2013-03-28 14:37:44 -04:00
|
|
|
require 'spec_helper'
|
|
|
|
|
2016-04-24 23:30:20 -04:00
|
|
|
describe API::Helpers, api: true do
|
|
|
|
include API::Helpers
|
2013-03-28 14:37:44 -04:00
|
|
|
include ApiHelpers
|
2016-08-18 20:06:33 -04:00
|
|
|
include SentryHelper
|
2016-04-18 05:17:38 -04:00
|
|
|
|
2013-03-28 14:37:44 -04:00
|
|
|
let(:user) { create(:user) }
|
|
|
|
let(:admin) { create(:admin) }
|
|
|
|
let(:key) { create(:key, user: user) }
|
|
|
|
|
|
|
|
let(:params) { {} }
|
2016-09-22 08:56:43 -04:00
|
|
|
let(:env) { { 'REQUEST_METHOD' => 'GET' } }
|
|
|
|
let(:request) { Rack::Request.new(env) }
|
2013-03-28 14:37:44 -04:00
|
|
|
|
|
|
|
def set_env(token_usr, identifier)
|
|
|
|
clear_env
|
|
|
|
clear_param
|
2016-04-24 23:30:20 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = token_usr.private_token
|
|
|
|
env[API::Helpers::SUDO_HEADER] = identifier
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def set_param(token_usr, identifier)
|
|
|
|
clear_env
|
|
|
|
clear_param
|
2016-04-24 23:30:20 -04:00
|
|
|
params[API::Helpers::PRIVATE_TOKEN_PARAM] = token_usr.private_token
|
|
|
|
params[API::Helpers::SUDO_PARAM] = identifier
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def clear_env
|
2016-04-24 23:30:20 -04:00
|
|
|
env.delete(API::Helpers::PRIVATE_TOKEN_HEADER)
|
|
|
|
env.delete(API::Helpers::SUDO_HEADER)
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def clear_param
|
2016-04-24 23:30:20 -04:00
|
|
|
params.delete(API::Helpers::PRIVATE_TOKEN_PARAM)
|
|
|
|
params.delete(API::Helpers::SUDO_PARAM)
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
2016-09-16 13:38:07 -04:00
|
|
|
def warden_authenticate_returns(value)
|
|
|
|
warden = double("warden", authenticate: value)
|
|
|
|
env['warden'] = warden
|
|
|
|
end
|
|
|
|
|
|
|
|
def doorkeeper_guard_returns(value)
|
|
|
|
allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ value }
|
|
|
|
end
|
|
|
|
|
2013-03-28 14:37:44 -04:00
|
|
|
def error!(message, status)
|
2016-11-30 09:48:19 -05:00
|
|
|
raise Exception.new("#{status} - #{message}")
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
describe ".current_user" do
|
2016-09-16 13:38:07 -04:00
|
|
|
subject { current_user }
|
|
|
|
|
2016-09-22 08:56:43 -04:00
|
|
|
describe "Warden authentication" do
|
2016-09-16 13:38:07 -04:00
|
|
|
before { doorkeeper_guard_returns false }
|
|
|
|
|
2016-09-22 08:56:43 -04:00
|
|
|
context "with invalid credentials" do
|
|
|
|
context "GET request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'GET' }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
end
|
2016-09-16 13:38:07 -04:00
|
|
|
end
|
|
|
|
|
2016-09-22 08:56:43 -04:00
|
|
|
context "with valid credentials" do
|
2016-09-16 13:38:07 -04:00
|
|
|
before { warden_authenticate_returns user }
|
|
|
|
|
2016-09-22 08:56:43 -04:00
|
|
|
context "GET request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'GET' }
|
|
|
|
it { is_expected.to eq(user) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context "HEAD request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'HEAD' }
|
|
|
|
it { is_expected.to eq(user) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context "PUT request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'PUT' }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
end
|
|
|
|
|
|
|
|
context "POST request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'POST' }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
end
|
|
|
|
|
|
|
|
context "DELETE request" do
|
|
|
|
before { env['REQUEST_METHOD'] = 'DELETE' }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
end
|
2016-09-16 13:38:07 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-04-18 06:18:54 -04:00
|
|
|
describe "when authenticating using a user's private token" do
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns nil for an invalid token" do
|
2016-04-24 23:30:20 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
|
2016-04-18 06:18:54 -04:00
|
|
|
allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
|
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns nil for a user without access" do
|
2016-04-24 23:30:20 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = user.private_token
|
2016-07-18 04:16:56 -04:00
|
|
|
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
2014-05-15 03:57:21 -04:00
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "leaves user as is when sudo not specified" do
|
2016-04-24 23:30:20 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = user.private_token
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to eq(user)
|
|
|
|
clear_env
|
2016-04-24 23:30:20 -04:00
|
|
|
params[API::Helpers::PRIVATE_TOKEN_PARAM] = user.private_token
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
2014-05-15 04:03:26 -04:00
|
|
|
end
|
|
|
|
|
2016-04-18 06:18:54 -04:00
|
|
|
describe "when authenticating using a user's personal access tokens" do
|
|
|
|
let(:personal_access_token) { create(:personal_access_token, user: user) }
|
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns nil for an invalid token" do
|
2016-06-16 02:58:31 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
|
2016-04-18 06:18:54 -04:00
|
|
|
allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
|
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns nil for a user without access" do
|
2016-06-16 02:58:31 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
|
2016-07-18 04:16:56 -04:00
|
|
|
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "leaves user as is when sudo not specified" do
|
2016-06-16 02:58:31 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to eq(user)
|
|
|
|
clear_env
|
2016-06-16 02:58:31 -04:00
|
|
|
params[API::Helpers::PRIVATE_TOKEN_PARAM] = personal_access_token.token
|
2016-04-18 06:18:54 -04:00
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not allow revoked tokens' do
|
|
|
|
personal_access_token.revoke!
|
2016-06-16 02:58:31 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
|
2016-04-18 06:18:54 -04:00
|
|
|
allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
|
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not allow expired tokens' do
|
|
|
|
personal_access_token.update_attributes!(expires_at: 1.day.ago)
|
2016-06-16 02:58:31 -04:00
|
|
|
env[API::Helpers::PRIVATE_TOKEN_HEADER] = personal_access_token.token
|
2016-04-18 06:18:54 -04:00
|
|
|
allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ false }
|
|
|
|
expect(current_user).to be_nil
|
|
|
|
end
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
context 'sudo usage' do
|
|
|
|
context 'with admin' do
|
|
|
|
context 'with header' do
|
|
|
|
context 'with id' do
|
|
|
|
it 'changes current_user to sudo' do
|
|
|
|
set_env(admin, user.id)
|
2013-03-28 14:37:44 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
2013-09-09 13:18:10 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
it 'handles sudo to oneself' do
|
|
|
|
set_env(admin, admin.id)
|
2013-03-28 14:37:44 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
expect(current_user).to eq(admin)
|
|
|
|
end
|
2013-09-09 13:18:10 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
it 'throws an error when user cannot be found' do
|
|
|
|
id = user.id + admin.id
|
|
|
|
expect(user.id).not_to eq(id)
|
|
|
|
expect(admin.id).not_to eq(id)
|
2013-03-28 14:37:44 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
set_env(admin, id)
|
2013-09-09 13:18:10 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
2013-03-28 14:37:44 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
context 'with username' do
|
|
|
|
it 'changes current_user to sudo' do
|
|
|
|
set_env(admin, user.username)
|
|
|
|
|
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles sudo to oneself' do
|
|
|
|
set_env(admin, admin.username)
|
|
|
|
|
|
|
|
expect(current_user).to eq(admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "throws an error when the user cannot be found for a given username" do
|
|
|
|
username = "#{user.username}#{admin.username}"
|
|
|
|
expect(user.username).not_to eq(username)
|
|
|
|
expect(admin.username).not_to eq(username)
|
|
|
|
|
|
|
|
set_env(admin, username)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with param' do
|
|
|
|
context 'with id' do
|
|
|
|
it 'changes current_user to sudo' do
|
|
|
|
set_param(admin, user.id)
|
|
|
|
|
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles sudo to oneself' do
|
|
|
|
set_param(admin, admin.id)
|
|
|
|
|
|
|
|
expect(current_user).to eq(admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles sudo to oneself using string' do
|
|
|
|
set_env(admin, user.id.to_s)
|
|
|
|
|
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'throws an error when user cannot be found' do
|
|
|
|
id = user.id + admin.id
|
|
|
|
expect(user.id).not_to eq(id)
|
|
|
|
expect(admin.id).not_to eq(id)
|
2013-09-09 13:18:10 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
set_param(admin, id)
|
2013-03-28 14:37:44 -04:00
|
|
|
|
2016-11-21 07:59:37 -05:00
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with username' do
|
|
|
|
it 'changes current_user to sudo' do
|
|
|
|
set_param(admin, user.username)
|
|
|
|
|
|
|
|
expect(current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles sudo to oneself' do
|
|
|
|
set_param(admin, admin.username)
|
|
|
|
|
|
|
|
expect(current_user).to eq(admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "throws an error when the user cannot be found for a given username" do
|
|
|
|
username = "#{user.username}#{admin.username}"
|
|
|
|
expect(user.username).not_to eq(username)
|
|
|
|
expect(admin.username).not_to eq(username)
|
|
|
|
|
|
|
|
set_param(admin, username)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with regular user' do
|
|
|
|
context 'with env' do
|
|
|
|
it 'changes current_user to sudo when admin and user id' do
|
|
|
|
set_env(user, admin.id)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'changes current_user to sudo when admin and user username' do
|
|
|
|
set_env(user, admin.username)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with params' do
|
|
|
|
it 'changes current_user to sudo when admin and user id' do
|
|
|
|
set_param(user, admin.id)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'changes current_user to sudo when admin and user username' do
|
|
|
|
set_param(user, admin.username)
|
|
|
|
|
|
|
|
expect { current_user }.to raise_error(Exception)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.sudo_identifier' do
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns integers when input is an int" do
|
2013-03-28 14:37:44 -04:00
|
|
|
set_env(admin, '123')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(123)
|
2013-03-28 14:37:44 -04:00
|
|
|
set_env(admin, '0001234567890')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(1234567890)
|
2013-03-28 14:37:44 -04:00
|
|
|
|
|
|
|
set_param(admin, '123')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(123)
|
2013-03-28 14:37:44 -04:00
|
|
|
set_param(admin, '0001234567890')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(1234567890)
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
|
2016-08-01 11:00:44 -04:00
|
|
|
it "returns string when input is an is not an int" do
|
2013-03-28 14:37:44 -04:00
|
|
|
set_env(admin, '12.30')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq("12.30")
|
2013-03-28 14:37:44 -04:00
|
|
|
set_env(admin, 'hello')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq('hello')
|
2013-03-28 14:37:44 -04:00
|
|
|
set_env(admin, ' 123')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(' 123')
|
2013-03-28 14:37:44 -04:00
|
|
|
|
|
|
|
set_param(admin, '12.30')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq("12.30")
|
2013-03-28 14:37:44 -04:00
|
|
|
set_param(admin, 'hello')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq('hello')
|
2013-03-28 14:37:44 -04:00
|
|
|
set_param(admin, ' 123')
|
2015-02-12 13:17:35 -05:00
|
|
|
expect(sudo_identifier).to eq(' 123')
|
2013-03-28 14:37:44 -04:00
|
|
|
end
|
|
|
|
end
|
2016-07-12 10:31:55 -04:00
|
|
|
|
2016-08-18 20:06:33 -04:00
|
|
|
describe '.handle_api_exception' do
|
|
|
|
before do
|
|
|
|
allow_any_instance_of(self.class).to receive(:sentry_enabled?).and_return(true)
|
|
|
|
allow_any_instance_of(self.class).to receive(:rack_response)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not report a MethodNotAllowed exception to Sentry' do
|
|
|
|
exception = Grape::Exceptions::MethodNotAllowed.new({ 'X-GitLab-Test' => '1' })
|
|
|
|
allow(exception).to receive(:backtrace).and_return(caller)
|
|
|
|
|
|
|
|
expect(Raven).not_to receive(:capture_exception).with(exception)
|
|
|
|
|
|
|
|
handle_api_exception(exception)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does report RuntimeError to Sentry' do
|
|
|
|
exception = RuntimeError.new('test error')
|
|
|
|
allow(exception).to receive(:backtrace).and_return(caller)
|
|
|
|
|
|
|
|
expect_any_instance_of(self.class).to receive(:sentry_context)
|
|
|
|
expect(Raven).to receive(:capture_exception).with(exception)
|
|
|
|
|
|
|
|
handle_api_exception(exception)
|
|
|
|
end
|
|
|
|
end
|
2016-11-30 09:48:19 -05:00
|
|
|
|
|
|
|
describe '.authenticate_non_get!' do
|
|
|
|
%w[HEAD GET].each do |method_name|
|
|
|
|
context "method is #{method_name}" do
|
|
|
|
before do
|
|
|
|
expect_any_instance_of(self.class).to receive(:route).and_return(double(route_method: method_name))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not raise an error' do
|
|
|
|
expect_any_instance_of(self.class).not_to receive(:authenticate!)
|
|
|
|
|
|
|
|
expect { authenticate_non_get! }.not_to raise_error
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
%w[POST PUT PATCH DELETE].each do |method_name|
|
|
|
|
context "method is #{method_name}" do
|
|
|
|
before do
|
|
|
|
expect_any_instance_of(self.class).to receive(:route).and_return(double(route_method: method_name))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'calls authenticate!' do
|
|
|
|
expect_any_instance_of(self.class).to receive(:authenticate!)
|
|
|
|
|
|
|
|
authenticate_non_get!
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.authenticate!' do
|
|
|
|
context 'current_user is nil' do
|
|
|
|
before do
|
|
|
|
expect_any_instance_of(self.class).to receive(:current_user).and_return(nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns a 401 response' do
|
|
|
|
expect { authenticate! }.to raise_error '401 - {"message"=>"401 Unauthorized"}'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'current_user is present' do
|
|
|
|
before do
|
|
|
|
expect_any_instance_of(self.class).to receive(:current_user).and_return(true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not raise an error' do
|
|
|
|
expect { authenticate! }.not_to raise_error
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-04-11 15:45:56 -04:00
|
|
|
end
|