Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/lib/gitlab/auth_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r--spec/lib/gitlab/auth_spec.rb145
1 files changed, 85 insertions, 60 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index f5b9555916c..020089b3880 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -8,6 +8,8 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
let(:auth_failure) { { actor: nil, project: nil, type: nil, authentication_abilities: nil } }
let(:gl_auth) { described_class }
+ let(:request) { instance_double(ActionDispatch::Request, ip: 'ip') }
+
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
expect(subject::API_SCOPES).to match_array %i[api read_user read_api create_runner k8s_proxy]
@@ -202,7 +204,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
context 'when IP is already banned' do
- subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, ip: 'ip') }
+ subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, request: request) }
before do
expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
@@ -223,7 +225,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(rate_limiter).not_to receive(:reset!)
end
- gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: 'ip')
+ gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request)
end
it 'skips rate limiting for failed auth' do
@@ -231,7 +233,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(rate_limiter).not_to receive(:register_fail!)
end
- gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, ip: 'ip')
+ gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, request: request)
end
end
@@ -243,7 +245,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(rate_limiter).to receive(:reset!)
end
- gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)
end
it 'rate limits a user by unique IPs' do
@@ -252,7 +254,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
expect(Gitlab::Auth::UniqueIpsLimiter).to receive(:limit_user!).twice.and_call_original
- gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)
end
it 'registers failure for failed auth' do
@@ -260,13 +262,36 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(rate_limiter).to receive(:register_fail!)
end
- gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request)
+ end
+
+ context 'when failure goes over threshold' do
+ let(:request) { instance_double(ActionDispatch::Request, fullpath: '/some/project.git/info/refs', request_method: 'GET', ip: 'ip') }
+
+ before do
+ expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
+ expect(rate_limiter).to receive(:register_fail!).and_return(true)
+ end
+ end
+
+ it 'logs a message' do
+ expect(Gitlab::AuthLogger).to receive(:error).with(
+ message: include('IP has been temporarily banned from Git auth'),
+ env: :blocklist,
+ remote_ip: request.ip,
+ request_method: request.request_method,
+ path: request.fullpath,
+ login: user.username
+ )
+
+ gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request)
+ end
end
end
end
context 'build token' do
- subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') }
+ subject { gl_auth.find_for_git_client(username, build.token, project: project, request: request) }
let(:username) { 'gitlab-ci-token' }
@@ -344,20 +369,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
project.create_drone_ci_integration(active: true)
project.drone_ci_integration.update!(token: 'token', drone_url: generate(:url))
- expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
+ expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, request: request)).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
end
it 'recognizes master passwords' do
user = create(:user)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
include_examples 'user login operation with unique ip limit' do
let(:user) { create(:user) }
def operation
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -366,14 +391,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
user = create(:user)
token = Gitlab::LfsToken.new(user).token
- expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, token, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities)
end
it 'recognizes deploy key lfs tokens' do
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
end
it 'does not try password auth before oauth' do
@@ -382,7 +407,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(gl_auth).not_to receive(:find_with_user_password)
- gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, token, project: nil, request: request)
end
it 'grants deploy key write permissions' do
@@ -390,14 +415,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
create(:deploy_keys_project, :write_access, deploy_key: key, project: project)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities)
end
it 'does not grant deploy key write permissions' do
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
end
end
@@ -409,7 +434,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'fails' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api')
- expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -436,7 +461,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'authenticates with correct abilities' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: scopes)
- expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :oauth, authentication_abilities: abilities)
end
end
@@ -447,7 +472,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(gl_auth).not_to receive(:find_with_user_password)
- gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request)
end
context 'blocked user' do
@@ -513,7 +538,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
- expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -536,7 +561,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
it 'fails if user is blocked' do
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -544,19 +569,19 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
context 'when using a resource access token' do
shared_examples 'with a valid access token' do
it 'successfully authenticates the project bot' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities)
end
it 'successfully authenticates the project bot with a nil project' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, request: request))
.to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities)
end
end
shared_examples 'with an invalid access token' do
it 'fails for a non-member' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
@@ -566,7 +591,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
it 'fails for a blocked project bot' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -637,7 +662,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'updates last_used_at column if token is valid' do
personal_access_token = create(:personal_access_token, scopes: ['write_repository'])
- expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip') }.to change { personal_access_token.reload.last_used_at }
+ expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request) }.to change { personal_access_token.reload.last_used_at }
end
end
@@ -649,7 +674,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
username: 'normal_user'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -665,14 +690,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'fails if grace period expired' do
stub_application_setting(two_factor_grace_period: 0)
- expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+ expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) }
.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
it 'goes through if grace period is not expired yet' do
stub_application_setting(two_factor_grace_period: 72)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -683,7 +708,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
it 'fails' do
- expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+ expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) }
.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
end
@@ -694,7 +719,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
username: 'normal_user'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
@@ -704,7 +729,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
username: 'oauth2'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -712,34 +737,34 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'returns double nil for invalid credentials' do
login = 'foo'
- expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: 'ip')).to have_attributes(auth_failure)
+ expect(gl_auth.find_for_git_client(login, 'bar', project: nil, request: request)).to have_attributes(auth_failure)
end
it 'throws an error suggesting user create a PAT when internal auth is disabled' do
allow_any_instance_of(ApplicationSetting).to receive(:password_authentication_enabled_for_git?) { false }
- expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, ip: 'ip') }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
+ expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, request: request) }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
context 'while using deploy tokens' do
shared_examples 'registry token scope' do
it 'fails when login is not valid' do
- expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails when token is not valid' do
- expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is nil' do
- expect(gl_auth.find_for_git_client(login, nil, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, nil, project: nil, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is not related to project' do
- expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -747,7 +772,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
deploy_token.revoke!
expect(deploy_token.revoked?).to be_truthy
- expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -759,7 +784,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
it 'fails when login and token are valid' do
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -768,7 +793,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
let(:project) { create(:project, :repository_disabled) }
it 'fails when login and token are valid' do
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -782,14 +807,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'succeeds for the token' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'succeeds for the user' do
auth_success = { actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities }
- expect(gl_auth.find_for_git_client(username, user.password, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(username, user.password, project: project, request: request))
.to have_attributes(auth_success)
end
end
@@ -801,12 +826,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
let(:auth_success) { { actor: read_repository, project: project, type: :deploy_token, authentication_abilities: [:download_code] } }
it 'succeeds for the right token' do
- expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'fails for the wrong token' do
- expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, request: request))
.not_to have_attributes(auth_success)
end
end
@@ -819,12 +844,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
let(:auth_success) { { actor: read_repository, project: other_project, type: :deploy_token, authentication_abilities: [:download_code] } }
it 'succeeds for the right token' do
- expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, request: request))
.to have_attributes(auth_success)
end
it 'fails for the wrong token' do
- expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, request: request))
.not_to have_attributes(auth_success)
end
end
@@ -837,7 +862,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'succeeds when login and token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -845,34 +870,34 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
deploy_token = create(:deploy_token, username: 'deployer', read_registry: false, projects: [project])
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'does not attempt to rate limit unique IPs for a deploy token' do
expect(Gitlab::Auth::UniqueIpsLimiter).not_to receive(:limit_user!)
- gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')
+ gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)
end
it 'fails when login is not valid' do
- expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails when token is not valid' do
- expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is nil' do
- expect(gl_auth.find_for_git_client(login, nil, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, nil, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is not related to project' do
another_deploy_token = create(:deploy_token)
- expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
@@ -880,7 +905,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
deploy_token.revoke!
expect(deploy_token.revoked?).to be_truthy
- expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -890,7 +915,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
let(:deploy_token) { create(:deploy_token, :group, read_repository: true, groups: [project_with_group.group]) }
let(:login) { deploy_token.username }
- subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, ip: 'ip') }
+ subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, request: request) }
it 'succeeds when login and a group deploy token are valid' do
auth_success = { actor: deploy_token, project: project_with_group, type: :deploy_token, authentication_abilities: [:download_code, :read_container_image] }
@@ -901,7 +926,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'fails if token is not related to group' do
another_deploy_token = create(:deploy_token, :group, read_repository: true)
- expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, request: request))
.to have_attributes(auth_failure)
end
end
@@ -918,7 +943,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'succeeds when login and a project token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:read_container_image] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -940,7 +965,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
it 'succeeds when login and a project token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:create_container_image] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -953,7 +978,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
end
describe '#build_access_token_check' do
- subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: '1.2.3.4') }
+ subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request) }
let_it_be(:user) { create(:user) }
@@ -1143,7 +1168,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
private
def expect_results_with_abilities(personal_access_token, abilities, success = true)
- expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, request: request))
.to have_attributes(actor: personal_access_token&.user, project: nil, type: personal_access_token.nil? ? nil : :personal_access_token, authentication_abilities: abilities)
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-01 12:02:25 +0300