debian-mirror-gitlab/spec/requests/api/api_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe API::API do
  include GroupAPIHelpers

  describe 'Record user last activity in after hook' do
    # It does not matter which endpoint is used because last_activity_on should
    # be updated on every request. `/groups` is used as an example
    # to represent any API endpoint
    let(:user) { create(:user, last_activity_on: Date.yesterday) }

    it 'updates the users last_activity_on to the current date' do
      expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
    end
  end

  describe 'User with only read_api scope personal access token' do
    # It does not matter which endpoint is used because this should behave
    # in the same way for every request. `/groups` is used as an example
    # to represent any API endpoint

    context 'when personal access token has only read_api scope' do
      let_it_be(:user) { create(:user) }
      let_it_be(:group) { create(:group) }
      let_it_be(:token) { create(:personal_access_token, user: user, scopes: [:read_api]) }

      before_all do
        group.add_owner(user)
      end

      it 'does authorize user for get request' do
        get api('/groups', personal_access_token: token)

        expect(response).to have_gitlab_http_status(:ok)
      end

      it 'does not authorize user for revoked token' do
        revoked = create(:personal_access_token, :revoked, user: user, scopes: [:read_api])

        get api('/groups', personal_access_token: revoked)

        expect(response).to have_gitlab_http_status(:unauthorized)
      end

      it 'does not authorize user for post request' do
        params = attributes_for_group_api

        post api("/groups", personal_access_token: token), params: params

        expect(response).to have_gitlab_http_status(:forbidden)
      end

      it 'does not authorize user for put request' do
        group_param = { name: 'Test' }

        put api("/groups/#{group.id}", personal_access_token: token), params: group_param

        expect(response).to have_gitlab_http_status(:forbidden)
      end

      it 'does not authorize user for delete request' do
        delete api("/groups/#{group.id}", personal_access_token: token)

        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
  end

  describe 'authentication with deploy token' do
    context 'admin mode' do
      let_it_be(:project) { create(:project, :public) }
      let_it_be(:package) { create(:maven_package, project: project, name: project.full_path) }
      let_it_be(:maven_metadatum) { package.maven_metadatum }
      let_it_be(:package_file) { package.package_files.first }
      let_it_be(:deploy_token) { create(:deploy_token) }
      let(:headers_with_deploy_token) do
        {
          Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token
        }
      end

      it 'does not bypass the session' do
        expect(Gitlab::Auth::CurrentUserMode).not_to receive(:bypass_session!)

        get(api("/packages/maven/#{maven_metadatum.path}/#{package_file.file_name}"),
            headers: headers_with_deploy_token)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.media_type).to eq('application/octet-stream')
      end
    end
  end

  context 'application context' do
    let_it_be(:project) { create(:project) }
    let_it_be(:user) { project.owner }

    it 'logs all application context fields' do
      allow_any_instance_of(Gitlab::GrapeLogging::Loggers::ContextLogger).to receive(:parameters) do
        Labkit::Context.current.to_h.tap do |log_context|
          expect(log_context).to match('correlation_id' => an_instance_of(String),
                                       'meta.caller_id' => '/api/:version/projects/:id/issues',
                                       'meta.project' => project.full_path,
                                       'meta.root_namespace' => project.namespace.full_path,
                                       'meta.user' => user.username,
                                       'meta.feature_category' => 'issue_tracking')
        end
      end

      get(api("/projects/#{project.id}/issues", user))
    end

    it 'skips fields that do not apply' do
      allow_any_instance_of(Gitlab::GrapeLogging::Loggers::ContextLogger).to receive(:parameters) do
        Labkit::Context.current.to_h.tap do |log_context|
          expect(log_context).to match('correlation_id' => an_instance_of(String),
                                       'meta.caller_id' => '/api/:version/users',
                                       'meta.feature_category' => 'users')
        end
      end

      get(api('/users'))
    end
  end
end
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`# frozen_string_literal: true`

			`require 'spec_helper'`

New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`RSpec.describe API::API do`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`include GroupAPIHelpers`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
			`describe 'Record user last activity in after hook' do`
			`# It does not matter which endpoint is used because last_activity_on should`
			# be updated on every request. `/groups` is used as an example
			`# to represent any API endpoint`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`let(:user) { create(:user, last_activity_on: Date.yesterday) }`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`it 'updates the users last_activity_on to the current date' do`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)`
			`end`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`end`

			`describe 'User with only read_api scope personal access token' do`
			`# It does not matter which endpoint is used because this should behave`
			# in the same way for every request. `/groups` is used as an example
			`# to represent any API endpoint`

			`context 'when personal access token has only read_api scope' do`
			`let_it_be(:user) { create(:user) }`
			`let_it_be(:group) { create(:group) }`
			`let_it_be(:token) { create(:personal_access_token, user: user, scopes: [:read_api]) }`

			`before_all do`
			`group.add_owner(user)`
			`end`

			`it 'does authorize user for get request' do`
			`get api('/groups', personal_access_token: token)`

			`expect(response).to have_gitlab_http_status(:ok)`
			`end`

New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`it 'does not authorize user for revoked token' do`
			`revoked = create(:personal_access_token, :revoked, user: user, scopes: [:read_api])`

			`get api('/groups', personal_access_token: revoked)`

			`expect(response).to have_gitlab_http_status(:unauthorized)`
			`end`

New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`it 'does not authorize user for post request' do`
			`params = attributes_for_group_api`

			`post api("/groups", personal_access_token: token), params: params`

			`expect(response).to have_gitlab_http_status(:forbidden)`
			`end`

			`it 'does not authorize user for put request' do`
			`group_param = { name: 'Test' }`

			`put api("/groups/#{group.id}", personal_access_token: token), params: group_param`

			`expect(response).to have_gitlab_http_status(:forbidden)`
			`end`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`it 'does not authorize user for delete request' do`
			`delete api("/groups/#{group.id}", personal_access_token: token)`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`expect(response).to have_gitlab_http_status(:forbidden)`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`end`
			`end`
			`end`
New upstream version 13.2.10 2020-10-04 03:57:07 +05:30
			`describe 'authentication with deploy token' do`
			`context 'admin mode' do`
			`let_it_be(:project) { create(:project, :public) }`
			`let_it_be(:package) { create(:maven_package, project: project, name: project.full_path) }`
			`let_it_be(:maven_metadatum) { package.maven_metadatum }`
			`let_it_be(:package_file) { package.package_files.first }`
			`let_it_be(:deploy_token) { create(:deploy_token) }`
			`let(:headers_with_deploy_token) do`
			`{`
			`Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token`
			`}`
			`end`

			`it 'does not bypass the session' do`
			`expect(Gitlab::Auth::CurrentUserMode).not_to receive(:bypass_session!)`

			`get(api("/packages/maven/#{maven_metadatum.path}/#{package_file.file_name}"),`
			`headers: headers_with_deploy_token)`

			`expect(response).to have_gitlab_http_status(:ok)`
			`expect(response.media_type).to eq('application/octet-stream')`
			`end`
			`end`
			`end`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30
			`context 'application context' do`
			`let_it_be(:project) { create(:project) }`
			`let_it_be(:user) { project.owner }`

			`it 'logs all application context fields' do`
			`allow_any_instance_of(Gitlab::GrapeLogging::Loggers::ContextLogger).to receive(:parameters) do`
			`Labkit::Context.current.to_h.tap do \|log_context\|`
			`expect(log_context).to match('correlation_id' => an_instance_of(String),`
			`'meta.caller_id' => '/api/:version/projects/:id/issues',`
			`'meta.project' => project.full_path,`
			`'meta.root_namespace' => project.namespace.full_path,`
			`'meta.user' => user.username,`
			`'meta.feature_category' => 'issue_tracking')`
			`end`
			`end`

			`get(api("/projects/#{project.id}/issues", user))`
			`end`

			`it 'skips fields that do not apply' do`
			`allow_any_instance_of(Gitlab::GrapeLogging::Loggers::ContextLogger).to receive(:parameters) do`
			`Labkit::Context.current.to_h.tap do \|log_context\|`
			`expect(log_context).to match('correlation_id' => an_instance_of(String),`
			`'meta.caller_id' => '/api/:version/users',`
			`'meta.feature_category' => 'users')`
			`end`
			`end`

			`get(api('/users'))`
			`end`
			`end`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`end`