debian-mirror-gitlab/spec/services/resource_access_tokens/revoke_service_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

155 lines
4.9 KiB
Ruby
Raw Normal View History

2020-05-24 23:13:21 +05:30
# frozen_string_literal: true
require 'spec_helper'
2023-05-27 22:25:52 +05:30
RSpec.describe ResourceAccessTokens::RevokeService, feature_category: :system_access do
2020-05-24 23:13:21 +05:30
subject { described_class.new(user, resource, access_token).execute }
let_it_be(:user) { create(:user) }
2022-03-02 08:16:31 +05:30
let_it_be(:user_non_priviledged) { create(:user) }
let_it_be(:resource_bot) { create(:user, :project_bot) }
2021-09-30 23:02:18 +05:30
2020-05-24 23:13:21 +05:30
let(:access_token) { create(:personal_access_token, user: resource_bot) }
2021-01-03 14:25:43 +05:30
describe '#execute', :sidekiq_inline do
2020-05-24 23:13:21 +05:30
shared_examples 'revokes access token' do
it { expect(subject.success?).to be true }
2021-01-03 14:25:43 +05:30
it { expect(subject.message).to eq("Access token #{access_token.name} has been revoked and the bot user has been scheduled for deletion.") }
2020-05-24 23:13:21 +05:30
2021-01-03 14:25:43 +05:30
it 'calls delete user worker' do
expect(DeleteUserWorker).to receive(:perform_async).with(user.id, resource_bot.id, skip_authorization: true)
2020-05-24 23:13:21 +05:30
2021-01-03 14:25:43 +05:30
subject
2020-05-24 23:13:21 +05:30
end
it 'removes membership of bot user' do
subject
expect(resource.reload.users).not_to include(resource_bot)
end
2023-01-13 00:05:48 +05:30
it 'initiates user removal' do
subject
2021-01-03 14:25:43 +05:30
2023-01-13 00:05:48 +05:30
expect(
Users::GhostUserMigration.where(user: resource_bot,
initiator_user: user)
).to be_exists
2021-01-03 14:25:43 +05:30
end
2021-03-11 19:13:27 +05:30
it 'logs the event' do
allow(Gitlab::AppLogger).to receive(:info)
subject
expect(Gitlab::AppLogger).to have_received(:info).with("PROJECT ACCESS TOKEN REVOCATION: revoked_by: #{user.username}, project_id: #{resource.id}, token_user: #{resource_bot.name}, token_id: #{access_token.id}")
end
2020-05-24 23:13:21 +05:30
end
shared_examples 'rollback revoke steps' do
it 'does not revoke the access token' do
subject
expect(access_token.reload.revoked?).to be false
end
it 'does not remove bot from member list' do
subject
expect(resource.reload.users).to include(resource_bot)
end
it 'does not transfer issuables of bot user to ghost user' do
issue = create(:issue, author: resource_bot)
subject
expect(issue.reload.author.ghost?).to be false
end
2021-01-03 14:25:43 +05:30
it 'does not destroy project bot user' do
subject
expect(User.exists?(resource_bot.id)).to be_truthy
end
2020-05-24 23:13:21 +05:30
end
2022-03-02 08:16:31 +05:30
shared_examples 'revoke fails' do |resource_type|
let_it_be(:other_user) { create(:user) }
2021-09-30 23:02:18 +05:30
2022-03-02 08:16:31 +05:30
context "when access token does not belong to this #{resource_type}" do
it 'does not find the bot' do
other_access_token = create(:personal_access_token, user: other_user)
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
response = described_class.new(user, resource, other_access_token).execute
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
expect(response.success?).to be false
expect(response.message).to eq("Failed to find bot user")
expect(access_token.reload.revoked?).to be false
end
end
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
context 'when user does not have permission to destroy bot' do
context "when non-#{resource_type} member tries to delete project bot" do
it 'does not allow other user to delete bot' do
response = described_class.new(other_user, resource, access_token).execute
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
expect(response.success?).to be false
expect(response.message).to eq("#{other_user.name} cannot delete #{access_token.user.name}")
expect(access_token.reload.revoked?).to be false
end
end
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
context "when non-priviledged #{resource_type} member tries to delete project bot" do
it 'does not allow developer to delete bot' do
response = described_class.new(user_non_priviledged, resource, access_token).execute
2020-05-24 23:13:21 +05:30
expect(response.success?).to be false
2022-03-02 08:16:31 +05:30
expect(response.message).to eq("#{user_non_priviledged.name} cannot delete #{access_token.user.name}")
2021-01-03 14:25:43 +05:30
expect(access_token.reload.revoked?).to be false
2020-05-24 23:13:21 +05:30
end
end
2022-03-02 08:16:31 +05:30
end
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
context 'when deletion of bot user fails' do
before do
allow_next_instance_of(::ResourceAccessTokens::RevokeService) do |service|
allow(service).to receive(:execute).and_return(false)
2020-05-24 23:13:21 +05:30
end
2022-03-02 08:16:31 +05:30
end
it_behaves_like 'rollback revoke steps'
end
end
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
context 'when resource is a project' do
let_it_be(:resource) { create(:project, :private) }
2021-01-03 14:25:43 +05:30
2022-03-02 08:16:31 +05:30
before do
resource.add_maintainer(user)
resource.add_developer(user_non_priviledged)
resource.add_maintainer(resource_bot)
end
2021-01-03 14:25:43 +05:30
2022-03-02 08:16:31 +05:30
it_behaves_like 'revokes access token'
2021-01-03 14:25:43 +05:30
2022-03-02 08:16:31 +05:30
it_behaves_like 'revoke fails', 'project'
end
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
context 'when resource is a group' do
let_it_be(:resource) { create(:group, :private) }
2020-05-24 23:13:21 +05:30
2022-03-02 08:16:31 +05:30
before do
resource.add_owner(user)
resource.add_maintainer(user_non_priviledged)
resource.add_maintainer(resource_bot)
2020-05-24 23:13:21 +05:30
end
2022-03-02 08:16:31 +05:30
it_behaves_like 'revokes access token'
it_behaves_like 'revoke fails', 'group'
2020-05-24 23:13:21 +05:30
end
end
end