Merge branch...

Merge branch '290987-follow-up-from-draft-audit-event-logs-for-project-access-token-create-and-revoke-services' into 'master' Iterate on personal access token audit log specs See merge request gitlab-org/gitlab!49189

Merge branch...
Merge branch '290987-follow-up-from-draft-audit-event-logs-for-project-access-token-create-and-revoke-services' into 'master' Iterate on personal access token audit log specs See merge request gitlab-org/gitlab!49189
53dab498 · Mark Chao · b3fe7a2c · c657bad7 · 53dab498
Commit 53dab498 authored Dec 08, 2020 by Mark Chao
Show whitespace changes
Inline Side-by-side

Showing with 42 additions and 10 deletions

ee/spec/services/personal_access_tokens/create_service_audit_log_spec.rb ...s/personal_access_tokens/create_service_audit_log_spec.rb +42 -10

No files found.
--- a/ee/spec/services/personal_access_tokens/create_service_audit_log_spec.rb
+++ b/ee/spec/services/personal_access_tokens/create_service_audit_log_spec.rb
@@ -4,19 +4,51 @@ require 'spec_helper'

 RSpec.describe PersonalAccessTokens::CreateService do
  describe '#execute' do
-    subject { service.execute }
+    let_it_be(:user) { create(:user) }
+    let(:params) { { name: 'admin-token', impersonation: true, scopes: [:api], expires_at: Date.today + 1.month } }

-    let(:user) { create(:user) }
-    let(:params) { { name: 'Test token', impersonation: true, scopes: [:api], expires_at: Date.today + 1.month } }
-    let(:service) { described_class.new(current_user: user, target_user: user, params: params) }
+    context 'when non-admin user' do
+      context 'when user creates their own token' do
+        it 'creates audit logs with success message' do
+          expect_to_log(user, user, /Created personal access token with id \d+/)

-    it 'creates audit logs' do
-      expect(::AuditEventService)
-        .to receive(:new)
-        .with(user, user, action: :custom, custom_message: /Created personal access token with id \d+/, ip_address: nil)
-        .and_call_original
+          described_class.new(current_user: user, target_user: user, params: params).execute
+        end
+      end
+
+      context 'when user attempts to create a token for a different user' do
+        let(:other_user) { create(:user) }
+
+        it 'creates audit logs with failure message' do
+          expect_to_log(user, other_user, 'Attempted to create personal access token but failed with message: Not permitted to create')

-      subject
+          described_class.new(current_user: user, target_user: other_user, params: params).execute
        end
      end
+    end
+
+    context 'when admin' do
+      let(:admin) { create(:user, :admin) }
+
+      it 'with admin mode enabled', :enable_admin_mode do
+        expect_to_log(admin, user, /Created personal access token with id \d+/)
+
+        described_class.new(current_user: admin, target_user: user, params: params).execute
+      end
+
+      context 'with admin mode disabled' do
+        it 'creates audit logs with failure message' do
+          expect_to_log(admin, user, 'Attempted to create personal access token but failed with message: Not permitted to create')
+
+          described_class.new(current_user: admin, target_user: user, params: params).execute
+        end
+      end
+    end
+  end
+
+  def expect_to_log(current_user, target_user, message)
+    expect(::AuditEventService).to receive(:new)
+      .with(current_user, target_user, action: :custom, custom_message: message, ip_address: nil)
+      .and_call_original
+  end
 end