From a09983ae35713f5a2bbb100981116d31ce99826e Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 20 Jul 2020 12:26:25 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-2-stable-ee
---
 spec/lib/gitlab/auth/activity_spec.rb | 2 +-
 spec/lib/gitlab/auth/auth_finders_spec.rb | 75 +++++++++++++++++++++-
 spec/lib/gitlab/auth/blocked_user_tracker_spec.rb | 2 +-
 spec/lib/gitlab/auth/current_user_mode_spec.rb | 2 +-
 spec/lib/gitlab/auth/ip_rate_limiter_spec.rb | 2 +-
 spec/lib/gitlab/auth/key_status_checker_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/access_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/adapter_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/auth_hash_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/authentication_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/config_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/dn_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/person_spec.rb | 2 +-
 spec/lib/gitlab/auth/ldap/user_spec.rb | 2 +-
 spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb | 2 +-
 .../lib/gitlab/auth/o_auth/identity_linker_spec.rb | 2 +-
 spec/lib/gitlab/auth/o_auth/provider_spec.rb | 2 +-
 spec/lib/gitlab/auth/o_auth/user_spec.rb | 2 +-
 spec/lib/gitlab/auth/request_authenticator_spec.rb | 2 +-
 spec/lib/gitlab/auth/saml/auth_hash_spec.rb | 2 +-
 spec/lib/gitlab/auth/saml/identity_linker_spec.rb | 2 +-
 spec/lib/gitlab/auth/saml/origin_validator_spec.rb | 2 +-
 spec/lib/gitlab/auth/saml/user_spec.rb | 2 +-
 spec/lib/gitlab/auth/unique_ips_limiter_spec.rb | 2 +-
 .../gitlab/auth/user_access_denied_reason_spec.rb | 2 +-
 25 files changed, 98 insertions(+), 25 deletions(-)
(limited to 'spec/lib/gitlab/auth')
diff --git a/spec/lib/gitlab/auth/activity_spec.rb b/spec/lib/gitlab/auth/activity_spec.rb
index e03fafe3826..cbc42c46470 100644
--- a/spec/lib/gitlab/auth/activity_spec.rb
+++ b/spec/lib/gitlab/auth/activity_spec.rb
@@ -2,7 +2,7 @@
 require 'fast_spec_helper'
-describe Gitlab::Auth::Activity do
+RSpec.describe Gitlab::Auth::Activity do
 describe '.each_counter' do
 it 'has all static counters defined' do
 described_class.each_counter do |counter|
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 2aef206c7fd..d0f5d0a9b35 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::AuthFinders do
+RSpec.describe Gitlab::Auth::AuthFinders do
 include described_class
 include HttpBasicAuthHelpers
@@ -26,6 +26,63 @@ describe Gitlab::Auth::AuthFinders do
 env.merge!(basic_auth_header(username, password))
 end
+ shared_examples 'find user from job token' do
+ context 'when route is allowed to be authenticated' do
+ let(:route_authentication_setting) { { job_token_allowed: true } }
+
+ it "returns an Unauthorized exception for an invalid token" do
+ set_token('invalid token')
+
+ expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+ end
+
+ it "return user if token is valid" do
+ set_token(job.token)
+
+ expect(subject).to eq(user)
+ expect(@current_authenticated_job).to eq job
+ end
+ end
+ end
+
+ describe '#find_user_from_bearer_token' do
+ let(:job) { create(:ci_build, user: user) }
+
+ subject { find_user_from_bearer_token }
+
+ context 'when the token is passed as an oauth token' do
+ def set_token(token)
+ env['HTTP_AUTHORIZATION'] = "Bearer #{token}"
+ end
+
+ context 'with a job token' do
+ it_behaves_like 'find user from job token'
+ end
+
+ context 'with oauth token' do
+ let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }
+ let(:token) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api').token }
+
+ before do
+ set_token(token)
+ end
+
+ it { is_expected.to eq user }
+ end
+ end
+
+ context 'with a personal access token' do
+ let(:pat) { create(:personal_access_token, user: user) }
+ let(:token) { pat.token }
+
+ before do
+ env[described_class::PRIVATE_TOKEN_HEADER] = pat.token
+ end
+
+ it { is_expected.to eq user }
+ end
+ end
+
 describe '#find_user_from_warden' do
 context 'with CSRF token' do
 before do
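Review bot: The shared examples 'find user from job token' cover only the route where `job_token_allowed: true`, so nothing in this hunk pins what `find_user_from_bearer_token` does with a CI job token on a route that has not opted in. Because a job token authenticates as the build's user, the deny path is the security-relevant one: add a sibling context with `let(:route_authentication_setting) { { job_token_allowed: false } }` that calls `set_token(job.token)` and asserts that the job's user is not returned and `@current_authenticated_job` stays unset; whether the finder should return nil or raise `Gitlab::Auth::UnauthorizedError` there is decided in code outside this diff. Separately, in the 'with a personal access token' context `let(:token) { pat.token }` is never read, since the `before` block uses `pat.token` directly. The enclosing `RSpec.describe` block starts and ends outside the hunk.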
@@ -522,8 +579,24 @@ describe Gitlab::Auth::AuthFinders do
 end
 describe '#validate_access_token!' do
+ subject { validate_access_token! }
+
 let(:personal_access_token) { create(:personal_access_token, user: user) }
+ context 'with a job token' do
+ let(:route_authentication_setting) { { job_token_allowed: true } }
+ let(:job) { create(:ci_build, user: user) }
+
+ before do
+ env['HTTP_AUTHORIZATION'] = "Bearer #{job.token}"
+ find_user_from_bearer_token
+ end
+
+ it 'does not raise an error' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
 it 'returns nil if no access_token present' do
 expect(validate_access_token!).to be_nil
 end
diff --git a/spec/lib/gitlab/auth/blocked_user_tracker_spec.rb b/spec/lib/gitlab/auth/blocked_user_tracker_spec.rb
index 52849f8c172..76775db3a4a 100644
--- a/spec/lib/gitlab/auth/blocked_user_tracker_spec.rb
+++ b/spec/lib/gitlab/auth/blocked_user_tracker_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::BlockedUserTracker do
+RSpec.describe Gitlab::Auth::BlockedUserTracker do
 describe '#log_blocked_user_activity!' do
 context 'when user is not blocked' do
 it 'does not log blocked user activity' do
diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb
index 26e44fa7cc8..60b403780c0 100644
--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
 let(:user) { build_stubbed(:user) }
 subject { described_class.new(user) }
diff --git a/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb b/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb
index aea1b2921b6..3d782272d7e 100644
--- a/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb
+++ b/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb
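Review bot: In the `#validate_access_token!` hunk of auth_finders_spec.rb, the 'with a job token' example asserts only `expect { subject }.not_to raise_error`, which would still pass if the method returned early for every request, so it does not show that the lenient path is tied to an authenticated job. Consider also asserting the return value (for instance `expect(subject).to be_nil`, if that is the intended result) and adding an example that calls the method with required scopes, so the spec records whether skipping scope validation for job tokens is deliberate. The example relies on `find_user_from_bearer_token` in the `before` block to set up state; presumably that is what the method under test consults, but the implementation is not in this diff, so a one-line comment in the `before` block saying why the finder is called first would help. The `describe '#validate_access_token!'` block continues past the end of the hunk.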
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::IpRateLimiter, :use_clean_rails_memory_store_caching do
+RSpec.describe Gitlab::Auth::IpRateLimiter, :use_clean_rails_memory_store_caching do
 let(:ip) { '10.2.2.3' }
 let(:whitelist) { ['127.0.0.1'] }
 let(:options) do
diff --git a/spec/lib/gitlab/auth/key_status_checker_spec.rb b/spec/lib/gitlab/auth/key_status_checker_spec.rb
index b1a540eae81..e8ac0d7c394 100644
--- a/spec/lib/gitlab/auth/key_status_checker_spec.rb
+++ b/spec/lib/gitlab/auth/key_status_checker_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::KeyStatusChecker do
+RSpec.describe Gitlab::Auth::KeyStatusChecker do
 let_it_be(:never_expires_key) { build(:personal_key, expires_at: nil) }
 let_it_be(:expired_key) { build(:personal_key, expires_at: 3.days.ago) }
 let_it_be(:expiring_soon_key) { build(:personal_key, expires_at: 3.days.from_now) }
diff --git a/spec/lib/gitlab/auth/ldap/access_spec.rb b/spec/lib/gitlab/auth/ldap/access_spec.rb
index 2f691429541..9e269f84b7e 100644
--- a/spec/lib/gitlab/auth/ldap/access_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/access_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::Access do
+RSpec.describe Gitlab::Auth::Ldap::Access do
 include LdapHelpers
 let(:user) { create(:omniauth_user) }
diff --git a/spec/lib/gitlab/auth/ldap/adapter_spec.rb b/spec/lib/gitlab/auth/ldap/adapter_spec.rb
index 34853acdd0f..78970378b7f 100644
--- a/spec/lib/gitlab/auth/ldap/adapter_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/adapter_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::Adapter do
+RSpec.describe Gitlab::Auth::Ldap::Adapter do
 include LdapHelpers
 let(:ldap) { double(:ldap) }
diff --git a/spec/lib/gitlab/auth/ldap/auth_hash_spec.rb b/spec/lib/gitlab/auth/ldap/auth_hash_spec.rb
index 7bc92d0abea..9dff7f7b3dc 100644
--- a/spec/lib/gitlab/auth/ldap/auth_hash_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/auth_hash_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::AuthHash do
+RSpec.describe Gitlab::Auth::Ldap::AuthHash do
 include LdapHelpers
 let(:auth_hash) do
diff --git a/spec/lib/gitlab/auth/ldap/authentication_spec.rb b/spec/lib/gitlab/auth/ldap/authentication_spec.rb
index 1f8b1474539..42a893417d8 100644
--- a/spec/lib/gitlab/auth/ldap/authentication_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/authentication_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::Authentication do
+RSpec.describe Gitlab::Auth::Ldap::Authentication do
 let(:dn) { 'uid=John Smith, ou=People, dc=example, dc=com' }
 let(:user) { create(:omniauth_user, extern_uid: Gitlab::Auth::Ldap::Person.normalize_dn(dn)) }
 let(:login) { 'john' }
diff --git a/spec/lib/gitlab/auth/ldap/config_spec.rb b/spec/lib/gitlab/auth/ldap/config_spec.rb
index 124f072ebe6..4287596af8f 100644
--- a/spec/lib/gitlab/auth/ldap/config_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/config_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::Config do
+RSpec.describe Gitlab::Auth::Ldap::Config do
 include LdapHelpers
 let(:config) { described_class.new('ldapmain') }
diff --git a/spec/lib/gitlab/auth/ldap/dn_spec.rb b/spec/lib/gitlab/auth/ldap/dn_spec.rb
index 7aaffa52ae4..e89f764b040 100644
--- a/spec/lib/gitlab/auth/ldap/dn_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/dn_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::DN do
+RSpec.describe Gitlab::Auth::Ldap::DN do
 using RSpec::Parameterized::TableSyntax
 describe '#normalize_value' do
diff --git a/spec/lib/gitlab/auth/ldap/person_spec.rb b/spec/lib/gitlab/auth/ldap/person_spec.rb
index 403a48d40ef..6857b561370 100644
--- a/spec/lib/gitlab/auth/ldap/person_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/person_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::Person do
+RSpec.describe Gitlab::Auth::Ldap::Person do
 include LdapHelpers
 let(:entry) { ldap_user_entry('john.doe') }
diff --git a/spec/lib/gitlab/auth/ldap/user_spec.rb b/spec/lib/gitlab/auth/ldap/user_spec.rb
index 867633e54df..7ca2878e583 100644
--- a/spec/lib/gitlab/auth/ldap/user_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/user_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Ldap::User do
+RSpec.describe Gitlab::Auth::Ldap::User do
 include LdapHelpers
 let(:ldap_user) { described_class.new(auth_hash) }
diff --git a/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb b/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
index a2d9e27ea5b..7a60acca95b 100644
--- a/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::OAuth::AuthHash do
+RSpec.describe Gitlab::Auth::OAuth::AuthHash do
 let(:provider) { 'ldap'.freeze }
 let(:auth_hash) do
 described_class.new(
diff --git a/spec/lib/gitlab/auth/o_auth/identity_linker_spec.rb b/spec/lib/gitlab/auth/o_auth/identity_linker_spec.rb
index 45c1baa4089..8014fbe1687 100644
--- a/spec/lib/gitlab/auth/o_auth/identity_linker_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/identity_linker_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::OAuth::IdentityLinker do
+RSpec.describe Gitlab::Auth::OAuth::IdentityLinker do
 let(:user) { create(:user) }
 let(:provider) { 'twitter' }
 let(:uid) { user.email }
diff --git a/spec/lib/gitlab/auth/o_auth/provider_spec.rb b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
index 8b0d4d786cd..658a9976cc2 100644
--- a/spec/lib/gitlab/auth/o_auth/provider_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::OAuth::Provider do
+RSpec.describe Gitlab::Auth::OAuth::Provider do
 describe '.enabled?' do
 before do
 allow(described_class).to receive(:providers).and_return([:ldapmain, :google_oauth2])
diff --git a/spec/lib/gitlab/auth/o_auth/user_spec.rb b/spec/lib/gitlab/auth/o_auth/user_spec.rb
index 62b83ff8b88..ad04fddc675 100644
--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::OAuth::User do
+RSpec.describe Gitlab::Auth::OAuth::User do
 include LdapHelpers
 let(:oauth_user) { described_class.new(auth_hash) }
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 87c96803c3a..32d64519e2c 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::RequestAuthenticator do
+RSpec.describe Gitlab::Auth::RequestAuthenticator do
 let(:env) do
 {
 'rack.input' => '',
diff --git a/spec/lib/gitlab/auth/saml/auth_hash_spec.rb b/spec/lib/gitlab/auth/saml/auth_hash_spec.rb
index 8b88c16f317..f1fad946f35 100644
--- a/spec/lib/gitlab/auth/saml/auth_hash_spec.rb
+++ b/spec/lib/gitlab/auth/saml/auth_hash_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Saml::AuthHash do
+RSpec.describe Gitlab::Auth::Saml::AuthHash do
 include LoginHelpers
 let(:raw_info_attr) { { 'groups' => %w(Developers Freelancers) } }
diff --git a/spec/lib/gitlab/auth/saml/identity_linker_spec.rb b/spec/lib/gitlab/auth/saml/identity_linker_spec.rb
index 7912c8fb4b1..743163ad315 100644
--- a/spec/lib/gitlab/auth/saml/identity_linker_spec.rb
+++ b/spec/lib/gitlab/auth/saml/identity_linker_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Saml::IdentityLinker do
+RSpec.describe Gitlab::Auth::Saml::IdentityLinker do
 let(:user) { create(:user) }
 let(:provider) { 'saml' }
 let(:uid) { user.email }
diff --git a/spec/lib/gitlab/auth/saml/origin_validator_spec.rb b/spec/lib/gitlab/auth/saml/origin_validator_spec.rb
index ae120b328ab..f13140cdcba 100644
--- a/spec/lib/gitlab/auth/saml/origin_validator_spec.rb
+++ b/spec/lib/gitlab/auth/saml/origin_validator_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Saml::OriginValidator do
+RSpec.describe Gitlab::Auth::Saml::OriginValidator do
 let(:session) { instance_double(ActionDispatch::Request::Session) }
 subject { described_class.new(session) }
diff --git a/spec/lib/gitlab/auth/saml/user_spec.rb b/spec/lib/gitlab/auth/saml/user_spec.rb
index 55d2f22b923..7f8346f0486 100644
--- a/spec/lib/gitlab/auth/saml/user_spec.rb
+++ b/spec/lib/gitlab/auth/saml/user_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::Saml::User do
+RSpec.describe Gitlab::Auth::Saml::User do
 include LdapHelpers
 include LoginHelpers
diff --git a/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb b/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
index ebf7de9c701..a08055ab852 100644
--- a/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
+++ b/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::UniqueIpsLimiter, :clean_gitlab_redis_shared_state do
+RSpec.describe Gitlab::Auth::UniqueIpsLimiter, :clean_gitlab_redis_shared_state do
 include_context 'unique ips sign in limit'
 let(:user) { create(:user) }
diff --git a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
index 7045105a2c7..a2a0eb5428a 100644
--- a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
+++ b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe Gitlab::Auth::UserAccessDeniedReason do
+RSpec.describe Gitlab::Auth::UserAccessDeniedReason do
 include TermsHelper
 let(:user) { build(:user) }
--
cgit v1.2.3