2020-04-22 19:07:51 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
RSpec.describe ResourceAccessTokens::CreateService, feature_category: :system_access do
|
2020-05-24 23:13:21 +05:30
|
|
|
subject { described_class.new(user, resource, params).execute }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
|
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
let_it_be(:project) { create(:project, :private) }
|
2022-03-02 08:16:31 +05:30
|
|
|
let_it_be(:group) { create(:group, :private) }
|
2020-04-22 19:07:51 +05:30
|
|
|
let_it_be(:params) { {} }
|
2023-07-09 08:55:56 +05:30
|
|
|
let_it_be(:max_pat_access_token_lifetime) do
|
|
|
|
PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date.freeze
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
before do
|
|
|
|
stub_config_setting(host: 'example.com')
|
|
|
|
end
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
describe '#execute' do
|
2021-01-29 00:20:46 +05:30
|
|
|
shared_examples 'token creation fails' do
|
2022-08-27 11:52:29 +05:30
|
|
|
let(:resource) { create(:project) }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'does not add the project bot as a member' do
|
|
|
|
expect { subject }.not_to change { resource.members.count }
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'immediately destroys the bot user if one was created', :sidekiq_inline do
|
|
|
|
expect { subject }.not_to change { User.bots.count }
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
shared_examples 'correct error message' do
|
|
|
|
it 'returns correct error message' do
|
|
|
|
expect(subject.error?).to be true
|
|
|
|
expect(subject.errors).to include(error_message)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
shared_examples 'allows creation of bot with valid params' do
|
|
|
|
it { expect { subject }.to change { User.count }.by(1) }
|
|
|
|
|
|
|
|
it 'creates resource bot user' do
|
|
|
|
response = subject
|
|
|
|
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
expect(access_token.user.reload.user_type).to eq("project_bot")
|
2021-01-03 14:25:43 +05:30
|
|
|
expect(access_token.user.created_by_id).to eq(user.id)
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
context 'email confirmation status' do
|
|
|
|
shared_examples_for 'creates a user that has their email confirmed' do
|
|
|
|
it 'creates a user that has their email confirmed' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.user.reload.confirmed?).to eq(true)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when created by an admin' do
|
2021-01-29 00:20:46 +05:30
|
|
|
let(:user) { create(:admin) }
|
|
|
|
|
|
|
|
context 'when admin mode is enabled', :enable_admin_mode do
|
|
|
|
it_behaves_like 'creates a user that has their email confirmed'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when admin mode is disabled' do
|
|
|
|
it 'returns error' do
|
|
|
|
response = subject
|
|
|
|
|
|
|
|
expect(response.error?).to be true
|
|
|
|
end
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when created by a non-admin' do
|
|
|
|
it_behaves_like 'creates a user that has their email confirmed'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
context 'bot name' do
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'when no name is passed' do
|
|
|
|
it 'uses default name' do
|
2020-04-22 19:07:51 +05:30
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.user.name).to eq("#{resource.name.to_s.humanize} bot")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'when user provides name' do
|
2020-05-24 23:13:21 +05:30
|
|
|
let_it_be(:params) { { name: 'Random bot' } }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
it 'overrides the default name value' do
|
2020-04-22 19:07:51 +05:30
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.user.name).to eq(params[:name])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
context 'bot username and email' do
|
|
|
|
include_examples 'username and email pair is generated by Gitlab::Utils::UsernameAndEmailGenerator' do
|
|
|
|
subject do
|
|
|
|
response = described_class.new(user, resource, params).execute
|
|
|
|
response.payload[:access_token].user
|
|
|
|
end
|
|
|
|
|
|
|
|
let(:username_prefix) do
|
|
|
|
"#{resource.class.name.downcase}_#{resource.id}_bot"
|
|
|
|
end
|
2022-03-02 08:16:31 +05:30
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
let(:email_domain) do
|
|
|
|
"noreply.#{Gitlab.config.gitlab.host}"
|
|
|
|
end
|
2022-03-02 08:16:31 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-09-30 23:02:18 +05:30
|
|
|
context 'access level' do
|
|
|
|
context 'when user does not specify an access level' do
|
|
|
|
it 'adds the bot user as a maintainer in the resource' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
bot_user = access_token.user
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-09-30 23:02:18 +05:30
|
|
|
expect(resource.members.maintainers.map(&:user_id)).to include(bot_user.id)
|
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
shared_examples 'bot with access level' do
|
2021-09-30 23:02:18 +05:30
|
|
|
it 'adds the bot user with the specified access level in the resource' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
bot_user = access_token.user
|
|
|
|
|
|
|
|
expect(resource.members.developers.map(&:user_id)).to include(bot_user.id)
|
|
|
|
end
|
2021-09-04 01:27:46 +05:30
|
|
|
end
|
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
context 'when user specifies an access level' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::DEVELOPER } }
|
|
|
|
|
|
|
|
it_behaves_like 'bot with access level'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with DEVELOPER access_level, in string format' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::DEVELOPER.to_s } }
|
|
|
|
|
|
|
|
it_behaves_like 'bot with access level'
|
|
|
|
end
|
|
|
|
|
2021-09-30 23:02:18 +05:30
|
|
|
context 'when user is external' do
|
|
|
|
before do
|
2022-03-02 08:16:31 +05:30
|
|
|
user.update!(external: true)
|
2021-09-30 23:02:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'creates resource bot user with external status' do
|
|
|
|
expect(subject.payload[:access_token].user.external).to eq true
|
|
|
|
end
|
2021-09-04 01:27:46 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
context 'personal access token' do
|
|
|
|
it { expect { subject }.to change { PersonalAccessToken.count }.by(1) }
|
|
|
|
|
|
|
|
context 'when user does not provide scope' do
|
|
|
|
it 'has default scopes' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
2020-05-24 23:13:21 +05:30
|
|
|
expect(access_token.scopes).to eq(Gitlab::Auth.resource_bot_scopes)
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user provides scope explicitly' do
|
2020-05-24 23:13:21 +05:30
|
|
|
let_it_be(:params) { { scopes: Gitlab::Auth::REPOSITORY_SCOPES } }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
it 'overrides the default scope value' do
|
2020-04-22 19:07:51 +05:30
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.scopes).to eq(Gitlab::Auth::REPOSITORY_SCOPES)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'expires_at' do
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'when no expiration value is passed' do
|
2023-07-09 08:55:56 +05:30
|
|
|
context 'when default_pat_expiration feature flag is true' do
|
|
|
|
it 'defaults to PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS' do
|
|
|
|
freeze_time do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.expires_at).to eq(
|
|
|
|
max_pat_access_token_lifetime.to_date
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
context 'expiry of the project bot member' do
|
|
|
|
it 'project bot membership does not expire' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
project_bot = access_token.user
|
|
|
|
|
|
|
|
expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(
|
|
|
|
max_pat_access_token_lifetime.to_date
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
context 'when default_pat_expiration feature flag is false' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(default_pat_expiration: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'uses nil expiration value' do
|
2021-01-03 14:25:43 +05:30
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
expect(access_token.expires_at).to eq(nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'expiry of the project bot member' do
|
|
|
|
it 'project bot membership expires' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
project_bot = access_token.user
|
|
|
|
|
|
|
|
expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(nil)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'when user provides expiration value' do
|
2020-05-24 23:13:21 +05:30
|
|
|
let_it_be(:params) { { expires_at: Date.today + 1.month } }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
it 'overrides the default expiration value' do
|
2020-04-22 19:07:51 +05:30
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
|
|
|
|
expect(access_token.expires_at).to eq(params[:expires_at])
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
|
|
|
context 'expiry of the project bot member' do
|
|
|
|
it 'sets the project bot to expire on the same day as the token' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
project_bot = access_token.user
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(access_token.expires_at)
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'when invalid scope is passed' do
|
2023-03-04 22:38:38 +05:30
|
|
|
let(:error_message) { 'Scopes can only contain available scopes' }
|
2020-05-24 23:13:21 +05:30
|
|
|
let_it_be(:params) { { scopes: [:invalid_scope] } }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it_behaves_like 'token creation fails'
|
2023-03-04 22:38:38 +05:30
|
|
|
it_behaves_like 'correct error message'
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
context "when access provisioning fails" do
|
|
|
|
let_it_be(:bot_user) { create(:user, :project_bot) }
|
2021-09-30 23:02:18 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
let(:unpersisted_member) { build(:project_member, source: resource, user: bot_user) }
|
2023-05-27 22:25:52 +05:30
|
|
|
let(:error_message) { 'Could not provision maintainer access to the access token. ERROR: error message' }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
before do
|
|
|
|
allow_next_instance_of(ResourceAccessTokens::CreateService) do |service|
|
|
|
|
allow(service).to receive(:create_user).and_return(bot_user)
|
|
|
|
allow(service).to receive(:create_membership).and_return(unpersisted_member)
|
|
|
|
end
|
2023-05-27 22:25:52 +05:30
|
|
|
|
|
|
|
allow(unpersisted_member).to receive_message_chain(:errors, :full_messages, :to_sentence)
|
|
|
|
.and_return('error message')
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with MAINTAINER access_level, in integer format' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::MAINTAINER } }
|
|
|
|
|
|
|
|
it_behaves_like 'token creation fails'
|
|
|
|
it_behaves_like 'correct error message'
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2023-05-27 22:25:52 +05:30
|
|
|
context 'with MAINTAINER access_level, in string format' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::MAINTAINER.to_s } }
|
|
|
|
|
|
|
|
it_behaves_like 'token creation fails'
|
|
|
|
it_behaves_like 'correct error message'
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
|
|
|
|
it 'logs the event' do
|
|
|
|
allow(Gitlab::AppLogger).to receive(:info)
|
|
|
|
|
|
|
|
response = subject
|
|
|
|
|
|
|
|
expect(Gitlab::AppLogger).to have_received(:info).with(/PROJECT ACCESS TOKEN CREATION: created_by: #{user.username}, project_id: #{resource.id}, token_user: #{response.payload[:access_token].user.name}, token_id: \d+/)
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
shared_examples 'when user does not have permission to create a resource bot' do
|
2023-03-04 22:38:38 +05:30
|
|
|
let(:error_message) { "User does not have permission to create #{resource_type} access token" }
|
2022-03-02 08:16:31 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it_behaves_like 'token creation fails'
|
|
|
|
it_behaves_like 'correct error message'
|
2022-03-02 08:16:31 +05:30
|
|
|
end
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
context 'when resource is a project' do
|
2020-05-24 23:13:21 +05:30
|
|
|
let_it_be(:resource_type) { 'project' }
|
|
|
|
let_it_be(:resource) { project }
|
2020-04-22 19:07:51 +05:30
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
it_behaves_like 'when user does not have permission to create a resource bot'
|
2021-01-29 00:20:46 +05:30
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
context 'user with valid permission' do
|
|
|
|
before_all do
|
|
|
|
resource.add_maintainer(user)
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2022-03-02 08:16:31 +05:30
|
|
|
|
|
|
|
it_behaves_like 'allows creation of bot with valid params'
|
2022-07-23 23:45:48 +05:30
|
|
|
|
|
|
|
context 'when user specifies an access level of OWNER for the bot' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::OWNER } }
|
|
|
|
|
|
|
|
context 'when the executor is a MAINTAINER' do
|
2023-03-04 22:38:38 +05:30
|
|
|
let(:error_message) { 'Could not provision owner access to project access token' }
|
2022-07-23 23:45:48 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
context 'with OWNER access_level, in integer format' do
|
|
|
|
it_behaves_like 'token creation fails'
|
|
|
|
it_behaves_like 'correct error message'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with OWNER access_level, in string format' do
|
|
|
|
let(:error_message) { 'Could not provision owner access to project access token' }
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::OWNER.to_s } }
|
|
|
|
|
|
|
|
it_behaves_like 'token creation fails'
|
|
|
|
it_behaves_like 'correct error message'
|
2022-07-23 23:45:48 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the executor is an OWNER' do
|
|
|
|
let_it_be(:user) { project.first_owner }
|
|
|
|
|
|
|
|
it 'adds the bot user with the specified access level in the resource' do
|
|
|
|
response = subject
|
|
|
|
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
bot_user = access_token.user
|
|
|
|
|
|
|
|
expect(resource.members.owners.map(&:user_id)).to include(bot_user.id)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2022-03-02 08:16:31 +05:30
|
|
|
end
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'when resource is a group' do
|
2022-03-02 08:16:31 +05:30
|
|
|
let_it_be(:resource_type) { 'group' }
|
|
|
|
let_it_be(:resource) { group }
|
|
|
|
|
|
|
|
it_behaves_like 'when user does not have permission to create a resource bot'
|
2020-04-22 19:07:51 +05:30
|
|
|
|
|
|
|
context 'user with valid permission' do
|
2020-05-24 23:13:21 +05:30
|
|
|
before_all do
|
2022-03-02 08:16:31 +05:30
|
|
|
resource.add_owner(user)
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'allows creation of bot with valid params'
|
2022-07-23 23:45:48 +05:30
|
|
|
|
|
|
|
context 'when user specifies an access level of OWNER for the bot' do
|
|
|
|
let_it_be(:params) { { access_level: Gitlab::Access::OWNER } }
|
|
|
|
|
|
|
|
it 'adds the bot user with the specified access level in the resource' do
|
|
|
|
response = subject
|
|
|
|
access_token = response.payload[:access_token]
|
|
|
|
bot_user = access_token.user
|
|
|
|
|
|
|
|
expect(resource.members.owners.map(&:user_id)).to include(bot_user.id)
|
|
|
|
end
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|