# frozen_string_literal: true
require 'spec_helper'
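# Model spec for PersonalAccessToken.
#
# Security-relevant behaviour pinned here:
#   * a token value is always generated on save, never left nil;
#   * scopes are validated against an allow-list, and scopes that are only
#     available when a feature (container registry) is enabled are rejected
#     when it is not -- but revocation still works for such a token;
#   * `active?` is false for revoked or expired tokens;
#   * the temporary Redis copy of a freshly created token is stored encrypted,
#     is keyed by user id, and is a one-shot read (`redis_getdel` deletes it).
RSpec.describe PersonalAccessToken do
  subject { described_class }

  describe '.build' do
    let(:personal_access_token) { build(:personal_access_token) }
    let(:invalid_personal_access_token) { build(:personal_access_token, :invalid) }

    it 'is a valid personal access token' do
      expect(personal_access_token).to be_valid
    end

    it 'ensures that the token is generated' do
      # The :invalid trait omits the token value; saving must fill it in so a
      # persisted record can never carry a nil credential.
      invalid_personal_access_token.save!

      expect(invalid_personal_access_token).to be_valid
      expect(invalid_personal_access_token.token).not_to be_nil
    end
  end

  describe 'scopes' do
    describe '.for_user' do
      it 'returns personal access tokens of specified user only' do
        user_1 = create(:user)
        token_of_user_1 = create(:personal_access_token, user: user_1)
        # Tokens belonging to other (factory-created) users must not leak in.
        create_list(:personal_access_token, 2)

        expect(described_class.for_user(user_1)).to contain_exactly(token_of_user_1)
      end
    end

    describe '.for_users' do
      it 'returns personal access tokens for the specified users only' do
        user_1 = create(:user)
        user_2 = create(:user)
        token_of_user_1 = create(:personal_access_token, user: user_1)
        token_of_user_2 = create(:personal_access_token, user: user_2)
        create_list(:personal_access_token, 3)

        expect(described_class.for_users([user_1, user_2])).to contain_exactly(token_of_user_1, token_of_user_2)
      end
    end
  end

  # Instance predicate: a token is active only when it is neither revoked nor
  # expired. Both negative cases are pinned separately.
  describe '#active?' do
    let(:active_personal_access_token) { build(:personal_access_token) }
    let(:revoked_personal_access_token) { build(:personal_access_token, :revoked) }
    let(:expired_personal_access_token) { build(:personal_access_token, :expired) }

    it "returns false if the personal_access_token is revoked" do
      expect(revoked_personal_access_token).not_to be_active
    end

    it "returns false if the personal_access_token is expired" do
      expect(expired_personal_access_token).not_to be_active
    end

    it "returns true if the personal_access_token is not revoked and not expired" do
      expect(active_personal_access_token).to be_active
    end
  end

  describe '#revoke!' do
    let(:active_personal_access_token) { create(:personal_access_token) }

    it 'revokes the token' do
      active_personal_access_token.revoke!

      expect(active_personal_access_token).to be_revoked
    end
  end

  # Temporary Redis hand-off of a newly created token (e.g. between request and
  # the page that displays it once). The entry is keyed by user id only.
  describe 'Redis storage' do
    let(:user_id) { 123 }
    # Fixed fixture value; not a real credential.
    let(:token) { 'KS3wegQYXBLYhQsciwsj' }

    context 'reading encrypted data' do
      before do
        subject.redis_store!(user_id, token)
      end

      it 'returns stored data' do
        expect(subject.redis_getdel(user_id)).to eq(token)
      end

      it 'does not store the plaintext token in Redis' do
        # Read the raw value straight from Redis, bypassing redis_getdel.
        raw_value = Gitlab::Redis::SharedState.with do |redis|
          redis.get(described_class.redis_shared_state_key(user_id))
        end

        # redis_store! is expected to encrypt before writing (this is what the
        # "encrypted" context asserts); without this check the round-trip test
        # above would also pass for a plaintext store.
        expect(raw_value).to be_present
        expect(raw_value).not_to eq(token)
      end
    end

    # Compatibility path: a value that was written without encryption is
    # handed back as-is rather than failing to decrypt.
    context 'reading unencrypted data' do
      before do
        Gitlab::Redis::SharedState.with do |redis|
          redis.set(described_class.redis_shared_state_key(user_id),
                    token,
                    ex: PersonalAccessToken::REDIS_EXPIRY_TIME)
        end
      end

      it 'returns stored data unmodified' do
        expect(subject.redis_getdel(user_id)).to eq(token)
      end
    end

    context 'after deletion' do
      before do
        subject.redis_store!(user_id, token)
      end

      it 'token is removed' do
        # redis_getdel is a one-shot read: the first call returns the token and
        # deletes it, so a second call finds nothing.
        expect(subject.redis_getdel(user_id)).to eq(token)
        expect(subject.redis_getdel(user_id)).to be_nil
      end
    end
  end

  context "validations" do
    let(:personal_access_token) { build(:personal_access_token) }

    it "requires at least one scope" do
      personal_access_token.scopes = []

      expect(personal_access_token).not_to be_valid
      expect(personal_access_token.errors[:scopes].first).to eq "can't be blank"
    end

    it "allows creating a token with API scopes" do
      personal_access_token.scopes = [:api, :read_user]

      expect(personal_access_token).to be_valid
    end

    # read_registry is only an "available" scope while the container registry
    # is enabled, so the allow-list is feature-dependent.
    context 'when registry is disabled' do
      before do
        stub_container_registry_config(enabled: false)
      end

      it "rejects creating a token with read_registry scope" do
        personal_access_token.scopes = [:read_registry]

        expect(personal_access_token).not_to be_valid
        expect(personal_access_token.errors[:scopes].first).to eq "can only contain available scopes"
      end

      # Revocation must not be blocked by scope validation; otherwise a token
      # issued while the feature was enabled could never be revoked after it
      # was turned off.
      it "allows revoking a token with read_registry scope" do
        personal_access_token.scopes = [:read_registry]

        personal_access_token.revoke!

        expect(personal_access_token).to be_revoked
      end
    end

    context 'when registry is enabled' do
      before do
        stub_container_registry_config(enabled: true)
      end

      it "allows creating a token with read_registry scope" do
        personal_access_token.scopes = [:read_registry]

        expect(personal_access_token).to be_valid
      end
    end

    it "rejects creating a token with unavailable scopes" do
      # :api is allowed on its own (see above); :openid is not an available
      # personal access token scope, and one bad entry invalidates the set.
      personal_access_token.scopes = [:openid, :api]

      expect(personal_access_token).not_to be_valid
      expect(personal_access_token.errors[:scopes].first).to eq "can only contain available scopes"
    end
  end

  describe 'scopes' do
    # Tokens due to expire before the given time that are still live (not
    # expired, not revoked) and have not had an expiry notice sent yet.
    describe '.expiring_and_not_notified' do
      let_it_be(:expired_token) { create(:personal_access_token, expires_at: 2.days.ago) }
      let_it_be(:revoked_token) { create(:personal_access_token, revoked: true) }
      let_it_be(:valid_token_and_notified) { create(:personal_access_token, expires_at: 2.days.from_now, expire_notification_delivered: true) }
      let_it_be(:valid_token) { create(:personal_access_token, expires_at: 2.days.from_now) }
      # Far-future date: must neither match nor break the date arithmetic.
      let_it_be(:long_expiry_token) { create(:personal_access_token, expires_at: '999999-12-31'.to_date) }

      context 'in one day' do
        it "doesn't have any tokens" do
          expect(described_class.expiring_and_not_notified(1.day.from_now)).to be_empty
        end
      end

      context 'in three days' do
        it 'only includes a valid token' do
          expect(described_class.expiring_and_not_notified(3.days.from_now)).to contain_exactly(valid_token)
        end
      end
    end

    # Tokens whose expiry date is today, excluding revoked ones and ones that
    # already received the post-expiry notice.
    describe '.expired_today_and_not_notified' do
      let_it_be(:active) { create(:personal_access_token) }
      let_it_be(:expired_yesterday) { create(:personal_access_token, expires_at: Date.yesterday) }
      let_it_be(:revoked_token) { create(:personal_access_token, expires_at: Date.current, revoked: true) }
      let_it_be(:expired_today) { create(:personal_access_token, expires_at: Date.current) }
      let_it_be(:expired_today_and_notified) { create(:personal_access_token, expires_at: Date.current, after_expiry_notification_delivered: true) }

      it 'returns tokens that have expired today' do
        expect(described_class.expired_today_and_not_notified).to contain_exactly(expired_today)
      end
    end

    describe '.without_impersonation' do
      let_it_be(:impersonation_token) { create(:personal_access_token, :impersonation) }
      let_it_be(:personal_access_token) { create(:personal_access_token) }

      it 'returns only non-impersonation tokens' do
        expect(described_class.without_impersonation).to contain_exactly(personal_access_token)
      end
    end

    describe 'revoke scopes' do
      let_it_be(:revoked_token) { create(:personal_access_token, :revoked) }
      let_it_be(:non_revoked_token) { create(:personal_access_token, revoked: false) }
      # A nil revoked flag is treated as "not revoked", so the column must
      # never be left nil for a token that is meant to be dead.
      let_it_be(:non_revoked_token2) { create(:personal_access_token, revoked: nil) }

      describe '.revoked' do
        it { expect(described_class.revoked).to contain_exactly(revoked_token) }
      end

      describe '.not_revoked' do
        it { expect(described_class.not_revoked).to contain_exactly(non_revoked_token, non_revoked_token2) }
      end
    end
  end

  describe '.simple_sorts' do
    it 'includes overridden keys' do
      expect(described_class.simple_sorts.keys).to include(*%w(expires_at_asc expires_at_desc))
    end
  end

  describe 'ordering by expires_at' do
    let_it_be(:earlier_token) { create(:personal_access_token, expires_at: 2.days.ago) }
    let_it_be(:later_token) { create(:personal_access_token, expires_at: 1.day.ago) }

    describe '.order_expires_at_asc' do
      it 'returns ordered list in asc order of expiry date' do
        expect(described_class.order_expires_at_asc).to match [earlier_token, later_token]
      end
    end

    describe '.order_expires_at_desc' do
      it 'returns ordered list in desc order of expiry date' do
        expect(described_class.order_expires_at_desc).to match [later_token, earlier_token]
      end
    end
  end
end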