diff options
Diffstat (limited to 'spec/support/shared_examples/requests/sessionless_auth_request_shared_examples.rb')
-rw-r--r-- | spec/support/shared_examples/requests/sessionless_auth_request_shared_examples.rb | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/spec/support/shared_examples/requests/sessionless_auth_request_shared_examples.rb b/spec/support/shared_examples/requests/sessionless_auth_request_shared_examples.rb new file mode 100644 index 00000000000..d82da1b01e1 --- /dev/null +++ b/spec/support/shared_examples/requests/sessionless_auth_request_shared_examples.rb @@ -0,0 +1,84 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'authenticates sessionless user for the request spec' do |params| + params ||= {} + + before do + stub_authentication_activity_metrics(debug: false) + end + + let(:user) { create(:user) } + let(:personal_access_token) { create(:personal_access_token, user: user) } + let(:default_params) { params.except(:public) || {} } + + context "when the 'personal_access_token' param is populated with the personal access token" do + it 'logs the user in' do + expect(authentication_metrics) + .to increment(:user_authenticated_counter) + .and increment(:user_session_override_counter) + .and increment(:user_sessionless_authentication_counter) + + get url, params: default_params.merge(private_token: personal_access_token.token) + + expect(response).to have_gitlab_http_status(:ok) + expect(controller.current_user).to eq(user) + end + + it 'does not log the user in if page is public', if: params[:public] do + get url, params: default_params + + expect(response).to have_gitlab_http_status(:ok) + expect(controller.current_user).to be_nil + end + end + + context 'when the personal access token has no api scope', unless: params[:public] do + it 'does not log the user in' do + # Several instances of where these specs are shared route the request + # through ApplicationController#route_not_found which does not involve + # the usual auth code from Devise, so does not increment the + # :user_unauthenticated_counter + # + unless params[:ignore_incrementing] + expect(authentication_metrics) + .to increment(:user_unauthenticated_counter) + end + + personal_access_token.update!(scopes: [:read_user]) + + get url, params: default_params.merge(private_token: personal_access_token.token) + + expect(response).not_to have_gitlab_http_status(:ok) + end + end + + context "when the 'PERSONAL_ACCESS_TOKEN' header is populated with the personal access token" do + it 'logs the user in' do + expect(authentication_metrics) + .to increment(:user_authenticated_counter) + .and increment(:user_session_override_counter) + .and increment(:user_sessionless_authentication_counter) + + headers = { 'PRIVATE-TOKEN': personal_access_token.token } + get url, params: default_params, headers: headers + + expect(response).to have_gitlab_http_status(:ok) + end + end + + it "doesn't log the user in otherwise", unless: params[:public] do + # Several instances of where these specs are shared route the request + # through ApplicationController#route_not_found which does not involve + # the usual auth code from Devise, so does not increment the + # :user_unauthenticated_counter + # + unless params[:ignore_incrementing] + expect(authentication_metrics) + .to increment(:user_unauthenticated_counter) + end + + get url, params: default_params.merge(private_token: 'token') + + expect(response).not_to have_gitlab_http_status(:ok) + end +end |