2019-07-31 22:56:46 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-06-23 00:09:42 +05:30
|
|
|
RSpec.describe Oauth::AuthorizationsController do
|
2020-08-18 19:51:02 +05:30
|
|
|
let(:user) { create(:user, confirmed_at: confirmed_at) }
|
|
|
|
let(:confirmed_at) { 1.hour.ago }
|
2018-11-08 19:23:39 +05:30
|
|
|
let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
|
2017-08-17 22:00:37 +05:30
|
|
|
let(:params) do
|
|
|
|
{
|
|
|
|
response_type: "code",
|
2018-11-08 19:23:39 +05:30
|
|
|
client_id: application.uid,
|
|
|
|
redirect_uri: application.redirect_uri,
|
2017-08-17 22:00:37 +05:30
|
|
|
state: 'state'
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
|
|
|
|
2020-08-18 19:51:02 +05:30
|
|
|
shared_examples 'OAuth Authorizations require confirmed user' do
|
|
|
|
context 'when the user is confirmed' do
|
|
|
|
context 'when there is already an access token for the application with a matching scope' do
|
|
|
|
before do
|
|
|
|
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
|
|
|
|
|
|
|
|
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
|
|
|
|
|
|
|
|
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'authorizes the request and redirects' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(request.session['user_return_to']).to be_nil
|
|
|
|
expect(response).to have_gitlab_http_status(:found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the user is unconfirmed' do
|
|
|
|
let(:confirmed_at) { nil }
|
|
|
|
|
|
|
|
it 'returns 200 and renders error view' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/error')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-01-18 16:13:48 +05:30
|
|
|
shared_examples "Implicit grant can't be used in confidential application" do
|
|
|
|
context 'when application is confidential' do
|
|
|
|
before do
|
2021-04-29 21:17:54 +05:30
|
|
|
application.update!(confidential: true)
|
2021-01-18 16:13:48 +05:30
|
|
|
params[:response_type] = 'token'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not allow the implicit flow' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/error')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
describe 'GET #new' do
|
2020-08-18 19:51:02 +05:30
|
|
|
subject { get :new, params: params }
|
|
|
|
|
2021-01-18 16:13:48 +05:30
|
|
|
include_examples "Implicit grant can't be used in confidential application"
|
2020-08-18 19:51:02 +05:30
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
context 'when the user is confirmed' do
|
2020-08-18 19:51:02 +05:30
|
|
|
let(:confirmed_at) { 1.hour.ago }
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2021-06-02 17:11:27 +05:30
|
|
|
context 'when there is already an access token for the application with a matching scope' do
|
|
|
|
before do
|
|
|
|
scopes = Doorkeeper::OAuth::Scopes.from_string('api')
|
|
|
|
|
|
|
|
allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
|
|
|
|
|
|
|
|
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'authorizes the request and shows the user a page that redirects' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(request.session['user_return_to']).to be_nil
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/redirect')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
context 'without valid params' do
|
|
|
|
it 'returns 200 code and renders error view' do
|
|
|
|
get :new
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/error')
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
context 'with valid params' do
|
|
|
|
render_views
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
it 'returns 200 code and renders view' do
|
2020-08-18 19:51:02 +05:30
|
|
|
subject
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/new')
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
it 'deletes session.user_return_to and redirects when skip authorization' do
|
2021-04-29 21:17:54 +05:30
|
|
|
application.update!(trusted: true)
|
2020-05-30 21:06:31 +05:30
|
|
|
request.session['user_return_to'] = 'http://example.com'
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2020-08-18 19:51:02 +05:30
|
|
|
subject
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2020-05-30 21:06:31 +05:30
|
|
|
expect(request.session['user_return_to']).to be_nil
|
2021-06-02 17:11:27 +05:30
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response).to render_template('doorkeeper/authorizations/redirect')
|
2020-05-30 21:06:31 +05:30
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
2020-08-18 19:51:02 +05:30
|
|
|
end
|
2020-05-30 21:06:31 +05:30
|
|
|
|
2020-08-18 19:51:02 +05:30
|
|
|
describe 'POST #create' do
|
|
|
|
subject { post :create, params: params }
|
2020-05-30 21:06:31 +05:30
|
|
|
|
2020-08-18 19:51:02 +05:30
|
|
|
include_examples 'OAuth Authorizations require confirmed user'
|
2021-01-18 16:13:48 +05:30
|
|
|
include_examples "Implicit grant can't be used in confidential application"
|
2020-08-18 19:51:02 +05:30
|
|
|
end
|
2020-05-30 21:06:31 +05:30
|
|
|
|
2020-08-18 19:51:02 +05:30
|
|
|
describe 'DELETE #destroy' do
|
|
|
|
subject { delete :destroy, params: params }
|
|
|
|
|
|
|
|
include_examples 'OAuth Authorizations require confirmed user'
|
2021-01-18 16:13:48 +05:30
|
|
|
include_examples "Implicit grant can't be used in confidential application"
|
2020-08-18 19:51:02 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'includes Two-factor enforcement concern' do
|
|
|
|
expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
end
|