diff options
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 145 |
1 files changed, 85 insertions, 60 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index f5b9555916c..020089b3880 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -8,6 +8,8 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate let(:auth_failure) { { actor: nil, project: nil, type: nil, authentication_abilities: nil } } let(:gl_auth) { described_class } + let(:request) { instance_double(ActionDispatch::Request, ip: 'ip') } + describe 'constants' do it 'API_SCOPES contains all scopes for API access' do expect(subject::API_SCOPES).to match_array %i[api read_user read_api create_runner k8s_proxy] @@ -202,7 +204,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end context 'when IP is already banned' do - subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, ip: 'ip') } + subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, request: request) } before do expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter| @@ -223,7 +225,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(rate_limiter).not_to receive(:reset!) end - gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: 'ip') + gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request) end it 'skips rate limiting for failed auth' do @@ -231,7 +233,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(rate_limiter).not_to receive(:register_fail!) end - gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, ip: 'ip') + gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, request: request) end end @@ -243,7 +245,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(rate_limiter).to receive(:reset!) end - gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') + gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) end it 'rate limits a user by unique IPs' do @@ -252,7 +254,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end expect(Gitlab::Auth::UniqueIpsLimiter).to receive(:limit_user!).twice.and_call_original - gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') + gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) end it 'registers failure for failed auth' do @@ -260,13 +262,36 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(rate_limiter).to receive(:register_fail!) end - gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, ip: 'ip') + gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request) + end + + context 'when failure goes over threshold' do + let(:request) { instance_double(ActionDispatch::Request, fullpath: '/some/project.git/info/refs', request_method: 'GET', ip: 'ip') } + + before do + expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter| + expect(rate_limiter).to receive(:register_fail!).and_return(true) + end + end + + it 'logs a message' do + expect(Gitlab::AuthLogger).to receive(:error).with( + message: include('IP has been temporarily banned from Git auth'), + env: :blocklist, + remote_ip: request.ip, + request_method: request.request_method, + path: request.fullpath, + login: user.username + ) + + gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request) + end end end end context 'build token' do - subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') } + subject { gl_auth.find_for_git_client(username, build.token, project: project, request: request) } let(:username) { 'gitlab-ci-token' } @@ -344,20 +369,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate project.create_drone_ci_integration(active: true) project.drone_ci_integration.update!(token: 'token', drone_url: generate(:url)) - expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities) + expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, request: request)).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities) end it 'recognizes master passwords' do user = create(:user) - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) end include_examples 'user login operation with unique ip limit' do let(:user) { create(:user) } def operation - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) end end @@ -366,14 +391,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate user = create(:user) token = Gitlab::LfsToken.new(user).token - expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities) + expect(gl_auth.find_for_git_client(user.username, token, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities) end it 'recognizes deploy key lfs tokens' do key = create(:deploy_key) token = Gitlab::LfsToken.new(key).token - expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities) + expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities) end it 'does not try password auth before oauth' do @@ -382,7 +407,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(gl_auth).not_to receive(:find_with_user_password) - gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip') + gl_auth.find_for_git_client(user.username, token, project: nil, request: request) end it 'grants deploy key write permissions' do @@ -390,14 +415,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate create(:deploy_keys_project, :write_access, deploy_key: key, project: project) token = Gitlab::LfsToken.new(key).token - expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities) + expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities) end it 'does not grant deploy key write permissions' do key = create(:deploy_key) token = Gitlab::LfsToken.new(key).token - expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities) + expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities) end end @@ -409,7 +434,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'fails' do access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') - expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request)) .to have_attributes(auth_failure) end end @@ -436,7 +461,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'authenticates with correct abilities' do access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: scopes) - expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request)) .to have_attributes(actor: user, project: nil, type: :oauth, authentication_abilities: abilities) end end @@ -447,7 +472,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(gl_auth).not_to receive(:find_with_user_password) - gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip') + gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request) end context 'blocked user' do @@ -513,7 +538,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api']) - expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, request: request)) .to have_attributes(auth_failure) end @@ -536,7 +561,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end it 'fails if user is blocked' do - expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request)) .to have_attributes(auth_failure) end end @@ -544,19 +569,19 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate context 'when using a resource access token' do shared_examples 'with a valid access token' do it 'successfully authenticates the project bot' do - expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request)) .to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities) end it 'successfully authenticates the project bot with a nil project' do - expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, request: request)) .to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities) end end shared_examples 'with an invalid access token' do it 'fails for a non-member' do - expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request)) .to have_attributes(auth_failure) end @@ -566,7 +591,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end it 'fails for a blocked project bot' do - expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request)) .to have_attributes(auth_failure) end end @@ -637,7 +662,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'updates last_used_at column if token is valid' do personal_access_token = create(:personal_access_token, scopes: ['write_repository']) - expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip') }.to change { personal_access_token.reload.last_used_at } + expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request) }.to change { personal_access_token.reload.last_used_at } end end @@ -649,7 +674,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate username: 'normal_user' ) - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)) .to have_attributes(auth_failure) end @@ -665,14 +690,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'fails if grace period expired' do stub_application_setting(two_factor_grace_period: 0) - expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') } + expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) } .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) end it 'goes through if grace period is not expired yet' do stub_application_setting(two_factor_grace_period: 72) - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)) .to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) end end @@ -683,7 +708,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end it 'fails' do - expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') } + expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) } .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) end end @@ -694,7 +719,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate username: 'normal_user' ) - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)) .to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) end @@ -704,7 +729,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate username: 'oauth2' ) - expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)) .to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) end end @@ -712,34 +737,34 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'returns double nil for invalid credentials' do login = 'foo' - expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: 'ip')).to have_attributes(auth_failure) + expect(gl_auth.find_for_git_client(login, 'bar', project: nil, request: request)).to have_attributes(auth_failure) end it 'throws an error suggesting user create a PAT when internal auth is disabled' do allow_any_instance_of(ApplicationSetting).to receive(:password_authentication_enabled_for_git?) { false } - expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, ip: 'ip') }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) + expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, request: request) }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) end context 'while using deploy tokens' do shared_examples 'registry token scope' do it 'fails when login is not valid' do - expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request)) .to have_attributes(auth_failure) end it 'fails when token is not valid' do - expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request)) .to have_attributes(auth_failure) end it 'fails if token is nil' do - expect(gl_auth.find_for_git_client(login, nil, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, nil, project: nil, request: request)) .to have_attributes(auth_failure) end it 'fails if token is not related to project' do - expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, request: request)) .to have_attributes(auth_failure) end @@ -747,7 +772,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate deploy_token.revoke! expect(deploy_token.revoked?).to be_truthy - expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, request: request)) .to have_attributes(auth_failure) end end @@ -759,7 +784,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end it 'fails when login and token are valid' do - expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, request: request)) .to have_attributes(auth_failure) end end @@ -768,7 +793,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate let(:project) { create(:project, :repository_disabled) } it 'fails when login and token are valid' do - expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)) .to have_attributes(auth_failure) end end @@ -782,14 +807,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'succeeds for the token' do auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] } - expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, request: request)) .to have_attributes(auth_success) end it 'succeeds for the user' do auth_success = { actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities } - expect(gl_auth.find_for_git_client(username, user.password, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(username, user.password, project: project, request: request)) .to have_attributes(auth_success) end end @@ -801,12 +826,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate let(:auth_success) { { actor: read_repository, project: project, type: :deploy_token, authentication_abilities: [:download_code] } } it 'succeeds for the right token' do - expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, request: request)) .to have_attributes(auth_success) end it 'fails for the wrong token' do - expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, request: request)) .not_to have_attributes(auth_success) end end @@ -819,12 +844,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate let(:auth_success) { { actor: read_repository, project: other_project, type: :deploy_token, authentication_abilities: [:download_code] } } it 'succeeds for the right token' do - expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, request: request)) .to have_attributes(auth_success) end it 'fails for the wrong token' do - expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, request: request)) .not_to have_attributes(auth_success) end end @@ -837,7 +862,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'succeeds when login and token are valid' do auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] } - expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)) .to have_attributes(auth_success) end @@ -845,34 +870,34 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate deploy_token = create(:deploy_token, username: 'deployer', read_registry: false, projects: [project]) auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] } - expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, request: request)) .to have_attributes(auth_success) end it 'does not attempt to rate limit unique IPs for a deploy token' do expect(Gitlab::Auth::UniqueIpsLimiter).not_to receive(:limit_user!) - gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip') + gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request) end it 'fails when login is not valid' do - expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request)) .to have_attributes(auth_failure) end it 'fails when token is not valid' do - expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request)) .to have_attributes(auth_failure) end it 'fails if token is nil' do - expect(gl_auth.find_for_git_client(login, nil, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, nil, project: project, request: request)) .to have_attributes(auth_failure) end it 'fails if token is not related to project' do another_deploy_token = create(:deploy_token) - expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, request: request)) .to have_attributes(auth_failure) end @@ -880,7 +905,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate deploy_token.revoke! expect(deploy_token.revoked?).to be_truthy - expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, request: request)) .to have_attributes(auth_failure) end end @@ -890,7 +915,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate let(:deploy_token) { create(:deploy_token, :group, read_repository: true, groups: [project_with_group.group]) } let(:login) { deploy_token.username } - subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, ip: 'ip') } + subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, request: request) } it 'succeeds when login and a group deploy token are valid' do auth_success = { actor: deploy_token, project: project_with_group, type: :deploy_token, authentication_abilities: [:download_code, :read_container_image] } @@ -901,7 +926,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'fails if token is not related to group' do another_deploy_token = create(:deploy_token, :group, read_repository: true) - expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, ip: 'ip')) + expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, request: request)) .to have_attributes(auth_failure) end end @@ -918,7 +943,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'succeeds when login and a project token are valid' do auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:read_container_image] } - expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)) .to have_attributes(auth_success) end @@ -940,7 +965,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it 'succeeds when login and a project token are valid' do auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:create_container_image] } - expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')) + expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)) .to have_attributes(auth_success) end @@ -953,7 +978,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end describe '#build_access_token_check' do - subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: '1.2.3.4') } + subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request) } let_it_be(:user) { create(:user) } @@ -1143,7 +1168,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate private def expect_results_with_abilities(personal_access_token, abilities, success = true) - expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip')) + expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, request: request)) .to have_attributes(actor: personal_access_token&.user, project: nil, type: personal_access_token.nil? ? nil : :personal_access_token, authentication_abilities: abilities) end end |