From b1bbcf85684cee176ed5bb7eb43dd487a75f18fa Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Tue, 3 Aug 2021 12:00:08 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
---
 .../admin/impersonation_tokens_controller_spec.rb | 38 ++++++++++++++++++++++
 spec/requests/git_http_spec.rb | 26 +++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 spec/requests/admin/impersonation_tokens_controller_spec.rb
(limited to 'spec/requests')
diff --git a/spec/requests/admin/impersonation_tokens_controller_spec.rb b/spec/requests/admin/impersonation_tokens_controller_spec.rb
new file mode 100644
index 00000000000..018f497e7e5
--- /dev/null
+++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Admin::ImpersonationTokensController, :enable_admin_mode do
+ let(:admin) { create(:admin) }
+ let!(:user) { create(:user) }
+
+ before do
+ sign_in(admin)
+ end
+
+ context "when impersonation is disabled" do
+ before do
+ stub_config_setting(impersonation_enabled: false)
+ end
+
+ it "shows error page for index page" do
+ get admin_user_impersonation_tokens_path(user_id: user.username)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it "responds with 404 for create action" do
+ post admin_user_impersonation_tokens_path(user_id: user.username)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it "responds with 404 for revoke action" do
+ token = create(:personal_access_token, :impersonation, user: user)
+
+ put revoke_admin_user_impersonation_token_path(user_id: user.username, id: token.id)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+end
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 3fb683ea0fa..34f8a479719 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
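Review bot: The new spec pins only the disabled path, so a regression that returned 404 for these admin routes regardless of the `impersonation_enabled` setting would still pass; a sibling `context "when impersonation is enabled"` asserting that `get admin_user_impersonation_tokens_path(user_id: user.username)` answers `:ok` would make the guard bidirectional. The first example's description also breaks the pattern of the other two — `it "responds with 404 for index action" do` reads consistently with them. Nothing records why a 404 rather than a 403 is the expected answer (presumably so the endpoints are unreachable, not merely forbidden, while the feature is off); a one-line comment on the context, such as `# Impersonation endpoints must be unreachable, not just forbidden, when the feature is switched off`, would capture that intent for the next reader.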
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
 end
 end
 end
+
+ context 'when token is impersonated' do
+ context 'when impersonation is off' do
+ before do
+ stub_config_setting(impersonation_enabled: false)
+ end
+
+ it 'responds to uploads with status 401 unauthorized' do
+ write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository])
+
+ upload(path, user: user.username, password: write_access_token.token) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ context 'when impersonation is on' do
+ it 'responds to uploads with status 200' do
+ write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository])
+
+ upload(path, user: user.username, password: write_access_token.token) do |response|
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
 end
 end
-- cgit v1.2.3
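Review bot: Only the write path is exercised here — both examples drive `upload`, so a change that rejected disabled impersonation tokens on push but still honoured them on fetch would pass this spec; a matching example in the 'when impersonation is off' context using the spec's `download` helper (if it is the read-side counterpart of `upload` in this file) and expecting `:unauthorized` would close that gap. The 'when impersonation is on' context relies on the test environment's default config rather than stating it; a `before { stub_config_setting(impersonation_enabled: true) }` would make the positive control explicit and independent of defaults. The two `write_access_token` definitions are identical and could be lifted into a single `let(:write_access_token)` on the outer `context 'when token is impersonated'`. The enclosing describe blocks start and end outside the hunk.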