Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-07 01:30:08 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-07 01:30:24 +0300
commit: b9b8440df6afd24ba540343c612e522f52bea0db (patch)
tree: aecce7c15523692907d333edeb7c4f1a6d1044fc /spec
parent: e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff)
3 files changed, 49 insertions, 36 deletions
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index e128db8d1c1..3e9c56d3274 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -268,17 +268,35 @@ RSpec.describe UploadsController do
       end
 
       context "when not signed in" do
-        it "responds with status 200" do
-          get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+        context "when restricted visibility level is not set to public" do
+          before do
+            stub_application_setting(restricted_visibility_levels: [])
+          end
 
-          expect(response).to have_gitlab_http_status(:ok)
+          it "responds with status 200" do
+            get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+
+          it_behaves_like 'content publicly cached' do
+            subject do
+              get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+
+              response
+            end
+          end
         end
 
-        it_behaves_like 'content publicly cached' do
-          subject do
-            get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+        context "when restricted visibility level is set to public" do
+          before do
+            stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+          end
 
-            response
+          it "responds with status 401" do
+            get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+            expect(response).to have_gitlab_http_status(:unauthorized)
           end
         end
       end
diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb
index ce391bd1ca0..8408adcc21d 100644
--- a/spec/services/error_tracking/list_projects_service_spec.rb
+++ b/spec/services/error_tracking/list_projects_service_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ErrorTracking::ListProjectsService do
+RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integrations do
   let_it_be(:user) { create(:user) }
   let_it_be(:project, reload: true) { create(:project) }
 
@@ -51,15 +51,33 @@ RSpec.describe ErrorTracking::ListProjectsService do
       end
 
       context 'masked param token' do
-        let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
+        let(:params) { ActionController::Parameters.new(token: "*********", api_host: api_host) }
 
-        before do
-          expect(error_tracking_setting).to receive(:list_sentry_projects)
+        context 'with the current api host' do
+          let(:api_host) { 'https://sentrytest.gitlab.com' }
+
+          before do
+            expect(error_tracking_setting).to receive(:list_sentry_projects)
             .and_return({ projects: [] })
+          end
+
+          it 'uses database token' do
+            expect { subject.execute }.not_to change { error_tracking_setting.token }
+          end
         end
 
-        it 'uses database token' do
-          expect { subject.execute }.not_to change { error_tracking_setting.token }
+        context 'with a new api host' do
+          let(:api_host) { new_api_host }
+
+          it 'returns an error' do
+            expect(result[:message]).to start_with('Token is a required field')
+            expect(error_tracking_setting).not_to be_valid
+            expect(error_tracking_setting).not_to receive(:list_sentry_projects)
+          end
+
+          it 'resets the token' do
+            expect { subject.execute }.to change { error_tracking_setting.token }.from(token).to(nil)
+          end
         end
       end
 
diff --git a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
index 337ad024fc0..cc91b73449a 100644
--- a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
+++ b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
@@ -71,26 +71,3 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do
     end
   end
 end
-
-RSpec.shared_examples 'GitLab.com Core resource access tokens' do
-  before do
-    allow(::Gitlab).to receive(:com?).and_return(true)
-    stub_ee_application_setting(should_check_namespace_plan: true)
-  end
-
-  context 'with owner access' do
-    let(:current_user) { owner }
-
-    context 'create resource access tokens' do
-      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
-    end
-
-    context 'read resource access tokens' do
-      it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
-    end
-
-    context 'destroy resource access tokens' do
-      it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
-    end
-  end
-end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-07 01:30:08 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-07 01:30:24 +0300
commit	b9b8440df6afd24ba540343c612e522f52bea0db (patch)
tree	aecce7c15523692907d333edeb7c4f1a6d1044fc /spec
parent	e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff)