Diffstat (limited to 'spec/services/auth/dependency_proxy_authentication_service_spec.rb')
-rw-r--r--spec/services/auth/dependency_proxy_authentication_service_spec.rb87
1 files changed, 76 insertions, 11 deletions
diff --git a/spec/services/auth/dependency_proxy_authentication_service_spec.rb b/spec/services/auth/dependency_proxy_authentication_service_spec.rb
index 3ef9c8fc96e..e81f59cff39 100644
--- a/spec/services/auth/dependency_proxy_authentication_service_spec.rb
+++ b/spec/services/auth/dependency_proxy_authentication_service_spec.rb
@@ -4,15 +4,17 @@ require 'spec_helper'
RSpec.describe Auth::DependencyProxyAuthenticationService, feature_category: :dependency_proxy do
let_it_be(:user) { create(:user) }
+ let_it_be(:params) { {} }
- let(:service) { described_class.new(nil, user) }
+ let(:authentication_abilities) { nil }
+ let(:service) { described_class.new(nil, user, params) }
before do
- stub_config(dependency_proxy: { enabled: true })
+ stub_config(dependency_proxy: { enabled: true }, registry: { enabled: true })
end
describe '#execute' do
- subject { service.execute(authentication_abilities: nil) }
+ subject { service.execute(authentication_abilities: authentication_abilities) }
shared_examples 'returning' do |status:, message:|
it "returns #{message}", :aggregate_failures do
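Review bot: `let_it_be(:params) { {} }` on the line after `let_it_be(:user)` uses test-prof's `let_it_be` for a plain hash literal, which gains nothing over `let` and reads inconsistently next to `let(:authentication_abilities) { nil }` directly below it; `let(:params) { {} }` would do. The same applies to `let_it_be(:authentication_abilities) { Auth::DependencyProxyAuthenticationService::REQUIRED_ABILITIES }` in the last hunk, which memoises a constant reference rather than a record. The nested contexts that later override `params` with a deploy token or `raw_token` do need a persisted record in scope, so whichever form is chosen should be applied consistently. The describe block continues past the hunk.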
@@ -21,9 +23,13 @@ RSpec.describe Auth::DependencyProxyAuthenticationService, feature_category: :de
end
end
- shared_examples 'returning a token' do
- it 'returns a token' do
- expect(subject[:token]).not_to be_nil
+ shared_examples 'returning a token with an encoded field' do |field|
+ it 'returns a token with encoded field' do
+ token = subject[:token]
+ expect(token).not_to be_nil
+
+ decoded_token = decode(token)
+ expect(decoded_token[field]).not_to be_nil
end
end
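Review bot: The new shared example only asserts that `decoded_token[field]` is present, so a token that encodes the wrong subject (for instance another user's id, or a user id where a deploy token was supplied) would still pass; for an authentication service that is the property worth pinning. Consider letting callers pass the expected value and asserting equality when given, e.g. `shared_examples 'returning a token with an encoded field' do |field, expected = nil|` followed by `expect(decoded_token[field]).to eq(expected) if expected`, assuming the encoded field holds the record id — confirm against `DependencyProxy::AuthTokenService`. The `decode` helper it calls is defined in a later hunk of this file.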
@@ -41,14 +47,73 @@ RSpec.describe Auth::DependencyProxyAuthenticationService, feature_category: :de
it_behaves_like 'returning', status: 403, message: 'access forbidden'
end
- context 'with a deploy token as user' do
- let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+ context 'with a deploy token' do
+ let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+ let_it_be(:params) { { deploy_token: deploy_token } }
+
+ it_behaves_like 'returning a token with an encoded field', 'deploy_token'
+ end
+
+ context 'with a human user' do
+ it_behaves_like 'returning a token with an encoded field', 'user_id'
+ end
+
+ context 'all other user types' do
+ User::USER_TYPES.except(:human, :project_bot).each_value do |user_type|
+ context "with user_type #{user_type}" do
+ before do
+ user.update!(user_type: user_type)
+ end
+
+ it_behaves_like 'returning a token with an encoded field', 'user_id'
+ end
+ end
+ end
+
+ context 'with a group access token' do
+ let_it_be(:user) { create(:user, :project_bot) }
+ let_it_be_with_reload(:token) { create(:personal_access_token, user: user) }
+
+ context 'with insufficient authentication abilities' do
+ it_behaves_like 'returning', status: 403, message: 'access forbidden'
- it_behaves_like 'returning a token'
+ context 'packages_dependency_proxy_containers_scope_check disabled' do
+ before do
+ stub_feature_flags(packages_dependency_proxy_containers_scope_check: false)
+ end
+
+ it_behaves_like 'returning a token with an encoded field', 'user_id'
+ end
+ end
+
+ context 'with sufficient authentication abilities' do
+ let_it_be(:authentication_abilities) { Auth::DependencyProxyAuthenticationService::REQUIRED_ABILITIES }
+ let_it_be(:params) { { raw_token: token.token } }
+
+ subject { service.execute(authentication_abilities: authentication_abilities) }
+
+ it_behaves_like 'returning a token with an encoded field', 'user_id'
+
+ context 'revoked' do
+ before do
+ token.revoke!
+ end
+
+ it_behaves_like 'returning', status: 403, message: 'access forbidden'
+ end
+
+ context 'expired' do
+ before do
+ token.update_column(:expires_at, 1.day.ago)
+ end
+
+ it_behaves_like 'returning', status: 403, message: 'access forbidden'
+ end
+ end
end
- context 'with a user' do
- it_behaves_like 'returning a token'
+ def decode(token)
+ DependencyProxy::AuthTokenService.new(token).execute
end
end
end
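Review bot: The `subject { service.execute(authentication_abilities: authentication_abilities) }` inside the 'with sufficient authentication abilities' context is byte-identical to the `subject` already declared at the top of `describe '#execute'`, so it can be dropped without changing any example. The `decode(token)` helper added at the bottom of the describe block has no explanation of what it returns; a one-line comment such as `# Decodes a dependency proxy JWT into its claims hash so examples can inspect encoded fields.` would help readers of the shared example that calls it, hedged to however `DependencyProxy::AuthTokenService#execute` actually returns its payload. The 'all other user types' loop mutates the shared `let_it_be(:user)` via `update!` in a `before` hook; presumably each example's transaction rolls that back, but it is worth confirming since later contexts rely on the same record.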