Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
0ff1d161
Commit
0ff1d161
authored
Jun 20, 2017
by
Timothy Andrew
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Test OAuth token scope verification in the `API::Users` endpoint
parent
d774825f
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
71 additions
and
14 deletions
+71
-14
spec/requests/api/helpers_spec.rb
spec/requests/api/helpers_spec.rb
+3
-1
spec/support/api/scopes/read_user_shared_examples.rb
spec/support/api/scopes/read_user_shared_examples.rb
+57
-10
spec/support/api_helpers.rb
spec/support/api_helpers.rb
+11
-3
No files found.
spec/requests/api/helpers_spec.rb
View file @
0ff1d161
...
...
@@ -14,7 +14,9 @@ describe API::Helpers do
let
(
:request
)
{
Rack
::
Request
.
new
(
env
)
}
let
(
:header
)
{
}
before
{
allow_any_instance_of
(
self
.
class
).
to
receive
(
:options
).
and_return
({})
}
before
do
allow_any_instance_of
(
self
.
class
).
to
receive
(
:options
).
and_return
({})
end
def
set_env
(
user_or_token
,
identifier
)
clear_env
...
...
spec/support/api/scopes/read_user_shared_examples.rb
View file @
0ff1d161
shared_examples_for
'allows the "read_user" scope'
do
describe
'when the requesting token has the "read_user" scope'
do
context
'for personal access tokens'
do
context
'when the requesting token has the "api" scope'
do
let
(
:token
)
{
create
(
:personal_access_token
,
scopes:
[
'api'
],
user:
user
)
}
it
'returns a "200" response'
do
get
api_call
.
call
(
path
,
user
,
personal_access_token:
token
)
expect
(
response
).
to
have_http_status
(
200
)
end
end
context
'when the requesting token has the "read_user" scope'
do
let
(
:token
)
{
create
(
:personal_access_token
,
scopes:
[
'read_user'
],
user:
user
)
}
it
'returns a "200" response'
do
...
...
@@ -9,7 +20,7 @@ shared_examples_for 'allows the "read_user" scope' do
end
end
describe
'when the requesting token does not have any required scope'
do
context
'when the requesting token does not have any required scope'
do
let
(
:token
)
{
create
(
:personal_access_token
,
scopes:
[
'read_registry'
],
user:
user
)
}
it
'returns a "401" response'
do
...
...
@@ -18,6 +29,42 @@ shared_examples_for 'allows the "read_user" scope' do
expect
(
response
).
to
have_http_status
(
401
)
end
end
end
context
'for doorkeeper (OAuth) tokens'
do
let!
(
:user
)
{
create
(
:user
)}
let!
(
:application
)
{
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
}
context
'when the requesting token has the "api" scope'
do
let!
(
:token
)
{
Doorkeeper
::
AccessToken
.
create!
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"api"
}
it
'returns a "200" response'
do
get
api_call
.
call
(
path
,
user
,
oauth_access_token:
token
)
expect
(
response
).
to
have_http_status
(
200
)
end
end
context
'when the requesting token has the "read_user" scope'
do
let!
(
:token
)
{
Doorkeeper
::
AccessToken
.
create!
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"read_user"
}
it
'returns a "200" response'
do
get
api_call
.
call
(
path
,
user
,
oauth_access_token:
token
)
expect
(
response
).
to
have_http_status
(
200
)
end
end
context
'when the requesting token does not have any required scope'
do
let!
(
:token
)
{
Doorkeeper
::
AccessToken
.
create!
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"invalid"
}
it
'returns a "403" response'
do
get
api_call
.
call
(
path
,
user
,
oauth_access_token:
token
)
expect
(
response
).
to
have_http_status
(
403
)
end
end
end
end
shared_examples_for
'does not allow the "read_user" scope'
do
...
...
spec/support/api_helpers.rb
View file @
0ff1d161
...
...
@@ -17,7 +17,7 @@ module ApiHelpers
# => "/api/v2/issues?foo=bar&private_token=..."
#
# Returns the relative path to the requested API resource
def
api
(
path
,
user
=
nil
,
version:
API
::
API
.
version
,
personal_access_token:
nil
)
def
api
(
path
,
user
=
nil
,
version:
API
::
API
.
version
,
personal_access_token:
nil
,
oauth_access_token:
nil
)
"/api/
#{
version
}#{
path
}
"
+
# Normalize query string
...
...
@@ -25,6 +25,8 @@ module ApiHelpers
if
personal_access_token
.
present?
"&private_token=
#{
personal_access_token
.
token
}
"
elsif
oauth_access_token
.
present?
"&access_token=
#{
oauth_access_token
.
token
}
"
# Append private_token if given a User object
elsif
user
.
respond_to?
(
:private_token
)
"&private_token=
#{
user
.
private_token
}
"
...
...
@@ -34,8 +36,14 @@ module ApiHelpers
end
# Temporary helper method for simplifying V3 exclusive API specs
def
v3_api
(
path
,
user
=
nil
,
personal_access_token:
nil
)
api
(
path
,
user
,
version:
'v3'
,
personal_access_token:
personal_access_token
)
def
v3_api
(
path
,
user
=
nil
,
personal_access_token:
nil
,
oauth_access_token:
nil
)
api
(
path
,
user
,
version:
'v3'
,
personal_access_token:
personal_access_token
,
oauth_access_token:
oauth_access_token
)
end
def
ci_api
(
path
,
user
=
nil
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment