spec/migrations/remove_scim_token_and_scim_identity_non_root_group_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

# frozen_string_literal: true

require 'spec_helper'
require_migration!

RSpec.describe RemoveScimTokenAndScimIdentityNonRootGroup, feature_category: :system_access do
  let(:namespaces) { table(:namespaces) }
  let(:scim_oauth_access_tokens) { table(:scim_oauth_access_tokens) }
  let(:scim_identities) { table(:scim_identities) }
  let(:users) { table(:users) }
  let(:root_group) do
    namespaces.create!(name: 'root_group', path: 'foo', parent_id: nil, type: 'Group')
  end

  let(:non_root_group) do
    namespaces.create!(name: 'non_root_group', path: 'non_root', parent_id: root_group.id, type: 'Group')
  end

  let(:root_group_user) do
    users.create!(name: 'Example User', email: 'user@example.com', projects_limit: 0)
  end

  let(:non_root_group_user) do
    users.create!(username: 'user2', email: 'user2@example.com', projects_limit: 10)
  end

  it 'removes scim_oauth_access_tokens that belong to non-root group and related scim_identities' do
    scim_oauth_access_token_root_group = scim_oauth_access_tokens.create!(
      group_id: root_group.id,
      token_encrypted: Gitlab::CryptoHelper.aes256_gcm_encrypt(SecureRandom.hex(50))
    )
    scim_oauth_access_token_non_root_group = scim_oauth_access_tokens.create!(
      group_id: non_root_group.id,
      token_encrypted: Gitlab::CryptoHelper.aes256_gcm_encrypt(SecureRandom.hex(50))
    )

    scim_identity_root_group = scim_identities.create!(
      group_id: root_group.id,
      extern_uid: "12345",
      user_id: root_group_user.id,
      active: true
    )

    scim_identity_non_root_group = scim_identities.create!(
      group_id: non_root_group.id,
      extern_uid: "12345",
      user_id: non_root_group_user.id,
      active: true
    )

    expect { migrate! }.to change { scim_oauth_access_tokens.count }.from(2).to(1)
    expect(scim_oauth_access_tokens.find_by_id(scim_oauth_access_token_non_root_group.id)).to be_nil
    expect(scim_identities.find_by_id(scim_identity_non_root_group.id)).to be_nil

    expect(scim_oauth_access_tokens.find_by_id(scim_oauth_access_token_root_group.id)).not_to be_nil
    expect(scim_identities.find_by_id(scim_identity_root_group.id)).not_to be_nil
  end
end