spec/services/resource_access_tokens/revoke_service_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

# frozen_string_literal: true

require 'spec_helper'

describe ResourceAccessTokens::RevokeService do
  subject { described_class.new(user, resource, access_token).execute }

  let_it_be(:user) { create(:user) }
  let(:access_token) { create(:personal_access_token, user: resource_bot) }

  describe '#execute' do
    # Created shared_examples as it will easy to include specs for group bots in https://gitlab.com/gitlab-org/gitlab/-/issues/214046
    shared_examples 'revokes access token' do
      it { expect(subject.success?).to be true }

      it { expect(subject.message).to eq("Revoked access token: #{access_token.name}") }

      it 'revokes token access' do
        subject

        expect(access_token.reload.revoked?).to be true
      end

      it 'removes membership of bot user' do
        subject

        expect(resource.reload.users).not_to include(resource_bot)
      end

      it 'transfer issuables of bot user to ghost user' do
        issue = create(:issue, author: resource_bot)

        subject

        expect(issue.reload.author.ghost?).to be true
      end
    end

    shared_examples 'rollback revoke steps' do
      it 'does not revoke the access token' do
        subject

        expect(access_token.reload.revoked?).to be false
      end

      it 'does not remove bot from member list' do
        subject

        expect(resource.reload.users).to include(resource_bot)
      end

      it 'does not transfer issuables of bot user to ghost user' do
        issue = create(:issue, author: resource_bot)

        subject

        expect(issue.reload.author.ghost?).to be false
      end
    end

    context 'when resource is a project' do
      let_it_be(:resource) { create(:project, :private) }
      let_it_be(:resource_bot) { create(:user, :project_bot) }

      before_all do
        resource.add_maintainer(user)
        resource.add_maintainer(resource_bot)
      end

      it_behaves_like 'revokes access token'

      context 'when revoke fails' do
        context 'invalid resource type' do
          subject { described_class.new(user, resource, access_token).execute }

          let_it_be(:resource) { double }
          let_it_be(:resource_bot) { create(:user, :project_bot) }

          it 'returns error response' do
            response = subject

            expect(response.success?).to be false
            expect(response.message).to eq("Failed to find bot user")
          end

          it { expect { subject }.not_to change(access_token.reload, :revoked) }
        end

        context 'when migration to ghost user fails' do
          before do
            allow_next_instance_of(::Members::DestroyService) do |service|
              allow(service).to receive(:execute).and_return(false)
            end
          end

          it_behaves_like 'rollback revoke steps'
        end

        context 'when migration to ghost user fails' do
          before do
            allow_next_instance_of(::Users::MigrateToGhostUserService) do |service|
              allow(service).to receive(:execute).and_return(false)
            end
          end

          it_behaves_like 'rollback revoke steps'
        end
      end
    end
  end
end