Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee

2 files changed, 57 insertions, 7 deletions

diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb
index d714f04fbba..9d6c6ab93e4 100644
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -396,17 +396,21 @@ module GraphqlHelpers
     post api('/', current_user, version: 'graphql'), params: { _json: queries }, headers: headers
   end
 
-  def post_graphql(query, current_user: nil, variables: nil, headers: {})
+  def post_graphql(query, current_user: nil, variables: nil, headers: {}, token: {})
     params = { query: query, variables: serialize_variables(variables) }
-    post api('/', current_user, version: 'graphql'), params: params, headers: headers
+    post api('/', current_user, version: 'graphql', **token), params: params, headers: headers
 
-    if graphql_errors # Errors are acceptable, but not this one:
-      expect(graphql_errors).not_to include(a_hash_including('message' => 'Internal server error'))
-    end
+    return unless graphql_errors
+
+    # Errors are acceptable, but not this one:
+    expect(graphql_errors).not_to include(a_hash_including('message' => 'Internal server error'))
   end
 
-  def post_graphql_mutation(mutation, current_user: nil)
-    post_graphql(mutation.query, current_user: current_user, variables: mutation.variables)
+  def post_graphql_mutation(mutation, current_user: nil, token: {})
+    post_graphql(mutation.query,
+                 current_user: current_user,
+                 variables: mutation.variables,
+                 token: token)
   end
 
   def post_graphql_mutation_with_uploads(mutation, current_user: nil)
diff --git a/spec/support/shared_examples/requests/graphql_shared_examples.rb b/spec/support/shared_examples/requests/graphql_shared_examples.rb
index a66bc7112fe..d133c5ea641 100644
--- a/spec/support/shared_examples/requests/graphql_shared_examples.rb
+++ b/spec/support/shared_examples/requests/graphql_shared_examples.rb
@@ -10,6 +10,52 @@ RSpec.shared_examples 'a working graphql query' do
   end
 end
 
+RSpec.shared_examples 'a working GraphQL mutation' do
+  include GraphqlHelpers
+
+  before do
+    post_graphql_mutation(mutation, current_user: current_user, token: token)
+  end
+
+  shared_examples 'allows access to the mutation' do
+    let(:scopes) { ['api'] }
+
+    it_behaves_like 'a working graphql query' do
+      it 'returns data' do
+        expect(graphql_data.compact).not_to be_empty
+      end
+    end
+  end
+
+  shared_examples 'prevents access to the mutation' do
+    let(:scopes) { ['read_api'] }
+
+    it 'does not resolve the mutation' do
+      expect(graphql_data.compact).to be_empty
+      expect(graphql_errors).to be_present
+    end
+  end
+
+  context 'with a personal access token' do
+    let(:token) do
+      pat = create(:personal_access_token, user: current_user, scopes: scopes)
+      { personal_access_token: pat }
+    end
+
+    it_behaves_like 'prevents access to the mutation'
+    it_behaves_like 'allows access to the mutation'
+  end
+
+  context 'with an OAuth token' do
+    let(:token) do
+      { oauth_access_token: create(:oauth_access_token, resource_owner: current_user, scopes: scopes.join(' ')) }
+    end
+
+    it_behaves_like 'prevents access to the mutation'
+    it_behaves_like 'allows access to the mutation'
+  end
+end
+
 RSpec.shared_examples 'a mutation on an unauthorized resource' do
   it_behaves_like 'a mutation that returns top-level errors',
                       errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]