spec/requests/api/api_helpers_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

require 'spec_helper'

describe API, api: true do
  include API::APIHelpers
  include ApiHelpers
  let(:user) { create(:user) }
  let(:admin) { create(:admin) }
  let(:key) { create(:key, user: user) }

  let(:params) { {} }
  let(:env) { {} }

  def set_env(token_usr, identifier)
    clear_env
    clear_param
    env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = token_usr.private_token
    env[API::APIHelpers::SUDO_HEADER] = identifier
  end

  def set_param(token_usr, identifier)
    clear_env
    clear_param
    params[API::APIHelpers::PRIVATE_TOKEN_PARAM] = token_usr.private_token
    params[API::APIHelpers::SUDO_PARAM] = identifier
  end

  def clear_env
    env.delete(API::APIHelpers::PRIVATE_TOKEN_HEADER)
    env.delete(API::APIHelpers::SUDO_HEADER)
  end

  def clear_param
    params.delete(API::APIHelpers::PRIVATE_TOKEN_PARAM)
    params.delete(API::APIHelpers::SUDO_PARAM)
  end

  def error!(message, status)
    raise Exception
  end

  describe ".current_user" do
    it "should return nil for an invalid token" do
      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
      allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
      expect(current_user).to be_nil
    end

    it "should return nil for a user without access" do
      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
      Gitlab::UserAccess.stub(allowed?: false)
      expect(current_user).to be_nil
    end

    it "should leave user as is when sudo not specified" do
      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
      expect(current_user).to eq(user)
      clear_env
      params[API::APIHelpers::PRIVATE_TOKEN_PARAM] = user.private_token
      expect(current_user).to eq(user)
    end

    it "should change current user to sudo when admin" do
      set_env(admin, user.id)
      expect(current_user).to eq(user)
      set_param(admin, user.id)
      expect(current_user).to eq(user)
      set_env(admin, user.username)
      expect(current_user).to eq(user)
      set_param(admin, user.username)
      expect(current_user).to eq(user)
    end

    it "should throw an error when the current user is not an admin and attempting to sudo" do
      set_env(user, admin.id)
      expect { current_user }.to raise_error
      set_param(user, admin.id)
      expect { current_user }.to raise_error
      set_env(user, admin.username)
      expect { current_user }.to raise_error
      set_param(user, admin.username)
      expect { current_user }.to raise_error
    end

    it "should throw an error when the user cannot be found for a given id" do
      id = user.id + admin.id
      expect(user.id).not_to eq(id)
      expect(admin.id).not_to eq(id)
      set_env(admin, id)
      expect { current_user }.to raise_error

      set_param(admin, id)
      expect { current_user }.to raise_error
    end

    it "should throw an error when the user cannot be found for a given username" do
      username = "#{user.username}#{admin.username}"
      expect(user.username).not_to eq(username)
      expect(admin.username).not_to eq(username)
      set_env(admin, username)
      expect { current_user }.to raise_error

      set_param(admin, username)
      expect { current_user }.to raise_error
    end

    it "should handle sudo's to oneself" do
      set_env(admin, admin.id)
      expect(current_user).to eq(admin)
      set_param(admin, admin.id)
      expect(current_user).to eq(admin)
      set_env(admin, admin.username)
      expect(current_user).to eq(admin)
      set_param(admin, admin.username)
      expect(current_user).to eq(admin)
    end

    it "should handle multiple sudo's to oneself" do
      set_env(admin, user.id)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
      set_env(admin, user.username)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)

      set_param(admin, user.id)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
      set_param(admin, user.username)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
    end

    it "should handle multiple sudo's to oneself using string ids" do
      set_env(admin, user.id.to_s)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)

      set_param(admin, user.id.to_s)
      expect(current_user).to eq(user)
      expect(current_user).to eq(user)
    end
  end

  describe '.sudo_identifier' do
    it "should return integers when input is an int" do
      set_env(admin, '123')
      expect(sudo_identifier).to eq(123)
      set_env(admin, '0001234567890')
      expect(sudo_identifier).to eq(1234567890)

      set_param(admin, '123')
      expect(sudo_identifier).to eq(123)
      set_param(admin, '0001234567890')
      expect(sudo_identifier).to eq(1234567890)
    end

    it "should return string when input is an is not an int" do
      set_env(admin, '12.30')
      expect(sudo_identifier).to eq("12.30")
      set_env(admin, 'hello')
      expect(sudo_identifier).to eq('hello')
      set_env(admin, ' 123')
      expect(sudo_identifier).to eq(' 123')

      set_param(admin, '12.30')
      expect(sudo_identifier).to eq("12.30")
      set_param(admin, 'hello')
      expect(sudo_identifier).to eq('hello')
      set_param(admin, ' 123')
      expect(sudo_identifier).to eq(' 123')
    end
  end
end