
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'spec/requests/api/keys_spec.rb')
-rw-r--r--spec/requests/api/keys_spec.rb47
1 files changed, 24 insertions, 23 deletions
diff --git a/spec/requests/api/keys_spec.rb b/spec/requests/api/keys_spec.rb
index d9a0f061156..3f600d24891 100644
--- a/spec/requests/api/keys_spec.rb
+++ b/spec/requests/api/keys_spec.rb
@@ -2,31 +2,35 @@
require 'spec_helper'
-RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
+RSpec.describe API::Keys, :aggregate_failures, feature_category: :system_access do
let_it_be(:user) { create(:user) }
let_it_be(:admin) { create(:admin) }
let_it_be(:email) { create(:email, user: user) }
let_it_be(:key) { create(:rsa_key_4096, user: user, expires_at: 1.day.from_now) }
let_it_be(:fingerprint_md5) { 'df:73:db:29:3c:a5:32:cf:09:17:7e:8e:9d:de:d7:f7' }
+ let_it_be(:path) { "/keys/#{key.id}" }
describe 'GET /keys/:uid' do
+ it_behaves_like 'GET request permissions for admin mode'
+
context 'when unauthenticated' do
it 'returns authentication error' do
- get api("/keys/#{key.id}")
+ get api(path)
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
context 'when authenticated' do
it 'returns 404 for non-existing key' do
- get api('/keys/0', admin)
+ get api('/keys/0', admin, admin_mode: true)
+
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Not found')
end
it 'returns single ssh key with user information' do
- get api("/keys/#{key.id}", admin)
- expect(response).to have_gitlab_http_status(:ok)
+ get api(path, admin, admin_mode: true)
+
expect(json_response['title']).to eq(key.title)
expect(Time.parse(json_response['expires_at'])).to be_like_time(key.expires_at)
expect(json_response['user']['id']).to eq(user.id)
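Review bot: The example 'returns single ssh key with user information' no longer asserts the response status, because the commit drops `expect(response).to have_gitlab_http_status(:ok)` and goes straight to the `json_response` field checks. The shared example 'GET request permissions for admin mode' presumably covers the 200 for an admin in admin mode, but its definition is not visible in this diff, and a non-200 response would now surface only as a `nil` mismatch on `json_response['title']`. I would keep the status line as the first expectation after `get api(path, admin, admin_mode: true)`; with `:aggregate_failures` enabled it costs nothing and makes an authorization regression obvious. The same removal occurs in 'returns user if SSH md5 fingerprint found' in the `GET /keys?fingerprint=` hunk, and this example's body continues past the end of the hunk.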
@@ -34,7 +38,7 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
end
it "does not include the user's `is_admin` flag" do
- get api("/keys/#{key.id}", admin)
+ get api(path, admin, admin_mode: true)
expect(json_response['user']['is_admin']).to be_nil
end
@@ -42,31 +46,28 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
end
describe 'GET /keys?fingerprint=' do
- it 'returns authentication error' do
- get api("/keys?fingerprint=#{fingerprint_md5}")
+ let_it_be(:path) { "/keys?fingerprint=#{fingerprint_md5}" }
- expect(response).to have_gitlab_http_status(:unauthorized)
- end
+ it_behaves_like 'GET request permissions for admin mode'
- it 'returns authentication error when authenticated as user' do
- get api("/keys?fingerprint=#{fingerprint_md5}", user)
+ it 'returns authentication error' do
+ get api(path, admin_mode: true)
- expect(response).to have_gitlab_http_status(:forbidden)
+ expect(response).to have_gitlab_http_status(:unauthorized)
end
context 'when authenticated as admin' do
context 'MD5 fingerprint' do
it 'returns 404 for non-existing SSH md5 fingerprint' do
- get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin)
+ get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Key Not Found')
end
it 'returns user if SSH md5 fingerprint found' do
- get api("/keys?fingerprint=#{fingerprint_md5}", admin)
+ get api(path, admin, admin_mode: true)
- expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
expect(json_response['user']['id']).to eq(user.id)
expect(json_response['user']['username']).to eq(user.username)
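Review bot: The unauthenticated example now calls `get api(path, admin_mode: true)` with no user, so `admin_mode: true` appears to have nothing to act on and suggests that admin mode matters for the 401. `get api(path)`, as used by the 'when unauthenticated' example under `GET /keys/:uid`, states the intent more clearly. Separately, the explicit 'returns authentication error when authenticated as user' example (403 for a regular user) is deleted, so that coverage now rests entirely on `it_behaves_like 'GET request permissions for admin mode'`, which is defined outside this diff. It is worth confirming that the shared example asserts `:forbidden` both for a non-admin user and for an admin without admin mode, since that is the authorization boundary this endpoint enforces.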
@@ -74,14 +75,14 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
context 'with FIPS mode', :fips_mode do
it 'returns 404 for non-existing SSH md5 fingerprint' do
- get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin)
+ get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq('Failed to return the key')
end
it 'returns 404 for existing SSH md5 fingerprint' do
- get api("/keys?fingerprint=#{fingerprint_md5}", admin)
+ get api(path, admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq('Failed to return the key')
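Review bot: Both FIPS-mode examples are titled 'returns 404 for ... SSH md5 fingerprint' but assert `have_gitlab_http_status(:bad_request)` and the message 'Failed to return the key'. Since these examples are being touched anyway, the descriptions could be corrected to `it 'returns 400 for non-existing SSH md5 fingerprint' do` and `it 'returns 400 for existing SSH md5 fingerprint' do`. A failure report would then name the behaviour actually expected when MD5 fingerprints are rejected. The second example's body continues outside the hunk.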
@@ -90,14 +91,14 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
end
it 'returns 404 for non-existing SSH sha256 fingerprint' do
- get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:nUhzNyftwADy8AH3wFY31tAKs7HufskYTte2aXo1lCg")}", admin)
+ get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:nUhzNyftwADy8AH3wFY31tAKs7HufskYTte2aXo1lCg")}", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Key Not Found')
end
it 'returns user if SSH sha256 fingerprint found' do
- get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:" + key.fingerprint_sha256)}", admin)
+ get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:" + key.fingerprint_sha256)}", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
@@ -106,7 +107,7 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
end
it 'returns user if SSH sha256 fingerprint found' do
- get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin)
+ get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
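Review bot: This example shares its description, 'returns user if SSH sha256 fingerprint found', with the preceding one and differs only in the lowercase `sha256:` prefix passed to the lookup. A title such as `it 'returns user if SSH sha256 fingerprint with lowercase prefix found' do` would make the prefix handling the stated subject of the test. It would also keep the two examples distinguishable in failure output. The example body continues outside the hunk.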
@@ -115,7 +116,7 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
end
it "does not include the user's `is_admin` flag" do
- get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin)
+ get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin, admin_mode: true)
expect(json_response['user']['is_admin']).to be_nil
end
@@ -136,7 +137,7 @@ RSpec.describe API::Keys, feature_category: :authentication_and_authorization do
it 'returns user and projects if SSH sha256 fingerprint for DeployKey found' do
user.keys << deploy_key
- get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:" + deploy_key.fingerprint_sha256)}", admin)
+ get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:" + deploy_key.fingerprint_sha256)}", admin, admin_mode: true)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(deploy_key.title)