From 92d5172ad42ebc62eb78cac21b1e236ad6ace580 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 28 Aug 2020 21:20:15 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee

---
 spec/lib/gitlab/auth/auth_finders_spec.rb          | 46 ++++++++++++++++++----
 spec/lib/gitlab/auth/request_authenticator_spec.rb | 11 ++++--
 2 files changed, 47 insertions(+), 10 deletions(-)

(limited to 'spec/lib/gitlab/auth')

diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index a73ac0b34af..1ac8ebe1369 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -37,11 +37,29 @@ RSpec.describe Gitlab::Auth::AuthFinders do
         expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
       end
 
-      it "return user if token is valid" do
-        set_token(job.token)
+      context 'with a running job' do
+        before do
+          job.update!(status: :running)
+        end
+
+        it 'return user if token is valid' do
+          set_token(job.token)
+
+          expect(subject).to eq(user)
+          expect(@current_authenticated_job).to eq job
+        end
+      end
 
-        expect(subject).to eq(user)
-        expect(@current_authenticated_job).to eq job
+      context 'with a job that is not running' do
+        before do
+          job.update!(status: :failed)
+        end
+
+        it 'returns an Unauthorized exception' do
+          set_token(job.token)
+
+          expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+        end
       end
     end
   end
@@ -557,7 +575,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
     context 'with CI username' do
       let(:username) { ::Gitlab::Auth::CI_JOB_USER }
       let(:user) { create(:user) }
-      let(:build) { create(:ci_build, user: user) }
+      let(:build) { create(:ci_build, user: user, status: :running) }
 
       it 'returns nil without password' do
         set_basic_auth_header(username, nil)
@@ -576,6 +594,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 
         expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
       end
+
+      it 'returns exception if the job is not running' do
+        set_basic_auth_header(username, build.token)
+        build.success!
+
+        expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
     end
   end
 
@@ -586,7 +611,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 
     context 'with a job token' do
       let(:route_authentication_setting) { { job_token_allowed: true } }
-      let(:job) { create(:ci_build, user: user) }
+      let(:job) { create(:ci_build, user: user, status: :running) }
 
       before do
         env['HTTP_AUTHORIZATION'] = "Bearer #{job.token}"
@@ -641,7 +666,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_job_token' do
-    let(:job) { create(:ci_build, user: user) }
+    let(:job) { create(:ci_build, user: user, status: :running) }
     let(:route_authentication_setting) { { job_token_allowed: true } }
 
     subject { find_user_from_job_token }
@@ -666,6 +691,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
         expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
       end
 
+      it 'returns exception if the job is not running' do
+        set_header(described_class::JOB_TOKEN_HEADER, job.token)
+        job.success!
+
+        expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
+
       context 'when route is not allowed to be authenticated' do
         let(:route_authentication_setting) { { job_token_allowed: false } }
 
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index ef83321cc0e..b89ceb37076 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -88,7 +88,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
 
   describe '#find_user_from_job_token' do
     let!(:user) { build(:user) }
-    let!(:job) { build(:ci_build, user: user) }
+    let!(:job) { build(:ci_build, user: user, status: :running) }
 
     before do
       env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = 'token'
@@ -97,13 +97,18 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
     context 'with API requests' do
       before do
         env['SCRIPT_NAME'] = '/api/endpoint'
+        expect(::Ci::Build).to receive(:find_by_token).with('token').and_return(job)
       end
 
       it 'tries to find the user' do
-        expect(::Ci::Build).to receive(:find_by_token).and_return(job)
-
         expect(subject.find_sessionless_user([:api])).to eq user
       end
+
+      it 'returns nil if the job is not running' do
+        job.status = :success
+
+        expect(subject.find_sessionless_user([:api])).to be_blank
+      end
     end
 
     context 'without API requests' do
-- 
cgit v1.2.3