Diffstat (limited to 'spec/requests/api/helpers_spec.rb')
-rw-r--r-- | spec/requests/api/helpers_spec.rb | 63 |
1 files changed, 62 insertions, 1 deletions
diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb
index 9c0ea14e3e3..91d10791541 100644
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe API::Helpers do
   include described_class
   include TermsHelper
-  let(:user) { create(:user) }
+  let_it_be(:user, reload: true) { create(:user) }
   let(:admin) { create(:admin) }
   let(:key) { create(:key, user: user) }
@@ -243,6 +243,67 @@ RSpec.describe API::Helpers do
         end
       end
     end
+
+    describe "when authenticating using a job token" do
+      let_it_be(:job, reload: true) do
+        create(:ci_build, user: user, status: :running)
+      end
+
+      let(:route_authentication_setting) { {} }
+
+      before do
+        allow_any_instance_of(self.class).to receive(:route_authentication_setting)
+          .and_return(route_authentication_setting)
+      end
+
+      context 'when route is allowed to be authenticated' do
+        let(:route_authentication_setting) { { job_token_allowed: true } }
+
+        it "returns a 401 response for an invalid token" do
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
+
+          expect { current_user }.to raise_error /401/
+        end
+
+        it "returns a 401 response for a job that's not running" do
+          job.update!(status: :success)
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token
+
+          expect { current_user }.to raise_error /401/
+        end
+
+        it "returns a 403 response for a user without access" do
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token
+          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
+
+          expect { current_user }.to raise_error /403/
+        end
+
+        it 'returns a 403 response for a user who is blocked' do
+          user.block!
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token
+
+          expect { current_user }.to raise_error /403/
+        end
+
+        it "sets current_user" do
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token
+
+          expect(current_user).to eq(user)
+        end
+      end
+
+      context 'when route is not allowed to be authenticated' do
+        let(:route_authentication_setting) { { job_token_allowed: false } }
+
+        it "sets current_user to nil" do
+          env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token
+          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
+
+          expect(current_user).to be_nil
+        end
+      end
+    end
   end
 
   describe '.handle_api_exception' do
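Review bot: The default `route_authentication_setting` of `{}` is never exercised — both contexts override it with an explicit `job_token_allowed` value, so nothing pins what `current_user` does on a route that declares no job-token setting at all, which is the case most routes are in. An example outside the two contexts with `env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = job.token` followed by `expect(current_user).to be_nil` would lock in deny-by-default, assuming that is the intended behaviour for an absent setting. Separately, the four `raise_error /401/` and `raise_error /403/` assertions pass a bare regexp that Ruby parses as an ambiguous first argument; `expect { current_user }.to raise_error(/401/)` is the conventional form, and naming the expected error class alongside the message pattern would stop an unrelated exception whose message happens to contain "401" from satisfying the matcher. The enclosing describe that these examples sit in starts before the hunk.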