gitlab-org--gitlab-foss/spec/lib/gitlab/backend/grack_auth_spec.rb

require "spec_helper"

describe Grack::Auth, lib: true do
  let(:user)    { create(:user) }
  let(:project) { create(:project) }

  let(:app)   { lambda { |env| [200, {}, "Success!"] } }
  let!(:auth) { Grack::Auth.new(app) }
  let(:env) do
    {
      'rack.input'     => '',
      'REQUEST_METHOD' => 'GET',
      'QUERY_STRING'   => 'service=git-upload-pack'
    }
  end
  let(:status) { auth.call(env).first }

  describe "#call" do
    context "when the project doesn't exist" do
      before do
        env["PATH_INFO"] = "doesnt/exist.git"
      end

      context "when no authentication is provided" do
        it "responds with status 401" do
          expect(status).to eq(401)
        end
      end

      context "when username and password are provided" do
        context "when authentication fails" do
          before do
            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")
          end

          it "responds with status 401" do
            expect(status).to eq(401)
          end
        end

        context "when authentication succeeds" do
          before do
            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
          end

          it "responds with status 404" do
            expect(status).to eq(404)
          end
        end
      end
    end

    context "when the Wiki for a project exists" do
      before do
        @wiki = ProjectWiki.new(project)
        env["PATH_INFO"] = "#{@wiki.repository.path_with_namespace}.git/info/refs"
        project.update_attribute(:visibility_level, Project::PUBLIC)
      end

      it "responds with the right project" do
        response = auth.call(env)
        json_body = ActiveSupport::JSON.decode(response[2][0])

        expect(response.first).to eq(200)
        expect(json_body['RepoPath']).to include(@wiki.repository.path_with_namespace)
      end
    end

    context "when the project exists" do
      before do
        env["PATH_INFO"] = project.path_with_namespace + ".git"
      end

      context "when the project is public" do
        before do
          project.update_attribute(:visibility_level, Project::PUBLIC)
        end

        it "responds with status 200" do
          expect(status).to eq(200)
        end
      end

      context "when the project is private" do
        before do
          project.update_attribute(:visibility_level, Project::PRIVATE)
        end

        context "when no authentication is provided" do
          it "responds with status 401" do
            expect(status).to eq(401)
          end
        end

        context "when username and password are provided" do
          context "when authentication fails" do
            before do
              env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")
            end

            it "responds with status 401" do
              expect(status).to eq(401)
            end

            context "when the user is IP banned" do
              before do
                expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
                allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
              end

              it "responds with status 401" do
                expect(status).to eq(401)
              end
            end
          end

          context "when authentication succeeds" do
            before do
              env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
            end

            context "when the user has access to the project" do
              before do
                project.team << [user, :master]
              end

              context "when the user is blocked" do
                before do
                  user.block
                  project.team << [user, :master]
                end

                it "responds with status 404" do
                  expect(status).to eq(404)
                end
              end

              context "when the user isn't blocked" do
                before do
                  expect(Rack::Attack::Allow2Ban).to receive(:reset)
                end

                it "responds with status 200" do
                  expect(status).to eq(200)
                end
              end

              context "when blank password attempts follow a valid login" do
                let(:options) { Gitlab.config.rack_attack.git_basic_auth }
                let(:maxretry) { options[:maxretry] - 1 }
                let(:ip) { '1.2.3.4' }

                before do
                  allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)
                  Rack::Attack::Allow2Ban.reset(ip, options)
                end

                after do
                  Rack::Attack::Allow2Ban.reset(ip, options)
                end

                def attempt_login(include_password)
                  password = include_password ? user.password : ""
                  env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, password)
                  Grack::Auth.new(app)
                  auth.call(env).first
                end

                it "repeated attempts followed by successful attempt" do
                  maxretry.times.each do
                    expect(attempt_login(false)).to eq(401)
                  end

                  expect(attempt_login(true)).to eq(200)
                  expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey

                  maxretry.times.each do
                    expect(attempt_login(false)).to eq(401)
                  end
                end
              end
            end

            context "when the user doesn't have access to the project" do
              it "responds with status 404" do
                expect(status).to eq(404)
              end
            end
          end
        end

        context "when a gitlab ci token is provided" do
          let(:token) { "123" }
          let(:project) { FactoryGirl.create :empty_project }

          before do
            project.update_attributes(runners_token: token, builds_enabled: true)

            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials("gitlab-ci-token", token)
          end

          it "responds with status 200" do
            expect(status).to eq(200)
          end
        end
      end
    end
  end
end
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`require "spec_helper"`

Tag lib specs 2015-12-09 10:55:36 +00:00			`describe Grack::Auth, lib: true do`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`let(:user) { create(:user) }`
			`let(:project) { create(:project) }`

			`let(:app) { lambda { \|env\| [200, {}, "Success!"] } }`
			`let!(:auth) { Grack::Auth.new(app) }`
Fix Style/Blocks cop violations 2015-06-22 20:00:54 +00:00			`let(:env) do`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`{`
Fix Style/Blocks cop violations 2015-06-22 20:00:54 +00:00			`'rack.input' => '',`
			`'REQUEST_METHOD' => 'GET',`
			`'QUERY_STRING' => 'service=git-upload-pack'`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`}`
Fix Style/Blocks cop violations 2015-06-22 20:00:54 +00:00			`end`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`let(:status) { auth.call(env).first }`

			`describe "#call" do`
			`context "when the project doesn't exist" do`
			`before do`
			`env["PATH_INFO"] = "doesnt/exist.git"`
			`end`

			`context "when no authentication is provided" do`
			`it "responds with status 401" do`
			`expect(status).to eq(401)`
			`end`
			`end`

			`context "when username and password are provided" do`
			`context "when authentication fails" do`
			`before do`
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")`
			`end`

			`it "responds with status 401" do`
			`expect(status).to eq(401)`
			`end`
			`end`

			`context "when authentication succeeds" do`
			`before do`
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)`
			`end`

			`it "responds with status 404" do`
			`expect(status).to eq(404)`
			`end`
			`end`
			`end`
			`end`

Add spec for cloning Wiki over HTTP 2015-10-22 21:16:37 +00:00			`context "when the Wiki for a project exists" do`
			`before do`
			`@wiki = ProjectWiki.new(project)`
			`env["PATH_INFO"] = "#{@wiki.repository.path_with_namespace}.git/info/refs"`
			`project.update_attribute(:visibility_level, Project::PUBLIC)`
			`end`

			`it "responds with the right project" do`
			`response = auth.call(env)`
			`json_body = ActiveSupport::JSON.decode(response[2][0])`

			`expect(response.first).to eq(200)`
			`expect(json_body['RepoPath']).to include(@wiki.repository.path_with_namespace)`
			`end`
			`end`

Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`context "when the project exists" do`
			`before do`
			`env["PATH_INFO"] = project.path_with_namespace + ".git"`
			`end`

			`context "when the project is public" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PUBLIC)`
			`end`

			`it "responds with status 200" do`
			`expect(status).to eq(200)`
			`end`
			`end`

			`context "when the project is private" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PRIVATE)`
			`end`

			`context "when no authentication is provided" do`
			`it "responds with status 401" do`
			`expect(status).to eq(401)`
			`end`
			`end`

			`context "when username and password are provided" do`
			`context "when authentication fails" do`
			`before do`
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")`
			`end`

			`it "responds with status 401" do`
			`expect(status).to eq(401)`
			`end`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00
			`context "when the user is IP banned" do`
			`before do`
			`expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)`
			`allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')`
			`end`

			`it "responds with status 401" do`
			`expect(status).to eq(401)`
			`end`
			`end`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`end`

			`context "when authentication succeeds" do`
			`before do`
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)`
			`end`

			`context "when the user has access to the project" do`
			`before do`
			`project.team << [user, :master]`
			`end`

			`context "when the user is blocked" do`
			`before do`
			`user.block`
			`project.team << [user, :master]`
			`end`

			`it "responds with status 404" do`
			`expect(status).to eq(404)`
			`end`
			`end`

			`context "when the user isn't blocked" do`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00			`before do`
Fix Style/IndentationWidth cop violations 2015-06-23 05:25:40 +00:00			`expect(Rack::Attack::Allow2Ban).to receive(:reset)`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00			`end`

Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`it "responds with status 200" do`
			`expect(status).to eq(200)`
			`end`
			`end`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00
			`context "when blank password attempts follow a valid login" do`
			`let(:options) { Gitlab.config.rack_attack.git_basic_auth }`
			`let(:maxretry) { options[:maxretry] - 1 }`
			`let(:ip) { '1.2.3.4' }`

			`before do`
			`allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)`
			`Rack::Attack::Allow2Ban.reset(ip, options)`
			`end`

			`after do`
			`Rack::Attack::Allow2Ban.reset(ip, options)`
			`end`

			`def attempt_login(include_password)`
			`password = include_password ? user.password : ""`
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, password)`
			`Grack::Auth.new(app)`
			`auth.call(env).first`
			`end`

			`it "repeated attempts followed by successful attempt" do`
Fix rubocop warnings in spec/lib and spec/tasks 2015-10-03 21:02:21 +00:00			`maxretry.times.each do`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00			`expect(attempt_login(false)).to eq(401)`
			`end`

			`expect(attempt_login(true)).to eq(200)`
Remove Rack Attack monkey patches and bump to version 4.3.0 2015-05-22 20:25:03 +00:00			`expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00
Fix rubocop warnings in spec/lib and spec/tasks 2015-10-03 21:02:21 +00:00			`maxretry.times.each do`
Reduce Rack Attack false positives by clearing out auth failure count upon successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171 2015-03-16 02:07:23 +00:00			`expect(attempt_login(false)).to eq(401)`
			`end`
			`end`
			`end`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00			`end`

			`context "when the user doesn't have access to the project" do`
			`it "responds with status 404" do`
			`expect(status).to eq(404)`
			`end`
			`end`
			`end`
			`end`

			`context "when a gitlab ci token is provided" do`
			`let(:token) { "123" }`
Fix after column rename 2015-12-11 12:39:43 +00:00			`let(:project) { FactoryGirl.create :empty_project }`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00
			`before do`
Fix after column rename 2015-12-11 12:39:43 +00:00			`project.update_attributes(runners_token: token, builds_enabled: true)`
Add tests for GrackAuth. 2015-02-24 15:05:39 +00:00
			`env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials("gitlab-ci-token", token)`
			`end`

			`it "responds with status 200" do`
			`expect(status).to eq(200)`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`