Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/gitlab/auth/auth_finders_spec.rb | 116 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/request_authenticator_spec.rb | 50 |
2 files changed, 166 insertions, 0 deletions
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 14200733c19..2d4239eb761 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -708,6 +708,122 @@ RSpec.describe Gitlab::Auth::AuthFinders do end end + describe '#find_user_from_basic_auth_password' do + subject { find_user_from_basic_auth_password } + + context 'when the request does not have AUTHORIZATION header' do + it { is_expected.to be_nil } + end + + it 'returns nil without user and password' do + set_basic_auth_header(nil, nil) + + is_expected.to be_nil + end + + it 'returns nil without password' do + set_basic_auth_header('some-user', nil) + + is_expected.to be_nil + end + + it 'returns nil without user' do + set_basic_auth_header(nil, 'password') + + is_expected.to be_nil + end + + it 'returns nil with CI username' do + set_basic_auth_header(::Gitlab::Auth::CI_JOB_USER, 'password') + + is_expected.to be_nil + end + + it 'returns nil with wrong password' do + set_basic_auth_header(user.username, 'wrong-password') + + is_expected.to be_nil + end + + it 'returns user with correct credentials' do + set_basic_auth_header(user.username, user.password) + + is_expected.to eq(user) + end + end + + describe '#find_user_from_lfs_token' do + subject { find_user_from_lfs_token } + + context 'when the request does not have AUTHORIZATION header' do + it { is_expected.to be_nil } + end + + it 'returns nil without user and token' do + set_basic_auth_header(nil, nil) + + is_expected.to be_nil + end + + it 'returns nil without token' do + set_basic_auth_header('some-user', nil) + + is_expected.to be_nil + end + + it 'returns nil without user' do + set_basic_auth_header(nil, 'token') + + is_expected.to be_nil + end + + it 'returns nil with wrong token' do + set_basic_auth_header(user.username, 'wrong-token') + + is_expected.to be_nil + end + + it 'returns user with correct user and correct token' do + lfs_token = Gitlab::LfsToken.new(user).token + set_basic_auth_header(user.username, lfs_token) + + is_expected.to eq(user) + end + + it 'returns nil with wrong user and correct token' do + lfs_token = Gitlab::LfsToken.new(user).token + other_user = 
create(:user) + set_basic_auth_header(other_user.username, lfs_token) + + is_expected.to be_nil + end + end + + describe '#find_user_from_personal_access_token' do + subject { find_user_from_personal_access_token } + + it 'returns nil without access token' do + allow_any_instance_of(described_class).to receive(:access_token).and_return(nil) + + is_expected.to be_nil + end + + it 'returns user with correct access token' do + personal_access_token = create(:personal_access_token, user: user) + allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token) + + is_expected.to eq(user) + end + + it 'returns exception if access token has no user' do + personal_access_token = create(:personal_access_token, user: user) + allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token) + allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil) + + expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError) + end + end + describe '#validate_access_token!' do subject { validate_access_token! } diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb index 93e9cb06786..28e93a8da52 100644 --- a/spec/lib/gitlab/auth/request_authenticator_spec.rb +++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb @@ -45,6 +45,9 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do let!(:feed_token_user) { build(:user) } let!(:static_object_token_user) { build(:user) } let!(:job_token_user) { build(:user) } + let!(:lfs_token_user) { build(:user) } + let!(:basic_auth_access_token_user) { build(:user) } + let!(:basic_auth_password_user) { build(:user) } it 'returns access_token user first' do allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token) 
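Review bot: The `#find_user_from_basic_auth_password` examples never cover a user with two-factor authentication enabled or a blocked/deactivated account, so a correct username and password is only shown to succeed for a plain active user. If the underlying password lookup is meant to refuse such accounts (a 2FA-enabled user authenticating with just a password would otherwise skip the second factor), add a nested context, e.g. `let(:user) { create(:user, :two_factor) }` with `set_basic_auth_header(user.username, user.password)` and `is_expected.to be_nil`, and a similar one for a blocked user. The factory trait names are assumed from the rest of the suite; adjust them to whatever the user factory defines. The `#find_user_from_personal_access_token` examples stub `access_token` outright, so nothing here exercises reading the token out of the Basic-Auth password field; one example that sets the header with a real token and expects the user would close that gap.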
@@ -78,6 +81,30 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do expect(subject.find_sessionless_user(:api)).to eq job_token_user end + it 'returns lfs_token user if no job_token user found' do + allow_any_instance_of(described_class) + .to receive(:find_user_from_lfs_token) + .and_return(lfs_token_user) + + expect(subject.find_sessionless_user(:api)).to eq lfs_token_user + end + + it 'returns basic_auth_access_token user if no lfs_token user found' do + allow_any_instance_of(described_class) + .to receive(:find_user_from_personal_access_token) + .and_return(basic_auth_access_token_user) + + expect(subject.find_sessionless_user(:api)).to eq basic_auth_access_token_user + end + + it 'returns basic_auth_access_password user if no basic_auth_access_token user found' do + allow_any_instance_of(described_class) + .to receive(:find_user_from_basic_auth_password) + .and_return(basic_auth_password_user) + + expect(subject.find_sessionless_user(:api)).to eq basic_auth_password_user + end + it 'returns nil if no user found' do expect(subject.find_sessionless_user(:api)).to be_blank end @@ -194,4 +221,27 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do expect(subject.runner).to be_blank end end + + describe '#route_authentication_setting' do + using RSpec::Parameterized::TableSyntax + + where(:script_name, :expected_job_token_allowed, :expected_basic_auth_personal_access_token) do + '/api/endpoint' | true | true + '/namespace/project.git' | false | true + '/web/endpoint' | false | false + end + + with_them do + before do + env['SCRIPT_NAME'] = script_name + end + + it 'returns correct settings' do + expect(subject.send(:route_authentication_setting)).to eql({ + job_token_allowed: expected_job_token_allowed, + basic_auth_personal_access_token: expected_basic_auth_personal_access_token + }) + end + end + end end |
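Review bot: The three new precedence examples in `find_sessionless_user` each stub a single finder and rely on every other finder returning nil for a header-less request, so they show that each finder is reachable but not that a lower-priority finder is skipped once a higher one has produced a user. Falling through to `find_user_from_basic_auth_password` on a request that already authenticated would mean an extra password check (with whatever failed-attempt accounting that implies), so it is worth pinning the short-circuit, e.g. in the PAT example add `expect_any_instance_of(described_class).not_to receive(:find_user_from_basic_auth_password)`. The `find_sessionless_user` describe block starts outside this hunk.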
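Review bot: The `#route_authentication_setting` table only contains paths that match at the expected prefix or suffix, so it does not pin that the `SCRIPT_NAME` matching is anchored; if the matcher is not, a path such as `/projects/api/endpoint` or `/web/archive.git.zip` could turn on `basic_auth_personal_access_token` for a web route. Add negative rows, e.g. `'/projects/api/endpoint' | false | false` and `'/web/archive.git.zip' | false | false`, with the expected values confirmed against the matcher, which is outside this diff. A row for a real git path with a sub-route, such as `/namespace/project.git/info/refs`, would also document which form of `SCRIPT_NAME` the matcher is expected to see.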