + end + + it 'returns nil if no runner is found' do + expect(subject.runner).to be_blank + end + + it 'rescue Gitlab::Auth::AuthenticationError exceptions' do + expect_any_instance_of(described_class) + .to receive(:find_runner_from_token) + .and_raise(Gitlab::Auth::UnauthorizedError) + + expect(subject.runner).to be_blank + end + end end diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml index 26793f28bd8..8d436fb28e0 100644 
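Review bot: The new `#enable_sessionless_admin_mode!` example asserts only `admin_mode?`, while the sibling `#enable_admin_mode!` example also asserts the session contents; if the sessionless variant is meant not to persist a timestamp in `session` (presumably so, from the name, but confirm against the implementation), add an assertion that `session` holds no admin-mode entry after the call, using the existing `expected_session_entry` helper in negated form. The example description `'enabled admin mode without password'` should read `'enables admin mode without a password'`.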
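Review bot: The `#runner` examples pin that `Gitlab::Auth::UnauthorizedError` is turned into a blank result, but nothing pins that the rescue is limited to authentication errors, so a later broadening of the rescue would pass unnoticed while hiding real failures behind "no runner"; add an example where `find_runner_from_token` is stubbed with `.and_raise(StandardError)` and assert `expect { subject.runner }.to raise_error(StandardError)`. The title `'rescue Gitlab::Auth::AuthenticationError exceptions'` raises `UnauthorizedError`, so it relies on that class being a subclass of `AuthenticationError`; that is fine if so, but the title should read `'rescues ...'`. `let!(:runner)` eagerly builds a runner for every example although only the first uses it; `let` suffices.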
--- a/spec/lib/gitlab/import_export/all_models.yml +++ b/spec/lib/gitlab/import_export/all_models.yml @@ -443,6 +443,7 @@ project: - downstream_project_subscriptions - service_desk_setting - import_failures +- container_expiration_policy award_emoji: - awardable - user diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml index fa6bf14bf64..bf8c079f027 100644 --- a/spec/lib/gitlab/import_export/safe_model_attributes.yml +++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml @@ -773,3 +773,13 @@ ZoomMeeting: ServiceDeskSetting: - project_id - issue_template_key +ContainerExpirationPolicy: +- created_at +- updated_at +- next_run_at +- project_id +- name_regex +- cadence +- older_than +- keep_n +- enabled |
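Review bot: Adding `name_regex` and `next_run_at` to `ContainerExpirationPolicy` in `safe_model_attributes.yml` declares them acceptable from an imported project archive, which is untrusted input; `name_regex` is presumably a pattern that gets compiled later, and `next_run_at` looks like scheduler state. This fixture only asserts the attribute whitelist, so confirm that the model's validations (pattern validity and the allowed values for `cadence`, `older_than` and `keep_n`) run on the import path rather than relying on the exported values having been valid, and consider whether `next_run_at` should be recomputed on import instead of carried over. The one-line addition in `all_models.yml` only registers the association and needs nothing further.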