
authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:02:13 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:02:13 +0300
commit516fba52cf280b9d5bad08dce9f0150f859b6cea (patch)
tree4dad71be856651af62c9a281b01087ae15480810 /spec/requests
parentc90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff)
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/api_spec.rb25
-rw-r--r--spec/requests/api/members_spec.rb69
2 files changed, 90 insertions, 4 deletions
diff --git a/spec/requests/api/api_spec.rb b/spec/requests/api/api_spec.rb
index bd0426601db..7d637757f38 100644
--- a/spec/requests/api/api_spec.rb
+++ b/spec/requests/api/api_spec.rb
@@ -67,4 +67,29 @@ RSpec.describe API::API do
end
end
end
+
+ describe 'authentication with deploy token' do
+ context 'admin mode' do
+ let_it_be(:project) { create(:project, :public) }
+ let_it_be(:package) { create(:maven_package, project: project, name: project.full_path) }
+ let_it_be(:maven_metadatum) { package.maven_metadatum }
+ let_it_be(:package_file) { package.package_files.first }
+ let_it_be(:deploy_token) { create(:deploy_token) }
+ let(:headers_with_deploy_token) do
+ {
+ Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token
+ }
+ end
+
+ it 'does not bypass the session' do
+ expect(Gitlab::Auth::CurrentUserMode).not_to receive(:bypass_session!)
+
+ get(api("/packages/maven/#{maven_metadatum.path}/#{package_file.file_name}"),
+ headers: headers_with_deploy_token)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.media_type).to eq('application/octet-stream')
+ end
+ end
+ end
end
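Review bot: The negative expectation `expect(Gitlab::Auth::CurrentUserMode).not_to receive(:bypass_session!)` can pass for the wrong reason here: the project is created `:public` and the token from `create(:deploy_token)` is not associated with it, so the Maven download may succeed through anonymous access without the deploy-token authentication path ever running. I cannot see the factory defaults or the package endpoint's auth flow from this diff, so treat that as inferred, but a regression test for "deploy token must not bypass the session" should only be able to reach `:ok` via the token, e.g. `create(:project, :private)` with the token associated to that project (`deploy_token.projects << project` plus the package-registry read scope, whatever the factory exposes). A companion example asserting that the same request without the header is rejected would prove the token was actually consulted. As written, the `'admin mode'` context also never puts any user into admin mode, so the name promises more than the example checks.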
diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb
index de52087340c..55b2447fc68 100644
--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -244,13 +244,12 @@ RSpec.describe API::Members do
it 'creates a new member' do
expect do
post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
- params: { user_id: stranger.id, access_level: Member::DEVELOPER, expires_at: '2016-08-05' }
+ params: { user_id: stranger.id, access_level: Member::DEVELOPER }
expect(response).to have_gitlab_http_status(:created)
end.to change { source.members.count }.by(1)
expect(json_response['id']).to eq(stranger.id)
expect(json_response['access_level']).to eq(Member::DEVELOPER)
- expect(json_response['expires_at']).to eq('2016-08-05')
end
end
@@ -285,6 +284,40 @@ RSpec.describe API::Members do
end
end
+ context 'access expiry date' do
+ subject do
+ post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
+ params: { user_id: stranger.id, access_level: Member::DEVELOPER, expires_at: expires_at }
+ end
+
+ context 'when set to a date in the past' do
+ let(:expires_at) { 2.days.ago.to_date }
+
+ it 'does not create a member' do
+ expect do
+ subject
+ end.not_to change { source.members.count }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['message']).to eq({ 'expires_at' => ['cannot be a date in the past'] })
+ end
+ end
+
+ context 'when set to a date in the future' do
+ let(:expires_at) { 2.days.from_now.to_date }
+
+ it 'creates a member' do
+ expect do
+ subject
+ end.to change { source.members.count }.by(1)
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response['id']).to eq(stranger.id)
+ expect(json_response['expires_at']).to eq(expires_at.to_s)
+ end
+ end
+ end
+
it "returns 409 if member already exists" do
post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
params: { user_id: maintainer.id, access_level: Member::MAINTAINER }
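Review bot: The two cases `2.days.ago.to_date` and `2.days.from_now.to_date` leave the boundary untested: whether an `expires_at` equal to the current date is accepted or rejected by the new "cannot be a date in the past" rule is exactly the value a client will send, and the error message alone does not say which way it goes. Consider a third context, `let(:expires_at) { Date.current }`, pinning whichever behaviour the validator implements (the validator is outside this diff, so I cannot tell which is intended). Note also that `2.days.ago` is a zone-aware time while the model presumably compares against `Date.current` or `Date.today`; the two-day margin keeps this deterministic, but a one-day margin would make the spec flaky around midnight, so worth a short comment such as `# two-day margin avoids time-zone edge cases around "today"`.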
@@ -369,12 +402,40 @@ RSpec.describe API::Members do
context 'when authenticated as a maintainer/owner' do
it 'updates the member' do
put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer),
- params: { access_level: Member::MAINTAINER, expires_at: '2016-08-05' }
+ params: { access_level: Member::MAINTAINER }
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['id']).to eq(developer.id)
expect(json_response['access_level']).to eq(Member::MAINTAINER)
- expect(json_response['expires_at']).to eq('2016-08-05')
+ end
+ end
+
+ context 'access expiry date' do
+ subject do
+ put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer),
+ params: { expires_at: expires_at, access_level: Member::MAINTAINER }
+ end
+
+ context 'when set to a date in the past' do
+ let(:expires_at) { 2.days.ago.to_date }
+
+ it 'does not update the member' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['message']).to eq({ 'expires_at' => ['cannot be a date in the past'] })
+ end
+ end
+
+ context 'when set to a date in the future' do
+ let(:expires_at) { 2.days.from_now.to_date }
+
+ it 'updates the member' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response['expires_at']).to eq(expires_at.to_s)
+ end
end
end
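Review bot: The `it 'does not update the member'` example asserts only the 400 status and message; unlike its POST counterpart, which checks `source.members.count`, it never verifies that the existing membership was left untouched, so a regression that persisted `access_level: Member::MAINTAINER` or the past `expires_at` before the validation error surfaced would go unnoticed. Re-read the record after the request, e.g. `member = source.members.find_by(user_id: developer.id)` followed by `expect(member.access_level).to eq(Member::DEVELOPER)` and `expect(member.expires_at).to be_nil` — the developer membership is created outside this hunk, so confirm its initial access level and expiry before pinning those values. The same reload in the `'updates the member'` branch would confirm the persisted date rather than only the serialized JSON. The enclosing `describe` may continue past the end of this hunk.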