
authorGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
commitb86f474bf51e20d2db4cf0895d0a8e0894e31c08 (patch)
tree061d2a4c749924f5a35fe6199dd1d8982c4b0b27 /spec/lib/gitlab/auth
parent6b8040dc25fdc5fe614c3796a147517dd50bc7d8 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/lib/gitlab/auth')
-rw-r--r--spec/lib/gitlab/auth/auth_finders_spec.rb (renamed from spec/lib/gitlab/auth/user_auth_finders_spec.rb)68
-rw-r--r--spec/lib/gitlab/auth/current_user_mode_spec.rb115
-rw-r--r--spec/lib/gitlab/auth/request_authenticator_spec.rb24
3 files changed, 159 insertions, 48 deletions
diff --git a/spec/lib/gitlab/auth/user_auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 125039edcf8..3d10f411310 100644
--- a/spec/lib/gitlab/auth/user_auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-describe Gitlab::Auth::UserAuthFinders do
+describe Gitlab::Auth::AuthFinders do
include described_class
let(:user) { create(:user) }
@@ -196,13 +196,13 @@ describe Gitlab::Auth::UserAuthFinders do
context 'when validate_access_token! returns valid' do
it 'returns user' do
- env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+ env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token
expect(find_user_from_access_token).to eq user
end
it 'returns exception if token has no user' do
- env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+ env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token
allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil)
expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
@@ -228,7 +228,7 @@ describe Gitlab::Auth::UserAuthFinders do
let(:personal_access_token) { create(:personal_access_token, user: user) }
before do
- env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+ env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token
end
it 'returns exception if token has no user' do
@@ -279,7 +279,7 @@ describe Gitlab::Auth::UserAuthFinders do
context 'passed as header' do
it 'returns token if valid personal_access_token' do
- env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+ env[described_class::PRIVATE_TOKEN_HEADER] = personal_access_token.token
expect(find_personal_access_token).to eq personal_access_token
end
@@ -287,7 +287,7 @@ describe Gitlab::Auth::UserAuthFinders do
context 'passed as param' do
it 'returns token if valid personal_access_token' do
- set_param(Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_PARAM, personal_access_token.token)
+ set_param(described_class::PRIVATE_TOKEN_PARAM, personal_access_token.token)
expect(find_personal_access_token).to eq personal_access_token
end
@@ -298,7 +298,7 @@ describe Gitlab::Auth::UserAuthFinders do
end
it 'returns exception if invalid personal_access_token' do
- env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = 'invalid_token'
+ env[described_class::PRIVATE_TOKEN_HEADER] = 'invalid_token'
expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end
@@ -379,4 +379,58 @@ describe Gitlab::Auth::UserAuthFinders do
end
end
end
+
+ describe '#find_runner_from_token' do
+ let(:runner) { create(:ci_runner) }
+
+ context 'with API requests' do
+ before do
+ env['SCRIPT_NAME'] = '/api/endpoint'
+ end
+
+ it 'returns the runner if token is valid' do
+ set_param(:token, runner.token)
+
+ expect(find_runner_from_token).to eq(runner)
+ end
+
+ it 'returns nil if token is not present' do
+ expect(find_runner_from_token).to be_nil
+ end
+
+ it 'returns nil if token is blank' do
+ set_param(:token, '')
+
+ expect(find_runner_from_token).to be_nil
+ end
+
+ it 'returns exception if invalid token' do
+ set_param(:token, 'invalid_token')
+
+ expect { find_runner_from_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+ end
+ end
+
+ context 'without API requests' do
+ before do
+ env['SCRIPT_NAME'] = 'url.ics'
+ end
+
+ it 'returns nil if token is valid' do
+ set_param(:token, runner.token)
+
+ expect(find_runner_from_token).to be_nil
+ end
+
+ it 'returns nil if token is blank' do
+ expect(find_runner_from_token).to be_nil
+ end
+
+ it 'returns nil if invalid token' do
+ set_param(:token, 'invalid_token')
+
+ expect(find_runner_from_token).to be_nil
+ end
+ end
+ end
end
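Review bot: The 'returns nil if token is blank' example in the 'without API requests' context (the second `it` after `env['SCRIPT_NAME'] = 'url.ics'`) never sets a token, so it merely repeats the not-present case and leaves the blank-param path untested for non-API paths, unlike its API-context twin which calls `set_param(:token, '')`. Add `set_param(:token, '')` as the first line of that example, or rename it to 'returns nil if token is not present' and add a separate blank-token example. It may also be worth one example where the path contains `api` without being an API route (e.g. `env['SCRIPT_NAME'] = '/projects/api-docs'`) to pin down how the API check matches, since only `'/api/endpoint'` and `'url.ics'` are exercised here; how the implementation decides that is not visible from this spec.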
diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb
index b93d460cf48..3b3db0f7315 100644
--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -62,69 +62,90 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
context 'when the user is an admin' do
let(:user) { build(:user, :admin) }
- it 'is false by default' do
- expect(subject.admin_mode?).to be(false)
- end
-
- it 'cannot be enabled with an invalid password' do
- subject.enable_admin_mode!(password: nil)
-
- expect(subject.admin_mode?).to be(false)
- end
+ context 'when admin mode not requested' do
+ it 'is false by default' do
+ expect(subject.admin_mode?).to be(false)
+ end
- it 'can be enabled with a valid password' do
- subject.enable_admin_mode!(password: user.password)
+ it 'raises exception if we try to enable it' do
+ expect do
+ subject.enable_admin_mode!(password: user.password)
+ end.to raise_error(::Gitlab::Auth::CurrentUserMode::NotRequestedError)
- expect(subject.admin_mode?).to be(true)
+ expect(subject.admin_mode?).to be(false)
+ end
end
- it 'can be disabled' do
- subject.enable_admin_mode!(password: user.password)
- subject.disable_admin_mode!
-
- expect(subject.admin_mode?).to be(false)
- end
+ context 'when admin mode requested first' do
+ before do
+ subject.request_admin_mode!
+ end
- it 'will expire in the future' do
- subject.enable_admin_mode!(password: user.password)
- expect(subject.admin_mode?).to be(true), 'admin mode is not active in the present'
+ it 'is false by default' do
+ expect(subject.admin_mode?).to be(false)
+ end
- Timecop.freeze(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do
- # in the future this will be a new request, simulate by clearing the RequestStore
- Gitlab::SafeRequestStore.clear!
+ it 'cannot be enabled with an invalid password' do
+ subject.enable_admin_mode!(password: nil)
- expect(subject.admin_mode?).to be(false), 'admin mode did not expire in the future'
+ expect(subject.admin_mode?).to be(false)
end
- end
- context 'skipping password validation' do
it 'can be enabled with a valid password' do
- subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
+ subject.enable_admin_mode!(password: user.password)
expect(subject.admin_mode?).to be(true)
end
- it 'can be enabled with an invalid password' do
- subject.enable_admin_mode!(skip_password_validation: true)
+ it 'can be disabled' do
+ subject.enable_admin_mode!(password: user.password)
+ subject.disable_admin_mode!
- expect(subject.admin_mode?).to be(true)
+ expect(subject.admin_mode?).to be(false)
end
- end
- context 'with two independent sessions' do
- let(:another_session) { {} }
- let(:another_subject) { described_class.new(user) }
+ it 'will expire in the future' do
+ subject.enable_admin_mode!(password: user.password)
+ expect(subject.admin_mode?).to be(true), 'admin mode is not active in the present'
- before do
- allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session, another_session])
+ Timecop.freeze(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do
+ # in the future this will be a new request, simulate by clearing the RequestStore
+ Gitlab::SafeRequestStore.clear!
+
+ expect(subject.admin_mode?).to be(false), 'admin mode did not expire in the future'
+ end
end
- it 'can be enabled in one and seen in the other' do
- Gitlab::Session.with_session(another_session) do
- another_subject.enable_admin_mode!(password: user.password)
+ context 'skipping password validation' do
+ it 'can be enabled with a valid password' do
+ subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
+
+ expect(subject.admin_mode?).to be(true)
end
- expect(subject.admin_mode?).to be(true)
+ it 'can be enabled with an invalid password' do
+ subject.enable_admin_mode!(skip_password_validation: true)
+
+ expect(subject.admin_mode?).to be(true)
+ end
+ end
+
+ context 'with two independent sessions' do
+ let(:another_session) { {} }
+ let(:another_subject) { described_class.new(user) }
+
+ before do
+ allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session, another_session])
+ end
+
+ it 'can be enabled in one and seen in the other' do
+ Gitlab::Session.with_session(another_session) do
+ another_subject.request_admin_mode!
+ another_subject.enable_admin_mode!(password: user.password)
+ end
+
+ expect(subject.admin_mode?).to be(true)
+ end
end
end
end
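Review bot: Under 'when admin mode not requested' the only guarded call is `enable_admin_mode!(password: user.password)`; nothing shows that `enable_admin_mode!(skip_password_validation: true)` also raises `NotRequestedError` without a prior `request_admin_mode!`. That is the most sensitive combination, because the 'skipping password validation' context further down shows the flag succeeding with no password at all, and whether the request check runs before the skip is not visible from this spec. The enclosing describe starts before this hunk. A second example in that context would pin it:
```ruby
context 'when admin mode not requested' do
  # … unchanged: 'is false by default' and the password example …

  it 'raises exception if we try to enable it skipping password validation' do
    expect do
      subject.enable_admin_mode!(skip_password_validation: true)
    end.to raise_error(::Gitlab::Auth::CurrentUserMode::NotRequestedError)

    expect(subject.admin_mode?).to be(false)
  end
```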
@@ -134,16 +155,28 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
let(:user) { build(:user, :admin) }
it 'creates a timestamp in the session' do
+ subject.request_admin_mode!
subject.enable_admin_mode!(password: user.password)
expect(session).to include(expected_session_entry(be_within(1.second).of Time.now))
end
end
+ describe '#enable_sessionless_admin_mode!' do
+ let(:user) { build(:user, :admin) }
+
+ it 'enabled admin mode without password' do
+ subject.enable_sessionless_admin_mode!
+
+ expect(subject.admin_mode?).to be(true)
+ end
+ end
+
describe '#disable_admin_mode!' do
let(:user) { build(:user, :admin) }
it 'sets the session timestamp to nil' do
+ subject.request_admin_mode!
subject.disable_admin_mode!
expect(session).to include(expected_session_entry(be_nil))
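Review bot: The new `#enable_sessionless_admin_mode!` describe covers only an admin user, and its description 'enabled admin mode without password' should read 'enables admin mode without password'. Since this method grants admin mode with neither a password nor a prior `request_admin_mode!`, a negative example with `let(:user) { build(:user) }` asserting `expect(subject.admin_mode?).to be(false)` would document that the admin check still applies; whether the class enforces that for this path is not visible from this spec, which is exactly why it deserves a test. Given the neighbouring `#enable_admin_mode!` example asserts a session timestamp is written, consider also asserting that the sessionless variant leaves `session` untouched, though the right matcher depends on `expected_session_entry`, which is defined outside this hunk.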
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index f7fff389d88..4dbcd0df302 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -66,4 +66,28 @@ describe Gitlab::Auth::RequestAuthenticator do
expect(subject.find_sessionless_user([:api])).to be_blank
end
end
+
+ describe '#runner' do
+ let!(:runner) { build(:ci_runner) }
+
+ it 'returns the runner using #find_runner_from_token' do
+ expect_any_instance_of(described_class)
+ .to receive(:find_runner_from_token)
+ .and_return(runner)
+
+ expect(subject.runner).to eq runner
+ end
+
+ it 'returns nil if no runner is found' do
+ expect(subject.runner).to be_blank
+ end
+
+ it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
+ expect_any_instance_of(described_class)
+ .to receive(:find_runner_from_token)
+ .and_raise(Gitlab::Auth::UnauthorizedError)
+
+ expect(subject.runner).to be_blank
+ end
+ end
end
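Review bot: The `#runner` examples stub with `expect_any_instance_of(described_class)`, which reaches every instance rather than the one under test; assuming `subject` is the described_class instance built above this hunk, `expect(subject).to receive(:find_runner_from_token).and_return(runner)` (and `.and_raise(Gitlab::Auth::UnauthorizedError)` in the third example) is tighter and is the form RSpec recommends over any_instance stubs. The third description 'rescue Gitlab::Auth::AuthenticationError exceptions' should read 'rescues …', and it only raises `UnauthorizedError`; if `AuthenticationError` is the base class being rescued, an example raising it directly would pin the contract rather than one subclass. The second and third examples together show that at `#runner` an invalid runner token is indistinguishable from no token, which is worth stating in the example names so the behaviour is clearly intentional.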