Diffstat (limited to 'spec/services/resource_access_tokens')
-rw-r--r--spec/services/resource_access_tokens/create_service_spec.rb58
-rw-r--r--spec/services/resource_access_tokens/revoke_service_spec.rb102
2 files changed, 99 insertions, 61 deletions
diff --git a/spec/services/resource_access_tokens/create_service_spec.rb b/spec/services/resource_access_tokens/create_service_spec.rb
index 42520ea26b2..5a88929334b 100644
--- a/spec/services/resource_access_tokens/create_service_spec.rb
+++ b/spec/services/resource_access_tokens/create_service_spec.rb
@@ -7,10 +7,14 @@ RSpec.describe ResourceAccessTokens::CreateService do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :private) }
+ let_it_be(:group) { create(:group, :private) }
let_it_be(:params) { {} }
+ before do
+ stub_config_setting(host: 'example.com')
+ end
+
describe '#execute' do
- # Created shared_examples as it will easy to include specs for group bots in https://gitlab.com/gitlab-org/gitlab/-/issues/214046
shared_examples 'token creation fails' do
let(:resource) { create(:project)}
@@ -31,7 +35,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
access_token = response.payload[:access_token]
- expect(access_token.user.reload.user_type).to eq("#{resource_type}_bot")
+ expect(access_token.user.reload.user_type).to eq("project_bot")
expect(access_token.user.created_by_id).to eq(user.id)
end
@@ -88,6 +92,15 @@ RSpec.describe ResourceAccessTokens::CreateService do
end
end
+ context 'bot email' do
+ it 'check email domain' do
+ response = subject
+ access_token = response.payload[:access_token]
+
+ expect(access_token.user.email).to end_with("@noreply.#{Gitlab.config.gitlab.host}")
+ end
+ end
+
context 'access level' do
context 'when user does not specify an access level' do
it 'adds the bot user as a maintainer in the resource' do
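Review bot: The new example `it 'check email domain'` asserts against `Gitlab.config.gitlab.host`, which is the same setting the earlier `before` block in this file stubs to `'example.com'`, so the expectation keeps passing even if the stub stops applying and the real host leaks in; pinning the literal makes the intent explicit: `expect(access_token.user.email).to end_with('@noreply.example.com')`. The description reads as an instruction rather than behaviour; `it 'uses a noreply address on the instance host'` says what is being checked. The `before` block that sets the host lives in an earlier hunk, not this one.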
@@ -112,10 +125,8 @@ RSpec.describe ResourceAccessTokens::CreateService do
end
context 'when user is external' do
- let(:user) { create(:user, :external) }
-
before do
- project.add_maintainer(user)
+ user.update!(external: true)
end
it 'creates resource bot user with external status' do
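Review bot: `user.update!(external: true)` in a per-example `before` now mutates the `user` that is defined with `let_it_be` at the top of the file, so if this is the non-reloading `let_it_be` variant the shared Ruby object carries `external: true` into later examples even though the database row is rolled back. The previous `let(:user) { create(:user, :external) }` was isolated per example; it was presumably dropped because maintainer membership is now granted to the shared user in a `before_all` elsewhere in the file. Either define the user with a reloading variant of `let_it_be` for this file, or undo the change in the same context: `after { user.update!(external: false) }`. The enclosing `context 'when user is external'` continues past the hunk.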
@@ -162,7 +173,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
access_token = response.payload[:access_token]
project_bot = access_token.user
- expect(project.members.find_by(user_id: project_bot.id).expires_at).to eq(nil)
+ expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(nil)
end
end
end
@@ -183,7 +194,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
access_token = response.payload[:access_token]
project_bot = access_token.user
- expect(project.members.find_by(user_id: project_bot.id).expires_at).to eq(params[:expires_at])
+ expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(params[:expires_at])
end
end
end
@@ -234,24 +245,41 @@ RSpec.describe ResourceAccessTokens::CreateService do
end
end
+ shared_examples 'when user does not have permission to create a resource bot' do
+ it_behaves_like 'token creation fails'
+
+ it 'returns the permission error message' do
+ response = subject
+
+ expect(response.error?).to be true
+ expect(response.errors).to include("User does not have permission to create #{resource_type} access token")
+ end
+ end
+
context 'when resource is a project' do
let_it_be(:resource_type) { 'project' }
let_it_be(:resource) { project }
- context 'when user does not have permission to create a resource bot' do
- it_behaves_like 'token creation fails'
-
- it 'returns the permission error message' do
- response = subject
+ it_behaves_like 'when user does not have permission to create a resource bot'
- expect(response.error?).to be true
- expect(response.errors).to include("User does not have permission to create #{resource_type} access token")
+ context 'user with valid permission' do
+ before_all do
+ resource.add_maintainer(user)
end
+
+ it_behaves_like 'allows creation of bot with valid params'
end
+ end
+
+ context 'when resource is a project' do
+ let_it_be(:resource_type) { 'group' }
+ let_it_be(:resource) { group }
+
+ it_behaves_like 'when user does not have permission to create a resource bot'
context 'user with valid permission' do
before_all do
- resource.add_maintainer(user)
+ resource.add_owner(user)
end
it_behaves_like 'allows creation of bot with valid params'
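Review bot: The second `context 'when resource is a project' do`, the one that sets `resource_type` to `'group'` and `resource` to `group`, repeats the project description, so both sibling contexts report under the same name and a failure in the group branch reads as a project failure; it should be `context 'when resource is a group' do`. The `resource.add_owner(user)` below it is consistent with the group case and needs no change. The surrounding `describe` closes after the end of the hunk.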
diff --git a/spec/services/resource_access_tokens/revoke_service_spec.rb b/spec/services/resource_access_tokens/revoke_service_spec.rb
index 4f4e2ab0c99..3d724a79fef 100644
--- a/spec/services/resource_access_tokens/revoke_service_spec.rb
+++ b/spec/services/resource_access_tokens/revoke_service_spec.rb
@@ -6,11 +6,12 @@ RSpec.describe ResourceAccessTokens::RevokeService do
subject { described_class.new(user, resource, access_token).execute }
let_it_be(:user) { create(:user) }
+ let_it_be(:user_non_priviledged) { create(:user) }
+ let_it_be(:resource_bot) { create(:user, :project_bot) }
let(:access_token) { create(:personal_access_token, user: resource_bot) }
describe '#execute', :sidekiq_inline do
- # Created shared_examples as it will easy to include specs for group bots in https://gitlab.com/gitlab-org/gitlab/-/issues/214046
shared_examples 'revokes access token' do
it { expect(subject.success?).to be true }
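Review bot: The new `let_it_be(:user_non_priviledged)` misspells "privileged", and the name is repeated in the next hunk of this file (the `described_class.new(user_non_priviledged, …)` calls, the `add_developer`/`add_maintainer` lines and the `"when non-priviledged #{resource_type} member …"` description); rename it to `user_non_privileged` everywhere in one pass. Nothing at the definition says what role the user holds, and the later hunk gives it a different role per resource, so a short comment next to it is worth adding: `# member whose role is below what revoking a bot requires; the role is granted per resource context below`.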
@@ -79,71 +80,80 @@ RSpec.describe ResourceAccessTokens::RevokeService do
end
end
- context 'when resource is a project' do
- let_it_be(:resource) { create(:project, :private) }
+ shared_examples 'revoke fails' do |resource_type|
+ let_it_be(:other_user) { create(:user) }
- let(:resource_bot) { create(:user, :project_bot) }
+ context "when access token does not belong to this #{resource_type}" do
+ it 'does not find the bot' do
+ other_access_token = create(:personal_access_token, user: other_user)
- before do
- resource.add_maintainer(user)
- resource.add_maintainer(resource_bot)
- end
+ response = described_class.new(user, resource, other_access_token).execute
- it_behaves_like 'revokes access token'
+ expect(response.success?).to be false
+ expect(response.message).to eq("Failed to find bot user")
+ expect(access_token.reload.revoked?).to be false
+ end
+ end
- context 'revoke fails' do
- let_it_be(:other_user) { create(:user) }
+ context 'when user does not have permission to destroy bot' do
+ context "when non-#{resource_type} member tries to delete project bot" do
+ it 'does not allow other user to delete bot' do
+ response = described_class.new(other_user, resource, access_token).execute
- context 'when access token does not belong to this project' do
- it 'does not find the bot' do
- other_access_token = create(:personal_access_token, user: other_user)
+ expect(response.success?).to be false
+ expect(response.message).to eq("#{other_user.name} cannot delete #{access_token.user.name}")
+ expect(access_token.reload.revoked?).to be false
+ end
+ end
- response = described_class.new(user, resource, other_access_token).execute
+ context "when non-priviledged #{resource_type} member tries to delete project bot" do
+ it 'does not allow developer to delete bot' do
+ response = described_class.new(user_non_priviledged, resource, access_token).execute
expect(response.success?).to be false
- expect(response.message).to eq("Failed to find bot user")
+ expect(response.message).to eq("#{user_non_priviledged.name} cannot delete #{access_token.user.name}")
expect(access_token.reload.revoked?).to be false
end
end
+ end
- context 'when user does not have permission to destroy bot' do
- context 'when non-project member tries to delete project bot' do
- it 'does not allow other user to delete bot' do
- response = described_class.new(other_user, resource, access_token).execute
-
- expect(response.success?).to be false
- expect(response.message).to eq("#{other_user.name} cannot delete #{access_token.user.name}")
- expect(access_token.reload.revoked?).to be false
- end
+ context 'when deletion of bot user fails' do
+ before do
+ allow_next_instance_of(::ResourceAccessTokens::RevokeService) do |service|
+ allow(service).to receive(:execute).and_return(false)
end
+ end
+
+ it_behaves_like 'rollback revoke steps'
+ end
+ end
- context 'when non-maintainer project member tries to delete project bot' do
- let(:developer) { create(:user) }
+ context 'when resource is a project' do
+ let_it_be(:resource) { create(:project, :private) }
- before do
- resource.add_developer(developer)
- end
+ before do
+ resource.add_maintainer(user)
+ resource.add_developer(user_non_priviledged)
+ resource.add_maintainer(resource_bot)
+ end
- it 'does not allow developer to delete bot' do
- response = described_class.new(developer, resource, access_token).execute
+ it_behaves_like 'revokes access token'
- expect(response.success?).to be false
- expect(response.message).to eq("#{developer.name} cannot delete #{access_token.user.name}")
- expect(access_token.reload.revoked?).to be false
- end
- end
- end
+ it_behaves_like 'revoke fails', 'project'
+ end
- context 'when deletion of bot user fails' do
- before do
- allow_next_instance_of(::ResourceAccessTokens::RevokeService) do |service|
- allow(service).to receive(:execute).and_return(false)
- end
- end
+ context 'when resource is a group' do
+ let_it_be(:resource) { create(:group, :private) }
- it_behaves_like 'rollback revoke steps'
- end
+ before do
+ resource.add_owner(user)
+ resource.add_maintainer(user_non_priviledged)
+ resource.add_maintainer(resource_bot)
end
+
+ it_behaves_like 'revokes access token'
+
+ it_behaves_like 'revoke fails', 'group'
end
end
end
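Review bot: Inside `shared_examples 'revoke fails' do |resource_type|` the descriptions still hard-code the project wording — `"when non-#{resource_type} member tries to delete project bot"`, `"when non-priviledged #{resource_type} member tries to delete project bot"` and `it 'does not allow developer to delete bot'` — although the group inclusion adds `user_non_priviledged` as a maintainer, not a developer. Use the parameter throughout, e.g. `"… tries to delete #{resource_type} bot"` and `it 'does not allow a non-privileged member to delete bot'`, so a failing group example is reported under the right name. A one-line comment above the shared example stating what it pins would also help: `# non-members and members below the required role are refused and the token stays unrevoked`. The required role (maintainer on a project, owner on a group) is inferred here from the memberships set up in the two resource contexts, not from the service code, so phrase it as the setup rather than as a fact about the service.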