diff options
| author | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
|---|---|---|
| committer | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
| commit | 46b1b9c1d61c269588bd3cd4203420608ddd7f0b (patch) | |
| tree | a877f5366d3367e1264e96f3f5e8a4b23bdbd62a /spec | |
| parent | 7a48a06cf3b454021aa466464686fee8c82d6862 (diff) | |
Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
This reverts merge request !26823
Diffstat (limited to 'spec')
64 files changed, 22 insertions, 2206 deletions
diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb index 60b725f4cac..9af472df74e 100644 --- a/spec/controllers/admin/application_settings_controller_spec.rb +++ b/spec/controllers/admin/application_settings_controller_spec.rb @@ -85,28 +85,6 @@ describe Admin::ApplicationSettingsController do expect(response).to redirect_to(admin_application_settings_path) expect(ApplicationSetting.current.receive_max_input_size).to eq(1024) end - - context 'external policy classification settings' do - let(:settings) do - { - external_authorization_service_enabled: true, - external_authorization_service_url: 'https://custom.service/', - external_authorization_service_default_label: 'default', - external_authorization_service_timeout: 3, - external_auth_client_cert: File.read('spec/fixtures/passphrase_x509_certificate.crt'), - external_auth_client_key: File.read('spec/fixtures/passphrase_x509_certificate_pk.key'), - external_auth_client_key_pass: "5iveL!fe" - } - end - - it 'updates settings when the feature is available' do - put :update, params: { application_setting: settings } - - settings.each do |attribute, value| - expect(ApplicationSetting.current.public_send(attribute)).to eq(value) - end - end - end end describe 'PUT #reset_registration_token' do diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb index 309cac47928..5eb05f01b8d 100644 --- a/spec/controllers/boards/issues_controller_spec.rb +++ b/spec/controllers/boards/issues_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Boards::IssuesController do - include ExternalAuthorizationServiceHelpers - let(:project) { create(:project, :private) } let(:board) { create(:board, project: project) } let(:user) { create(:user) } @@ -138,30 +136,6 @@ describe Boards::IssuesController do end end - context 'with external authorization' do - before do - sign_in(user) - enable_external_authorization_service_check - end - - it 'returns a 403 for group boards' do - group = create(:group) - group_board = create(:board, group: group) - - list_issues(user: user, board: group_board) - - expect(response).to have_gitlab_http_status(403) - end - - it 'is successful for project boards' do - project_board = create(:board, project: project) - - list_issues(user: user, board: project_board) - - expect(response).to have_gitlab_http_status(200) - end - end - def list_issues(user:, board:, list: nil) sign_in(user) diff --git a/spec/controllers/concerns/project_unauthorized_spec.rb b/spec/controllers/concerns/project_unauthorized_spec.rb deleted file mode 100644 index 90b59b027cf..00000000000 --- a/spec/controllers/concerns/project_unauthorized_spec.rb +++ /dev/null @@ -1,51 +0,0 @@ -require 'spec_helper' - -describe ProjectUnauthorized do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } - - before do - sign_in user - end - - render_views - - describe '#project_unauthorized_proc' do - controller(::Projects::ApplicationController) do - def show - head :ok - end - end - - let(:project) { create(:project) } - - before do - project.add_developer(user) - end - - it 'renders a 200 when the service allows access to the project' do - external_service_allow_access(user, project) - - get :show, params: { namespace_id: project.namespace.to_param, id: project.to_param } - - expect(response).to have_gitlab_http_status(200) - end - - it 'renders a 403 when the service denies access to the project' do - external_service_deny_access(user, project) - - get :show, params: { namespace_id: project.namespace.to_param, id: project.to_param } - - expect(response).to have_gitlab_http_status(403) - expect(response.body).to match("External authorization denied access to this project") - end - - it 'renders a 404 when the user cannot see the project at all' do - other_project = create(:project, :private) - - get :show, params: { namespace_id: other_project.namespace.to_param, id: other_project.to_param } - - expect(response).to have_gitlab_http_status(404) - end - end -end diff --git a/spec/controllers/dashboard/groups_controller_spec.rb b/spec/controllers/dashboard/groups_controller_spec.rb index 775b3ca40b2..c8d99f79277 100644 --- a/spec/controllers/dashboard/groups_controller_spec.rb +++ b/spec/controllers/dashboard/groups_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Dashboard::GroupsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } before do @@ -13,43 +11,33 @@ describe Dashboard::GroupsController do expect(described_class).to include(GroupTree) end - describe '#index' do - it 'only includes projects the user is a member of' do - member_of_group = create(:group) - member_of_group.add_developer(user) - create(:group, :public) - - get :index - - expect(assigns(:groups)).to contain_exactly(member_of_group) - end + it 'only includes projects the user is a member of' do + member_of_group = create(:group) + member_of_group.add_developer(user) + create(:group, :public) - context 'when rendering an expanded hierarchy with public groups you are not a member of', :nested_groups do - let!(:top_level_result) { create(:group, name: 'chef-top') } - let!(:top_level_a) { create(:group, name: 'top-a') } - let!(:sub_level_result_a) { create(:group, name: 'chef-sub-a', parent: top_level_a) } - let!(:other_group) { create(:group, name: 'other') } + get :index - before do - top_level_result.add_maintainer(user) - top_level_a.add_maintainer(user) - end + expect(assigns(:groups)).to contain_exactly(member_of_group) + end - it 'renders only groups the user is a member of when searching hierarchy correctly' do - get :index, params: { filter: 'chef' }, format: :json + context 'when rendering an expanded hierarchy with public groups you are not a member of', :nested_groups do + let!(:top_level_result) { create(:group, name: 'chef-top') } + let!(:top_level_a) { create(:group, name: 'top-a') } + let!(:sub_level_result_a) { create(:group, name: 'chef-sub-a', parent: top_level_a) } + let!(:other_group) { create(:group, name: 'other') } - expect(response).to have_gitlab_http_status(200) - all_groups = [top_level_result, top_level_a, sub_level_result_a] - expect(assigns(:groups)).to contain_exactly(*all_groups) - end + before do + top_level_result.add_maintainer(user) + top_level_a.add_maintainer(user) end - it 'works when the external authorization service is enabled' do - enable_external_authorization_service_check - - get :index + it 'renders only groups the user is a member of when searching hierarchy correctly' do + get :index, params: { filter: 'chef' }, format: :json expect(response).to have_gitlab_http_status(200) + all_groups = [top_level_result, top_level_a, sub_level_result_a] + expect(assigns(:groups)).to contain_exactly(*all_groups) end end end diff --git a/spec/controllers/dashboard/labels_controller_spec.rb b/spec/controllers/dashboard/labels_controller_spec.rb index 01de896f9f4..a3bfb2f3a87 100644 --- a/spec/controllers/dashboard/labels_controller_spec.rb +++ b/spec/controllers/dashboard/labels_controller_spec.rb @@ -13,17 +13,13 @@ describe Dashboard::LabelsController do describe "#index" do let!(:unrelated_label) { create(:label, project: create(:project, :public)) } - subject { get :index, format: :json } - it 'returns global labels for projects the user has a relationship with' do - subject + get :index, format: :json expect(json_response).to be_kind_of(Array) expect(json_response.size).to eq(1) expect(json_response[0]["id"]).to be_nil expect(json_response[0]["title"]).to eq(label.title) end - - it_behaves_like 'disabled when using an external authorization service' end end diff --git a/spec/controllers/dashboard/milestones_controller_spec.rb b/spec/controllers/dashboard/milestones_controller_spec.rb index 1614739db05..828de0e7ca5 100644 --- a/spec/controllers/dashboard/milestones_controller_spec.rb +++ b/spec/controllers/dashboard/milestones_controller_spec.rb @@ -81,11 +81,5 @@ describe Dashboard::MilestonesController do expect(response.body).to include("Open\n<span class=\"badge badge-pill\">2</span>") expect(response.body).to include("Closed\n<span class=\"badge badge-pill\">0</span>") end - - context 'external authorization' do - subject { get :index } - - it_behaves_like 'disabled when using an external authorization service' - end end end diff --git a/spec/controllers/dashboard/projects_controller_spec.rb b/spec/controllers/dashboard/projects_controller_spec.rb index c17cb49e460..649441f4917 100644 --- a/spec/controllers/dashboard/projects_controller_spec.rb +++ b/spec/controllers/dashboard/projects_controller_spec.rb @@ -1,29 +1,7 @@ require 'spec_helper' describe Dashboard::ProjectsController do - include ExternalAuthorizationServiceHelpers - - describe '#index' do - context 'user not logged in' do - it_behaves_like 'authenticates sessionless user', :index, :atom - end - - context 'user logged in' do - before do - sign_in create(:user) - end - - context 'external authorization' do - it 'works when the external authorization service is enabled' do - enable_external_authorization_service_check - - get :index - - expect(response).to have_gitlab_http_status(200) - end - end - end - end + it_behaves_like 'authenticates sessionless user', :index, :atom context 'json requests' do render_views diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index abbf0b52306..d88beaff0e1 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -105,12 +105,6 @@ describe Dashboard::TodosController do end end end - - context 'external authorization' do - subject { get :index } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'PATCH #restore' do diff --git a/spec/controllers/groups/avatars_controller_spec.rb b/spec/controllers/groups/avatars_controller_spec.rb index 6ececa6f372..772d1d0c1dd 100644 --- a/spec/controllers/groups/avatars_controller_spec.rb +++ b/spec/controllers/groups/avatars_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::AvatarsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:group) { create(:group, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) } @@ -17,12 +15,4 @@ describe Groups::AvatarsController do expect(@group.avatar.present?).to be_falsey expect(@group).to be_valid end - - it 'works when external authorization service is enabled' do - enable_external_authorization_service_check - - delete :destroy, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end end diff --git a/spec/controllers/groups/boards_controller_spec.rb b/spec/controllers/groups/boards_controller_spec.rb index 0ca5ce51750..27ee37b3817 100644 --- a/spec/controllers/groups/boards_controller_spec.rb +++ b/spec/controllers/groups/boards_controller_spec.rb @@ -82,10 +82,6 @@ describe Groups::BoardsController do end end - it_behaves_like 'disabled when using an external authorization service' do - subject { list_boards } - end - def list_boards(format: :html) get :index, params: { group_id: group }, format: format end @@ -164,10 +160,6 @@ describe Groups::BoardsController do end end - it_behaves_like 'disabled when using an external authorization service' do - subject { read_board board: board } - end - def read_board(board:, format: :html) get :show, params: { group_id: group, diff --git a/spec/controllers/groups/children_controller_spec.rb b/spec/controllers/groups/children_controller_spec.rb index 4085c8f95a9..e1b97013408 100644 --- a/spec/controllers/groups/children_controller_spec.rb +++ b/spec/controllers/groups/children_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::ChildrenController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group, :public) } let(:user) { create(:user) } let!(:group_member) { create(:group_member, group: group, user: user) } @@ -319,15 +317,5 @@ describe Groups::ChildrenController do end end end - - context 'external authorization' do - it 'works when external authorization service is enabled' do - enable_external_authorization_service_check - - get :index, params: { group_id: group }, format: :json - - expect(response).to have_gitlab_http_status(200) - end - end end end diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb index 96a58d6d87c..3a801fabafc 100644 --- a/spec/controllers/groups/group_members_controller_spec.rb +++ b/spec/controllers/groups/group_members_controller_spec.rb @@ -1,11 +1,8 @@ require 'spec_helper' describe Groups::GroupMembersController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:group) { create(:group, :public, :access_requestable) } - let(:membership) { create(:group_member, group: group) } describe 'GET index' do it 'renders index with 200 status code' do @@ -266,87 +263,4 @@ describe Groups::GroupMembersController do end end end - - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - group.add_owner(user) - sign_in(user) - end - - describe 'GET #index' do - it 'is successful' do - get :index, params: { group_id: group } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'POST #create' do - it 'is successful' do - post :create, params: { group_id: group, users: user, access_level: Gitlab::Access::GUEST } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'PUT #update' do - it 'is successful' do - put :update, - params: { - group_member: { access_level: Gitlab::Access::GUEST }, - group_id: group, - id: membership - }, - format: :js - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'DELETE #destroy' do - it 'is successful' do - delete :destroy, params: { group_id: group, id: membership } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #destroy' do - it 'is successful' do - sign_in(create(:user)) - - post :request_access, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #approve_request_access' do - it 'is successful' do - access_request = create(:group_member, :access_request, group: group) - post :approve_access_request, params: { group_id: group, id: access_request } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'DELETE #leave' do - it 'is successful' do - group.add_owner(create(:user)) - - delete :leave, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #resend_invite' do - it 'is successful' do - post :resend_invite, params: { group_id: group, id: membership } - - expect(response).to have_gitlab_http_status(302) - end - end - end end diff --git a/spec/controllers/groups/labels_controller_spec.rb b/spec/controllers/groups/labels_controller_spec.rb index 9af47114838..fa664a29066 100644 --- a/spec/controllers/groups/labels_controller_spec.rb +++ b/spec/controllers/groups/labels_controller_spec.rb @@ -37,12 +37,6 @@ describe Groups::LabelsController do expect(label_ids).to match_array([group_label_1.title, subgroup_label_1.title]) end end - - context 'external authorization' do - subject { get :index, params: { group_id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'POST #toggle_subscription' do diff --git a/spec/controllers/groups/milestones_controller_spec.rb b/spec/controllers/groups/milestones_controller_spec.rb index d70946cbc8f..043cf28514b 100644 --- a/spec/controllers/groups/milestones_controller_spec.rb +++ b/spec/controllers/groups/milestones_controller_spec.rb @@ -80,12 +80,6 @@ describe Groups::MilestonesController do expect(response.content_type).to eq 'application/json' end end - - context 'external authorization' do - subject { get :index, params: { group_id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe '#show' do diff --git a/spec/controllers/groups/settings/ci_cd_controller_spec.rb b/spec/controllers/groups/settings/ci_cd_controller_spec.rb index b998f64ef72..3290ed8b088 100644 --- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb +++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::Settings::CiCdController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group) } let(:user) { create(:user) } @@ -35,19 +33,6 @@ describe Groups::Settings::CiCdController do expect(response).to have_gitlab_http_status(404) end end - - context 'external authorization' do - before do - enable_external_authorization_service_check - group.add_owner(user) - end - - it 'renders show with 200 status code' do - get :show, params: { group_id: group } - - expect(response).to have_gitlab_http_status(200) - end - end end describe 'PUT #reset_registration_token' do diff --git a/spec/controllers/groups/variables_controller_spec.rb b/spec/controllers/groups/variables_controller_spec.rb index 40f05167350..29ec3588316 100644 --- a/spec/controllers/groups/variables_controller_spec.rb +++ b/spec/controllers/groups/variables_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::VariablesController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group) } let(:user) { create(:user) } @@ -36,36 +34,4 @@ describe Groups::VariablesController do include_examples 'PATCH #update updates variables' end - - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - let!(:variable) { create(:ci_group_variable, group: group) } - - it 'is successful' do - get :show, params: { group_id: group }, format: :json - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'PATCH #update' do - let!(:variable) { create(:ci_group_variable, group: group) } - let(:owner) { group } - - it 'is successful' do - patch :update, - params: { - group_id: group, - variables_attributes: [{ id: variable.id, key: 'hello' }] - }, - format: :json - - expect(response).to have_gitlab_http_status(200) - end - end - end end diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb index 0adcba4f0b8..2b803e7151f 100644 --- a/spec/controllers/groups_controller_spec.rb +++ b/spec/controllers/groups_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe GroupsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:admin) { create(:admin) } let(:group) { create(:group, :public) } @@ -660,98 +658,4 @@ describe GroupsController do end end end - - describe 'external authorization' do - before do - group.add_owner(user) - sign_in(user) - end - - context 'with external authorization service enabled' do - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - it 'is successful' do - get :show, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(200) - end - - it 'does not allow other formats' do - get :show, params: { id: group.to_param }, format: :atom - - expect(response).to have_gitlab_http_status(403) - end - end - - describe 'GET #edit' do - it 'is successful' do - get :edit, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #new' do - it 'is successful' do - get :new - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #index' do - it 'is successful' do - get :index - - # Redirects to the dashboard - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #create' do - it 'creates a group' do - expect do - post :create, params: { group: { name: 'a name', path: 'a-name' } } - end.to change { Group.count }.by(1) - end - end - - describe 'PUT #update' do - it 'updates a group' do - expect do - put :update, params: { id: group.to_param, group: { name: 'world' } } - end.to change { group.reload.name } - end - end - - describe 'DELETE #destroy' do - it 'deletes the group' do - delete :destroy, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(302) - end - end - end - - describe 'GET #activity' do - subject { get :activity, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - - describe 'GET #issues' do - subject { get :issues, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - - describe 'GET #merge_requests' do - subject { get :merge_requests, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - end end diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb index b1203fd00b0..1eeded06459 100644 --- a/spec/controllers/projects/boards_controller_spec.rb +++ b/spec/controllers/projects/boards_controller_spec.rb @@ -98,10 +98,6 @@ describe Projects::BoardsController do end end - it_behaves_like 'unauthorized when external service denies access' do - subject { list_boards } - end - def list_boards(format: :html) get :index, params: { namespace_id: project.namespace, diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb index bfa23af76d5..c34d7c13d57 100644 --- a/spec/controllers/projects/issues_controller_spec.rb +++ b/spec/controllers/projects/issues_controller_spec.rb @@ -127,17 +127,6 @@ describe Projects::IssuesController do expect(assigns(:issues).size).to eq(2) end end - - context 'external authorization' do - before do - sign_in user - project.add_developer(user) - end - - it_behaves_like 'unauthorized when external service denies access' do - subject { get :index, params: { namespace_id: project.namespace, project_id: project } } - end - end end describe 'GET #new' do diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb index 04cc315b175..56d38b9475e 100644 --- a/spec/controllers/projects_controller_spec.rb +++ b/spec/controllers/projects_controller_spec.rb @@ -1,7 +1,6 @@ require('spec_helper') describe ProjectsController do - include ExternalAuthorizationServiceHelpers include ProjectForksHelper let(:project) { create(:project) } @@ -408,37 +407,6 @@ describe ProjectsController do it_behaves_like 'updating a project' end - - context 'as maintainer' do - before do - project.add_maintainer(user) - sign_in(user) - end - - it_behaves_like 'unauthorized when external service denies access' do - subject do - put :update, - params: { - namespace_id: project.namespace, - id: project, - project: { description: 'Hello world' } - } - project.reload - end - - it 'updates when the service allows access' do - external_service_allow_access(user, project) - - expect { subject }.to change(project, :description) - end - - it 'does not update when the service rejects access' do - external_service_deny_access(user, project) - - expect { subject }.not_to change(project, :description) - end - end - end end describe '#transfer' do diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb index 752d6ae55cc..02a0cfe0272 100644 --- a/spec/controllers/search_controller_spec.rb +++ b/spec/controllers/search_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe SearchController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } before do @@ -78,41 +76,4 @@ describe SearchController do expect(assigns[:search_objects].count).to eq(0) end end - - context 'with external authorization service enabled' do - let(:project) { create(:project, namespace: user.namespace) } - let(:note) { create(:note_on_issue, project: project) } - - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - it 'renders a 403 when no project is given' do - get :show, params: { scope: 'notes', search: note.note } - - expect(response).to have_gitlab_http_status(403) - end - - it 'renders a 200 when a project was set' do - get :show, params: { project_id: project.id, scope: 'notes', search: note.note } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #autocomplete' do - it 'renders a 403 when no project is given' do - get :autocomplete, params: { term: 'hello' } - - expect(response).to have_gitlab_http_status(403) - end - - it 'renders a 200 when a project was set' do - get :autocomplete, params: { project_id: project.id, term: 'hello' } - - expect(response).to have_gitlab_http_status(200) - end - end - end end diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb index 42d28c53d34..4f6a6881193 100644 --- a/spec/controllers/users_controller_spec.rb +++ b/spec/controllers/users_controller_spec.rb @@ -223,12 +223,6 @@ describe UsersController do end end - context 'external authorization' do - subject { get :calendar_activities, params: { username: user.username } } - - it_behaves_like 'disabled when using an external authorization service' - end - def create_push_event push_data = Gitlab::DataBuilder::Push.build_sample(project, public_user) EventCreateService.new.push(project, public_user, push_data) @@ -292,12 +286,6 @@ describe UsersController do expect(JSON.parse(response.body)).to have_key('html') end end - - context 'external authorization' do - subject { get :snippets, params: { username: user.username } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'GET #exists' do diff --git a/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb b/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb deleted file mode 100644 index 4098dd02141..00000000000 --- a/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb +++ /dev/null @@ -1,38 +0,0 @@ -require 'spec_helper' - -describe 'The group dashboard' do - include ExternalAuthorizationServiceHelpers - - let(:user) { create(:user) } - - before do - sign_in user - end - - describe 'The top navigation' do - it 'has all the expected links' do - visit dashboard_groups_path - - within('.navbar') do - expect(page).to have_button('Projects') - expect(page).to have_button('Groups') - expect(page).to have_link('Activity') - expect(page).to have_link('Milestones') - expect(page).to have_link('Snippets') - end - end - - it 'hides some links when an external authorization service is enabled' do - enable_external_authorization_service_check - visit dashboard_groups_path - - within('.navbar') do - expect(page).to have_button('Projects') - expect(page).to have_button('Groups') - expect(page).not_to have_link('Activity') - expect(page).not_to have_link('Milestones') - expect(page).to have_link('Snippets') - end - end - end -end diff --git a/spec/features/groups/group_page_with_external_authorization_service_spec.rb b/spec/features/groups/group_page_with_external_authorization_service_spec.rb deleted file mode 100644 index c05c3f4f3d6..00000000000 --- a/spec/features/groups/group_page_with_external_authorization_service_spec.rb +++ /dev/null @@ -1,58 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'The group page' do - include ExternalAuthorizationServiceHelpers - - let(:user) { create(:user) } - let(:group) { create(:group) } - - before do - sign_in user - group.add_owner(user) - end - - def expect_all_sidebar_links - within('.nav-sidebar') do - expect(page).to have_link('Overview') - expect(page).to have_link('Details') - expect(page).to have_link('Activity') - expect(page).to have_link('Issues') - expect(page).to have_link('Merge Requests') - expect(page).to have_link('Members') - end - end - - describe 'The sidebar' do - it 'has all the expected links' do - visit group_path(group) - - expect_all_sidebar_links - end - - it 'shows all project features when policy control is enabled' do - stub_application_setting(external_authorization_service_enabled: true) - - visit group_path(group) - - expect_all_sidebar_links - end - - it 'hides some links when an external authorization service configured with an url' do - enable_external_authorization_service_check - visit group_path(group) - - within('.nav-sidebar') do - expect(page).to have_link('Overview') - expect(page).to have_link('Details') - expect(page).not_to have_link('Activity') - expect(page).not_to have_link('Contribution Analytics') - - expect(page).not_to have_link('Issues') - expect(page).not_to have_link('Merge Requests') - expect(page).to have_link('Members') - end - end - end -end diff --git a/spec/features/projects/classification_label_on_project_pages_spec.rb b/spec/features/projects/classification_label_on_project_pages_spec.rb deleted file mode 100644 index 92f8aa8eb8d..00000000000 --- a/spec/features/projects/classification_label_on_project_pages_spec.rb +++ /dev/null @@ -1,22 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'Classification label on project pages' do - let(:project) do - create(:project, external_authorization_classification_label: 'authorized label') - end - let(:user) { create(:user) } - - before do - stub_application_setting(external_authorization_service_enabled: true) - project.add_maintainer(user) - sign_in(user) - end - - it 'shows the classification label on the project page' do - visit project_path(project) - - expect(page).to have_content('authorized label') - end -end diff --git a/spec/features/projects/forks/fork_list_spec.rb b/spec/features/projects/forks/fork_list_spec.rb deleted file mode 100644 index 2c41c61a660..00000000000 --- a/spec/features/projects/forks/fork_list_spec.rb +++ /dev/null @@ -1,35 +0,0 @@ -require 'spec_helper' - -describe 'listing forks of a project' do - include ProjectForksHelper - include ExternalAuthorizationServiceHelpers - - let(:source) { create(:project, :public, :repository) } - let!(:fork) { fork_project(source, nil, repository: true) } - let(:user) { create(:user) } - - before do - source.add_maintainer(user) - sign_in(user) - end - - it 'shows the forked project in the list with commit as description' do - visit project_forks_path(source) - - page.within('li.project-row') do - expect(page).to have_content(fork.full_name) - expect(page).to have_css('a.commit-row-message') - end - end - - it 'does not show the commit message when an external authorization service is used' do - enable_external_authorization_service_check - - visit project_forks_path(source) - - page.within('li.project-row') do - expect(page).to have_content(fork.full_name) - expect(page).not_to have_css('a.commit-row-message') - end - end -end diff --git a/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb b/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb deleted file mode 100644 index a8612d77a5e..00000000000 --- a/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb +++ /dev/null @@ -1,128 +0,0 @@ -require 'spec_helper' - -describe 'viewing an issue with cross project references' do - include ExternalAuthorizationServiceHelpers - include Gitlab::Routing.url_helpers - - let(:user) { create(:user) } - let(:other_project) do - create(:project, :public, - external_authorization_classification_label: 'other_label') - end - let(:other_issue) do - create(:issue, :closed, - title: 'I am in another project', - project: other_project) - end - let(:other_confidential_issue) do - create(:issue, :confidential, :closed, - title: 'I am in another project and confidential', - project: other_project) - end - let(:other_merge_request) do - create(:merge_request, :closed, - title: 'I am a merge request in another project', - source_project: other_project) - end - let(:description_referencing_other_issue) do - "Referencing: #{other_issue.to_reference(project)}, "\ - "a confidential issue #{confidential_issue.to_reference}, "\ - "a cross project confidential issue #{other_confidential_issue.to_reference(project)}, and "\ - "a cross project merge request #{other_merge_request.to_reference(project)}" - end - let(:project) { create(:project) } - let(:issue) do - create(:issue, - project: project, - description: description_referencing_other_issue ) - end - let(:confidential_issue) do - create(:issue, :confidential, :closed, - title: "I am in the same project and confidential", - project: project) - end - - before do - project.add_developer(user) - sign_in(user) - end - - it 'shows all information related to the cross project reference' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_issue.to_reference(project)} (#{other_issue.state})") - expect(page).to have_xpath("//a[@title='#{other_issue.title}']") - end - - it 'shows a link to the confidential issue in the same project' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{confidential_issue.to_reference(project)} (#{confidential_issue.state})") - expect(page).to have_xpath("//a[@title='#{confidential_issue.title}']") - end - - it 'does not show the link to a cross project confidential issue when the user does not have access' do - visit project_issue_path(project, issue) - - expect(page).not_to have_link("#{other_confidential_issue.to_reference(project)} (#{other_confidential_issue.state})") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'shows the link to a cross project confidential issue when the user has access' do - other_project.add_developer(user) - - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_confidential_issue.to_reference(project)} (#{other_confidential_issue.state})") - expect(page).to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - context 'when an external authorization service is enabled' do - before do - enable_external_authorization_service_check - end - - it 'only hits the external service for the project the user is viewing' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'default_label', any_args).at_least(1).and_return(true) - expect(::Gitlab::ExternalAuthorization) - .not_to receive(:access_allowed?).with(user, 'other_label', any_args) - - visit project_issue_path(project, issue) - end - - it 'shows only the link to the cross project references' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_issue.to_reference(project)}") - expect(page).to have_link("#{other_merge_request.to_reference(project)}") - expect(page).not_to have_content("#{other_issue.to_reference(project)} (#{other_issue.state})") - expect(page).not_to have_xpath("//a[@title='#{other_issue.title}']") - expect(page).not_to have_content("#{other_merge_request.to_reference(project)} (#{other_merge_request.state})") - expect(page).not_to have_xpath("//a[@title='#{other_merge_request.title}']") - end - - it 'does not link a cross project confidential issue if the user does not have access' do - visit project_issue_path(project, issue) - - expect(page).not_to have_link("#{other_confidential_issue.to_reference(project)}") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'links a cross project confidential issue without exposing information when the user has access' do - other_project.add_developer(user) - - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_confidential_issue.to_reference(project)}") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'shows a link to the confidential issue in the same project' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{confidential_issue.to_reference(project)} (#{confidential_issue.state})") - expect(page).to have_xpath("//a[@title='#{confidential_issue.title}']") - end - end -end diff --git a/spec/features/projects/settings/external_authorization_service_settings_spec.rb b/spec/features/projects/settings/external_authorization_service_settings_spec.rb deleted file mode 100644 index 31b2892cf6f..00000000000 --- a/spec/features/projects/settings/external_authorization_service_settings_spec.rb +++ /dev/null @@ -1,21 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'Projects > Settings > External Authorization Classification Label setting' do - let(:user) { create(:user) } - let(:project) { create(:project_empty_repo) } - - before do - project.add_maintainer(user) - sign_in(user) - end - - it 'shows the field to set a classification label' do - stub_application_setting(external_authorization_service_enabled: true) - - visit edit_project_path(project) - - expect(page).to have_selector('#project_external_authorization_classification_label') - end -end diff --git a/spec/features/users/show_spec.rb b/spec/features/users/show_spec.rb index 351750c0179..86379164cf0 100644 --- a/spec/features/users/show_spec.rb +++ b/spec/features/users/show_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe 'User page' do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } context 'with public profile' do @@ -88,24 +86,4 @@ describe 'User page' do end end end - - context 'most recent activity' do - it 'shows the most recent activity' do - visit(user_path(user)) - - expect(page).to have_content('Most Recent Activity') - end - - context 'when external authorization is enabled' do - before do - enable_external_authorization_service_check - end - - it 'hides the most recent activity' do - visit(user_path(user)) - - expect(page).not_to have_content('Most Recent Activity') - end - end - end end diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb index 4133987a07e..fe53fabe54c 100644 --- a/spec/finders/issues_finder_spec.rb +++ b/spec/finders/issues_finder_spec.rb @@ -559,13 +559,6 @@ describe IssuesFinder do expect(issues.count).to eq 0 end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:issue, project: project) } - let(:project_params) { { project_id: project.id } } - end - end end describe '#row_count', :request_store do diff --git a/spec/finders/labels_finder_spec.rb b/spec/finders/labels_finder_spec.rb index 98b4933fef6..3f060ba0553 100644 --- a/spec/finders/labels_finder_spec.rb +++ b/spec/finders/labels_finder_spec.rb @@ -226,12 +226,5 @@ describe LabelsFinder do expect(finder.execute).to eq [project_label_1] end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:label, project: project) } - let(:project_params) { { project_id: project.id } } - end - end end end diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb index 9d4b9af3ec3..f508b9bdb6f 100644 --- a/spec/finders/merge_requests_finder_spec.rb +++ b/spec/finders/merge_requests_finder_spec.rb @@ -253,13 +253,6 @@ describe MergeRequestsFinder do expect(finder.row_count).to eq(1) end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:merge_request, source_project: project) } - let(:project_params) { { project_id: project.id } } - end - end end context 'when projects require different access levels for merge requests' do diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb index d367f9015c7..93287f3e9b8 100644 --- a/spec/finders/snippets_finder_spec.rb +++ b/spec/finders/snippets_finder_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe SnippetsFinder do - include ExternalAuthorizationServiceHelpers include Gitlab::Allowable describe '#initialize' do @@ -165,35 +164,4 @@ describe SnippetsFinder do end it_behaves_like 'snippet visibility' - - context 'external authorization' do - let(:user) { create(:user) } - let(:project) { create(:project) } - let!(:snippet) { create(:project_snippet, :public, project: project) } - - before do - project.add_maintainer(user) - end - - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:project_snippet, project: project) } - let(:project_params) { { project: project } } - end - - it 'includes the result if the external service allows access' do - external_service_allow_access(user, project) - - results = described_class.new(user, project: project).execute - - expect(results).to contain_exactly(snippet) - end - - it 'does not include any results if the external service denies access' do - external_service_deny_access(user, project) - - results = described_class.new(user, project: project).execute - - expect(results).to be_empty - end - end end diff --git a/spec/finders/todos_finder_spec.rb b/spec/finders/todos_finder_spec.rb index 22318a9946a..d4ed41d54f0 100644 --- a/spec/finders/todos_finder_spec.rb +++ b/spec/finders/todos_finder_spec.rb @@ -47,13 +47,6 @@ describe TodosFinder do end end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:todo, project: project, user: user) } - let(:project_params) { { project_id: project.id } } - end - end end describe '#sort' do diff --git a/spec/fixtures/passphrase_x509_certificate.crt b/spec/fixtures/passphrase_x509_certificate.crt deleted file mode 100644 index 6973163b79e..00000000000 --- a/spec/fixtures/passphrase_x509_certificate.crt +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEpTCCAo0CAQEwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJYXV0aG9yaXR5 -MB4XDTE4MDMyMzE0MDIwOFoXDTE5MDMyMzE0MDIwOFowHTEbMBkGA1UEAwwSZ2l0 -bGFiLXBhc3NwaHJhc2VkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA -zpsWHOewP/khfDsLUWxaRCinrBzVJm2C01bVahKVR3g/JD4vEH901Wod9Pvbh/9e -PEfE+YZmgSUUopbL3JUheMnyW416F43HKE/fPW4+QeuIEceuhCXg20eOXmvnWWNM -0hXZh4hq69rwvMPREC/LkZy/QkTDKhJNLNAqAQu2AJ3C7Yga8hFQYEhx1hpfGtwD -z/Nf3efat9WN/d6yW9hfJ98NCmImTm5l9Pc0YPNWCAf96vsqsNHBrTkFy6CQwkhH -K1ynVYuqnHYxSc4FPCT5SAleD9gR/xFBAHb7pPy4yGxMSEmiWaMjjZCVPsghj1jM -Ej77MTDL3U9LeDfiILhvZ+EeQxqPiFwwG2eaIn3ZEs2Ujvw7Z2VpG9VMcPTnB4jK -ot6qPM1YXnkGWQ6iT0DTPS3h7zg1xIJXI5N2sI6GXuKrXXwZ1wPqzFLKPv+xBjp8 -P6dih+EImfReFi9zIO1LqGMY+XmRcqodsb6jzsmBimJkqBtatJM7FuUUUN56wiaj -q9+BWbm+ZdQ2lvqndMljjUjTh6pNERfGAJgkNuLn3X9hXVE0TSpmn0nOgaL5izP3 -7FWUt0PTyGgK2zq9SEhZmK2TKckLkKMk/ZBBBVM/nrnjs72IlbsqdcVoTnApytZr -xVYTj1hV7QlAfaU3w/M534qXDiy8+HfX5ksWQMtSklECAwEAATANBgkqhkiG9w0B -AQUFAAOCAgEAMMhzSRq9PqCpui74nwjhmn8Dm2ky7A+MmoXNtk70cS/HWrjzaacb -B/rxsAUp7f0pj4QMMM0ETMFpbNs8+NPd2FRY0PfWE4yyDpvZO2Oj1HZKLHX72Gjn -K5KB9DYlVsXhGPfuFWXpxGWF2Az9hDWnj58M3DOAps+6tHuAtudQUuwf5ENQZWwE -ySpr7yoHm1ykgl0Tsb9ZHi9qLrWRRMNYXRT+gvwP1bba8j9jOtjO/xYiIskwMPLM -W8SFmQxbg0Cvi8Q89PB6zoTNOhPQyoyeSlw9meeZJHAMK2zxeglEm8C4EQ+I9Y6/ -yylM5/Sc55TjWAvRFgbsq+OozgMvffk/Q2fzcGF44J9DEQ7nrhmJxJ+X4enLknR5 -Hw4+WhdYA+bwjx3YZBNTh9/YMgNPYwQhf5gtcZGTd6X4j6qZfJ6CXBmhkC1Cbfyl -yM7B7i4JAqPWMeDP50pXCgyKlwgw1JuFW+xkbkYQAj7wtggQ6z1Vjb5W8R8kYn9q -LXClVtThEeSV5KkVwNX21aFcUs8qeQ+zsgKqpEyM5oILQQ1gDSxLTtrr2KuN+WJN -wM0acwD45X7gA/aZYpCGkIgHIBq0zIDP1s6IqeebFJjW8lWofhRxOEWomWdRweJG -N7qQ1WCTQxAPGAkDI8QPjaspvnAhFKmpBG/mR5IXLFKDbttu7WNdYDo= ------END CERTIFICATE----- diff --git a/spec/fixtures/passphrase_x509_certificate_pk.key b/spec/fixtures/passphrase_x509_certificate_pk.key deleted file mode 100644 index f9760dfe70e..00000000000 --- a/spec/fixtures/passphrase_x509_certificate_pk.key +++ /dev/null @@ -1,54 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,79CCB506B0FD42A6F1BAE6D72E1CB20C - -EuZQOfgaO6LVCNytTHNJmbiq1rbum9xg6ohfBTVt7Cw4+8yLezWva/3sJQtnEk2P -M2yEQYWIiCX+clPkRiRL8WLjRfLTNcYS6QxxuJdpOrowPrBYr4Aig8jBUUBI4VQf -w1ZEUQd0mxQGnyzkKpsudFOntCtZbvbrBsIAQUNLcrKEFk3XW/BqE1Q/ja6WfWqX -b6EKg6DoXi92V90O6sLDfpmTKZq3ThvVDFuWeJ2K/GVp2cs+MkBIBJ8XX+NT1nWg -g+Ok+yaSI/N9ILX4XDgXunJGwcooI8PhHSjkDWRusi8vbo7RFqIKiSF+h6tIwktF -Uss3JESKgXZCQ7upCnHSzK/aWFtwHtXxqOi7esqEZd+1sB0LY+XMnbaxweCMx2Kj -czktKYvoXUs69Whln+yyXULtl5XhJ8lbvlbIG2FbZ9y+/hHOyBqZyeUyCnXDzv8/ -0U0iZwreP3XPVMsy578pIdcdL27q+r05j4yjrJfbX3T9xp2u3F9uVubCa4euEBwV -yrFdsxJLKON8pFeDS49m5gHNsHmeZ0sUeTPZVGNXdabVetkOA0eAAGK4zAoqG79L -hEN7cDenz+E4XHp8gMzwwMiVyU4FuAb6SXkfSodctmSTWVbzNBja0FBek3UXy+pn -9qq7cIpe7NY5gzcbyoy9lSkyYVkAm8j6BIYtY1ZUAmtCklC2ADWARTjd7dI7aEbO -QbXxNIq2+O/zMOXfougSPoDP8SLyLuE1p6SwfWV7Dwf119hn+mjWlGzAZDxxHhsR -yYUQCUe0NIKzuUp3WYIx8xIb7/WFwit/JaFaxurjBnhkkEviBn+TgXiuFBO3tv/d -URpZ39rH0mrDsR61pCiIcoNVkQkynHcAFPd5VtaeSJPvZP280uOCPPS31cr6/0LB -1JX3lZoWWCuA+JQjxtZDaDTcvEUbfOQ2rexQQo4uylNkBF9F5WOdQBkKG/AfqBq8 -S/TdubYzvpcKhFAlXsI67JdbxGlU4HCsxOLwWzSUYclN4W3l7s7KZ5zxt+MU03Uf -vara9uuZHiKUjZohjXeqcXTc+UyC8VH1dF19M3Cj9RNrwl2xEDUMtIiALBjbGp1E -pu2nPj9NhWf9Vw5MtSszutesxXba2nPmvvGvvZ7N3h/k4NsKL7JdENF7XqkI0D2K -jpO1t6d3cazS1VpMWLZS45kWaM3Y07tVR3V+4Iv9Vo1e9H2u/Z5U4YeJ44sgMsct -dBOAhHdUAI5+P+ocLXiCKo+EcS0cKvz+CC4ux0vvcF3JrTqZJN1U/JxRka2EyJ1B -2Xtu3DF36XpBJcs+MJHjJ+kUn6DHYoYxZa+bB8LX6+FQ+G7ue+Dx/RsGlP7if1nq -DAaM6kZg7/FbFzOZyl5xhwAJMxfgNNU7nSbk9lrvQ4mdwgFjvgGu3jlER4+TcleE -4svXInxp1zK6ES44tI9fXkhPaFkafxAL7eUSyjjEwMC06h+FtqK3mmoKLo5NrGJE -zVl69r2WdoSQEylVN1Kbp+U4YbfncInLJqBq2q5w9ASL/8Rhe8b52q6PuVX/bjoz -0pkSu+At4jVbAhRpER5NGlzG884IaqqvBvMYR5zFJeRroIijyUyH0KslK37/sXRk -ty0yKrkm31De9gDa3+XlgAVDAgbEQmGVwVVcV0IYYJbjIf36lUdGh4+3krwxolr/ -vZct5Z7QxfJlBtdOstjz5U9o05yOhjoNrPZJXuKMmWOQjSwr7rRSdqmAABF9IrBf -Pa/ChF1y5j3gJESAFMyiea3kvLq1EbZRaKoybsQE2ctBQ8EQjzUz+OOxVO6GJ4W9 -XHyfcviFrpsVcJEpXQlEtGtKdfKLp48cytob1Fu1JOYPDCrafUQINCZP4H3Nt892 -zZiTmdwux7pbgf4KbONImN5XkpvdCGjQHSkYMmm5ETRK8s7Fmvt2aBPtlyXxJDOq -iJUqwDV5HZXOnQVE/v/yESKgo2Cb8BWqPZ4/8Ubgu/OADYyv/dtjQel8QQ2FMhO4 -2tnwWbBBJk8VpR/vjFHkGSnj+JJfW/vUVQ+06D3wHYhNp7mh4M+37AngwzGCp7k+ -9aFwb2FBGghArB03E4lIO/959T0cX95WZ6tZtLLEsf3+ug7PPOSswCqsoPsXzFJH -MgXVGKFXccNSsWol7VvrX/uja7LC1OE+pZNXxCRzSs4aljJBpvQ6Mty0lk2yBC0R -MdujMoZH9PG9U6stwFd+P17tlGrQdRD3H2uimn82Ck+j2l0z0pzN0JB2WBYEyK0O -1MC36wLICWjgIPLPOxDEEBeZPbc24DCcYfs/F/hSCHv/XTJzVVILCX11ShGPSXlI -FL9qyq6jTNh/pVz6NiN/WhUPBFfOSzLRDyU0MRsSHM8b/HPpf3NOI3Ywmmj65c2k -2kle1F2M5ZTL+XvLS61qLJ/8AgXWvDHP3xWuKGG/pM40CRTUkRW6NAokMr2/pEFw -IHTE2+84dOKnUIEczzMY3aqzNmYDCmhOY0jD/Ieb4hy9tN+1lbQ/msYMIJ1w7CFR -38yB/UbDD90NcuDhjrMbzVUv1At2rW7GM9lSbxGOlYDmtMNEL63md1pQ724v4gSE -mzoFcMkqdh+hjFvv11o4H32lF3mPYcXuL+po76tqxGOiUrLKe/ZqkT5XAclYV/7H -k3Me++PCh4ZqXBRPvR8Xr90NETtiFCkBQXLdhNWXrRe2v0EbSX+cYAWk68FQKCHa -HKTz9T7wAvB6QWBXFhH9iCP8rnQLCEhLEhdrt+4v2KFkIVzBgOlMoHsZsMp0sBeq -c5ZVbJdiKik3P/8ZQTn4jmOnQXCEyWx+LU4acks8Aho4lqq9yKq2DZpwbIRED47E -r7R/NUevhqqzEHZ2SGD6EDqRN+bHJEi64vq0ryaEielusYXZqlnFXDHJcfLCmR5X -3bj5pCwQF4ScTukrGQB/c4henG4vlF4CaD0CIIK3W6tH+AoDohYJts6YK49LGxmK -yXiyKNak8zHYBBoRvd2avRHyGuR5yC9KrN8cbC/kZqMDvAyM65pIK+U7exJwYJhv -ezCcbiH3bK3anpiRpdeNOot2ba/Y+/ks+DRC+xs4QDIhrmSEBCsLv1JbcWjtHSaG -lm+1DSVduUk/kN+fBnlfif+TQV9AP3/wb8ekk8jjKXsL7H1tJKHsLLIIvrgrpxjw ------END RSA PRIVATE KEY----- diff --git a/spec/fixtures/x509_certificate.crt b/spec/fixtures/x509_certificate.crt deleted file mode 100644 index 8a84890b928..00000000000 --- a/spec/fixtures/x509_certificate.crt +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEnDCCAoQCAQEwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJYXV0aG9yaXR5 -MB4XDTE4MDMxOTE1MjYzMloXDTE5MDMxOTE1MjYzMlowFDESMBAGA1UEAwwJbG9j -YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+tcM7iphsLlR -ccUph2ixabRYnw1HeLCiA4O9a4O31oVUBuzAn/eVU4jyVWkaBym6MHa8CiDOro9H -OXodITMw+3G1sG/yQZ8Y/5dsOP2hEoSfs63/2FAgFWzrB2HnYSShiN8tBeeDI5cJ -ii4JVMfpfi9cvXZUXFR8+P0XR1HDxx6or6UTK37k2kbDQZ41rv1ng2w0AUZt0LRA -NWVE48zvUWIU0y+2JLP1yhrKj85RRjQc5cMK88zzWSZBcSjDGGeJ4C8B5Zh2gFlQ -+1aJkyyklORR3v/RyYO9prTeXPqQ3x/nNsNkI+cyv0Gle6tk+CkOfE1m0CvNWlNg -b8LdQ0XZsOYLZvxfpHk3gHA5GrHXvn5StkM5xMXpdUCsh22CZZHe/4SeFE64amkf -1/LuqY0LYc5UdG2SeJ0SDauPRAIuAr4OV7+Q/nLdY8haMC6KOtpbAWvKX/Jqq0z1 -nUXzQn1JWCNw1QMdq9Uz8wiWOjLTr2D/mIVrVef0pb2mfdtzjzUrYCP0PtnQExPB -rocP6BDXN7Ragcdis5/IfLuCOD6pAkmzy6o8RSvAoEUs9VbPiUfN7WAyU1K1rTYH -KV+zPfWF254nZ2SBeReN9CMKbMJE+TX2chRlq07Q5LDz33h9KXw1LZT8MWRinVJf -RePsQiyHpRBWRG0AhbD+YpiGKHzsat0CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEA -Skp0tbvVsg3RG2pX0GP25j0ix+f78zG0+BJ6LiKGMoCIBtGKitfUjBg83ru/ILpa -fpgrQpNQVUnGQ9tmpnqV605ZBBRUC1CRDsvUnyN6p7+yQAq6Fl+2ZKONHpPk+Bl4 -CIewgdkHjTwTpvIM/1DFVCz4R1FxNjY3uqOVcNDczMYEk2Pn2GZNNN35hUHHxWh4 -89ZvI+XKuRFZq3cDPA60PySeJJpCRScWGgnkdEX1gTtWH3WUlq9llxIvRexyNyzZ -Yqvcfx5UT75/Pp+JPh9lpUCcKLHeUiadjkiLxu3IcrYa4gYx4lA8jgm7adNEahd0 -oMAHoO9DU6XMo7o6tnQH3xQv9RAbQanjuyJR9N7mwmc59bQ6mW+pxCk843GwT73F -slseJ1nE1fQQQD7mn/KGjmeWtxY2ElUjTay9ff9/AgJeQYRW+oH0cSdo8WCpc2+G -+LZtLWfBgFLHseRlmarSe2pP8KmbaTd3q7Bu0GekVQOxYcNX59Pj4muQZDVLh8aX -mSQ+Ifts/ljT649MISHn2AZMR4+BUx63tFcatQhbAGGH5LeFdbaGcaVdsUVyZ9a2 -HBmFWNsgEPtcC+WmNzCXbv7jQsLAJXufKG5MnurJgNf/n5uKCmpGsEJDT/KF1k/3 -x9YnqM7zTyV6un+LS3HjEJvwQmqPWe+vFAeXWGCoWxE= ------END CERTIFICATE----- diff --git a/spec/fixtures/x509_certificate_pk.key b/spec/fixtures/x509_certificate_pk.key deleted file mode 100644 index c02a3cf6189..00000000000 --- a/spec/fixtures/x509_certificate_pk.key +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEA+tcM7iphsLlRccUph2ixabRYnw1HeLCiA4O9a4O31oVUBuzA -n/eVU4jyVWkaBym6MHa8CiDOro9HOXodITMw+3G1sG/yQZ8Y/5dsOP2hEoSfs63/ -2FAgFWzrB2HnYSShiN8tBeeDI5cJii4JVMfpfi9cvXZUXFR8+P0XR1HDxx6or6UT -K37k2kbDQZ41rv1ng2w0AUZt0LRANWVE48zvUWIU0y+2JLP1yhrKj85RRjQc5cMK -88zzWSZBcSjDGGeJ4C8B5Zh2gFlQ+1aJkyyklORR3v/RyYO9prTeXPqQ3x/nNsNk -I+cyv0Gle6tk+CkOfE1m0CvNWlNgb8LdQ0XZsOYLZvxfpHk3gHA5GrHXvn5StkM5 -xMXpdUCsh22CZZHe/4SeFE64amkf1/LuqY0LYc5UdG2SeJ0SDauPRAIuAr4OV7+Q -/nLdY8haMC6KOtpbAWvKX/Jqq0z1nUXzQn1JWCNw1QMdq9Uz8wiWOjLTr2D/mIVr -Vef0pb2mfdtzjzUrYCP0PtnQExPBrocP6BDXN7Ragcdis5/IfLuCOD6pAkmzy6o8 -RSvAoEUs9VbPiUfN7WAyU1K1rTYHKV+zPfWF254nZ2SBeReN9CMKbMJE+TX2chRl -q07Q5LDz33h9KXw1LZT8MWRinVJfRePsQiyHpRBWRG0AhbD+YpiGKHzsat0CAwEA -AQKCAgBf1urJ1Meeji/gGETVx9qBWLbDjn9QTayZSyyEd78155tDShIPDLmxQRHW -MGIReo/5FGSkOgS+DWBZRZ77oGOGrtuMnjkheXhDr8dZvw5b1PBv5ntqWrLnfMYP -/Ag7xZMyiJLbPqmMX5j1gsFt8zPzUoVMnnl9DYryV0Edrs/utHgfJCM+6yzleUQB -PkGkqo1yWVVFZ3Nt2nDt9dNsdlC594+dYQ1m2JuArNvYNiw3dpHT98GnhRc1aLh4 -U+q22FiFn3BKGQat43JdlaLa6KO5f8MIQRYWuI8tss2DGPlhRv9AnUcVsLBjAuIH -bmUVrBosxCYUQ6giatjd2sZPfdC+VIDCbIWRthxkXJ9I/Ap8R98xx/7qIcPFc+XA -hcK1xOM7zIq2xgAOFeeh8O8Wq9cH8NmUhMCgzIE0WT32Zo0JAW6l0kZc82Y/Yofz -U+TJKo0NOFZe687HOhanOHbbQSG29XOqxMYTABZ7Ixf+4RZPD5+yQgZWP1BhLluy -PxZhsLl67xvbfB2i9VVorMN7PbFx5hbni3C7/p63Z0rG5q4/uJBbX3Uuh6KdhIo+ -Zh9UC6u29adIthdxz+ZV5wBccTOgaeHB9wRL9Hbp6ZxyqesQB4RTsFtPNXxZ7K43 -fmJgHZvHhF5gSbeB8JAeBf0cy3pytJM49ZxplifeGVzUJP2gAQKCAQEA/1T9quz5 -sOD03FxV//oRWD1kqfunq3v56sIBG4ZMVZKUqc6wLjTmeklLYKq85AWX8gnCHi0g -nmG/xDh/rt1/IngMWP98WVuD67hFbrj87g7A7YGIiwZ2gi6hqhqmALN+5JjCSTPp -XOiPvNnXP0XM4gIHBXV8diHq5rF9NsSh4vx3OExr8KQqVzWoDcnnWNfnDlrFB8cq -ViII+UqdovXp59hAVOsc+pYAe+8JeQDX17H3U/NMkUw4gU2aWUCvUVjxi9oBG/CW -ncIdYuW8zne4qXbX7YLC0QUUIDVOWzhLauAUBduTqRTldJo0KAxu887tf+uStXs8 -RACLGIaBQw7BXQKCAQEA+38NFnpflKquU92xRtmqWAVaW7rm865ZO6EIaS4JII/N -/Ebu1YZrAhT0ruGJQaolYj8w79BEZRF2CYDPZxKFv/ye0O7rWCAGtCdWQ0BXcrIU -7SdlsdfTNXO1R3WbwCyVxyjg6YF7FjbTaaOAoTiosTjDs2ZOgkbdh/sMeWkSN5HB -aQz4c8rqq0kkYucLqp4nWYSWSJn88bL8ctwEwW77MheJiSpo1ohNRP3ExHnbCbYw -RIj7ATSz74ebpd9NMauB5clvMMh4jRG0EQyt7KCoOyfPRFc3fddvTr03LlgFfX/n -qoxd2nejgAS3NnG1XMxdcUa7cPannt46Sef1uZo3gQKCAQB454zquCYQDKXGBu8u -NAKsjv2wxBqESENyV4VgvDo/NxawRdAFQUV12GkaEB87ti5aDSbfVS0h8lV1G+/S -JM5DyybFqcz/Hyebofk20d/q9g+DJ5g5hMjvIhepTc8Xe+d1ZaRyN2Oke/c8TMbx -DiNTTfR3MEfMRIlPzfHl0jx6GGR3wzBFleb6vsyiIt4qoqmlkXPFGBlDCgDH0v5M -ITgucacczuw8+HSoOut4Yd7TI1FjbkzubHJBQDb7VnbuBTjzqTpnOYiIkVeK8hBy -kBxgGodqz0Vi5o2+Jp/A8Co+JHc2wt/r65ovmali4WhUiMLLlQg2aXGDHeK/rUle -MIl9AoIBAQCPKCYSCnyHypRK5uG3W8VsLzfdCUnXogHnQGXiQTMu1szA8ruWzdnx -qG4TcgxIVYrMHv5DNAEKquLOzATDPjbmLu1ULvvGAQzv1Yhz5ZchkZ7507g+gIUY -YxHoaFjNDlP/txQ3tt2SqoizFD/vBap4nsA/SVgdLiuB8PSL07Rr70rx+lEe0H2+ -HHda2Pu6FiZ9/Uvybb0e8+xhkT4fwYW5YM6IRpzAqXuabv1nfZmiMJPPH04JxK88 -BKwjwjVVtbPOUlg5o5ODcXVXUylZjaXVbna8Bw1uU4hngKt9dNtDMeB0I0x1RC7M -e2Ky2g0LksUJ6uJdjfmiJAt38FLeYJuBAoIBAC2oqaqr86Dug5v8xHpgFoC5u7z7 -BRhaiHpVrUr+wnaNJEXfAEmyKf4xF5xDJqldnYG3c9ETG/7bLcg1dcrMPzXx94Si -MI3ykwiPeI/sVWYmUlq4U8zCIC7MY6sWzWt3oCBNoCN/EeYx9e7+eLNBB+fADAXq -v9RMGlUIy7beX0uac8Bs771dsxIb/RrYw58wz+jrwGlzuDmcPWiu+ARu7hnBqCAV -AITlCV/tsEk7u08oBuv47+rVGCh1Qb19pNswyTtTZARAGErJO0Q+39BNuu0M2TIn -G3M8eNmGHC+mNsZTVgKRuyk9Ye0s4Bo0KcqSndiPFGHjcrF7/t+RqEOXr/E= ------END RSA PRIVATE KEY----- diff --git a/spec/lib/gitlab/external_authorization/access_spec.rb b/spec/lib/gitlab/external_authorization/access_spec.rb deleted file mode 100644 index 5dc2521b310..00000000000 --- a/spec/lib/gitlab/external_authorization/access_spec.rb +++ /dev/null @@ -1,142 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Access, :clean_gitlab_redis_cache do - subject(:access) { described_class.new(build(:user), 'dummy_label') } - - describe '#loaded?' do - it 'is `true` when it was loaded recently' do - Timecop.freeze do - allow(access).to receive(:loaded_at).and_return(5.minutes.ago) - - expect(access).to be_loaded - end - end - - it 'is `false` when there is no loading time' do - expect(access).not_to be_loaded - end - - it 'is `false` when there the result was loaded a long time ago' do - Timecop.freeze do - allow(access).to receive(:loaded_at).and_return(2.weeks.ago) - - expect(access).not_to be_loaded - end - end - end - - describe 'load!' do - let(:fake_client) { double('ExternalAuthorization::Client') } - let(:fake_response) do - double( - 'Response', - 'successful?' => true, - 'valid?' => true, - 'reason' => nil - ) - end - - before do - allow(access).to receive(:load_from_cache) - allow(fake_client).to receive(:request_access).and_return(fake_response) - allow(Gitlab::ExternalAuthorization::Client).to receive(:new) { fake_client } - end - - context 'when loading from the webservice' do - it 'loads from the webservice it the cache was empty' do - expect(access).to receive(:load_from_cache) - expect(access).to receive(:load_from_service).and_call_original - - access.load! - - expect(access).to be_loaded - end - - it 'assigns the accessibility, reason and loaded_at' do - allow(fake_response).to receive(:successful?).and_return(false) - allow(fake_response).to receive(:reason).and_return('Inaccessible label') - - access.load! - - expect(access.reason).to eq('Inaccessible label') - expect(access).not_to have_access - expect(access.loaded_at).not_to be_nil - end - - it 'returns itself' do - expect(access.load!).to eq(access) - end - - it 'stores the result in redis' do - Timecop.freeze do - fake_cache = double - expect(fake_cache).to receive(:store).with(true, nil, Time.now) - expect(access).to receive(:cache).and_return(fake_cache) - - access.load! - end - end - - context 'when the request fails' do - before do - allow(fake_client).to receive(:request_access) do - raise ::Gitlab::ExternalAuthorization::RequestFailed.new('Service unavailable') - end - end - - it 'is loaded' do - access.load! - - expect(access).to be_loaded - end - - it 'assigns the correct accessibility, reason and loaded_at' do - access.load! - - expect(access.reason).to eq('Service unavailable') - expect(access).not_to have_access - expect(access.loaded_at).not_to be_nil - end - - it 'does not store the result in redis' do - fake_cache = double - expect(fake_cache).not_to receive(:store) - allow(access).to receive(:cache).and_return(fake_cache) - - access.load! - end - end - end - - context 'When loading from cache' do - let(:fake_cache) { double('ExternalAuthorization::Cache') } - - before do - allow(access).to receive(:cache).and_return(fake_cache) - end - - it 'does not load from the webservice' do - Timecop.freeze do - expect(fake_cache).to receive(:load).and_return([true, nil, Time.now]) - - expect(access).to receive(:load_from_cache).and_call_original - expect(access).not_to receive(:load_from_service) - - access.load! - end - end - - it 'loads from the webservice when the cached result was too old' do - Timecop.freeze do - expect(fake_cache).to receive(:load).and_return([true, nil, 2.days.ago]) - - expect(access).to receive(:load_from_cache).and_call_original - expect(access).to receive(:load_from_service).and_call_original - allow(fake_cache).to receive(:store) - - access.load! - end - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization/cache_spec.rb b/spec/lib/gitlab/external_authorization/cache_spec.rb deleted file mode 100644 index 58e7d626707..00000000000 --- a/spec/lib/gitlab/external_authorization/cache_spec.rb +++ /dev/null @@ -1,48 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Cache, :clean_gitlab_redis_cache do - let(:user) { build_stubbed(:user) } - let(:cache_key) { "external_authorization:user-#{user.id}:label-dummy_label" } - - subject(:cache) { described_class.new(user, 'dummy_label') } - - def read_from_redis(key) - Gitlab::Redis::Cache.with do |redis| - redis.hget(cache_key, key) - end - end - - def set_in_redis(key, value) - Gitlab::Redis::Cache.with do |redis| - redis.hmset(cache_key, key, value) - end - end - - describe '#load' do - it 'reads stored info from redis' do - Timecop.freeze do - set_in_redis(:access, false) - set_in_redis(:reason, 'Access denied for now') - set_in_redis(:refreshed_at, Time.now) - - access, reason, refreshed_at = cache.load - - expect(access).to eq(false) - expect(reason).to eq('Access denied for now') - expect(refreshed_at).to be_within(1.second).of(Time.now) - end - end - end - - describe '#store' do - it 'sets the values in redis' do - Timecop.freeze do - cache.store(true, 'the reason', Time.now) - - expect(read_from_redis(:access)).to eq('true') - expect(read_from_redis(:reason)).to eq('the reason') - expect(read_from_redis(:refreshed_at)).to eq(Time.now.to_s) - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization/client_spec.rb b/spec/lib/gitlab/external_authorization/client_spec.rb deleted file mode 100644 index fa18c1e56e8..00000000000 --- a/spec/lib/gitlab/external_authorization/client_spec.rb +++ /dev/null @@ -1,97 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Client do - let(:user) { build(:user, email: 'dummy_user@example.com') } - let(:dummy_url) { 'https://dummy.net/' } - subject(:client) { described_class.new(user, 'dummy_label') } - - before do - stub_application_setting(external_authorization_service_url: dummy_url) - end - - describe '#request_access' do - it 'performs requests to the configured endpoint' do - expect(Excon).to receive(:post).with(dummy_url, any_args) - - client.request_access - end - - it 'adds the correct params for the user to the body of the request' do - expected_body = { - user_identifier: 'dummy_user@example.com', - project_classification_label: 'dummy_label' - }.to_json - expect(Excon).to receive(:post) - .with(dummy_url, hash_including(body: expected_body)) - - client.request_access - end - - it 'respects the the timeout' do - stub_application_setting( - external_authorization_service_timeout: 3 - ) - - expect(Excon).to receive(:post).with(dummy_url, - hash_including( - connect_timeout: 3, - read_timeout: 3, - write_timeout: 3 - )) - - client.request_access - end - - it 'adds the mutual tls params when they are present' do - stub_application_setting( - external_auth_client_cert: 'the certificate data', - external_auth_client_key: 'the key data', - external_auth_client_key_pass: 'open sesame' - ) - expected_params = { - client_cert_data: 'the certificate data', - client_key_data: 'the key data', - client_key_pass: 'open sesame' - } - - expect(Excon).to receive(:post).with(dummy_url, hash_including(expected_params)) - - client.request_access - end - - it 'returns an expected response' do - expect(Excon).to receive(:post) - - expect(client.request_access) - .to be_kind_of(::Gitlab::ExternalAuthorization::Response) - end - - it 'wraps exceptions if the request fails' do - expect(Excon).to receive(:post) { raise Excon::Error.new('the request broke') } - - expect { client.request_access } - .to raise_error(::Gitlab::ExternalAuthorization::RequestFailed) - end - - describe 'for ldap users' do - let(:user) do - create(:omniauth_user, - email: 'dummy_user@example.com', - extern_uid: 'external id', - provider: 'ldapprovider') - end - - it 'includes the ldap dn for ldap users' do - expected_body = { - user_identifier: 'dummy_user@example.com', - project_classification_label: 'dummy_label', - user_ldap_dn: 'external id' - }.to_json - expect(Excon).to receive(:post) - .with(dummy_url, hash_including(body: expected_body)) - - client.request_access - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization/logger_spec.rb b/spec/lib/gitlab/external_authorization/logger_spec.rb deleted file mode 100644 index 81f1b2390e6..00000000000 --- a/spec/lib/gitlab/external_authorization/logger_spec.rb +++ /dev/null @@ -1,45 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Logger do - let(:request_time) { Time.parse('2018-03-26 20:22:15') } - - def fake_access(has_access, user, load_type = :request) - access = double('access') - allow(access).to receive_messages(user: user, - has_access?: has_access, - loaded_at: request_time, - label: 'dummy_label', - load_type: load_type) - - access - end - - describe '.log_access' do - it 'logs a nice message for an access request' do - expected_message = "GRANTED admin@example.com access to 'dummy_label' (the/project/path)" - fake_access = fake_access(true, build(:user, email: 'admin@example.com')) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, 'the/project/path') - end - - it 'does not trip without a project path' do - expected_message = "DENIED admin@example.com access to 'dummy_label'" - fake_access = fake_access(false, build(:user, email: 'admin@example.com')) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, nil) - end - - it 'adds the load time for cached accesses' do - expected_message = "DENIED admin@example.com access to 'dummy_label' - cache #{request_time}" - fake_access = fake_access(false, build(:user, email: 'admin@example.com'), :cache) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, nil) - end - end -end diff --git a/spec/lib/gitlab/external_authorization/response_spec.rb b/spec/lib/gitlab/external_authorization/response_spec.rb deleted file mode 100644 index 43211043eca..00000000000 --- a/spec/lib/gitlab/external_authorization/response_spec.rb +++ /dev/null @@ -1,52 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Response do - let(:excon_response) { double } - subject(:response) { described_class.new(excon_response) } - - describe '#valid?' do - it 'is valid for 200, 401, and 403 responses' do - [200, 401, 403].each do |status| - allow(excon_response).to receive(:status).and_return(status) - - expect(response).to be_valid - end - end - - it "is invalid for other statuses" do - expect(excon_response).to receive(:status).and_return(500) - - expect(response).not_to be_valid - end - end - - describe '#reason' do - it 'returns a reason if it was included in the response body' do - expect(excon_response).to receive(:body).and_return({ reason: 'Not authorized' }.to_json) - - expect(response.reason).to eq('Not authorized') - end - - it 'returns nil when there was no body' do - expect(excon_response).to receive(:body).and_return('') - - expect(response.reason).to eq(nil) - end - end - - describe '#successful?' do - it 'is `true` if the status is 200' do - allow(excon_response).to receive(:status).and_return(200) - - expect(response).to be_successful - end - - it 'is `false` if the status is 401 or 403' do - [401, 403].each do |status| - allow(excon_response).to receive(:status).and_return(status) - - expect(response).not_to be_successful - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization_spec.rb b/spec/lib/gitlab/external_authorization_spec.rb deleted file mode 100644 index 7394fbfe0ce..00000000000 --- a/spec/lib/gitlab/external_authorization_spec.rb +++ /dev/null @@ -1,54 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization, :request_store do - include ExternalAuthorizationServiceHelpers - - let(:user) { build(:user) } - let(:label) { 'dummy_label' } - - describe '#access_allowed?' do - it 'is always true when the feature is disabled' do - # Not using `stub_application_setting` because the method is prepended in - # `EE::ApplicationSetting` which breaks when using `any_instance` - # https://gitlab.com/gitlab-org/gitlab-ce/issues/33587 - expect(::Gitlab::CurrentSettings.current_application_settings) - .to receive(:external_authorization_service_enabled) { false } - - expect(described_class).not_to receive(:access_for_user_to_label) - - expect(described_class.access_allowed?(user, label)).to be_truthy - end - end - - describe '#rejection_reason' do - it 'is always nil when the feature is disabled' do - expect(::Gitlab::CurrentSettings.current_application_settings) - .to receive(:external_authorization_service_enabled) { false } - - expect(described_class).not_to receive(:access_for_user_to_label) - - expect(described_class.rejection_reason(user, label)).to be_nil - end - end - - describe '#access_for_user_to_label' do - it 'only loads the access once per request' do - enable_external_authorization_service_check - - expect(::Gitlab::ExternalAuthorization::Access) - .to receive(:new).with(user, label).once.and_call_original - - 2.times { described_class.access_for_user_to_label(user, label, nil) } - end - - it 'logs the access request once per request' do - expect(::Gitlab::ExternalAuthorization::Logger) - .to receive(:log_access) - .with(an_instance_of(::Gitlab::ExternalAuthorization::Access), - 'the/project/path') - .once - - 2.times { described_class.access_for_user_to_label(user, label, 'the/project/path') } - end - end -end diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml index 30bb58ac990..d0ed588f05f 100644 --- a/spec/lib/gitlab/import_export/safe_model_attributes.yml +++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml @@ -496,7 +496,6 @@ Project: - merge_requests_ff_only_enabled - merge_requests_rebase_enabled - jobs_cache_index -- external_authorization_classification_label - pages_https_only Author: - name diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index c7d7dbac736..c81572d739e 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe ApplicationSetting do - subject(:setting) { described_class.create_from_defaults } + let(:setting) { described_class.create_from_defaults } it { include(CacheableAttributes) } it { include(ApplicationSettingImplementation) } @@ -284,52 +284,6 @@ describe ApplicationSetting do expect(subject).to be_valid end end - - describe 'when external authorization service is enabled' do - before do - setting.external_authorization_service_enabled = true - end - - it { is_expected.not_to allow_value('not a URL').for(:external_authorization_service_url) } - it { is_expected.to allow_value('https://example.com').for(:external_authorization_service_url) } - it { is_expected.to allow_value('').for(:external_authorization_service_url) } - it { is_expected.not_to allow_value(nil).for(:external_authorization_service_default_label) } - it { is_expected.not_to allow_value(11).for(:external_authorization_service_timeout) } - it { is_expected.not_to allow_value(0).for(:external_authorization_service_timeout) } - it { is_expected.not_to allow_value('not a certificate').for(:external_auth_client_cert) } - it { is_expected.to allow_value('').for(:external_auth_client_cert) } - it { is_expected.to allow_value('').for(:external_auth_client_key) } - - context 'when setting a valid client certificate for external authorization' do - let(:certificate_data) { File.read('spec/fixtures/passphrase_x509_certificate.crt') } - - before do - setting.external_auth_client_cert = certificate_data - end - - it 'requires a valid client key when a certificate is set' do - expect(setting).not_to allow_value('fefefe').for(:external_auth_client_key) - end - - it 'requires a matching certificate' do - other_private_key = File.read('spec/fixtures/x509_certificate_pk.key') - - expect(setting).not_to allow_value(other_private_key).for(:external_auth_client_key) - end - - it 'the credentials are valid when the private key can be read and matches the certificate' do - tls_attributes = [:external_auth_client_key_pass, - :external_auth_client_key, - :external_auth_client_cert] - setting.external_auth_client_key = File.read('spec/fixtures/passphrase_x509_certificate_pk.key') - setting.external_auth_client_key_pass = '5iveL!fe' - - setting.validate - - expect(setting.errors).not_to include(*tls_attributes) - end - end - end end context 'restrict creating duplicates' do diff --git a/spec/models/concerns/protected_ref_access_spec.rb b/spec/models/concerns/protected_ref_access_spec.rb index f63ad958ed3..94798f0590d 100644 --- a/spec/models/concerns/protected_ref_access_spec.rb +++ b/spec/models/concerns/protected_ref_access_spec.rb @@ -3,8 +3,6 @@ require 'spec_helper' describe ProtectedRefAccess do - include ExternalAuthorizationServiceHelpers - subject(:protected_ref_access) do create(:protected_branch, :maintainers_can_push).push_access_levels.first end @@ -31,15 +29,5 @@ describe ProtectedRefAccess do expect(protected_ref_access.check_access(developer)).to be_falsy end - - context 'external authorization' do - it 'is false if external authorization denies access' do - maintainer = create(:user) - project.add_maintainer(maintainer) - external_service_deny_access(maintainer, project) - - expect(protected_ref_access.check_access(maintainer)).to be_falsey - end - end end end diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb index 0cd69cb4817..892dd053e39 100644 --- a/spec/models/issue_spec.rb +++ b/spec/models/issue_spec.rb @@ -3,8 +3,6 @@ require 'spec_helper' describe Issue do - include ExternalAuthorizationServiceHelpers - describe "Associations" do it { is_expected.to belong_to(:milestone) } it { is_expected.to have_many(:assignees) } @@ -781,47 +779,4 @@ describe Issue do it_behaves_like 'throttled touch' do subject { create(:issue, updated_at: 1.hour.ago) } end - - context 'when an external authentication service' do - before do - enable_external_authorization_service_check - end - - describe '#visible_to_user?' do - it 'is `false` when an external authorization service is enabled' do - issue = build(:issue, project: build(:project, :public)) - - expect(issue).not_to be_visible_to_user - end - - it 'checks the external service to determine if an issue is readable by a user' do - project = build(:project, :public, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false } - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external service if a user does not have access to the project' do - project = build(:project, :private, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external webservice for admins' do - issue = build(:issue) - user = build(:admin) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - issue.visible_to_user?(user) - end - end - end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 7222580e115..5eb31430ccd 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -5,7 +5,6 @@ require 'spec_helper' describe Project do include ProjectForksHelper include GitHelpers - include ExternalAuthorizationServiceHelpers it_behaves_like 'having unique enum values' @@ -4418,25 +4417,6 @@ describe Project do end end - describe '#external_authorization_classification_label' do - it 'falls back to the default when none is configured' do - enable_external_authorization_service_check - - expect(build(:project).external_authorization_classification_label) - .to eq('default_label') - end - - it 'returns the classification label if it was configured on the project' do - enable_external_authorization_service_check - - project = build(:project, - external_authorization_classification_label: 'hello') - - expect(project.external_authorization_classification_label) - .to eq('hello') - end - end - describe "#pages_https_only?" do subject { build(:project) } diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index 09be831dcd5..c03d95b34db 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe BasePolicy do - include ExternalAuthorizationServiceHelpers - describe '.class_for' do it 'detects policy class based on the subject ancestors' do expect(DeclarativePolicy.class_for(GenericCommitStatus.new)).to eq(CommitStatusPolicy) @@ -18,25 +16,4 @@ describe BasePolicy do expect(DeclarativePolicy.class_for(:global)).to eq(GlobalPolicy) end end - - describe 'read cross project' do - let(:current_user) { create(:user) } - let(:user) { create(:user) } - - subject { described_class.new(current_user, [user]) } - - it { is_expected.to be_allowed(:read_cross_project) } - - context 'when an external authorization service is enabled' do - before do - enable_external_authorization_service_check - end - - it { is_expected.not_to be_allowed(:read_cross_project) } - - it 'allows admins' do - expect(described_class.new(build(:admin), nil)).to be_allowed(:read_cross_project) - end - end - end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index b149dbcf871..008d118b557 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe IssuePolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:assignee) { create(:user) } @@ -206,21 +204,4 @@ describe IssuePolicy do end end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:issue) { create(:issue, project: project) } - let(:policies) { described_class.new(user, issue) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_issue_iid) - end - end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 81279225d61..1efa70addc2 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe MergeRequestPolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:developer) { create(:user) } @@ -49,21 +47,4 @@ describe MergeRequestPolicy do expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request) end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:merge_request) { create(:merge_request, source_project: project) } - let(:policies) { described_class.new(user, merge_request) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_merge_request_iid) - end - end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 42f8bf3137b..125ed818bc6 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe ProjectPolicy do - include ExternalAuthorizationServiceHelpers include_context 'ProjectPolicy context' set(:guest) { create(:user) } set(:reporter) { create(:user) } @@ -293,56 +292,4 @@ describe ProjectPolicy do projects: [clusterable]) end end - - context 'reading a project' do - it 'allows access when a user has read access to the repo' do - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'never checks the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - end - - context 'with an external authorization service' do - before do - enable_external_authorization_service_check - end - - it 'allows access when the external service allows it' do - external_service_allow_access(owner, project) - external_service_allow_access(developer, project) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - end - - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'prevents all but seeing a public project in a list when access is denied' do - [developer, owner, build(:user), nil].each do |user| - external_service_deny_access(user, project) - policy = described_class.new(user, project) - - expect(policy).not_to be_allowed(:read_project) - expect(policy).not_to be_allowed(:owner_access) - expect(policy).not_to be_allowed(:change_namespace) - end - end - - it 'passes the full path to external authorization for logging purposes' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original - - described_class.new(owner, project).allowed?(:read_project) - end - end - end end diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index 352ea448c00..2bfb17d9c9a 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do end describe API::Projects do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:user2) { create(:user) } let(:user3) { create(:user) } @@ -1338,39 +1336,6 @@ describe API::Projects do end end end - - context 'with external authorization' do - let(:project) do - create(:project, - namespace: user.namespace, - external_authorization_classification_label: 'the-label') - end - - context 'when the user has access to the project' do - before do - external_service_allow_access(user, project) - end - - it 'includes the label in the response' do - get api("/projects/#{project.id}", user) - - expect(response).to have_gitlab_http_status(200) - expect(json_response['external_authorization_classification_label']).to eq('the-label') - end - end - - context 'when the external service denies access' do - before do - external_service_deny_access(user, project) - end - - it 'returns a 404' do - get api("/projects/#{project.id}", user) - - expect(response).to have_gitlab_http_status(404) - end - end - end end describe 'GET /projects/:id/users' do @@ -1925,20 +1890,6 @@ describe API::Projects do expect(response).to have_gitlab_http_status(403) end end - - context 'when updating external classification' do - before do - enable_external_authorization_service_check - end - - it 'updates the classification label' do - put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' }) - - expect(response).to have_gitlab_http_status(200) - - expect(project.reload.external_authorization_classification_label).to eq('new label') - end - end end describe 'POST /projects/:id/archive' do diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb index 2d6b2d5da23..f33eb5b9e02 100644 --- a/spec/requests/api/settings_spec.rb +++ b/spec/requests/api/settings_spec.rb @@ -114,39 +114,6 @@ describe API::Settings, 'Settings' do expect(json_response['performance_bar_allowed_group_id']).to be_nil end - context 'external policy classification settings' do - let(:settings) do - { - external_authorization_service_enabled: true, - external_authorization_service_url: 'https://custom.service/', - external_authorization_service_default_label: 'default', - external_authorization_service_timeout: 9.99, - external_auth_client_cert: File.read('spec/fixtures/passphrase_x509_certificate.crt'), - external_auth_client_key: File.read('spec/fixtures/passphrase_x509_certificate_pk.key'), - external_auth_client_key_pass: "5iveL!fe" - } - end - let(:attribute_names) { settings.keys.map(&:to_s) } - - it 'includes the attributes in the API' do - get api("/application/settings", admin) - - expect(response).to have_gitlab_http_status(200) - attribute_names.each do |attribute| - expect(json_response.keys).to include(attribute) - end - end - - it 'allows updating the settings' do - put api("/application/settings", admin), params: settings - - expect(response).to have_gitlab_http_status(200) - settings.each do |attribute, value| - expect(ApplicationSetting.current.public_send(attribute)).to eq(value) - end - end - end - context "missing plantuml_url value when plantuml_enabled is true" do it "returns a blank parameter error message" do put api("/application/settings", admin), params: { plantuml_enabled: true } diff --git a/spec/serializers/group_child_entity_spec.rb b/spec/serializers/group_child_entity_spec.rb index b58d95ccb43..d02b4c554b1 100644 --- a/spec/serializers/group_child_entity_spec.rb +++ b/spec/serializers/group_child_entity_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe GroupChildEntity do - include ExternalAuthorizationServiceHelpers include Gitlab::Routing.url_helpers let(:user) { create(:user) } @@ -110,22 +109,4 @@ describe GroupChildEntity do it_behaves_like 'group child json' end - - describe 'for a project with external authorization enabled' do - let(:object) do - create(:project, :with_avatar, - description: 'Awesomeness') - end - - before do - enable_external_authorization_service_check - object.add_maintainer(user) - end - - it 'does not hit the external authorization service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(json[:can_edit]).to eq(false) - end - end end diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb index 258e5635113..a4a733eff77 100644 --- a/spec/services/application_settings/update_service_spec.rb +++ b/spec/services/application_settings/update_service_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe ApplicationSettings::UpdateService do - include ExternalAuthorizationServiceHelpers - let(:application_settings) { create(:application_setting) } let(:admin) { create(:user, :admin) } let(:params) { {} } @@ -145,37 +143,4 @@ describe ApplicationSettings::UpdateService do end end end - - context 'when external authorization is enabled' do - before do - enable_external_authorization_service_check - end - - it 'does not save the settings with an error if the service denies access' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(admin, 'new-label') { false } - - described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute - - expect(application_settings.errors[:external_authorization_service_default_label]).to be_present - end - - it 'saves the setting when the user has access to the label' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(admin, 'new-label') { true } - - described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute - - # Read the attribute directly to avoid the stub from - # `enable_external_authorization_service_check` - expect(application_settings[:external_authorization_service_default_label]).to eq('new-label') - end - - it 'does not validate the label if it was not passed' do - expect(::Gitlab::ExternalAuthorization) - .not_to receive(:access_allowed?) - - described_class.new(application_settings, admin, { home_page_url: 'http://foo.bar' }).execute - end - end end diff --git a/spec/services/notification_service_spec.rb b/spec/services/notification_service_spec.rb index 794a4b4ccd3..9ba4a11104a 100644 --- a/spec/services/notification_service_spec.rb +++ b/spec/services/notification_service_spec.rb @@ -2,7 +2,6 @@ require 'spec_helper' describe NotificationService, :mailer do include EmailSpec::Matchers - include ExternalAuthorizationServiceHelpers include NotificationHelpers let(:notification) { described_class.new } @@ -2218,46 +2217,6 @@ describe NotificationService, :mailer do end end - context 'with external authorization service' do - let(:issue) { create(:issue) } - let(:project) { issue.project } - let(:note) { create(:note, noteable: issue, project: project) } - let(:member) { create(:user) } - - subject { NotificationService.new } - - before do - project.add_maintainer(member) - member.global_notification_setting.update!(level: :watch) - end - - it 'sends email when the service is not enabled' do - expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original - - subject.new_issue(issue, member) - end - - context 'when the service is enabled' do - before do - enable_external_authorization_service_check - end - - it 'does not send an email' do - expect(Notify).not_to receive(:new_issue_email) - - subject.new_issue(issue, member) - end - - it 'still delivers email to admins' do - member.update!(admin: true) - - expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original - - subject.new_issue(issue, member) - end - end - end - def build_team(project) @u_watcher = create_global_setting_for(create(:user), :watch) @u_participating = create_global_setting_for(create(:user), :participating) diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb index e1ec932918e..e8418b09dc2 100644 --- a/spec/services/projects/create_service_spec.rb +++ b/spec/services/projects/create_service_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe Projects::CreateService, '#execute' do - include ExternalAuthorizationServiceHelpers include GitHelpers let(:gitlab_shell) { Gitlab::Shell.new } @@ -345,42 +344,6 @@ describe Projects::CreateService, '#execute' do expect(rugged.config['gitlab.fullpath']).to eq project.full_path end - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - end - - it 'does not save the project with an error if the service denies access' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'new-label', any_args) { false } - - project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' })) - - expect(project.errors[:external_authorization_classification_label]).to be_present - expect(project).not_to be_persisted - end - - it 'saves the project when the user has access to the label' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'new-label', any_args) { true } - - project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' })) - - expect(project).to be_persisted - expect(project.external_authorization_classification_label).to eq('new-label') - end - - it 'does not save the project when the user has no access to the default label and no label is provided' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'default_label', any_args) { false } - - project = create_project(user, opts) - - expect(project.errors[:external_authorization_classification_label]).to be_present - expect(project).not_to be_persisted - end - end - def create_project(user, opts) Projects::CreateService.new(user, opts).execute end diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb index 95eb17b5e3a..90eaea9c872 100644 --- a/spec/services/projects/update_service_spec.rb +++ b/spec/services/projects/update_service_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe Projects::UpdateService do - include ExternalAuthorizationServiceHelpers include ProjectForksHelper let(:user) { create(:user) } @@ -362,46 +361,6 @@ describe Projects::UpdateService do call_service end end - - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - end - - it 'does not save the project with an error if the service denies access' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'new-label') { false } - - result = update_project(project, user, { external_authorization_classification_label: 'new-label' }) - - expect(result[:message]).to be_present - expect(result[:status]).to eq(:error) - end - - it 'saves the new label if the service allows access' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'new-label') { true } - - result = update_project(project, user, { external_authorization_classification_label: 'new-label' }) - - expect(result[:status]).to eq(:success) - expect(project.reload.external_authorization_classification_label).to eq('new-label') - end - - it 'checks the default label when the classification label was cleared' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'default_label') { true } - - update_project(project, user, { external_authorization_classification_label: '' }) - end - - it 'does not check the label when it does not change' do - expect(::Gitlab::ExternalAuthorization) - .not_to receive(:access_allowed?) - - update_project(project, user, { name: 'New name' }) - end - end end describe '#run_auto_devops_pipeline?' do diff --git a/spec/support/external_authorization_service_helpers.rb b/spec/support/external_authorization_service_helpers.rb deleted file mode 100644 index 79dd9a3d58e..00000000000 --- a/spec/support/external_authorization_service_helpers.rb +++ /dev/null @@ -1,33 +0,0 @@ -module ExternalAuthorizationServiceHelpers - def enable_external_authorization_service_check - stub_application_setting(external_authorization_service_enabled: true) - - stub_application_setting(external_authorization_service_url: 'https://authorize.me') - stub_application_setting(external_authorization_service_default_label: 'default_label') - stub_request(:post, "https://authorize.me").to_return(status: 200) - end - - def external_service_set_access(allowed, user, project) - enable_external_authorization_service_check - classification_label = ::Gitlab::CurrentSettings.current_application_settings - .external_authorization_service_default_label - - # Reload the project so cached licensed features are reloaded - if project - classification_label = Project.find(project.id).external_authorization_classification_label - end - - allow(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?) - .with(user, classification_label, any_args) - .and_return(allowed) - end - - def external_service_allow_access(user, project = nil) - external_service_set_access(true, user, project) - end - - def external_service_deny_access(user, project = nil) - external_service_set_access(false, user, project) - end -end diff --git a/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb b/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb deleted file mode 100644 index 8dd78fd0a25..00000000000 --- a/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb +++ /dev/null @@ -1,40 +0,0 @@ -require 'spec_helper' - -shared_examples 'disabled when using an external authorization service' do - include ExternalAuthorizationServiceHelpers - - it 'works when the feature is not enabled' do - subject - - expect(response).to be_success - end - - it 'renders a 404 with a message when the feature is enabled' do - enable_external_authorization_service_check - - subject - - expect(response).to have_gitlab_http_status(403) - end -end - -shared_examples 'unauthorized when external service denies access' do - include ExternalAuthorizationServiceHelpers - - it 'allows access when the authorization service allows it' do - external_service_allow_access(user, project) - - subject - - # Account for redirects after updates - expect(response.status).to be_between(200, 302) - end - - it 'allows access when the authorization service denies it' do - external_service_deny_access(user, project) - - subject - - expect(response).to have_gitlab_http_status(403) - end -end diff --git a/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb b/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb deleted file mode 100644 index d7e17cc0b70..00000000000 --- a/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb +++ /dev/null @@ -1,30 +0,0 @@ -require 'spec_helper' - -shared_examples 'a finder with external authorization service' do - include ExternalAuthorizationServiceHelpers - - let(:user) { create(:user) } - let(:project) { create(:project) } - - before do - project.add_maintainer(user) - end - - it 'finds the subject' do - expect(described_class.new(user).execute).to include(subject) - end - - context 'with an external authorization service' do - before do - enable_external_authorization_service_check - end - - it 'does not include the subject when no project was given' do - expect(described_class.new(user).execute).not_to include(subject) - end - - it 'includes the subject when a project id was given' do - expect(described_class.new(user, project_params).execute).to include(subject) - end - end -end diff --git a/spec/validators/x509_certificate_credentials_validator_spec.rb b/spec/validators/x509_certificate_credentials_validator_spec.rb deleted file mode 100644 index 24ef68c1fab..00000000000 --- a/spec/validators/x509_certificate_credentials_validator_spec.rb +++ /dev/null @@ -1,87 +0,0 @@ -require 'spec_helper' - -describe X509CertificateCredentialsValidator do - let(:certificate_data) { File.read('spec/fixtures/x509_certificate.crt') } - let(:pkey_data) { File.read('spec/fixtures/x509_certificate_pk.key') } - - let(:validatable) do - Class.new do - include ActiveModel::Validations - - attr_accessor :certificate, :private_key, :passphrase - - def initialize(certificate, private_key, passphrase = nil) - @certificate, @private_key, @passphrase = certificate, private_key, passphrase - end - end - end - - subject(:validator) do - described_class.new(certificate: :certificate, pkey: :private_key) - end - - it 'is not valid when the certificate is not valid' do - record = validatable.new('not a certificate', nil) - - validator.validate(record) - - expect(record.errors[:certificate]).to include('is not a valid X509 certificate.') - end - - it 'is not valid without a certificate' do - record = validatable.new(nil, nil) - - validator.validate(record) - - expect(record.errors[:certificate]).not_to be_empty - end - - context 'when a valid certificate is passed' do - let(:record) { validatable.new(certificate_data, nil) } - - it 'does not track an error for the certificate' do - validator.validate(record) - - expect(record.errors[:certificate]).to be_empty - end - - it 'adds an error when not passing a correct private key' do - validator.validate(record) - - expect(record.errors[:private_key]).to include('could not read private key, is the passphrase correct?') - end - - it 'has no error when the private key is correct' do - record.private_key = pkey_data - - validator.validate(record) - - expect(record.errors).to be_empty - end - end - - context 'when using a passphrase' do - let(:passphrase_certificate_data) { File.read('spec/fixtures/passphrase_x509_certificate.crt') } - let(:passphrase_pkey_data) { File.read('spec/fixtures/passphrase_x509_certificate_pk.key') } - - let(:record) { validatable.new(passphrase_certificate_data, passphrase_pkey_data, '5iveL!fe') } - - subject(:validator) do - described_class.new(certificate: :certificate, pkey: :private_key, pass: :passphrase) - end - - it 'is valid with the correct data' do - validator.validate(record) - - expect(record.errors).to be_empty - end - - it 'adds an error when the passphrase is wrong' do - record.passphrase = 'wrong' - - validator.validate(record) - - expect(record.errors[:private_key]).not_to be_empty - end - end -end |