diff options
Diffstat (limited to 'spec/requests/api/resource_access_tokens_spec.rb')
-rw-r--r-- | spec/requests/api/resource_access_tokens_spec.rb | 112 |
1 files changed, 104 insertions, 8 deletions
diff --git a/spec/requests/api/resource_access_tokens_spec.rb b/spec/requests/api/resource_access_tokens_spec.rb index 6a89e9a56df..ce05fa2b383 100644 --- a/spec/requests/api/resource_access_tokens_spec.rb +++ b/spec/requests/api/resource_access_tokens_spec.rb @@ -2,7 +2,7 @@ require "spec_helper" -RSpec.describe API::ResourceAccessTokens, feature_category: :authentication_and_authorization do +RSpec.describe API::ResourceAccessTokens, feature_category: :system_access do let_it_be(:user) { create(:user) } let_it_be(:user_non_priviledged) { create(:user) } @@ -336,13 +336,33 @@ RSpec.describe API::ResourceAccessTokens, feature_category: :authentication_and_ context "when 'expires_at' is not set" do let(:expires_at) { nil } - it "creates a #{source_type} access token with the params", :aggregate_failures do - create_token + context 'when default_pat_expiration feature flag is true' do + it "creates a #{source_type} access token with the default expires_at value", :aggregate_failures do + freeze_time do + create_token + expires_at = PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now + + expect(response).to have_gitlab_http_status(:created) + expect(json_response["name"]).to eq("test") + expect(json_response["scopes"]).to eq(["api"]) + expect(json_response["expires_at"]).to eq(expires_at.to_date.iso8601) + end + end + end - expect(response).to have_gitlab_http_status(:created) - expect(json_response["name"]).to eq("test") - expect(json_response["scopes"]).to eq(["api"]) - expect(json_response["expires_at"]).to eq(nil) + context 'when default_pat_expiration feature flag is false' do + before do + stub_feature_flags(default_pat_expiration: false) + end + + it "creates a #{source_type} access token with the params", :aggregate_failures do + create_token + + expect(response).to have_gitlab_http_status(:created) + expect(json_response["name"]).to eq("test") + expect(json_response["scopes"]).to eq(["api"]) + expect(json_response["expires_at"]).to eq(nil) + end end end @@ -468,10 +488,86 @@ RSpec.describe API::ResourceAccessTokens, feature_category: :authentication_and_ end end end + + context "POST #{source_type}s/:id/access_tokens/:token_id/rotate" do + let_it_be(:project_bot) { create(:user, :project_bot) } + let_it_be(:token) { create(:personal_access_token, user: project_bot) } + let_it_be(:resource_id) { resource.id } + let_it_be(:token_id) { token.id } + + let(:path) { "/#{source_type}s/#{resource_id}/access_tokens/#{token_id}/rotate" } + + before do + resource.add_maintainer(project_bot) + resource.add_owner(user) + end + + subject(:rotate_token) { post api(path, user) } + + it "allows owner to rotate token", :freeze_time do + rotate_token + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['token']).not_to eq(token.token) + expect(json_response['expires_at']).to eq((Date.today + 1.week).to_s) + end + + context 'without permission' do + it 'returns an error message' do + another_user = create(:user) + resource.add_developer(another_user) + + post api(path, another_user) + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + + context 'when service raises an error' do + let(:error_message) { 'boom!' } + + before do + allow_next_instance_of(PersonalAccessTokens::RotateService) do |service| + allow(service).to receive(:execute).and_return(ServiceResponse.error(message: error_message)) + end + end + + it 'returns the same error message' do + rotate_token + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['message']).to eq("400 Bad request - #{error_message}") + end + end + + context 'when token does not exist' do + let(:invalid_path) { "/#{source_type}s/#{resource_id}/access_tokens/#{non_existing_record_id}/rotate" } + + context 'for non-admin user' do + it 'returns unauthorized' do + user = create(:user) + resource.add_developer(user) + + post api(invalid_path, user) + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + + context 'for admin user', :enable_admin_mode do + it 'returns not found' do + admin = create(:admin) + post api(invalid_path, admin) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end + end end context 'when the resource is a project' do - let_it_be(:resource) { create(:project) } + let_it_be(:resource) { create(:project, group: create(:group)) } let_it_be(:other_resource) { create(:project) } let_it_be(:unknown_resource) { create(:project) } |