# frozen_string_literal: true

# Shared examples for request specs that exercise sessionless (token-based)
# authentication against a GET endpoint, covering three ways of presenting a
# credential: the `private_token` query param, the `PRIVATE-TOKEN` header and
# the `feed_token` query param. Pulled in from a request spec with
# `it_behaves_like 'authenticates sessionless user for the request spec', ...`.
#
# @param name [String] description of the outer +describe+ group
# @param public_resource [Boolean] when truthy only the 'when resource is public'
#   contexts run (an invalid/expired credential still yields :ok, just without a
#   current user); when falsy only the 'when resource is private' contexts run
#   (an invalid/expired credential must NOT yield :ok)
# @param ignore_metrics [Boolean] when true, the failure example does not expect
#   :user_unauthenticated_counter to increment (see the comment in that example)
# @param params [Hash] extra query params merged into every request
#
# The including spec must define +url+ (the GET target); it is referenced by
# every +subject+ below but is not defined here.
RSpec.shared_examples 'authenticates sessionless user for the request spec' do |name, public_resource:, ignore_metrics: false, params: {}|
  before do
    # NOTE(review): presumably installs the `authentication_metrics` double
    # observed by the `increment(...)` matchers below — project helper, confirm.
    stub_authentication_activity_metrics(debug: false)
  end

  # Default fixtures; nested contexts override :user (e.g. with an expired
  # password) and the token is derived from whichever user is in effect.
  let_it_be(:user) { create(:user) }
  let(:personal_access_token) { create(:personal_access_token, user: user) }

  # Success path: the credential identifies `user`, the request is served with
  # :ok, and all three sessionless-auth counters are incremented.
  shared_examples 'authenticates user and returns response with ok status' do
    it 'authenticates user and returns response with ok status' do
      expect(authentication_metrics)
        .to increment(:user_authenticated_counter)
        .and increment(:user_session_override_counter)
        .and increment(:user_sessionless_authentication_counter)

      subject

      expect(controller.current_user).to eq(user)
      expect(response).to have_gitlab_http_status(:ok)
    end
  end

  # Public-resource path: a rejected credential must not be silently upgraded
  # into an authenticated session; the page is still served anonymously.
  shared_examples 'does not authenticate user and returns response with ok status' do
    it 'does not authenticate user and returns response with ok status' do
      subject

      expect(controller.current_user).to be_nil
      expect(response).to have_gitlab_http_status(:ok)
    end
  end

  # Private-resource path: a rejected credential must not reach the resource.
  # Only the negation of :ok is asserted, because the exact failure status
  # (e.g. 401 vs 404) depends on how the including spec's route responds.
  shared_examples 'does not return response with ok status' do
    it 'does not return response with ok status' do
      # Several instances of where these specs are shared route the request
      #   through ApplicationController#route_not_found which does not involve
      #   the usual auth code from Devise, so does not increment the
      #   :user_unauthenticated_counter
      unless ignore_metrics
        expect(authentication_metrics)
          .to increment(:user_unauthenticated_counter)
      end

      subject

      expect(response).not_to have_gitlab_http_status(:ok)
    end
  end

  # Valid-credential matrix. Beyond the plain success case it pins the
  # password-expiry policy: a user whose password expired is refused on a
  # private resource (and only served anonymously on a public one), while an
  # LDAP-provider user with an expired password still authenticates.
  shared_examples 'using valid token' do
    context 'when resource is private', unless: public_resource do
      include_examples 'authenticates user and returns response with ok status'

      context 'when user with expired password' do
        let_it_be(:user) { create(:user, password_expires_at: 2.minutes.ago) }

        include_examples 'does not return response with ok status'
      end

      context 'when password expiration is not applicable' do
        context 'when ldap user' do
          let_it_be(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

          include_examples 'authenticates user and returns response with ok status'
        end
      end
    end

    context 'when resource is public', if: public_resource do
      include_examples 'authenticates user and returns response with ok status'

      context 'when user with expired password' do
        let_it_be(:user) { create(:user, password_expires_at: 2.minutes.ago) }

        include_examples 'does not authenticate user and returns response with ok status'
      end
    end
  end

  # Invalid-credential matrix: never authenticates; outcome depends only on
  # whether the resource is public.
  shared_examples 'using invalid token' do
    context 'when resource is private', unless: public_resource do
      include_examples 'does not return response with ok status'
    end

    context 'when resource is public', if: public_resource do
      include_examples 'does not authenticate user and returns response with ok status'
    end
  end

  # Scope enforcement: a PAT that is otherwise valid but lacks the `api`
  # scope (here narrowed to :read_user) must be treated like no credential.
  # Only included for the PAT delivery mechanisms, not for feed tokens.
  shared_examples 'personal access token has no api scope' do
    context 'when the personal access token has no api scope' do
      before do
        personal_access_token.update!(scopes: [:read_user])
      end

      context 'when resource is private', unless: public_resource do
        include_examples 'does not return response with ok status'
      end

      context 'when resource is public', if: public_resource do
        include_examples 'does not authenticate user and returns response with ok status'
      end
    end
  end

  describe name do
    # Credential in the query string.
    context "when the 'private_token' param is populated with the personal access token" do
      context 'when valid token' do
        subject { get url, params: params.merge(private_token: personal_access_token.token) }

        include_examples 'using valid token'

        include_examples 'personal access token has no api scope'
      end

      context 'when invalid token' do
        subject { get url, params: params.merge(private_token: 'invalid token') }

        include_examples 'using invalid token'
      end
    end

    # Credential in a request header.
    context "when the 'PRIVATE-TOKEN' header is populated with the personal access token" do
      context 'when valid token' do
        subject do
          headers = { 'PRIVATE-TOKEN': personal_access_token.token }
          get url, params: params, headers: headers
        end

        include_examples 'using valid token'

        include_examples 'personal access token has no api scope'
      end

      context 'when invalid token' do
        subject do
          headers = { 'PRIVATE-TOKEN': 'invalid token' }
          get url, params: params, headers: headers
        end

        include_examples 'using invalid token'
      end
    end

    # Feed token in the query string; feed tokens carry no scopes, so the
    # scope examples are not included here.
    context "when the 'feed_token' param is populated with the feed token" do
      context 'when valid token' do
        subject { get url, params: params.merge(feed_token: user.feed_token) }

        include_examples 'using valid token'
      end

      context 'when invalid token' do
        subject { get url, params: params.merge(feed_token: 'invalid token') }

        include_examples 'using invalid token'
      end
    end
  end
end