Diffstat (limited to 'spec/requests/api/resource_access_tokens_spec.rb')
-rw-r--r--spec/requests/api/resource_access_tokens_spec.rb187
1 files changed, 103 insertions, 84 deletions
diff --git a/spec/requests/api/resource_access_tokens_spec.rb b/spec/requests/api/resource_access_tokens_spec.rb
index 23061ab4bf0..7e3e682767f 100644
--- a/spec/requests/api/resource_access_tokens_spec.rb
+++ b/spec/requests/api/resource_access_tokens_spec.rb
@@ -3,25 +3,27 @@
require "spec_helper"
RSpec.describe API::ResourceAccessTokens do
- context "when the resource is a project" do
- let_it_be(:project) { create(:project) }
- let_it_be(:other_project) { create(:project) }
- let_it_be(:user) { create(:user) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:user_non_priviledged) { create(:user) }
- describe "GET projects/:id/access_tokens" do
- subject(:get_tokens) { get api("/projects/#{project_id}/access_tokens", user) }
+ shared_examples 'resource access token API' do |source_type|
+ context "GET #{source_type}s/:id/access_tokens" do
+ subject(:get_tokens) { get api("/#{source_type}s/#{resource_id}/access_tokens", user) }
- context "when the user has maintainer permissions" do
+ context "when the user has valid permissions" do
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:access_tokens) { create_list(:personal_access_token, 3, user: project_bot) }
- let_it_be(:project_id) { project.id }
+ let_it_be(:resource_id) { resource.id }
before do
- project.add_maintainer(user)
- project.add_maintainer(project_bot)
+ if source_type == 'project'
+ resource.add_maintainer(project_bot)
+ else
+ resource.add_owner(project_bot)
+ end
end
- it "gets a list of access tokens for the specified project" do
+ it "gets a list of access tokens for the specified #{source_type}" do
get_tokens
token_ids = json_response.map { |token| token['id'] }
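Review bot: `user_non_priviledged` in the new `let_it_be` at the top of this hunk is misspelled, and the name is then repeated on four more new lines (the two `let_it_be(:user)` overrides in the "does not have valid permissions" contexts and both `before_all` blocks in the trailing project/group contexts), so the typo will be copied into every spec that reuses the shared example; renaming it now to `let_it_be(:user_non_privileged) { create(:user) }` is cheap. The `before` block in this hunk also branches on `source_type` to choose the bot's role; the same `if source_type == 'project'` branch is repeated verbatim in the POST bot context near the end of the diff. The shared example opened here continues past the end of this hunk.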
@@ -38,16 +40,22 @@ RSpec.describe API::ResourceAccessTokens do
expect(api_get_token["name"]).to eq(token.name)
expect(api_get_token["scopes"]).to eq(token.scopes)
- expect(api_get_token["access_level"]).to eq(project.team.max_member_access(token.user.id))
+
+ if source_type == 'project'
+ expect(api_get_token["access_level"]).to eq(resource.team.max_member_access(token.user.id))
+ else
+ expect(api_get_token["access_level"]).to eq(resource.max_member_access_for_user(token.user))
+ end
+
expect(api_get_token["expires_at"]).to eq(token.expires_at.to_date.iso8601)
expect(api_get_token).not_to have_key('token')
end
- context "when using a project access token to GET other project access tokens" do
+ context "when using a #{source_type} access token to GET other #{source_type} access tokens" do
let_it_be(:token) { access_tokens.first }
- it "gets a list of access tokens for the specified project" do
- get api("/projects/#{project_id}/access_tokens", personal_access_token: token)
+ it "gets a list of access tokens for the specified #{source_type}" do
+ get api("/#{source_type}s/#{resource_id}/access_tokens", personal_access_token: token)
token_ids = json_response.map { |token| token['id'] }
@@ -56,16 +64,15 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when tokens belong to a different project" do
+ context "when tokens belong to a different #{source_type}" do
let_it_be(:bot) { create(:user, :project_bot) }
let_it_be(:token) { create(:personal_access_token, user: bot) }
before do
- other_project.add_maintainer(bot)
- other_project.add_maintainer(user)
+ other_resource.add_maintainer(bot)
end
- it "does not return tokens from a different project" do
+ it "does not return tokens from a different #{source_type}" do
get_tokens
token_ids = json_response.map { |token| token['id'] }
@@ -74,12 +81,8 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when the project has no access tokens" do
- let(:project_id) { other_project.id }
-
- before do
- other_project.add_maintainer(user)
- end
+ context "when the #{source_type} has no access tokens" do
+ let(:resource_id) { other_resource.id }
it 'returns an empty array' do
get_tokens
@@ -89,8 +92,8 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when trying to get the tokens of a different project" do
- let_it_be(:project_id) { other_project.id }
+ context "when trying to get the tokens of a different #{source_type}" do
+ let_it_be(:resource_id) { unknown_resource.id }
it "returns 404" do
get_tokens
@@ -99,8 +102,8 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when the project does not exist" do
- let(:project_id) { non_existing_record_id }
+ context "when the #{source_type} does not exist" do
+ let(:resource_id) { non_existing_record_id }
it "returns 404" do
get_tokens
@@ -111,13 +114,13 @@ RSpec.describe API::ResourceAccessTokens do
end
context "when the user does not have valid permissions" do
+ let_it_be(:user) { user_non_priviledged }
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:access_tokens) { create_list(:personal_access_token, 3, user: project_bot) }
- let_it_be(:project_id) { project.id }
+ let_it_be(:resource_id) { resource.id }
before do
- project.add_developer(user)
- project.add_maintainer(project_bot)
+ resource.add_maintainer(project_bot)
end
it "returns 401" do
@@ -128,40 +131,36 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- describe "DELETE projects/:id/access_tokens/:token_id", :sidekiq_inline do
- subject(:delete_token) { delete api("/projects/#{project_id}/access_tokens/#{token_id}", user) }
+ context "DELETE #{source_type}s/:id/access_tokens/:token_id", :sidekiq_inline do
+ subject(:delete_token) { delete api("/#{source_type}s/#{resource_id}/access_tokens/#{token_id}", user) }
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:token) { create(:personal_access_token, user: project_bot) }
- let_it_be(:project_id) { project.id }
+ let_it_be(:resource_id) { resource.id }
let_it_be(:token_id) { token.id }
before do
- project.add_maintainer(project_bot)
+ resource.add_maintainer(project_bot)
end
- context "when the user has maintainer permissions" do
- before do
- project.add_maintainer(user)
- end
-
- it "deletes the project access token from the project" do
+ context "when the user has valid permissions" do
+ it "deletes the #{source_type} access token from the #{source_type}" do
delete_token
expect(response).to have_gitlab_http_status(:no_content)
expect(User.exists?(project_bot.id)).to be_falsy
end
- context "when using project access token to DELETE other project access token" do
+ context "when using #{source_type} access token to DELETE other #{source_type} access token" do
let_it_be(:other_project_bot) { create(:user, :project_bot) }
let_it_be(:other_token) { create(:personal_access_token, user: other_project_bot) }
let_it_be(:token_id) { other_token.id }
before do
- project.add_maintainer(other_project_bot)
+ resource.add_maintainer(other_project_bot)
end
- it "deletes the project access token from the project" do
+ it "deletes the #{source_type} access token from the #{source_type}" do
delete_token
expect(response).to have_gitlab_http_status(:no_content)
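Review bot: The DELETE `before` block here adds the bot with `resource.add_maintainer(project_bot)` for both source types, while the GET and POST contexts add a group bot as owner and the "different resource" context adds it as maintainer; the tests appear to pass either way, but the inconsistency is unexplained and a reader cannot tell whether the group bot's role is meant to matter for deletion. Extracting the role selection once in the shared example, e.g. `def add_bot_member(resource, bot, source_type)` with the body `source_type == 'project' ? resource.add_maintainer(bot) : resource.add_owner(bot)`, and calling it from every `before` block would make bot membership uniform across GET, DELETE and POST. The DELETE context continues past the end of this hunk.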
@@ -169,37 +168,31 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when attempting to delete a non-existent project access token" do
+ context "when attempting to delete a non-existent #{source_type} access token" do
let_it_be(:token_id) { non_existing_record_id }
it "does not delete the token, and returns 404" do
delete_token
expect(response).to have_gitlab_http_status(:not_found)
- expect(response.body).to include("Could not find project access token with token_id: #{token_id}")
+ expect(response.body).to include("Could not find #{source_type} access token with token_id: #{token_id}")
end
end
- context "when attempting to delete a token that does not belong to the specified project" do
- let_it_be(:project_id) { other_project.id }
-
- before do
- other_project.add_maintainer(user)
- end
+ context "when attempting to delete a token that does not belong to the specified #{source_type}" do
+ let_it_be(:resource_id) { other_resource.id }
it "does not delete the token, and returns 404" do
delete_token
expect(response).to have_gitlab_http_status(:not_found)
- expect(response.body).to include("Could not find project access token with token_id: #{token_id}")
+ expect(response.body).to include("Could not find #{source_type} access token with token_id: #{token_id}")
end
end
end
context "when the user does not have valid permissions" do
- before do
- project.add_developer(user)
- end
+ let_it_be(:user) { user_non_priviledged }
it "does not delete the token, and returns 400", :aggregate_failures do
delete_token
@@ -211,23 +204,19 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- describe "POST projects/:id/access_tokens" do
+ context "POST #{source_type}s/:id/access_tokens" do
let(:params) { { name: "test", scopes: ["api"], expires_at: expires_at, access_level: access_level } }
let(:expires_at) { 1.month.from_now }
let(:access_level) { 20 }
- subject(:create_token) { post api("/projects/#{project_id}/access_tokens", user), params: params }
+ subject(:create_token) { post api("/#{source_type}s/#{resource_id}/access_tokens", user), params: params }
- context "when the user has maintainer permissions" do
- let_it_be(:project_id) { project.id }
-
- before do
- project.add_maintainer(user)
- end
+ context "when the user has valid permissions" do
+ let_it_be(:resource_id) { resource.id }
context "with valid params" do
context "with full params" do
- it "creates a project access token with the params", :aggregate_failures do
+ it "creates a #{source_type} access token with the params", :aggregate_failures do
create_token
expect(response).to have_gitlab_http_status(:created)
@@ -242,7 +231,7 @@ RSpec.describe API::ResourceAccessTokens do
context "when 'expires_at' is not set" do
let(:expires_at) { nil }
- it "creates a project access token with the params", :aggregate_failures do
+ it "creates a #{source_type} access token with the params", :aggregate_failures do
create_token
expect(response).to have_gitlab_http_status(:created)
@@ -255,7 +244,7 @@ RSpec.describe API::ResourceAccessTokens do
context "when 'access_level' is not set" do
let(:access_level) { nil }
- it 'creates a project access token with the default access level', :aggregate_failures do
+ it "creates a #{source_type} access token with the default access level", :aggregate_failures do
create_token
expect(response).to have_gitlab_http_status(:created)
@@ -272,7 +261,7 @@ RSpec.describe API::ResourceAccessTokens do
context "when missing the 'name' param" do
let_it_be(:params) { { scopes: ["api"], expires_at: 5.days.from_now } }
- it "does not create a project access token without 'name'" do
+ it "does not create a #{source_type} access token without 'name'" do
create_token
expect(response).to have_gitlab_http_status(:bad_request)
@@ -283,7 +272,7 @@ RSpec.describe API::ResourceAccessTokens do
context "when missing the 'scopes' param" do
let_it_be(:params) { { name: "test", expires_at: 5.days.from_now } }
- it "does not create a project access token without 'scopes'" do
+ it "does not create a #{source_type} access token without 'scopes'" do
create_token
expect(response).to have_gitlab_http_status(:bad_request)
@@ -292,50 +281,80 @@ RSpec.describe API::ResourceAccessTokens do
end
end
- context "when trying to create a token in a different project" do
- let_it_be(:project_id) { other_project.id }
+ context "when trying to create a token in a different #{source_type}" do
+ let_it_be(:resource_id) { unknown_resource.id }
- it "does not create the token, and returns the project not found error" do
+ it "does not create the token, and returns the #{source_type} not found error" do
create_token
expect(response).to have_gitlab_http_status(:not_found)
- expect(response.body).to include("Project Not Found")
+ expect(response.body).to include("#{source_type.capitalize} Not Found")
end
end
end
context "when the user does not have valid permissions" do
- let_it_be(:project_id) { project.id }
+ let_it_be(:resource_id) { resource.id }
- context "when the user is a developer" do
- before do
- project.add_developer(user)
- end
+ context "when the user role is too low" do
+ let_it_be(:user) { user_non_priviledged }
it "does not create the token, and returns the permission error" do
create_token
expect(response).to have_gitlab_http_status(:bad_request)
- expect(response.body).to include("User does not have permission to create project access token")
+ expect(response.body).to include("User does not have permission to create #{source_type} access token")
end
end
- context "when a project access token tries to create another project access token" do
+ context "when a #{source_type} access token tries to create another #{source_type} access token" do
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:user) { project_bot }
before do
- project.add_maintainer(user)
+ if source_type == 'project'
+ resource.add_maintainer(project_bot)
+ else
+ resource.add_owner(project_bot)
+ end
end
- it "does not allow a project access token to create another project access token" do
+ it "does not allow a #{source_type} access token to create another #{source_type} access token" do
create_token
expect(response).to have_gitlab_http_status(:bad_request)
- expect(response.body).to include("User does not have permission to create project access token")
+ expect(response.body).to include("User does not have permission to create #{source_type} access token")
end
end
end
end
end
+
+ context 'when the resource is a project' do
+ let_it_be(:resource) { create(:project) }
+ let_it_be(:other_resource) { create(:project) }
+ let_it_be(:unknown_resource) { create(:project) }
+
+ before_all do
+ resource.add_maintainer(user)
+ other_resource.add_maintainer(user)
+ resource.add_developer(user_non_priviledged)
+ end
+
+ it_behaves_like 'resource access token API', 'project'
+ end
+
+ context 'when the resource is a group' do
+ let_it_be(:resource) { create(:group) }
+ let_it_be(:other_resource) { create(:group) }
+ let_it_be(:unknown_resource) { create(:project) }
+
+ before_all do
+ resource.add_owner(user)
+ other_resource.add_owner(user)
+ resource.add_maintainer(user_non_priviledged)
+ end
+
+ it_behaves_like 'resource access token API', 'group'
+ end
end
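Review bot: In the new group context, `let_it_be(:unknown_resource) { create(:project) }` creates a project, not a group, so the two "different group" cases (`let_it_be(:resource_id) { unknown_resource.id }` in the GET and POST contexts of the shared example) send a project id to `/groups/:id/access_tokens`. The 404 then comes from no group having that id rather than from the caller lacking membership, so the group branch no longer verifies that tokens of a group the caller does not belong to are hidden; and if the project id sequence happens to coincide with one of the two groups created just above, the request would hit the caller's own group and the test would fail. Change the line to `let_it_be(:unknown_resource) { create(:group) }`, matching the project branch where the unknown resource has the same type as the resource under test.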