From 6438df3a1e0fb944485cebf07976160184697d72 Mon Sep 17 00:00:00 2001
From: Robert Speicher <rspeicher@gmail.com>
Date: Wed, 20 Jan 2021 13:34:23 -0600
Subject: Add latest changes from gitlab-org/gitlab@13-8-stable-ee

---
 spec/lib/gitlab/auth/auth_finders_spec.rb          | 58 ++++++++++++++--------
 spec/lib/gitlab/auth/current_user_mode_spec.rb     |  2 +-
 spec/lib/gitlab/auth/ldap/config_spec.rb           | 22 +++++++-
 spec/lib/gitlab/auth/request_authenticator_spec.rb |  5 +-
 4 files changed, 64 insertions(+), 23 deletions(-)

(limited to 'spec/lib/gitlab/auth')

diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index f927d5912bb..775f8f056b5 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -6,7 +6,8 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   include described_class
   include HttpBasicAuthHelpers
 
-  let(:user) { create(:user) }
+  # Create the feed_token and static_object_token for the user
+  let_it_be(:user) { create(:user).tap(&:feed_token).tap(&:static_object_token) }
   let(:env) do
     {
       'rack.input' => ''
@@ -65,7 +66,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_bearer_token' do
-    let(:job) { create(:ci_build, user: user) }
+    let_it_be_with_reload(:job) { create(:ci_build, user: user) }
 
     subject { find_user_from_bearer_token }
 
@@ -91,7 +92,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
 
     context 'with a personal access token' do
-      let(:pat) { create(:personal_access_token, user: user) }
+      let_it_be(:pat) { create(:personal_access_token, user: user) }
       let(:token) { pat.token }
 
       before do
@@ -148,7 +149,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
         end
 
         it 'returns nil if valid feed_token and disabled' do
-          allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
+          stub_application_setting(disable_feed_token: true)
           set_param(:feed_token, user.feed_token)
 
           expect(find_user_from_feed_token(:rss)).to be_nil
@@ -166,7 +167,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
       end
 
       context 'when rss_token param is provided' do
-        it 'returns user if valid rssd_token' do
+        it 'returns user if valid rss_token' do
           set_param(:rss_token, user.feed_token)
 
           expect(find_user_from_feed_token(:rss)).to eq user
@@ -347,7 +348,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_access_token' do
-    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
 
     before do
       set_header('SCRIPT_NAME', 'url.atom')
@@ -386,7 +387,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
       end
 
       context 'when using a non-prefixed access token' do
-        let(:personal_access_token) { create(:personal_access_token, :no_prefix, user: user) }
+        let_it_be(:personal_access_token) { create(:personal_access_token, :no_prefix, user: user) }
 
         it 'returns user' do
           set_header('HTTP_AUTHORIZATION', "Bearer #{personal_access_token.token}")
@@ -398,7 +399,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_web_access_token' do
-    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let_it_be_with_reload(:personal_access_token) { create(:personal_access_token, user: user) }
 
     before do
       set_header(described_class::PRIVATE_TOKEN_HEADER, personal_access_token.token)
@@ -449,6 +450,22 @@ RSpec.describe Gitlab::Auth::AuthFinders do
         expect(find_user_from_web_access_token(:api)).to be_nil
       end
 
+      context 'when the token has read_api scope' do
+        before do
+          personal_access_token.update!(scopes: ['read_api'])
+
+          set_header('SCRIPT_NAME', '/api/endpoint')
+        end
+
+        it 'raises InsufficientScopeError by default' do
+          expect { find_user_from_web_access_token(:api) }.to raise_error(Gitlab::Auth::InsufficientScopeError)
+        end
+
+        it 'finds the user when the read_api scope is passed' do
+          expect(find_user_from_web_access_token(:api, scopes: [:api, :read_api])).to eq(user)
+        end
+      end
+
       context 'when relative_url_root is set' do
         before do
           stub_config_setting(relative_url_root: '/relative_root')
@@ -464,7 +481,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_personal_access_token' do
-    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
 
     before do
       set_header('SCRIPT_NAME', 'url.atom')
@@ -534,7 +551,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
 
     context 'access token is valid' do
-      let(:personal_access_token) { create(:personal_access_token, user: user) }
+      let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
       let(:route_authentication_setting) { { basic_auth_personal_access_token: true } }
 
       it 'finds the token from basic auth' do
@@ -555,7 +572,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
 
     context 'route_setting is not set' do
-      let(:personal_access_token) { create(:personal_access_token, user: user) }
+      let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
 
       it 'returns nil' do
         auth_header_with(personal_access_token.token)
@@ -565,7 +582,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
 
     context 'route_setting is not correct' do
-      let(:personal_access_token) { create(:personal_access_token, user: user) }
+      let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
       let(:route_authentication_setting) { { basic_auth_personal_access_token: false } }
 
       it 'returns nil' do
@@ -611,8 +628,9 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 
     context 'with CI username' do
       let(:username) { ::Gitlab::Auth::CI_JOB_USER }
-      let(:user) { create(:user) }
-      let(:build) { create(:ci_build, user: user, status: :running) }
+
+      let_it_be(:user) { create(:user) }
+      let_it_be(:build) { create(:ci_build, user: user, status: :running) }
 
       it 'returns nil without password' do
         set_basic_auth_header(username, nil)
@@ -645,11 +663,11 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   describe '#validate_access_token!' do
     subject { validate_access_token! }
 
-    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let_it_be_with_reload(:personal_access_token) { create(:personal_access_token, user: user) }
 
     context 'with a job token' do
+      let_it_be(:job) { create(:ci_build, user: user, status: :running) }
       let(:route_authentication_setting) { { job_token_allowed: true } }
-      let(:job) { create(:ci_build, user: user, status: :running) }
 
       before do
         env['HTTP_AUTHORIZATION'] = "Bearer #{job.token}"
@@ -671,7 +689,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
       end
 
       it 'returns Gitlab::Auth::ExpiredError if token expired' do
-        personal_access_token.expires_at = 1.day.ago
+        personal_access_token.update!(expires_at: 1.day.ago)
 
         expect { validate_access_token! }.to raise_error(Gitlab::Auth::ExpiredError)
       end
@@ -688,7 +706,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     end
 
     context 'with impersonation token' do
-      let(:personal_access_token) { create(:personal_access_token, :impersonation, user: user) }
+      let_it_be(:personal_access_token) { create(:personal_access_token, :impersonation, user: user) }
 
       context 'when impersonation is disabled' do
         before do
@@ -704,7 +722,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_job_token' do
-    let(:job) { create(:ci_build, user: user, status: :running) }
+    let_it_be(:job) { create(:ci_build, user: user, status: :running) }
     let(:route_authentication_setting) { { job_token_allowed: true } }
 
     subject { find_user_from_job_token }
@@ -866,7 +884,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_runner_from_token' do
-    let(:runner) { create(:ci_runner) }
+    let_it_be(:runner) { create(:ci_runner) }
 
     context 'with API requests' do
       before do
diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb
index ffd7813190a..a21f0931b78 100644
--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::Auth::CurrentUserMode, :request_store do
   let(:user) { build_stubbed(:user) }
 
   subject { described_class.new(user) }
diff --git a/spec/lib/gitlab/auth/ldap/config_spec.rb b/spec/lib/gitlab/auth/ldap/config_spec.rb
index e4c87a54365..7a657cce597 100644
--- a/spec/lib/gitlab/auth/ldap/config_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/config_spec.rb
@@ -5,6 +5,10 @@ require 'spec_helper'
 RSpec.describe Gitlab::Auth::Ldap::Config do
   include LdapHelpers
 
+  before do
+    stub_ldap_setting(enabled: true)
+  end
+
   let(:config) { described_class.new('ldapmain') }
 
   def raw_cert
@@ -68,12 +72,28 @@ AtlErSqafbECNDSwS5BX8yDpu5yRBJ4xegO/rNlmb8ICRYkuJapD1xXicFOsmfUK
 
   describe '.servers' do
     it 'returns empty array if no server information is available' do
-      allow(Gitlab.config).to receive(:ldap).and_return('enabled' => false)
+      stub_ldap_setting(servers: {})
 
       expect(described_class.servers).to eq []
     end
   end
 
+  describe '.available_providers' do
+    before do
+      stub_licensed_features(multiple_ldap_servers: false)
+      stub_ldap_setting(
+        'servers' => {
+          'main' => { 'provider_name' => 'ldapmain' },
+          'secondary' => { 'provider_name' => 'ldapsecondary' }
+        }
+      )
+    end
+
+    it 'returns one provider' do
+      expect(described_class.available_providers).to match_array(%w(ldapmain))
+    end
+  end
+
   describe '#initialize' do
     it 'requires a provider' do
       expect { described_class.new }.to raise_error ArgumentError
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index ef6b1d72712..93e9cb06786 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -47,7 +47,10 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
     let!(:job_token_user) { build(:user) }
 
     it 'returns access_token user first' do
-      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user)
+      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token)
+                                                  .with(anything, scopes: [:api, :read_api])
+                                                  .and_return(access_token_user)
+
       allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
 
       expect(subject.find_sessionless_user(:api)).to eq access_token_user
-- 
cgit v1.2.3