Merge branch '24537-reenable-private-token-with-sudo' into 'master'

Reenables /user API request to return private-token if user is admin and requested with sudo ## What does this MR do? Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin. ## Screenshots (if relevant) Without **sudo**: ![Screen_Shot_2016-11-21_at_11.44.49](/uploads/ebecf95dbadaf4a159b80c61c75771d9/Screen_Shot_2016-11-21_at_11.44.49.png) With **sudo**: ![Screen_Shot_2016-11-21_at_11.45.52](/uploads/f25f9ddffcf2b921e9694e5a250191d3/Screen_Shot_2016-11-21_at_11.45.52.png) ## Does this MR meet the acceptance criteria? - [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [x] API support added - Tests - [x] Added for this feature/bug - [x] All builds are passing - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html) - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if it does - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) ## What are the relevant issue numbers? Closes #24537 See merge request !7615
author: Douwe Maan <douwe@gitlab.com> 2016-12-08 03:17:44 +0300
committer: Douwe Maan <douwe@gitlab.com> 2016-12-08 03:17:44 +0300
commit: cf2206eb2b16d12a1d9c18d47fc2105fbb650d33 (patch)
tree: 00f4f63354cd9664b1aa4e8d40403dc95d00fbd6 /spec
parent: e7b045eadaf315dc2ae4fc079af5d1199d3e5d25 (diff)
parent: 3ed96afc47c481db4f8c0a6581602abaee920808 (diff)
4 files changed, 312 insertions, 82 deletions
diff --git a/spec/fixtures/api/schemas/user/login.json b/spec/fixtures/api/schemas/user/login.json
new file mode 100644
index 00000000000..e6c1d9c9d84
--- /dev/null
+++ b/spec/fixtures/api/schemas/user/login.json
@@ -0,0 +1,37 @@
+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external",
+    "private_token"
+  ],
+  "properties": {
+    "$ref": "full.json",
+    "private_token": { "type": "string" }
+  }
+}
diff --git a/spec/fixtures/api/schemas/user/public.json b/spec/fixtures/api/schemas/user/public.json
new file mode 100644
index 00000000000..dbd5d32e89c
--- /dev/null
+++ b/spec/fixtures/api/schemas/user/public.json
@@ -0,0 +1,79 @@
+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "username": { "type": "string" },
+    "email": { 
+      "type": "string",
+      "pattern": "^[^@]+@[^@]+$"
+    },
+    "name": { "type": "string" },
+    "state": { 
+      "type": "string",
+      "enum": ["active", "blocked"] 
+    },
+    "avatar_url": { "type": "string" },
+    "web_url": { "type": "string" },
+    "created_at": { "type": "date" },
+    "is_admin": { "type": "boolean" },
+    "bio": { "type": ["string", "null"] },
+    "location": { "type": ["string", "null"] },
+    "skype": { "type": "string" },
+    "linkedin": { "type": "string" },
+    "twitter": { "type": "string "},
+    "website_url": { "type": "string" },
+    "organization": { "type": ["string", "null"] },
+    "last_sign_in_at": { "type": "date" },
+    "confirmed_at": { "type": ["date", "null"] },
+    "theme_id": { "type": "integer" },
+    "color_scheme_id": { "type": "integer" },
+    "projects_limit": { "type": "integer" },
+    "current_sign_in_at": { "type": "date" },
+    "identities": { 
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "provider": { 
+            "type": "string",
+            "enum": ["github", "bitbucket", "google_oauth2"] 
+          },
+          "extern_uid": { "type": ["number", "string"] }
+        }
+      }
+    },
+    "can_create_group": { "type": "boolean" },
+    "can_create_project": { "type": "boolean" },
+    "two_factor_enabled": { "type": "boolean" },
+    "external": { "type": "boolean" } 
+  }
+}
diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb
index 36517ad0f8c..3f34309f419 100644
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -153,85 +153,144 @@ describe API::Helpers, api: true do
       end
     end
 
-    it "changes current user to sudo when admin" do
-      set_env(admin, user.id)
-      expect(current_user).to eq(user)
-      set_param(admin, user.id)
-      expect(current_user).to eq(user)
-      set_env(admin, user.username)
-      expect(current_user).to eq(user)
-      set_param(admin, user.username)
-      expect(current_user).to eq(user)
-    end
+    context 'sudo usage' do
+      context 'with admin' do
+        context 'with header' do
+          context 'with id' do
+            it 'changes current_user to sudo' do
+              set_env(admin, user.id)
 
-    it "throws an error when the current user is not an admin and attempting to sudo" do
-      set_env(user, admin.id)
-      expect { current_user }.to raise_error(Exception)
-      set_param(user, admin.id)
-      expect { current_user }.to raise_error(Exception)
-      set_env(user, admin.username)
-      expect { current_user }.to raise_error(Exception)
-      set_param(user, admin.username)
-      expect { current_user }.to raise_error(Exception)
-    end
+              expect(current_user).to eq(user)
+            end
 
-    it "throws an error when the user cannot be found for a given id" do
-      id = user.id + admin.id
-      expect(user.id).not_to eq(id)
-      expect(admin.id).not_to eq(id)
-      set_env(admin, id)
-      expect { current_user }.to raise_error(Exception)
+            it 'handles sudo to oneself' do
+              set_env(admin, admin.id)
 
-      set_param(admin, id)
-      expect { current_user }.to raise_error(Exception)
-    end
+              expect(current_user).to eq(admin)
+            end
 
-    it "throws an error when the user cannot be found for a given username" do
-      username = "#{user.username}#{admin.username}"
-      expect(user.username).not_to eq(username)
-      expect(admin.username).not_to eq(username)
-      set_env(admin, username)
-      expect { current_user }.to raise_error(Exception)
+            it 'throws an error when user cannot be found' do
+              id = user.id + admin.id
+              expect(user.id).not_to eq(id)
+              expect(admin.id).not_to eq(id)
 
-      set_param(admin, username)
-      expect { current_user }.to raise_error(Exception)
-    end
+              set_env(admin, id)
 
-    it "handles sudo's to oneself" do
-      set_env(admin, admin.id)
-      expect(current_user).to eq(admin)
-      set_param(admin, admin.id)
-      expect(current_user).to eq(admin)
-      set_env(admin, admin.username)
-      expect(current_user).to eq(admin)
-      set_param(admin, admin.username)
-      expect(current_user).to eq(admin)
-    end
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
 
-    it "handles multiple sudo's to oneself" do
-      set_env(admin, user.id)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-      set_env(admin, user.username)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-
-      set_param(admin, user.id)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-      set_param(admin, user.username)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-    end
+          context 'with username' do
+            it 'changes current_user to sudo' do
+              set_env(admin, user.username)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_env(admin, admin.username)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it "throws an error when the user cannot be found for a given username" do
+              username = "#{user.username}#{admin.username}"
+              expect(user.username).not_to eq(username)
+              expect(admin.username).not_to eq(username)
+
+              set_env(admin, username)
+
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+        end
+
+        context 'with param' do
+          context 'with id' do
+            it 'changes current_user to sudo' do
+              set_param(admin, user.id)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_param(admin, admin.id)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it 'handles sudo to oneself using string' do
+              set_env(admin, user.id.to_s)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'throws an error when user cannot be found' do
+              id = user.id + admin.id
+              expect(user.id).not_to eq(id)
+              expect(admin.id).not_to eq(id)
 
-    it "handles multiple sudo's to oneself using string ids" do
-      set_env(admin, user.id.to_s)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
+              set_param(admin, id)
 
-      set_param(admin, user.id.to_s)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+
+          context 'with username' do
+            it 'changes current_user to sudo' do
+              set_param(admin, user.username)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_param(admin, admin.username)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it "throws an error when the user cannot be found for a given username" do
+              username = "#{user.username}#{admin.username}"
+              expect(user.username).not_to eq(username)
+              expect(admin.username).not_to eq(username)
+
+              set_param(admin, username)
+
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+        end
+      end
+
+      context 'with regular user' do
+        context 'with env' do
+          it 'changes current_user to sudo when admin and user id' do
+            set_env(user, admin.id)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+
+          it 'changes current_user to sudo when admin and user username' do
+            set_env(user, admin.username)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+        end
+
+        context 'with params' do
+          it 'changes current_user to sudo when admin and user id' do
+            set_param(user, admin.id)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+
+          it 'changes current_user to sudo when admin and user username' do
+            set_param(user, admin.username)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+        end
+      end
     end
   end
 
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index f82f52e7399..c37dbfa0a33 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -651,20 +651,75 @@ describe API::Users, api: true  do
   end
 
   describe "GET /user" do
-    it "returns current user" do
-      get api("/user", user)
-      expect(response).to have_http_status(200)
-      expect(json_response['email']).to eq(user.email)
-      expect(json_response['is_admin']).to eq(user.is_admin?)
-      expect(json_response['can_create_project']).to eq(user.can_create_project?)
-      expect(json_response['can_create_group']).to eq(user.can_create_group?)
-      expect(json_response['projects_limit']).to eq(user.projects_limit)
-      expect(json_response['private_token']).to be_blank
+    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let(:private_token) { user.private_token }
+
+    context 'with regular user' do
+      context 'with personal access token' do
+        it 'returns 403 without private token when sudo is defined' do
+          get api("/user?private_token=#{personal_access_token.token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+      end
+
+      context 'with private token' do
+        it 'returns 403 without private token when sudo defined' do
+          get api("/user?private_token=#{private_token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+      end
+
+      it 'returns current user without private token when sudo not defined' do
+        get api("/user", user)
+
+        expect(response).to have_http_status(200)
+        expect(response).to match_response_schema('user/public')
+      end
     end
 
-    it "returns 401 error if user is unauthenticated" do
-      get api("/user")
-      expect(response).to have_http_status(401)
+    context 'with admin' do
+      let(:user) { create(:admin) }
+
+      context 'with personal access token' do
+        it 'returns 403 without private token when sudo defined' do
+          get api("/user?private_token=#{personal_access_token.token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+
+        it 'returns current user without private token when sudo not defined' do
+          get api("/user?private_token=#{personal_access_token.token}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/public')
+        end
+      end
+
+      context 'with private token' do
+        it 'returns current user with private token when sudo defined' do
+          get api("/user?private_token=#{private_token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/login')
+        end
+
+        it 'returns current user without private token when sudo not defined' do
+          get api("/user?private_token=#{private_token}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/public')
+        end
+      end
+    end
+
+    context 'with unauthenticated user' do
+      it "returns 401 error if user is unauthenticated" do
+        get api("/user")
+
+        expect(response).to have_http_status(401)
+      end
     end
   end
author	Douwe Maan <douwe@gitlab.com>	2016-12-08 03:17:44 +0300
committer	Douwe Maan <douwe@gitlab.com>	2016-12-08 03:17:44 +0300
commit	cf2206eb2b16d12a1d9c18d47fc2105fbb650d33 (patch)
tree	00f4f63354cd9664b1aa4e8d40403dc95d00fbd6 /spec
parent	e7b045eadaf315dc2ae4fc079af5d1199d3e5d25 (diff)
parent	3ed96afc47c481db4f8c0a6581602abaee920808 (diff)