# frozen_string_literal: true require 'spec_helper' RSpec.shared_examples 'TokenAuthenticatable' do describe 'dynamically defined methods' do it { expect(described_class).to respond_to("find_by_#{token_field}") } it { is_expected.to respond_to("ensure_#{token_field}") } it { is_expected.to respond_to("set_#{token_field}") } it { is_expected.to respond_to("reset_#{token_field}!") } end end RSpec.describe User, 'TokenAuthenticatable' do let(:token_field) { :feed_token } it_behaves_like 'TokenAuthenticatable' describe 'ensures authentication token' do subject { create(:user).send(token_field) } it { is_expected.to be_a String } end end RSpec.describe ApplicationSetting, 'TokenAuthenticatable' do let(:token_field) { :runners_registration_token } let(:settings) { described_class.new } it_behaves_like 'TokenAuthenticatable' describe 'generating new token' do context 'token is not generated yet' do describe 'token field accessor' do subject { settings.send(token_field) } it { is_expected.not_to be_blank } end describe "ensure_runners_registration_token" do subject { settings.send("ensure_#{token_field}") } it { is_expected.to be_a String } it { is_expected.not_to be_blank } it 'does not persist token' do expect(settings).not_to be_persisted end end describe 'ensure_runners_registration_token!' do subject { settings.send("ensure_#{token_field}!") } it 'persists new token as an encrypted string' do expect(subject).to eq settings.reload.runners_registration_token expect(settings.read_attribute('runners_registration_token_encrypted')) .to eq TokenAuthenticatableStrategies::EncryptionHelper.encrypt_token(subject) expect(settings).to be_persisted end it 'does not persist token in a clear text' do expect(subject).not_to eq settings.reload .read_attribute('runners_registration_token_encrypted') end end end context 'token is generated' do before do settings.send("reset_#{token_field}!") end it 'persists a new token' do expect(settings.runners_registration_token).to be_a String end end end describe 'setting new token' do subject { settings.send("set_#{token_field}", '0123456789') } it { is_expected.to eq '0123456789' } end describe 'multiple token fields' do before(:all) do described_class.send(:add_authentication_token_field, :yet_another_token) end it { is_expected.to respond_to(:ensure_runners_registration_token) } it { is_expected.to respond_to(:ensure_yet_another_token) } end describe 'setting same token field multiple times' do subject { described_class.send(:add_authentication_token_field, :runners_registration_token) } it 'raises error' do expect {subject}.to raise_error(ArgumentError) end end end RSpec.describe PersonalAccessToken, 'TokenAuthenticatable' do shared_examples 'changes personal access token' do it 'sets new token' do subject expect(personal_access_token.token).to eq("#{PersonalAccessToken.token_prefix}#{token_value}") expect(personal_access_token.token_digest).to eq(Gitlab::CryptoHelper.sha256("#{PersonalAccessToken.token_prefix}#{token_value}")) end end shared_examples 'does not change personal access token' do it 'sets new token' do subject expect(personal_access_token.token).to be(nil) expect(personal_access_token.token_digest).to eq(token_digest) end end let(:token_value) { 'token' } let(:token_digest) { Gitlab::CryptoHelper.sha256(token_value) } let(:user) { create(:user) } let(:personal_access_token) do described_class.new(name: 'test-pat-01', user_id: user.id, scopes: [:api], token_digest: token_digest) end before do allow(Devise).to receive(:friendly_token).and_return(token_value) end describe '.find_by_token' do subject { PersonalAccessToken.find_by_token(token_value) } it 'finds the token' do personal_access_token.save! expect(subject).to eq(personal_access_token) end end describe '#set_token' do let(:new_token_value) { 'new-token' } subject { personal_access_token.set_token(new_token_value) } it 'sets new token' do subject expect(personal_access_token.token).to eq(new_token_value) expect(personal_access_token.token_digest).to eq(Gitlab::CryptoHelper.sha256(new_token_value)) end end describe '#ensure_token' do subject { personal_access_token.ensure_token } context 'token_digest does not exist' do let(:token_digest) { nil } it_behaves_like 'changes personal access token' end context 'token_digest already generated' do let(:token_digest) { 's3cr3t' } it_behaves_like 'does not change personal access token' end end describe '#ensure_token!' do subject { personal_access_token.ensure_token! } context 'token_digest does not exist' do let(:token_digest) { nil } it_behaves_like 'changes personal access token' end context 'token_digest already generated' do let(:token_digest) { 's3cr3t' } it_behaves_like 'does not change personal access token' end end describe '#reset_token!' do subject { personal_access_token.reset_token! } context 'token_digest does not exist' do let(:token_digest) { nil } it_behaves_like 'changes personal access token' end context 'token_digest already generated' do let(:token_digest) { 's3cr3t' } it_behaves_like 'changes personal access token' end end end RSpec.describe Ci::Build, 'TokenAuthenticatable' do let(:token_field) { :token } let(:build) { FactoryBot.build(:ci_build) } it_behaves_like 'TokenAuthenticatable' describe 'generating new token' do context 'token is not generated yet' do describe 'token field accessor' do it 'makes it possible to access token' do expect(build.token).to be_nil build.save! expect(build.token).to be_present end end describe "ensure_token" do subject { build.ensure_token } it { is_expected.to be_a String } it { is_expected.not_to be_blank } it 'does not persist token' do expect(build).not_to be_persisted end end describe 'ensure_token!' do it 'persists a new token' do expect(build.ensure_token!).to eq build.reload.token expect(build).to be_persisted end it 'persists new token as an encrypted string' do build.ensure_token! encrypted = TokenAuthenticatableStrategies::EncryptionHelper.encrypt_token(build.token) expect(build.read_attribute('token_encrypted')).to eq encrypted end it 'does not persist a token in a clear text' do build.ensure_token! expect(build.read_attribute('token')).to be_nil end end end describe '#reset_token!' do it 'persists a new token' do build.save! build.token.yield_self do |previous_token| build.reset_token! expect(build.token).not_to eq previous_token expect(build.token).to be_a String end end end end describe 'setting a new token' do subject { build.set_token('0123456789') } it 'returns the token' do expect(subject).to eq '0123456789' end it 'writes a new encrypted token' do expect(build.read_attribute('token_encrypted')).to be_nil expect(subject).to eq '0123456789' expect(build.read_attribute('token_encrypted')).to be_present end it 'does not write a new cleartext token' do expect(build.read_attribute('token')).to be_nil expect(subject).to eq '0123456789' expect(build.read_attribute('token')).to be_nil end end describe '#token_with_expiration' do describe '#expirable?' do subject { build.token_with_expiration.expirable? } it { is_expected.to eq(false) } end end end RSpec.describe Ci::Runner, 'TokenAuthenticatable', :freeze_time do let_it_be(:non_expirable_runner) { create(:ci_runner) } let_it_be(:non_expired_runner) { create(:ci_runner).tap { |r| r.update!(token_expires_at: 5.seconds.from_now) } } let_it_be(:expired_runner) { create(:ci_runner).tap { |r| r.update!(token_expires_at: 5.seconds.ago) } } describe '#token_expired?' do subject { runner.token_expired? } context 'when enforce_runner_token_expires_at feature flag is disabled' do before do stub_feature_flags(enforce_runner_token_expires_at: false) end context 'when runner has no token expiration' do let(:runner) { non_expirable_runner } it { is_expected.to eq(false) } end context 'when runner token is not expired' do let(:runner) { non_expired_runner } it { is_expected.to eq(false) } end context 'when runner token is expired' do let(:runner) { expired_runner } it { is_expected.to eq(false) } end end context 'when enforce_runner_token_expires_at feature flag is enabled' do before do stub_feature_flags(enforce_runner_token_expires_at: true) end context 'when runner has no token expiration' do let(:runner) { non_expirable_runner } it { is_expected.to eq(false) } end context 'when runner token is not expired' do let(:runner) { non_expired_runner } it { is_expected.to eq(false) } end context 'when runner token is expired' do let(:runner) { expired_runner } it { is_expected.to eq(true) } end end end describe '#token_with_expiration' do describe '#token' do subject { non_expired_runner.token_with_expiration.token } it { is_expected.to eq(non_expired_runner.token) } end describe '#token_expires_at' do subject { non_expired_runner.token_with_expiration.token_expires_at } it { is_expected.to eq(non_expired_runner.token_expires_at) } end describe '#expirable?' do subject { non_expired_runner.token_with_expiration.expirable? } it { is_expected.to eq(true) } end end describe '.find_by_token' do subject { Ci::Runner.find_by_token(runner.token) } context 'when enforce_runner_token_expires_at feature flag is disabled' do before do stub_feature_flags(enforce_runner_token_expires_at: false) end context 'when runner has no token expiration' do let(:runner) { non_expirable_runner } it { is_expected.to eq(non_expirable_runner) } end context 'when runner token is not expired' do let(:runner) { non_expired_runner } it { is_expected.to eq(non_expired_runner) } end context 'when runner token is expired' do let(:runner) { expired_runner } it { is_expected.to eq(expired_runner) } end end context 'when enforce_runner_token_expires_at feature flag is enabled' do before do stub_feature_flags(enforce_runner_token_expires_at: true) end context 'when runner has no token expiration' do let(:runner) { non_expirable_runner } it { is_expected.to eq(non_expirable_runner) } end context 'when runner token is not expired' do let(:runner) { non_expired_runner } it { is_expected.to eq(non_expired_runner) } end context 'when runner token is expired' do let(:runner) { expired_runner } it { is_expected.to be_nil } end end end end