gitlab-org--gitlab-foss/spec/controllers/graphql_controller_spec.rb

require 'spec_helper'

describe GraphqlController do
  describe 'execute' do
    let(:user) { nil }

    before do
      sign_in(user) if user

      run_test_query!
    end

    subject { query_response }

    context 'graphql is disabled by feature flag' do
      let(:user) { nil }

      before do
        stub_feature_flags(graphql: false)
      end

      it 'returns 404' do
        run_test_query!

        expect(response).to have_gitlab_http_status(404)
      end
    end

    context 'signed out' do
      let(:user) { nil }

      it 'runs the query with current_user: nil' do
        is_expected.to eq('echo' => 'nil says: test success')
      end
    end

    context 'signed in' do
      let(:user) { create(:user, username: 'Simon') }

      it 'runs the query with current_user set' do
        is_expected.to eq('echo' => '"Simon" says: test success')
      end
    end

    context 'invalid variables' do
      it 'returns an error' do
        run_test_query!(variables: "This is not JSON")

        expect(response).to have_gitlab_http_status(422)
        expect(json_response['errors'].first['message']).not_to be_nil
      end
    end
  end

  context 'token authentication' do
    before do
      stub_authentication_activity_metrics(debug: false)
    end

    let(:user) { create(:user, username: 'Simon') }
    let(:personal_access_token) { create(:personal_access_token, user: user) }

    context "when the 'personal_access_token' param is populated with the personal access token" do
      it 'logs the user in' do
        expect(authentication_metrics)
          .to increment(:user_authenticated_counter)
                .and increment(:user_session_override_counter)
                       .and increment(:user_sessionless_authentication_counter)

        run_test_query!(private_token: personal_access_token.token)

        expect(response).to have_gitlab_http_status(200)
        expect(query_response).to eq('echo' => '"Simon" says: test success')
      end
    end

    context 'when the personal access token has no api scope' do
      it 'does not log the user in' do
        personal_access_token.update(scopes: [:read_user])

        run_test_query!(private_token: personal_access_token.token)

        expect(response).to have_gitlab_http_status(200)

        expect(query_response).to eq('echo' => 'nil says: test success')
      end
    end

    context 'without token' do
      it 'shows public data' do
        run_test_query!

        expect(query_response).to eq('echo' => 'nil says: test success')
      end
    end
  end

  # Chosen to exercise all the moving parts in GraphqlController#execute
  def run_test_query!(variables: { 'text' => 'test success' }, private_token: nil)
    query = <<~QUERY
      query Echo($text: String) {
        echo(text: $text)
      }
    QUERY

    post :execute, params: { query: query, operationName: 'Echo', variables: variables, private_token: private_token }
  end

  def query_response
    json_response['data']
  end
end
Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`require 'spec_helper'`

			`describe GraphqlController do`
			`describe 'execute' do`
Handle exceptions outside the GraphQL schema This allows us to report JSON parse exceptions to clients and ignore them in sentry. 2018-05-21 07:42:07 -04:00			`let(:user) { nil }`

Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`before do`
			`sign_in(user) if user`

			`run_test_query!`
			`end`

			`subject { query_response }`

			`context 'graphql is disabled by feature flag' do`
			`let(:user) { nil }`

			`before do`
			`stub_feature_flags(graphql: false)`
			`end`

			`it 'returns 404' do`
			`run_test_query!`

			`expect(response).to have_gitlab_http_status(404)`
			`end`
			`end`

			`context 'signed out' do`
			`let(:user) { nil }`

			`it 'runs the query with current_user: nil' do`
			`is_expected.to eq('echo' => 'nil says: test success')`
			`end`
			`end`

			`context 'signed in' do`
			`let(:user) { create(:user, username: 'Simon') }`

			`it 'runs the query with current_user set' do`
			`is_expected.to eq('echo' => '"Simon" says: test success')`
			`end`
			`end`
Handle exceptions outside the GraphQL schema This allows us to report JSON parse exceptions to clients and ignore them in sentry. 2018-05-21 07:42:07 -04:00
			`context 'invalid variables' do`
			`it 'returns an error' do`
			`run_test_query!(variables: "This is not JSON")`

			`expect(response).to have_gitlab_http_status(422)`
			`expect(json_response['errors'].first['message']).not_to be_nil`
			`end`
			`end`
Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`context 'token authentication' do`
			`before do`
			`stub_authentication_activity_metrics(debug: false)`
			`end`

			`let(:user) { create(:user, username: 'Simon') }`
			`let(:personal_access_token) { create(:personal_access_token, user: user) }`

			`context "when the 'personal_access_token' param is populated with the personal access token" do`
			`it 'logs the user in' do`
			`expect(authentication_metrics)`
			`.to increment(:user_authenticated_counter)`
			`.and increment(:user_session_override_counter)`
			`.and increment(:user_sessionless_authentication_counter)`

			`run_test_query!(private_token: personal_access_token.token)`

			`expect(response).to have_gitlab_http_status(200)`
			`expect(query_response).to eq('echo' => '"Simon" says: test success')`
			`end`
			`end`

			`context 'when the personal access token has no api scope' do`
			`it 'does not log the user in' do`
			`personal_access_token.update(scopes: [:read_user])`

			`run_test_query!(private_token: personal_access_token.token)`

			`expect(response).to have_gitlab_http_status(200)`

			`expect(query_response).to eq('echo' => 'nil says: test success')`
			`end`
			`end`

			`context 'without token' do`
			`it 'shows public data' do`
			`run_test_query!`

			`expect(query_response).to eq('echo' => 'nil says: test success')`
			`end`
			`end`
			`end`

Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`# Chosen to exercise all the moving parts in GraphqlController#execute`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def run_test_query!(variables: { 'text' => 'test success' }, private_token: nil)`
Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`query = <<~QUERY`
			`query Echo($text: String) {`
			`echo(text: $text)`
			`}`
			`QUERY`

Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`post :execute, params: { query: query, operationName: 'Echo', variables: variables, private_token: private_token }`
Add a minimal GraphQL API 2017-08-16 09:04:41 -04:00			`end`

			`def query_response`
			`json_response['data']`
			`end`
			`end`