debian-mirror-gitlab/spec/requests/api/api_spec.rb

96 lines
3.2 KiB
Ruby
Raw Normal View History

2020-03-13 15:44:24 +05:30
# frozen_string_literal: true
require 'spec_helper'
2020-07-28 23:09:34 +05:30
RSpec.describe API::API do
2020-04-22 19:07:51 +05:30
include GroupAPIHelpers
2020-03-13 15:44:24 +05:30
describe 'Record user last activity in after hook' do
# It does not matter which endpoint is used because last_activity_on should
# be updated on every request. `/groups` is used as an example
# to represent any API endpoint
2020-04-22 19:07:51 +05:30
let(:user) { create(:user, last_activity_on: Date.yesterday) }
2020-03-13 15:44:24 +05:30
2020-04-22 19:07:51 +05:30
it 'updates the users last_activity_on to the current date' do
2020-03-13 15:44:24 +05:30
expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
end
2020-04-22 19:07:51 +05:30
end
describe 'User with only read_api scope personal access token' do
# It does not matter which endpoint is used because this should behave
# in the same way for every request. `/groups` is used as an example
# to represent any API endpoint
context 'when personal access token has only read_api scope' do
let_it_be(:user) { create(:user) }
let_it_be(:group) { create(:group) }
let_it_be(:token) { create(:personal_access_token, user: user, scopes: [:read_api]) }
before_all do
group.add_owner(user)
end
it 'does authorize user for get request' do
get api('/groups', personal_access_token: token)
expect(response).to have_gitlab_http_status(:ok)
end
2020-07-28 23:09:34 +05:30
it 'does not authorize user for revoked token' do
revoked = create(:personal_access_token, :revoked, user: user, scopes: [:read_api])
get api('/groups', personal_access_token: revoked)
expect(response).to have_gitlab_http_status(:unauthorized)
end
2020-04-22 19:07:51 +05:30
it 'does not authorize user for post request' do
params = attributes_for_group_api
post api("/groups", personal_access_token: token), params: params
expect(response).to have_gitlab_http_status(:forbidden)
end
it 'does not authorize user for put request' do
group_param = { name: 'Test' }
put api("/groups/#{group.id}", personal_access_token: token), params: group_param
expect(response).to have_gitlab_http_status(:forbidden)
end
2020-03-13 15:44:24 +05:30
2020-04-22 19:07:51 +05:30
it 'does not authorize user for delete request' do
delete api("/groups/#{group.id}", personal_access_token: token)
2020-03-13 15:44:24 +05:30
2020-04-22 19:07:51 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
2020-03-13 15:44:24 +05:30
end
end
end
2020-10-04 03:57:07 +05:30
describe 'authentication with deploy token' do
context 'admin mode' do
let_it_be(:project) { create(:project, :public) }
let_it_be(:package) { create(:maven_package, project: project, name: project.full_path) }
let_it_be(:maven_metadatum) { package.maven_metadatum }
let_it_be(:package_file) { package.package_files.first }
let_it_be(:deploy_token) { create(:deploy_token) }
let(:headers_with_deploy_token) do
{
Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token
}
end
it 'does not bypass the session' do
expect(Gitlab::Auth::CurrentUserMode).not_to receive(:bypass_session!)
get(api("/packages/maven/#{maven_metadatum.path}/#{package_file.file_name}"),
headers: headers_with_deploy_token)
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
end
end
2020-03-13 15:44:24 +05:30
end