Add latest changes from gitlab-org/gitlab@14-1-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-07-28 01:40:43 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-07-28 01:40:43 +0300
commit: bbe511b231b5de3fab4dc418601c89cc1ccc8063 (patch)
tree: 650453c3b64751df39fda6f33ca4b39318f41e0d /spec/lib/gitlab
parent: ad1c34c03de42ebc5279f338f6304e77930d34d4 (diff)
2 files changed, 166 insertions, 0 deletions
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 14200733c19..2d4239eb761 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -708,6 +708,122 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
   end
 
+  describe '#find_user_from_basic_auth_password' do
+    subject { find_user_from_basic_auth_password }
+
+    context 'when the request does not have AUTHORIZATION header' do
+      it { is_expected.to be_nil }
+    end
+
+    it 'returns nil without user and password' do
+      set_basic_auth_header(nil, nil)
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil without password' do
+      set_basic_auth_header('some-user', nil)
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil without user' do
+      set_basic_auth_header(nil, 'password')
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil with CI username' do
+      set_basic_auth_header(::Gitlab::Auth::CI_JOB_USER, 'password')
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil with wrong password' do
+      set_basic_auth_header(user.username, 'wrong-password')
+
+      is_expected.to be_nil
+    end
+
+    it 'returns user with correct credentials' do
+      set_basic_auth_header(user.username, user.password)
+
+      is_expected.to eq(user)
+    end
+  end
+
+  describe '#find_user_from_lfs_token' do
+    subject { find_user_from_lfs_token }
+
+    context 'when the request does not have AUTHORIZATION header' do
+      it { is_expected.to be_nil }
+    end
+
+    it 'returns nil without user and token' do
+      set_basic_auth_header(nil, nil)
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil without token' do
+      set_basic_auth_header('some-user', nil)
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil without user' do
+      set_basic_auth_header(nil, 'token')
+
+      is_expected.to be_nil
+    end
+
+    it 'returns nil with wrong token' do
+      set_basic_auth_header(user.username, 'wrong-token')
+
+      is_expected.to be_nil
+    end
+
+    it 'returns user with correct user and correct token' do
+      lfs_token = Gitlab::LfsToken.new(user).token
+      set_basic_auth_header(user.username, lfs_token)
+
+      is_expected.to eq(user)
+    end
+
+    it 'returns nil with wrong user and correct token' do
+      lfs_token = Gitlab::LfsToken.new(user).token
+      other_user = create(:user)
+      set_basic_auth_header(other_user.username, lfs_token)
+
+      is_expected.to be_nil
+    end
+  end
+
+  describe '#find_user_from_personal_access_token' do
+    subject { find_user_from_personal_access_token }
+
+    it 'returns nil without access token' do
+      allow_any_instance_of(described_class).to receive(:access_token).and_return(nil)
+
+      is_expected.to be_nil
+    end
+
+    it 'returns user with correct access token' do
+      personal_access_token = create(:personal_access_token, user: user)
+      allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+
+      is_expected.to eq(user)
+    end
+
+    it 'returns exception if access token has no user' do
+      personal_access_token = create(:personal_access_token, user: user)
+      allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+      allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil)
+
+      expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+    end
+  end
+
   describe '#validate_access_token!' do
     subject { validate_access_token! }
 
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 93e9cb06786..28e93a8da52 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -45,6 +45,9 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
     let!(:feed_token_user) { build(:user) }
     let!(:static_object_token_user) { build(:user) }
     let!(:job_token_user) { build(:user) }
+    let!(:lfs_token_user) { build(:user) }
+    let!(:basic_auth_access_token_user) { build(:user) }
+    let!(:basic_auth_password_user) { build(:user) }
 
     it 'returns access_token user first' do
       allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token)
@@ -78,6 +81,30 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
       expect(subject.find_sessionless_user(:api)).to eq job_token_user
     end
 
+    it 'returns lfs_token user if no job_token user found' do
+      allow_any_instance_of(described_class)
+        .to receive(:find_user_from_lfs_token)
+        .and_return(lfs_token_user)
+
+      expect(subject.find_sessionless_user(:api)).to eq lfs_token_user
+    end
+
+    it 'returns basic_auth_access_token user if no lfs_token user found' do
+      allow_any_instance_of(described_class)
+        .to receive(:find_user_from_personal_access_token)
+        .and_return(basic_auth_access_token_user)
+
+      expect(subject.find_sessionless_user(:api)).to eq basic_auth_access_token_user
+    end
+
+    it 'returns basic_auth_access_password user if no basic_auth_access_token user found' do
+      allow_any_instance_of(described_class)
+        .to receive(:find_user_from_basic_auth_password)
+        .and_return(basic_auth_password_user)
+
+      expect(subject.find_sessionless_user(:api)).to eq basic_auth_password_user
+    end
+
     it 'returns nil if no user found' do
       expect(subject.find_sessionless_user(:api)).to be_blank
     end
@@ -194,4 +221,27 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
       expect(subject.runner).to be_blank
     end
   end
+
+  describe '#route_authentication_setting' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:script_name, :expected_job_token_allowed, :expected_basic_auth_personal_access_token) do
+      '/api/endpoint'          | true  | true
+      '/namespace/project.git' | false | true
+      '/web/endpoint'          | false | false
+    end
+
+    with_them do
+      before do
+        env['SCRIPT_NAME'] = script_name
+      end
+
+      it 'returns correct settings' do
+        expect(subject.send(:route_authentication_setting)).to eql({
+          job_token_allowed: expected_job_token_allowed,
+          basic_auth_personal_access_token: expected_basic_auth_personal_access_token
+        })
+      end
+    end
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-07-28 01:40:43 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-07-28 01:40:43 +0300
commit	bbe511b231b5de3fab4dc418601c89cc1ccc8063 (patch)
tree	650453c3b64751df39fda6f33ca4b39318f41e0d /spec/lib/gitlab
parent	ad1c34c03de42ebc5279f338f6304e77930d34d4 (diff)