Add & fix specs for OAuth ROPS grant client auth

doc/api/oauth2.md

@@ -173,8 +173,8 @@ the following parameters:
 }
 ```
 
-Also you must use Basic authorization using `client_id` and `client_secret` values
-to authenticate the client that performs a request.
+Also you must use HTTP Basic authentication using the `client_id` and`client_secret`
+values to authenticate the client that performs a request.
 
 Example cURL request:
 

spec/requests/api/oauth_tokens_spec.rb

@@ -4,15 +4,32 @@ require 'spec_helper'
 
 describe 'OAuth tokens' do
   context 'Resource Owner Password Credentials' do
-    def request_oauth_token(user)
-      post '/oauth/token', params: { username: user.username, password: user.password, grant_type: 'password' }
+    def basic_auth_header(username, password)
+      {
+        'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(
+          username,
+          password
+        )
+      }
     end
 
+    def client_basic_auth_header(client)
+      basic_auth_header(client.uid, client.secret)
+    end
+
+    def request_oauth_token(user, headers = {})
+      post '/oauth/token',
+         params: { username: user.username, password: user.password, grant_type: 'password' },
+         headers: headers
+    end
+
+    let(:client) { create(:oauth_application) }
+
     context 'when user has 2FA enabled' do
       it 'does not create an access token' do
         user = create(:user, :two_factor)
 
-        request_oauth_token(user)
+        request_oauth_token(user, client_basic_auth_header(client))
 
         expect(response).to have_gitlab_http_status(:unauthorized)
         expect(json_response['error']).to eq('invalid_grant')
@@ -20,13 +37,41 @@ describe 'OAuth tokens' do
     end
 
     context 'when user does not have 2FA enabled' do
-      it 'creates an access token' do
-        user = create(:user)
+      # NOTE: using ROPS grant flow without client credentials will be deprecated
+      # and removed in the next version of Doorkeeper.
+      context 'when no client credentials provided' do
+        it 'creates an access token' do
+          user = create(:user)
+
+          request_oauth_token(user)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(json_response['access_token']).not_to be_nil
+        end
+      end
+
+      context 'when client credentials provided' do
+        context "with valid credentials" do
+          it 'creates an access token' do
+            user = create(:user)
+
+            request_oauth_token(user, client_basic_auth_header(client))
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response['access_token']).not_to be_nil
+          end
+        end
+
+        context "with invalid credentials" do
+          it 'does not create an access token' do
+            user = create(:user)
 
-        request_oauth_token(user)
+            request_oauth_token(user, basic_auth_header(client.uid, 'invalid secret'))
 
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(json_response['access_token']).not_to be_nil
+            expect(response).to have_gitlab_http_status(:unauthorized)
+            expect(json_response['error']).to eq('invalid_client')
+          end
+        end
       end
     end
 
@@ -40,7 +85,7 @@ describe 'OAuth tokens' do
       before do
         user.block
 
-        request_oauth_token(user)
+        request_oauth_token(user, client_basic_auth_header(client))
       end
 
       include_examples 'does not create an access token'
@@ -50,7 +95,7 @@ describe 'OAuth tokens' do
       before do
         user.ldap_block
 
-        request_oauth_token(user)
+        request_oauth_token(user, client_basic_auth_header(client))
       end
 
       include_examples 'does not create an access token'
@@ -60,7 +105,7 @@ describe 'OAuth tokens' do
       before do
         user.update!(confirmed_at: nil)
 
-        request_oauth_token(user)
+        request_oauth_token(user, client_basic_auth_header(client))
       end
 
       include_examples 'does not create an access token'