2019-10-12 21:52:04 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2018-11-29 20:51:05 +05:30
|
|
|
shared_examples 'authenticates sessionless user' do |path, format, params|
|
|
|
|
params ||= {}
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_authentication_activity_metrics(debug: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
let(:personal_access_token) { create(:personal_access_token, user: user) }
|
|
|
|
let(:default_params) { { format: format }.merge(params.except(:public) || {}) }
|
|
|
|
|
|
|
|
context "when the 'personal_access_token' param is populated with the personal access token" do
|
|
|
|
it 'logs the user in' do
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_authenticated_counter)
|
|
|
|
.and increment(:user_session_override_counter)
|
|
|
|
.and increment(:user_sessionless_authentication_counter)
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params.merge(private_token: personal_access_token.token)
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
expect(controller.current_user).to eq(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not log the user in if page is public', if: params[:public] do
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the personal access token has no api scope', unless: params[:public] do
|
|
|
|
it 'does not log the user in' do
|
2019-10-31 01:37:42 +05:30
|
|
|
# Several instances of where these specs are shared route the request
|
|
|
|
# through ApplicationController#route_not_found which does not involve
|
|
|
|
# the usual auth code from Devise, so does not increment the
|
|
|
|
# :user_unauthenticated_counter
|
|
|
|
#
|
|
|
|
unless params[:ignore_incrementing]
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_unauthenticated_counter)
|
|
|
|
end
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
personal_access_token.update(scopes: [:read_user])
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params.merge(private_token: personal_access_token.token)
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response).not_to have_gitlab_http_status(200)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the 'PERSONAL_ACCESS_TOKEN' header is populated with the personal access token" do
|
|
|
|
it 'logs the user in' do
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_authenticated_counter)
|
|
|
|
.and increment(:user_session_override_counter)
|
|
|
|
.and increment(:user_sessionless_authentication_counter)
|
|
|
|
|
|
|
|
@request.headers['PRIVATE-TOKEN'] = personal_access_token.token
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the 'feed_token' param is populated with the feed token", if: format == :rss do
|
|
|
|
it "logs the user in" do
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_authenticated_counter)
|
|
|
|
.and increment(:user_session_override_counter)
|
|
|
|
.and increment(:user_sessionless_authentication_counter)
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params.merge(feed_token: user.feed_token)
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status 200
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the 'feed_token' param is populated with an invalid feed token", if: format == :rss, unless: params[:public] do
|
|
|
|
it "logs the user" do
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_unauthenticated_counter)
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params.merge(feed_token: 'token')
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response.status).not_to eq 200
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "doesn't log the user in otherwise", unless: params[:public] do
|
2019-10-31 01:37:42 +05:30
|
|
|
# Several instances of where these specs are shared route the request
|
|
|
|
# through ApplicationController#route_not_found which does not involve
|
|
|
|
# the usual auth code from Devise, so does not increment the
|
|
|
|
# :user_unauthenticated_counter
|
|
|
|
#
|
|
|
|
unless params[:ignore_incrementing]
|
|
|
|
expect(authentication_metrics)
|
|
|
|
.to increment(:user_unauthenticated_counter)
|
|
|
|
end
|
2018-11-29 20:51:05 +05:30
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
get path, params: default_params.merge(private_token: 'token')
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
expect(response.status).not_to eq(200)
|
|
|
|
end
|
|
|
|
end
|