authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-02 15:06:59 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-02 15:06:59 +0300
commite9570ea27e2dc549962b9b318af369e9363fd1c4 (patch)
tree1a6aabfa0b41df8f6400a7bbcabe0bdb54f10fe7 /spec/requests
parent7e8ecb5c00aae3b7072a5b8ff2c53db03c0bc579 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/markdown_spec.rb14
-rw-r--r--spec/requests/api/project_job_token_scope_spec.rb126
-rw-r--r--spec/requests/well_known_routing_spec.rb13
3 files changed, 152 insertions, 1 deletions
diff --git a/spec/requests/api/markdown_spec.rb b/spec/requests/api/markdown_spec.rb
index db5bbd610fc..8298d0bf150 100644
--- a/spec/requests/api/markdown_spec.rb
+++ b/spec/requests/api/markdown_spec.rb
@@ -5,13 +5,18 @@ require "spec_helper"
RSpec.describe API::Markdown, feature_category: :team_planning do
describe "POST /markdown" do
let(:user) {} # No-op. It gets overwritten in the contexts below.
+ let(:token) {} # No-op. It gets overwritten in the contexts below.
let(:disable_authenticate_markdown_api) { false }
before do
stub_commonmark_sourcepos_disabled
stub_feature_flags(authenticate_markdown_api: false) if disable_authenticate_markdown_api
- post api("/markdown", user), params: params
+ if token
+ post api("/markdown", personal_access_token: token), params: params
+ else
+ post api("/markdown", user), params: params
+ end
end
shared_examples "rendered markdown text without GFM" do
@@ -85,6 +90,13 @@ RSpec.describe API::Markdown, feature_category: :team_planning do
let(:issue_url) { "http://#{Gitlab.config.gitlab.host}/#{issue.project.namespace.path}/#{issue.project.path}/-/issues/#{issue.iid}" }
let(:text) { ":tada: Hello world! :100: #{issue.to_reference}" }
+ context "when personal access token has only read_api scope" do
+ let(:token) { create(:personal_access_token, user: user, scopes: [:read_api]) }
+ let(:params) { { text: text } }
+
+ it_behaves_like "rendered markdown text without GFM"
+ end
+
context "when not using gfm" do
context "without project" do
let(:params) { { text: text } }
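Review bot: The new "when personal access token has only read_api scope" context pins only the permissive side of the scope check — it shows that `read_api` is sufficient, but nothing asserts that a token whose scopes do not include `read_api` (for example `scopes: [:read_user]`) is rejected by `POST /markdown`, so a regression that stops enforcing scopes on this endpoint would pass this file. A companion context with such a token, expecting the rejection status the endpoint returns for insufficient scope (forbidden or unauthorized, whichever the markdown API currently uses), would close that gap; it should run with the `authenticate_markdown_api` flag enabled, since `disable_authenticate_markdown_api` (set up in the earlier hunk of this file) switches the authentication off entirely. The context also depends on `user` being a real record here even though line 27 declares it as a no-op, which holds only if the enclosing context, whose `let(:user)` is outside this hunk, overrides it.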
diff --git a/spec/requests/api/project_job_token_scope_spec.rb b/spec/requests/api/project_job_token_scope_spec.rb
index b7ee1fe774f..06e28d57ca6 100644
--- a/spec/requests/api/project_job_token_scope_spec.rb
+++ b/spec/requests/api/project_job_token_scope_spec.rb
@@ -264,6 +264,132 @@ RSpec.describe API::ProjectJobTokenScope, feature_category: :secrets_management
end
end
+ describe "POST /projects/:id/job_token_scope/allowlist" do
+ let_it_be(:project) { create(:project, :public) }
+ let_it_be(:project_inbound_allowed) { create(:project, :public) }
+ let_it_be(:user) { create(:user) }
+
+ let(:post_job_token_scope_allowlist_path) { "/projects/#{project.id}/job_token_scope/allowlist" }
+
+ let(:post_job_token_scope_allowlist_params) do
+ { target_project_id: project_inbound_allowed.id }
+ end
+
+ subject do
+ post api(post_job_token_scope_allowlist_path, user), params: post_job_token_scope_allowlist_params
+ end
+
+ context 'when unauthenticated user (missing user)' do
+ context 'for public project' do
+ it 'does not return ci cd settings of job token' do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+
+ post api(post_job_token_scope_allowlist_path)
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ context 'when authenticated user as maintainer' do
+ before_all { project.add_maintainer(user) }
+
+ it 'returns unauthorized and blank response when invalid auth credentials are given' do
+ invalid_personal_access_token = build(:personal_access_token, user: user)
+
+ post api(post_job_token_scope_allowlist_path, user, personal_access_token: invalid_personal_access_token),
+ params: post_job_token_scope_allowlist_params
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+
+ it 'returns created and creates job token scope link' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response).to be_present
+ expect(json_response).to include(
+ "target_project_id" => project_inbound_allowed.id,
+ "source_project_id" => project.id
+ )
+ expect(json_response).not_to include "id", "direction"
+ end
+
+ it 'returns bad_request and does not create an additional job token scope link' do
+ create(
+ :ci_job_token_project_scope_link,
+ source_project: project,
+ target_project: project_inbound_allowed,
+ direction: :inbound
+ )
+
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns bad_request when adding the source project' do
+ post api(post_job_token_scope_allowlist_path, user), params: { target_project_id: project.id }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns not_found when project for param `project_id` does not exist' do
+ post api(post_job_token_scope_allowlist_path, user), params: { target_project_id: non_existing_record_id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it 'returns :bad_request when parameter `project_id` missing' do
+ post api(post_job_token_scope_allowlist_path, user), params: {}
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns :bad_request when parameter `project_id` is nil value' do
+ post api(post_job_token_scope_allowlist_path, user), params: { target_project_id: nil }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns :bad_request when parameter `project_id` is empty value' do
+ post api(post_job_token_scope_allowlist_path, user), params: { target_project_id: '' }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns :bad_request when parameter `project_id` is float value' do
+ post api(post_job_token_scope_allowlist_path, user), params: { target_project_id: 12.34 }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+ end
+
+ context 'when authenticated user as developer' do
+ before_all { project.add_developer(user) }
+
+ context 'for private project' do
+ it 'returns forbidden and no ci cd settings' do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+ subject
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'for public project' do
+ it 'returns forbidden and no ci cd settings' do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+
+ subject
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+ end
+ end
+
describe 'DELETE /projects/:id/job_token_scope/allowlist/:target_project_id' do
let_it_be(:project) { create(:project, :public) }
let_it_be(:target_project) { create(:project, :public) }
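Review bot: The example descriptions on the `bad_request`/`not_found` cases name a parameter `project_id` (`'returns not_found when project for param \`project_id\` does not exist'` and the four `:bad_request` variants below it), while every request in those examples sends `target_project_id`; the titles should say `target_project_id` so a failure report points at the right parameter, and the unauthenticated example's title `'does not return ci cd settings of job token'` describes a GET, not this POST. Coverage-wise, every maintainer example uses a public `project_inbound_allowed`; there is no example where the requester maintains `project` but cannot read the target project, and since the `not_found` branch already exists for a non-existent id, pinning that the response for an inaccessible private target is the same as for a missing one (rather than `:created`) would document that this endpoint does not reveal private project existence. Finally, `project` is a plain `let_it_be` (no `reload:`), yet `project.update!(visibility_level: ...)` on lines 79, 167 and 177 persists across examples in random order; if the visibility is meant to matter for the `:forbidden` assertions, the developer contexts should restore it or the fixture should use `let_it_be(:project, reload: true)` — hedged, since the exact `let_it_be` semantics are outside this hunk.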
diff --git a/spec/requests/well_known_routing_spec.rb b/spec/requests/well_known_routing_spec.rb
new file mode 100644
index 00000000000..d4e77a06953
--- /dev/null
+++ b/spec/requests/well_known_routing_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'well-known URLs', feature_category: :system_access do
+ describe '/.well-known/change-password' do
+ it 'redirects to edit profile password path' do
+ get('/.well-known/change-password')
+
+ expect(response).to redirect_to(edit_profile_password_path)
+ end
+ end
+end