debian-mirror-gitlab/spec/controllers/oauth/authorizations_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

302 lines
9.3 KiB
Ruby
Raw Permalink Normal View History

2019-07-31 22:56:46 +05:30
# frozen_string_literal: true
2017-08-17 22:00:37 +05:30
require 'spec_helper'
2020-06-23 00:09:42 +05:30
RSpec.describe Oauth::AuthorizationsController do
2021-12-11 22:18:48 +05:30
let(:user) { create(:user) }
2022-04-04 11:22:00 +05:30
let(:application_scopes) { 'api read_user' }
let!(:application) do
2023-05-27 22:25:52 +05:30
create(:oauth_application, scopes: application_scopes, redirect_uri: 'http://example.com')
2022-04-04 11:22:00 +05:30
end
2017-08-17 22:00:37 +05:30
let(:params) do
{
response_type: "code",
2018-11-08 19:23:39 +05:30
client_id: application.uid,
redirect_uri: application.redirect_uri,
2017-08-17 22:00:37 +05:30
state: 'state'
}
end
before do
sign_in(user)
end
2020-08-18 19:51:02 +05:30
shared_examples 'OAuth Authorizations require confirmed user' do
context 'when the user is confirmed' do
context 'when there is already an access token for the application with a matching scope' do
before do
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
end
it 'authorizes the request and redirects' do
subject
expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(:found)
end
end
end
context 'when the user is unconfirmed' do
2021-12-11 22:18:48 +05:30
let(:user) { create(:user, :unconfirmed) }
2020-08-18 19:51:02 +05:30
it 'returns 200 and renders error view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
end
end
2017-08-17 22:00:37 +05:30
describe 'GET #new' do
2020-08-18 19:51:02 +05:30
subject { get :new, params: params }
2020-05-30 21:06:31 +05:30
context 'when the user is confirmed' do
2021-06-02 17:11:27 +05:30
context 'when there is already an access token for the application with a matching scope' do
before do
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
end
it 'authorizes the request and shows the user a page that redirects' do
subject
expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/redirect')
end
end
2020-05-30 21:06:31 +05:30
context 'without valid params' do
it 'returns 200 code and renders error view' do
get :new
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
2017-08-17 22:00:37 +05:30
end
2020-05-30 21:06:31 +05:30
context 'with valid params' do
render_views
2018-03-27 19:54:05 +05:30
2020-05-30 21:06:31 +05:30
it 'returns 200 code and renders view' do
2020-08-18 19:51:02 +05:30
subject
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
it 'deletes session.user_return_to and redirects when skip authorization' do
2021-04-29 21:17:54 +05:30
application.update!(trusted: true)
2020-05-30 21:06:31 +05:30
request.session['user_return_to'] = 'http://example.com'
2017-08-17 22:00:37 +05:30
2020-08-18 19:51:02 +05:30
subject
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
expect(request.session['user_return_to']).to be_nil
2021-06-02 17:11:27 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/redirect')
2020-05-30 21:06:31 +05:30
end
2022-04-04 11:22:00 +05:30
context 'with gl_auth_type=login' do
let(:minimal_scope) { Gitlab::Auth::READ_USER_SCOPE.to_s }
before do
params[:gl_auth_type] = 'login'
end
shared_examples 'downgrades scopes' do
it 'downgrades the scopes' do
subject
pre_auth = controller.send(:pre_auth)
expect(pre_auth.scopes).to contain_exactly(minimal_scope)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
# See: config/locales/doorkeeper.en.yml
expect(response.body).to include("Read the authenticated user's personal information")
expect(response.body).not_to include("Access the authenticated user's API")
end
end
shared_examples 'adds read_user scope' do
it 'modifies the client.application.scopes' do
expect { subject }
.to change { application.reload.scopes }.to include(minimal_scope)
end
it 'does not remove pre-existing scopes' do
subject
expect(application.scopes).to include(*application_scopes.split(/ /))
end
end
context 'the application has all scopes' do
let(:application_scopes) { 'api read_api read_user' }
include_examples 'downgrades scopes'
end
context 'the application has api and read_user scopes' do
let(:application_scopes) { 'api read_user' }
include_examples 'downgrades scopes'
end
context 'the application has read_api and read_user scopes' do
let(:application_scopes) { 'read_api read_user' }
include_examples 'downgrades scopes'
end
context 'the application has only api scopes' do
let(:application_scopes) { 'api' }
include_examples 'downgrades scopes'
include_examples 'adds read_user scope'
end
context 'the application has only read_api scopes' do
let(:application_scopes) { 'read_api' }
include_examples 'downgrades scopes'
include_examples 'adds read_user scope'
end
context 'the application has scopes we do not handle' do
let(:application_scopes) { Gitlab::Auth::PROFILE_SCOPE.to_s }
before do
params[:scope] = application_scopes
end
it 'does not modify the scopes' do
subject
pre_auth = controller.send(:pre_auth)
expect(pre_auth.scopes).to contain_exactly(application_scopes)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
end
end
2018-11-08 19:23:39 +05:30
end
2017-08-17 22:00:37 +05:30
end
2022-07-23 23:45:48 +05:30
context 'when the user is not signed in' do
before do
sign_out(user)
end
it 'sets a lower session expiry and redirects to the sign in page' do
subject
expect(request.env['rack.session.options'][:expire_after]).to eq(
Settings.gitlab['unauthenticated_session_expire_delay']
)
expect(request.session['user_return_to']).to eq("/oauth/authorize?#{params.to_query}")
expect(response).to have_gitlab_http_status(:found)
expect(response).to redirect_to(new_user_session_path)
end
end
2023-01-13 00:05:48 +05:30
context 'when the user is admin' do
context 'when disable_admin_oauth_scopes is set' do
before do
stub_application_setting(disable_admin_oauth_scopes: true)
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
end
let(:user) { create(:user, :admin) }
it 'returns 200 and renders forbidden view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/forbidden')
end
end
context 'when disable_admin_oauth_scopes is set and the application is trusted' do
before do
stub_application_setting(disable_admin_oauth_scopes: true)
application.update!(trusted: true)
end
let(:application_scopes) { 'api' }
let(:user) { create(:user, :admin) }
it 'returns 200 and renders redirect view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/redirect')
end
end
context 'when disable_admin_oauth_scopes is disabled' do
before do
stub_application_setting(disable_admin_oauth_scopes: false)
end
let(:application_scopes) { 'api' }
let(:user) { create(:user, :admin) }
it 'returns 200 and renders new view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
end
end
context 'when the user is not admin' do
context 'when disable_admin_oauth_scopes is enabled' do
before do
stub_application_setting(disable_admin_oauth_scopes: true)
end
it 'returns 200 and renders new view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
end
end
2020-08-18 19:51:02 +05:30
end
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
describe 'POST #create' do
subject { post :create, params: params }
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
include_examples 'OAuth Authorizations require confirmed user'
end
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
describe 'DELETE #destroy' do
subject { delete :destroy, params: params }
include_examples 'OAuth Authorizations require confirmed user'
end
it 'includes Two-factor enforcement concern' do
expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
2017-08-17 22:00:37 +05:30
end
end