diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 14:59:03 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 14:59:03 +0300 |
commit | acd33ab4ff107fc73b9dd310ba65e60bd3119c0b (patch) | |
tree | a9c6d3ff3d12576287f7428a6056b248f842ec65 /spec | |
parent | fd646aa53df4e56be42afe5f7ae4c894430ddcc9 (diff) |
Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/admin/admin_users_impersonation_tokens_spec.rb | 12 | ||||
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 9 | ||||
-rw-r--r-- | spec/requests/admin/impersonation_tokens_controller_spec.rb | 38 | ||||
-rw-r--r-- | spec/requests/git_http_spec.rb | 26 |
4 files changed, 85 insertions, 0 deletions
diff --git a/spec/features/admin/admin_users_impersonation_tokens_spec.rb b/spec/features/admin/admin_users_impersonation_tokens_spec.rb index dc528dd92d4..0e9fe35faf7 100644 --- a/spec/features/admin/admin_users_impersonation_tokens_spec.rb +++ b/spec/features/admin/admin_users_impersonation_tokens_spec.rb @@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do expect(no_personal_access_tokens_message).to have_text("This user has no active impersonation tokens.") end end + + describe "impersonation disabled state" do + before do + stub_config_setting(impersonation_enabled: false) + end + + it "does not show impersonation tokens tab" do + visit admin_user_path(user) + + expect(page).not_to have_content("Impersonation Tokens") + end + end end diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index d529d4a96e1..1d708b17076 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do expect_results_with_abilities(impersonation_token, described_class.full_authentication_abilities) end + it 'fails if it is an impersonation token but impersonation is blocked' do + stub_config_setting(impersonation_enabled: false) + + impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api']) + + expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip')) + .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) + end + it 'limits abilities based on scope' do personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo]) diff --git a/spec/requests/admin/impersonation_tokens_controller_spec.rb b/spec/requests/admin/impersonation_tokens_controller_spec.rb new file mode 100644 index 00000000000..018f497e7e5 --- /dev/null +++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb @@ -0,0 +1,38 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Admin::ImpersonationTokensController, :enable_admin_mode do + let(:admin) { create(:admin) } + let!(:user) { create(:user) } + + before do + sign_in(admin) + end + + context "when impersonation is disabled" do + before do + stub_config_setting(impersonation_enabled: false) + end + + it "shows error page for index page" do + get admin_user_impersonation_tokens_path(user_id: user.username) + + expect(response).to have_gitlab_http_status(:not_found) + end + + it "responds with 404 for create action" do + post admin_user_impersonation_tokens_path(user_id: user.username) + + expect(response).to have_gitlab_http_status(:not_found) + end + + it "responds with 404 for revoke action" do + token = create(:personal_access_token, :impersonation, user: user) + + put revoke_admin_user_impersonation_token_path(user_id: user.username, id: token.id) + + expect(response).to have_gitlab_http_status(:not_found) + end + end +end diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb index 40005596c3e..b0351507852 100644 --- a/spec/requests/git_http_spec.rb +++ b/spec/requests/git_http_spec.rb @@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do end end end + + context 'when token is impersonated' do + context 'when impersonation is off' do + before do + stub_config_setting(impersonation_enabled: false) + end + + it 'responds to uploads with status 401 unauthorized' do + write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository]) + + upload(path, user: user.username, password: write_access_token.token) do |response| + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + + context 'when impersonation is on' do + it 'responds to uploads with status 200' do + write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository]) + + upload(path, user: user.username, password: write_access_token.token) do |response| + expect(response).to have_gitlab_http_status(:ok) + end + end + end + end end end |