spec/requests/api/api_helpers_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

require 'spec_helper'

describe API::Helpers, api: true do

  include API::Helpers
  include ApiHelpers

  let(:user) { create(:user) }
  let(:admin) { create(:admin) }
  let(:key) { create(:key, user: user) }

  let(:params) { {} }
  let(:env) { {} }

  def set_env(token_usr, identifier)
    clear_env
    clear_param
    env[API::Helpers::PRIVATE_TOKEN_HEADER] = token_usr.private_token
    env[API::Helpers::SUDO_HEADER] = identifier
  end

  def set_param(token_usr, identifier)
    clear_env
    clear_param
    params[API::Helpers::PRIVATE_TOKEN_PARAM] = token_usr.private_token
    params[API::Helpers::SUDO_PARAM] = identifier
  end

  def clear_env
    env.delete(API::Helpers::PRIVATE_TOKEN_HEADER)
    env.delete(API::Helpers::SUDO_HEADER)
  end

  def clear_param
    params.delete(API::Helpers::PRIVATE_TOKEN_PARAM)
    params.delete(API::Helpers::SUDO_PARAM)
  end

  def error!(message, status)
    raise Exception
  end

  describe ".current_user" do
    describe "when authenticating using a user's private token" do
      it "should return nil for an invalid token" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
        allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
        expect(current_user).to be_nil
      end

      it "should return nil for a user without access" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = user.private_token
        allow(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
        expect(current_user).to be_nil
      end

      it "should leave user as is when sudo not specified" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = user.private_token
        expect(current_user).to eq(user)
        clear_env
        params[API::Helpers::PRIVATE_TOKEN_PARAM] = user.private_token
        expect(current_user).to eq(user)
      end
    end

    describe "when authenticating using a user's personal access tokens" do
      let(:personal_access_token) { create(:personal_access_token, user: user) }

      it "should return nil for an invalid token" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
        allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
        expect(current_user).to be_nil
      end

      it "should return nil for a user without access" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
        allow(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
        expect(current_user).to be_nil
      end

      it "should leave user as is when sudo not specified" do
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
        expect(current_user).to eq(user)
        clear_env
        params[API::Helpers::PRIVATE_TOKEN_PARAM] = personal_access_token.token
        expect(current_user).to eq(user)
      end

      it 'does not allow revoked tokens' do
        personal_access_token.revoke!
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
        allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
        expect(current_user).to be_nil
      end

      it 'does not allow expired tokens' do
        personal_access_token.update_attributes!(expires_at: 1.day.ago)
        env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
        allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
        expect(current_user).to be_nil
      end
    end

    it "should change current user to sudo when admin" do
      set_env(admin, user.id)
      expect(current_user).to eq(user)
      set_param(admin, user.id)
      expect(current_user).to eq(user)
      set_env(admin, user.username)
      expect(current_user).to eq(user)
      set_param(admin, user.username)
      expect(current_user).to eq(user)
    end

    it "should throw an error when the current user is not an admin and attempting to sudo" do
      set_env(user, admin.id)
      expect { current_user }.to raise_error(Exception)
      set_param(user, admin.id)
      expect { current_user }.to raise_error(Exception)
      set_env(user, admin.username)
      expect { current_user }.to raise_error(Exception)
      set_param(user, admin.username)
      expect { current_user }.to raise_error(Exception)
    end

    it "should throw an error when the user cannot be found for a given id" do
      id = user.id + admin.id
      expect(user.id).not_to eq(id)
      expect(admin.id).not_to eq(id)
      set_env(admin, id)
      expect { current_user }.to raise_error(Exception)

      set_param(admin, id)
      expect { current_user }.to raise_error(Exception)
    end

    it "should throw an error when the user cannot be found for a given username" do
      username = "#{user.username}#{admin.username}"
      expect(user.username).not_to eq(username)
      expect(admin.username).not_to eq(username)
      set_env(admin, username)
      expect { current_user }.to raise_error(Exception)

      set_param(admin, username)
      expect { current_user }.to raise_error(Exception)
    end

    it "should handle sudo's to oneself" do
      set_env(admin, admin.id)
      expect(current_user).to eq(admin)
      set_param(admin, admin.id)
      expect(current_user).to eq(admin)
      set_env(admin, admin.username)
      expect(current_user).to eq(admin)
      set_param(admin, admin.username)
      expect(current_user).to eq(admin)
    end

    it "should handle multiple sudo's to oneself" do
      set_env(admin, user.id)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
      set_env(admin, user.username)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)

      set_param(admin, user.id)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
      set_param(admin, user.username)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
    end

    it "should handle multiple sudo's to oneself using string ids" do
      set_env(admin, user.id.to_s)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)

      set_param(admin, user.id.to_s)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
    end
  end

  describe '.sudo_identifier' do
    it "should return integers when input is an int" do
      set_env(admin, '123')
      expect(sudo_identifier).to eq(123)
      set_env(admin, '0001234567890')
      expect(sudo_identifier).to eq(1234567890)

      set_param(admin, '123')
      expect(sudo_identifier).to eq(123)
      set_param(admin, '0001234567890')
      expect(sudo_identifier).to eq(1234567890)
    end

    it "should return string when input is an is not an int" do
      set_env(admin, '12.30')
      expect(sudo_identifier).to eq("12.30")
      set_env(admin, 'hello')
      expect(sudo_identifier).to eq('hello')
      set_env(admin, ' 123')
      expect(sudo_identifier).to eq(' 123')

      set_param(admin, '12.30')
      expect(sudo_identifier).to eq("12.30")
      set_param(admin, 'hello')
      expect(sudo_identifier).to eq('hello')
      set_param(admin, ' 123')
      expect(sudo_identifier).to eq(' 123')
    end
  end
end