gitlab-org--gitlab-foss/spec/controllers/graphql_controller_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe GraphqlController do
  include GraphqlHelpers

  before do
    stub_feature_flags(graphql: true)
  end

  describe 'ArgumentError' do
    let(:user) { create(:user) }
    let(:message) { 'green ideas sleep furiously' }

    before do
      sign_in(user)
    end

    it 'handles argument errors' do
      allow(subject).to receive(:execute) do
        raise Gitlab::Graphql::Errors::ArgumentError, message
      end

      post :execute

      expect(json_response).to include(
        'errors' => include(a_hash_including('message' => message))
      )
    end
  end

  describe 'POST #execute' do
    context 'when user is logged in' do
      let(:user) { create(:user, last_activity_on: Date.yesterday) }

      before do
        sign_in(user)
      end

      it 'returns 200 when user can access API' do
        post :execute

        expect(response).to have_gitlab_http_status(:ok)
      end

      it 'returns access denied template when user cannot access API' do
        # User cannot access API in a couple of cases
        # * When user is internal(like ghost users)
        # * When user is blocked
        expect(Ability).to receive(:allowed?).with(user, :log_in, :global).and_call_original
        expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)

        post :execute

        expect(response).to have_gitlab_http_status(:forbidden)
        expect(response).to render_template('errors/access_denied')
      end

      it 'updates the users last_activity_on field' do
        expect { post :execute }.to change { user.reload.last_activity_on }
      end

      it "sets context's sessionless value as false" do
        post :execute

        expect(assigns(:context)[:is_sessionless_user]).to be false
      end
    end

    context 'when user uses an API token' do
      let(:user) { create(:user, last_activity_on: Date.yesterday) }
      let(:token) { create(:personal_access_token, user: user, scopes: [:api]) }

      subject { post :execute, params: { access_token: token.token } }

      it 'updates the users last_activity_on field' do
        expect { subject }.to change { user.reload.last_activity_on }
      end

      it "sets context's sessionless value as true" do
        subject

        expect(assigns(:context)[:is_sessionless_user]).to be true
      end
    end

    context 'when user is not logged in' do
      it 'returns 200' do
        post :execute

        expect(response).to have_gitlab_http_status(:ok)
      end

      it "sets context's sessionless value as false" do
        post :execute

        expect(assigns(:context)[:is_sessionless_user]).to be false
      end
    end

    it 'includes request object in context' do
      post :execute

      expect(assigns(:context)[:request]).to eq request
    end
  end

  describe 'Admin Mode' do
    let(:admin) { create(:admin) }
    let(:project) { create(:project) }
    let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) }

    before do
      sign_in(admin)
    end

    context 'when admin mode enabled' do
      before do
        Gitlab::Session.with_session(controller.session) do
          controller.current_user_mode.request_admin_mode!
          controller.current_user_mode.enable_admin_mode!(password: admin.password)
        end
      end

      it 'can query project data' do
        post :execute, params: { query: graphql_query }

        expect(controller.current_user_mode.admin_mode?).to be(true)
        expect(json_response['data']['project']['name']).to eq(project.name)
      end
    end

    context 'when admin mode disabled' do
      it 'cannot query project data' do
        post :execute, params: { query: graphql_query }

        expect(controller.current_user_mode.admin_mode?).to be(false)
        expect(json_response['data']['project']).to be_nil
      end

      context 'when admin is member of the project' do
        before do
          project.add_developer(admin)
        end

        it 'can query project data' do
          post :execute, params: { query: graphql_query }

          expect(controller.current_user_mode.admin_mode?).to be(false)
          expect(json_response['data']['project']['name']).to eq(project.name)
        end
      end
    end
  end

  describe '#append_info_to_payload' do
    let(:graphql_query) { graphql_query_for('project', { 'fullPath' => 'foo' }, %w(id name)) }
    let(:mock_store) { { graphql_logs: { foo: :bar } } }
    let(:log_payload) { {} }

    before do
      allow(RequestStore).to receive(:store).and_return(mock_store)
      allow(controller).to receive(:append_info_to_payload).and_wrap_original do |method, *|
        method.call(log_payload)
      end
    end

    it 'appends metadata for logging' do
      post :execute, params: { query: graphql_query, operationName: 'Foo' }

      expect(controller).to have_received(:append_info_to_payload)
      expect(log_payload.dig(:metadata, :graphql)).to eq({ operation_name: 'Foo', foo: :bar })
    end
  end
end
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`# frozen_string_literal: true`

			`require 'spec_helper'`

Add latest changes from gitlab-org/gitlab@master 2020-06-03 23:08:05 -04:00			`RSpec.describe GraphqlController do`
Add latest changes from gitlab-org/gitlab@master 2020-05-12 14:07:54 -04:00			`include GraphqlHelpers`

Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`before do`
			`stub_feature_flags(graphql: true)`
			`end`

Propagate argument errors as execution errors 2019-07-29 14:36:35 -04:00			`describe 'ArgumentError' do`
			`let(:user) { create(:user) }`
			`let(:message) { 'green ideas sleep furiously' }`

			`before do`
			`sign_in(user)`
			`end`

			`it 'handles argument errors' do`
			`allow(subject).to receive(:execute) do`
			`raise Gitlab::Graphql::Errors::ArgumentError, message`
			`end`

			`post :execute`

			`expect(json_response).to include(`
			`'errors' => include(a_hash_including('message' => message))`
			`)`
			`end`
			`end`

Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`describe 'POST #execute' do`
			`context 'when user is logged in' do`
Add latest changes from gitlab-org/gitlab@master 2020-05-14 11:08:14 -04:00			`let(:user) { create(:user, last_activity_on: Date.yesterday) }`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00
			`before do`
			`sign_in(user)`
			`end`

			`it 'returns 200 when user can access API' do`
			`post :execute`

Add latest changes from gitlab-org/gitlab@master 2020-01-27 07:08:35 -05:00			`expect(response).to have_gitlab_http_status(:ok)`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`

			`it 'returns access denied template when user cannot access API' do`
			`# User cannot access API in a couple of cases`
			`# * When user is internal(like ghost users)`
			`# * When user is blocked`
Add latest changes from gitlab-org/gitlab@master 2020-04-03 14:10:03 -04:00			`expect(Ability).to receive(:allowed?).with(user, :log_in, :global).and_call_original`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)`

			`post :execute`

Add latest changes from gitlab-org/gitlab@master 2020-03-31 17:08:05 -04:00			`expect(response).to have_gitlab_http_status(:forbidden)`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`expect(response).to render_template('errors/access_denied')`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-05-14 11:08:14 -04:00
			`it 'updates the users last_activity_on field' do`
			`expect { post :execute }.to change { user.reload.last_activity_on }`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-08-20 08:10:27 -04:00
			`it "sets context's sessionless value as false" do`
			`post :execute`

			`expect(assigns(:context)[:is_sessionless_user]).to be false`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-05-14 11:08:14 -04:00			`end`

			`context 'when user uses an API token' do`
			`let(:user) { create(:user, last_activity_on: Date.yesterday) }`
			`let(:token) { create(:personal_access_token, user: user, scopes: [:api]) }`

Add latest changes from gitlab-org/gitlab@master 2020-08-20 08:10:27 -04:00			`subject { post :execute, params: { access_token: token.token } }`

Add latest changes from gitlab-org/gitlab@master 2020-05-14 11:08:14 -04:00			`it 'updates the users last_activity_on field' do`
Add latest changes from gitlab-org/gitlab@master 2020-08-20 08:10:27 -04:00			`expect { subject }.to change { user.reload.last_activity_on }`
			`end`

			`it "sets context's sessionless value as true" do`
			`subject`

			`expect(assigns(:context)[:is_sessionless_user]).to be true`
Add latest changes from gitlab-org/gitlab@master 2020-05-14 11:08:14 -04:00			`end`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`

			`context 'when user is not logged in' do`
			`it 'returns 200' do`
			`post :execute`

Add latest changes from gitlab-org/gitlab@master 2020-01-27 07:08:35 -05:00			`expect(response).to have_gitlab_http_status(:ok)`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-08-20 08:10:27 -04:00
			`it "sets context's sessionless value as false" do`
			`post :execute`

			`expect(assigns(:context)[:is_sessionless_user]).to be false`
			`end`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-10-06 05:08:32 -04:00
			`it 'includes request object in context' do`
			`post :execute`

			`expect(assigns(:context)[:request]).to eq request`
			`end`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-05-12 14:07:54 -04:00
			`describe 'Admin Mode' do`
			`let(:admin) { create(:admin) }`
			`let(:project) { create(:project) }`
			`let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) }`

			`before do`
			`sign_in(admin)`
			`end`

			`context 'when admin mode enabled' do`
			`before do`
			`Gitlab::Session.with_session(controller.session) do`
			`controller.current_user_mode.request_admin_mode!`
			`controller.current_user_mode.enable_admin_mode!(password: admin.password)`
			`end`
			`end`

			`it 'can query project data' do`
			`post :execute, params: { query: graphql_query }`

			`expect(controller.current_user_mode.admin_mode?).to be(true)`
			`expect(json_response['data']['project']['name']).to eq(project.name)`
			`end`
			`end`

			`context 'when admin mode disabled' do`
			`it 'cannot query project data' do`
			`post :execute, params: { query: graphql_query }`

			`expect(controller.current_user_mode.admin_mode?).to be(false)`
			`expect(json_response['data']['project']).to be_nil`
			`end`

			`context 'when admin is member of the project' do`
			`before do`
			`project.add_developer(admin)`
			`end`

			`it 'can query project data' do`
			`post :execute, params: { query: graphql_query }`

			`expect(controller.current_user_mode.admin_mode?).to be(false)`
			`expect(json_response['data']['project']['name']).to eq(project.name)`
			`end`
			`end`
			`end`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-09-13 23:09:21 -04:00
			`describe '#append_info_to_payload' do`
			`let(:graphql_query) { graphql_query_for('project', { 'fullPath' => 'foo' }, %w(id name)) }`
Add latest changes from gitlab-org/gitlab@master 2020-10-06 08:08:38 -04:00			`let(:mock_store) { { graphql_logs: { foo: :bar } } }`
Add latest changes from gitlab-org/gitlab@master 2020-09-13 23:09:21 -04:00			`let(:log_payload) { {} }`

			`before do`
Add latest changes from gitlab-org/gitlab@master 2020-10-06 08:08:38 -04:00			`allow(RequestStore).to receive(:store).and_return(mock_store)`
Add latest changes from gitlab-org/gitlab@master 2020-09-13 23:09:21 -04:00			`allow(controller).to receive(:append_info_to_payload).and_wrap_original do \|method, *\|`
			`method.call(log_payload)`
			`end`
			`end`

			`it 'appends metadata for logging' do`
			`post :execute, params: { query: graphql_query, operationName: 'Foo' }`

			`expect(controller).to have_received(:append_info_to_payload)`
Add latest changes from gitlab-org/gitlab@master 2020-10-06 08:08:38 -04:00			`expect(log_payload.dig(:metadata, :graphql)).to eq({ operation_name: 'Foo', foo: :bar })`
Add latest changes from gitlab-org/gitlab@master 2020-09-13 23:09:21 -04:00			`end`
			`end`
Add API access check to Graphql Check if user can access API on GraphqlController 2019-03-27 10:59:02 -04:00			`end`