debian-mirror-gitlab/spec/controllers/oauth/authorizations_controller_spec.rb

129 lines
3.8 KiB
Ruby
Raw Normal View History

2019-07-31 22:56:46 +05:30
# frozen_string_literal: true
2017-08-17 22:00:37 +05:30
require 'spec_helper'
2020-06-23 00:09:42 +05:30
RSpec.describe Oauth::AuthorizationsController do
2020-08-18 19:51:02 +05:30
let(:user) { create(:user, confirmed_at: confirmed_at) }
let(:confirmed_at) { 1.hour.ago }
2018-11-08 19:23:39 +05:30
let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
2017-08-17 22:00:37 +05:30
let(:params) do
{
response_type: "code",
2018-11-08 19:23:39 +05:30
client_id: application.uid,
redirect_uri: application.redirect_uri,
2017-08-17 22:00:37 +05:30
state: 'state'
}
end
before do
sign_in(user)
end
2020-08-18 19:51:02 +05:30
shared_examples 'OAuth Authorizations require confirmed user' do
context 'when the user is confirmed' do
context 'when there is already an access token for the application with a matching scope' do
before do
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
end
it 'authorizes the request and redirects' do
subject
expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(:found)
end
end
end
context 'when the user is unconfirmed' do
let(:confirmed_at) { nil }
it 'returns 200 and renders error view' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
end
end
2021-01-18 16:13:48 +05:30
shared_examples "Implicit grant can't be used in confidential application" do
context 'when application is confidential' do
before do
2021-04-29 21:17:54 +05:30
application.update!(confidential: true)
2021-01-18 16:13:48 +05:30
params[:response_type] = 'token'
end
it 'does not allow the implicit flow' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
end
end
2017-08-17 22:00:37 +05:30
describe 'GET #new' do
2020-08-18 19:51:02 +05:30
subject { get :new, params: params }
include_examples 'OAuth Authorizations require confirmed user'
2021-01-18 16:13:48 +05:30
include_examples "Implicit grant can't be used in confidential application"
2020-08-18 19:51:02 +05:30
2020-05-30 21:06:31 +05:30
context 'when the user is confirmed' do
2020-08-18 19:51:02 +05:30
let(:confirmed_at) { 1.hour.ago }
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
context 'without valid params' do
it 'returns 200 code and renders error view' do
get :new
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
2017-08-17 22:00:37 +05:30
end
2020-05-30 21:06:31 +05:30
context 'with valid params' do
render_views
2018-03-27 19:54:05 +05:30
2020-05-30 21:06:31 +05:30
it 'returns 200 code and renders view' do
2020-08-18 19:51:02 +05:30
subject
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/new')
end
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
it 'deletes session.user_return_to and redirects when skip authorization' do
2021-04-29 21:17:54 +05:30
application.update!(trusted: true)
2020-05-30 21:06:31 +05:30
request.session['user_return_to'] = 'http://example.com'
2017-08-17 22:00:37 +05:30
2020-08-18 19:51:02 +05:30
subject
2017-08-17 22:00:37 +05:30
2020-05-30 21:06:31 +05:30
expect(request.session['user_return_to']).to be_nil
expect(response).to have_gitlab_http_status(:found)
end
2018-11-08 19:23:39 +05:30
end
2017-08-17 22:00:37 +05:30
end
2020-08-18 19:51:02 +05:30
end
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
describe 'POST #create' do
subject { post :create, params: params }
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
include_examples 'OAuth Authorizations require confirmed user'
2021-01-18 16:13:48 +05:30
include_examples "Implicit grant can't be used in confidential application"
2020-08-18 19:51:02 +05:30
end
2020-05-30 21:06:31 +05:30
2020-08-18 19:51:02 +05:30
describe 'DELETE #destroy' do
subject { delete :destroy, params: params }
include_examples 'OAuth Authorizations require confirmed user'
2021-01-18 16:13:48 +05:30
include_examples "Implicit grant can't be used in confidential application"
2020-08-18 19:51:02 +05:30
end
it 'includes Two-factor enforcement concern' do
expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
2017-08-17 22:00:37 +05:30
end
end