fe5f75930e
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583
112 lines
2.9 KiB
Ruby
112 lines
2.9 KiB
Ruby
require 'spec_helper'
|
|
|
|
describe GraphqlController do
|
|
describe 'execute' do
|
|
let(:user) { nil }
|
|
|
|
before do
|
|
sign_in(user) if user
|
|
|
|
run_test_query!
|
|
end
|
|
|
|
subject { query_response }
|
|
|
|
context 'graphql is disabled by feature flag' do
|
|
let(:user) { nil }
|
|
|
|
before do
|
|
stub_feature_flags(graphql: false)
|
|
end
|
|
|
|
it 'returns 404' do
|
|
run_test_query!
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'signed out' do
|
|
let(:user) { nil }
|
|
|
|
it 'runs the query with current_user: nil' do
|
|
is_expected.to eq('echo' => 'nil says: test success')
|
|
end
|
|
end
|
|
|
|
context 'signed in' do
|
|
let(:user) { create(:user, username: 'Simon') }
|
|
|
|
it 'runs the query with current_user set' do
|
|
is_expected.to eq('echo' => '"Simon" says: test success')
|
|
end
|
|
end
|
|
|
|
context 'invalid variables' do
|
|
it 'returns an error' do
|
|
run_test_query!(variables: "This is not JSON")
|
|
|
|
expect(response).to have_gitlab_http_status(422)
|
|
expect(json_response['errors'].first['message']).not_to be_nil
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'token authentication' do
|
|
before do
|
|
stub_authentication_activity_metrics(debug: false)
|
|
end
|
|
|
|
let(:user) { create(:user, username: 'Simon') }
|
|
let(:personal_access_token) { create(:personal_access_token, user: user) }
|
|
|
|
context "when the 'personal_access_token' param is populated with the personal access token" do
|
|
it 'logs the user in' do
|
|
expect(authentication_metrics)
|
|
.to increment(:user_authenticated_counter)
|
|
.and increment(:user_session_override_counter)
|
|
.and increment(:user_sessionless_authentication_counter)
|
|
|
|
run_test_query!(private_token: personal_access_token.token)
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
expect(query_response).to eq('echo' => '"Simon" says: test success')
|
|
end
|
|
end
|
|
|
|
context 'when the personal access token has no api scope' do
|
|
it 'does not log the user in' do
|
|
personal_access_token.update(scopes: [:read_user])
|
|
|
|
run_test_query!(private_token: personal_access_token.token)
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
expect(query_response).to eq('echo' => 'nil says: test success')
|
|
end
|
|
end
|
|
|
|
context 'without token' do
|
|
it 'shows public data' do
|
|
run_test_query!
|
|
|
|
expect(query_response).to eq('echo' => 'nil says: test success')
|
|
end
|
|
end
|
|
end
|
|
|
|
# Chosen to exercise all the moving parts in GraphqlController#execute
|
|
def run_test_query!(variables: { 'text' => 'test success' }, private_token: nil)
|
|
query = <<~QUERY
|
|
query Echo($text: String) {
|
|
echo(text: $text)
|
|
}
|
|
QUERY
|
|
|
|
post :execute, query: query, operationName: 'Echo', variables: variables, private_token: private_token
|
|
end
|
|
|
|
def query_response
|
|
json_response['data']
|
|
end
|
|
end
|