2019-03-27 10:59:02 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-06-03 23:08:05 -04:00
|
|
|
RSpec.describe GraphqlController do
|
2020-05-12 14:07:54 -04:00
|
|
|
include GraphqlHelpers
|
|
|
|
|
2019-03-27 10:59:02 -04:00
|
|
|
before do
|
|
|
|
stub_feature_flags(graphql: true)
|
|
|
|
end
|
|
|
|
|
2019-07-29 14:36:35 -04:00
|
|
|
describe 'ArgumentError' do
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
let(:message) { 'green ideas sleep furiously' }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles argument errors' do
|
|
|
|
allow(subject).to receive(:execute) do
|
|
|
|
raise Gitlab::Graphql::Errors::ArgumentError, message
|
|
|
|
end
|
|
|
|
|
|
|
|
post :execute
|
|
|
|
|
|
|
|
expect(json_response).to include(
|
|
|
|
'errors' => include(a_hash_including('message' => message))
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-03-27 10:59:02 -04:00
|
|
|
describe 'POST #execute' do
|
|
|
|
context 'when user is logged in' do
|
2020-05-14 11:08:14 -04:00
|
|
|
let(:user) { create(:user, last_activity_on: Date.yesterday) }
|
2019-03-27 10:59:02 -04:00
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
|
|
|
|
2021-10-07 11:12:00 -04:00
|
|
|
it 'sets feature category in ApplicationContext from request' do
|
|
|
|
request.headers["HTTP_X_GITLAB_FEATURE_CATEGORY"] = "web_ide"
|
|
|
|
|
|
|
|
post :execute
|
|
|
|
|
|
|
|
expect(::Gitlab::ApplicationContext.current_context_attribute(:feature_category)).to eq('web_ide')
|
|
|
|
end
|
|
|
|
|
2019-03-27 10:59:02 -04:00
|
|
|
it 'returns 200 when user can access API' do
|
|
|
|
post :execute
|
|
|
|
|
2020-01-27 07:08:35 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
|
|
|
|
2021-12-06 22:12:22 -05:00
|
|
|
it 'executes a simple query with no errors' do
|
|
|
|
post :execute, params: { query: '{ __typename }' }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(json_response).to eq({ 'data' => { '__typename' => 'Query' } })
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'executes a simple multiplexed query with no errors' do
|
|
|
|
multiplex = [{ query: '{ __typename }' }] * 2
|
|
|
|
|
|
|
|
post :execute, params: { _json: multiplex }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(json_response).to eq([
|
|
|
|
{ 'data' => { '__typename' => 'Query' } },
|
|
|
|
{ 'data' => { '__typename' => 'Query' } }
|
|
|
|
])
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'sets a limit on the total query size' do
|
|
|
|
graphql_query = "{#{(['__typename'] * 1000).join(' ')}}"
|
|
|
|
|
|
|
|
post :execute, params: { query: graphql_query }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
|
|
|
expect(json_response).to eq({ 'errors' => [{ 'message' => 'Query too large' }] })
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'sets a limit on the total query size for multiplex queries' do
|
|
|
|
graphql_query = "{#{(['__typename'] * 200).join(' ')}}"
|
|
|
|
multiplex = [{ query: graphql_query }] * 5
|
|
|
|
|
|
|
|
post :execute, params: { _json: multiplex }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
|
|
|
expect(json_response).to eq({ 'errors' => [{ 'message' => 'Query too large' }] })
|
|
|
|
end
|
|
|
|
|
2021-07-01 17:08:38 -04:00
|
|
|
it 'returns forbidden when user cannot access API' do
|
2019-03-27 10:59:02 -04:00
|
|
|
# User cannot access API in a couple of cases
|
|
|
|
# * When user is internal(like ghost users)
|
|
|
|
# * When user is blocked
|
2020-04-03 14:10:03 -04:00
|
|
|
expect(Ability).to receive(:allowed?).with(user, :log_in, :global).and_call_original
|
2019-03-27 10:59:02 -04:00
|
|
|
expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
|
|
|
|
|
|
|
|
post :execute
|
|
|
|
|
2020-03-31 17:08:05 -04:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2021-07-01 17:08:38 -04:00
|
|
|
expect(json_response).to include(
|
|
|
|
'errors' => include(a_hash_including('message' => /API not accessible/))
|
|
|
|
)
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
2020-05-14 11:08:14 -04:00
|
|
|
|
|
|
|
it 'updates the users last_activity_on field' do
|
|
|
|
expect { post :execute }.to change { user.reload.last_activity_on }
|
|
|
|
end
|
2020-08-20 08:10:27 -04:00
|
|
|
|
|
|
|
it "sets context's sessionless value as false" do
|
|
|
|
post :execute
|
|
|
|
|
|
|
|
expect(assigns(:context)[:is_sessionless_user]).to be false
|
|
|
|
end
|
2021-02-14 04:09:06 -05:00
|
|
|
|
|
|
|
it 'calls the track api when trackable method' do
|
|
|
|
agent = 'vs-code-gitlab-workflow/3.11.1 VSCode/1.52.1 Node.js/12.14.1 (darwin; x64)'
|
|
|
|
request.env['HTTP_USER_AGENT'] = agent
|
|
|
|
|
|
|
|
expect(Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter)
|
|
|
|
.to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user)
|
|
|
|
|
|
|
|
post :execute
|
|
|
|
end
|
2020-05-14 11:08:14 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user uses an API token' do
|
|
|
|
let(:user) { create(:user, last_activity_on: Date.yesterday) }
|
|
|
|
let(:token) { create(:personal_access_token, user: user, scopes: [:api]) }
|
|
|
|
|
2020-08-20 08:10:27 -04:00
|
|
|
subject { post :execute, params: { access_token: token.token } }
|
|
|
|
|
2020-05-14 11:08:14 -04:00
|
|
|
it 'updates the users last_activity_on field' do
|
2020-08-20 08:10:27 -04:00
|
|
|
expect { subject }.to change { user.reload.last_activity_on }
|
|
|
|
end
|
|
|
|
|
|
|
|
it "sets context's sessionless value as true" do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(assigns(:context)[:is_sessionless_user]).to be true
|
2020-05-14 11:08:14 -04:00
|
|
|
end
|
2021-02-14 04:09:06 -05:00
|
|
|
|
|
|
|
it 'calls the track api when trackable method' do
|
|
|
|
agent = 'vs-code-gitlab-workflow/3.11.1 VSCode/1.52.1 Node.js/12.14.1 (darwin; x64)'
|
|
|
|
request.env['HTTP_USER_AGENT'] = agent
|
|
|
|
|
|
|
|
expect(Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter)
|
|
|
|
.to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user)
|
|
|
|
|
|
|
|
subject
|
|
|
|
end
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user is not logged in' do
|
|
|
|
it 'returns 200' do
|
|
|
|
post :execute
|
|
|
|
|
2020-01-27 07:08:35 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
2020-08-20 08:10:27 -04:00
|
|
|
|
|
|
|
it "sets context's sessionless value as false" do
|
|
|
|
post :execute
|
|
|
|
|
|
|
|
expect(assigns(:context)[:is_sessionless_user]).to be false
|
|
|
|
end
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
2020-10-06 05:08:32 -04:00
|
|
|
|
|
|
|
it 'includes request object in context' do
|
|
|
|
post :execute
|
|
|
|
|
|
|
|
expect(assigns(:context)[:request]).to eq request
|
|
|
|
end
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|
2020-05-12 14:07:54 -04:00
|
|
|
|
|
|
|
describe 'Admin Mode' do
|
|
|
|
let(:admin) { create(:admin) }
|
|
|
|
let(:project) { create(:project) }
|
|
|
|
let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when admin mode enabled' do
|
|
|
|
before do
|
|
|
|
Gitlab::Session.with_session(controller.session) do
|
|
|
|
controller.current_user_mode.request_admin_mode!
|
|
|
|
controller.current_user_mode.enable_admin_mode!(password: admin.password)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'can query project data' do
|
|
|
|
post :execute, params: { query: graphql_query }
|
|
|
|
|
|
|
|
expect(controller.current_user_mode.admin_mode?).to be(true)
|
|
|
|
expect(json_response['data']['project']['name']).to eq(project.name)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when admin mode disabled' do
|
|
|
|
it 'cannot query project data' do
|
|
|
|
post :execute, params: { query: graphql_query }
|
|
|
|
|
|
|
|
expect(controller.current_user_mode.admin_mode?).to be(false)
|
|
|
|
expect(json_response['data']['project']).to be_nil
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when admin is member of the project' do
|
|
|
|
before do
|
|
|
|
project.add_developer(admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'can query project data' do
|
|
|
|
post :execute, params: { query: graphql_query }
|
|
|
|
|
|
|
|
expect(controller.current_user_mode.admin_mode?).to be(false)
|
|
|
|
expect(json_response['data']['project']['name']).to eq(project.name)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2020-09-13 23:09:21 -04:00
|
|
|
|
|
|
|
describe '#append_info_to_payload' do
|
2021-03-23 14:09:05 -04:00
|
|
|
let(:query_1) { { query: graphql_query_for('project', { 'fullPath' => 'foo' }, %w(id name), 'getProject_1') } }
|
|
|
|
let(:query_2) { { query: graphql_query_for('project', { 'fullPath' => 'bar' }, %w(id), 'getProject_2') } }
|
|
|
|
let(:graphql_queries) { [query_1, query_2] }
|
2020-09-13 23:09:21 -04:00
|
|
|
let(:log_payload) { {} }
|
2021-03-23 14:09:05 -04:00
|
|
|
let(:expected_logs) do
|
|
|
|
[
|
|
|
|
{
|
|
|
|
operation_name: 'getProject_1',
|
|
|
|
complexity: 3,
|
|
|
|
depth: 2,
|
|
|
|
used_deprecated_fields: [],
|
|
|
|
used_fields: ['Project.id', 'Project.name', 'Query.project'],
|
|
|
|
variables: '{}'
|
|
|
|
},
|
|
|
|
{
|
|
|
|
operation_name: 'getProject_2',
|
|
|
|
complexity: 2,
|
|
|
|
depth: 2,
|
|
|
|
used_deprecated_fields: [],
|
|
|
|
used_fields: ['Project.id', 'Query.project'],
|
|
|
|
variables: '{}'
|
|
|
|
}
|
|
|
|
]
|
|
|
|
end
|
2020-09-13 23:09:21 -04:00
|
|
|
|
|
|
|
before do
|
2021-03-23 14:09:05 -04:00
|
|
|
RequestStore.clear!
|
|
|
|
|
2020-09-13 23:09:21 -04:00
|
|
|
allow(controller).to receive(:append_info_to_payload).and_wrap_original do |method, *|
|
|
|
|
method.call(log_payload)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'appends metadata for logging' do
|
2021-03-23 14:09:05 -04:00
|
|
|
post :execute, params: { _json: graphql_queries }
|
2020-09-13 23:09:21 -04:00
|
|
|
|
|
|
|
expect(controller).to have_received(:append_info_to_payload)
|
2021-03-23 14:09:05 -04:00
|
|
|
expect(log_payload.dig(:metadata, :graphql)).to match_array(expected_logs)
|
2020-09-13 23:09:21 -04:00
|
|
|
end
|
2021-12-13 07:12:59 -05:00
|
|
|
|
|
|
|
it 'appends the exception in case of errors' do
|
|
|
|
exception = StandardError.new('boom')
|
|
|
|
|
|
|
|
expect(controller).to receive(:execute).and_raise(exception)
|
|
|
|
|
|
|
|
post :execute, params: { _json: graphql_queries }
|
|
|
|
|
|
|
|
expect(controller).to have_received(:append_info_to_payload)
|
|
|
|
expect(log_payload.dig(:exception_object)).to eq(exception)
|
|
|
|
end
|
2020-09-13 23:09:21 -04:00
|
|
|
end
|
2019-03-27 10:59:02 -04:00
|
|
|
end
|