File: connection_spec.rb

# frozen_string_literal: true

require 'spec_helper'

# Authentication of ActionCable (WebSocket) connections.
#
# Three credential sources are exercised: the Rails session cookie (the Warden
# key carrying the user id plus the password-derived `authenticatable_salt`),
# a personal access token in an `Authorization: Bearer` header, and an OAuth
# access token in the same header. Every negative path must leave
# `current_user` nil; unusable tokens must additionally reject the handshake
# and record the failure reason in `Gitlab::ApplicationContext`.
#
# NOTE(review): nothing here covers a token whose scopes omit `api`/`read_api`,
# a token owned by a blocked or deactivated user, or an expired/revoked OAuth
# token — confirm that coverage exists elsewhere before relying on this spec.
RSpec.describe ApplicationCable::Connection, :clean_gitlab_redis_sessions do
  include SessionHelpers

  let(:mount_path) { ActionCable.server.config.mount_path }

  # Every credential-less or invalid-session path ends with no user attached.
  shared_examples 'an anonymous connection' do
    it 'sets current_user to nil' do
      connect

      expect(connection.current_user).to be_nil
    end
  end

  context 'when session cookie is set' do
    before do
      stub_session(session_data: session_hash)
    end

    context 'when user is logged in' do
      let(:user) { create(:user) }
      # Warden stores `[[id], authenticatable_salt]`; the salt is derived from the
      # password hash, so a password change must invalidate existing sessions.
      let(:session_hash) { { 'warden.user.user.key' => [[user.id], user.authenticatable_salt] } }

      it 'sets current_user' do
        connect

        expect(connection.current_user).to eq(user)
      end

      context 'with a stale password' do
        # A salt from a different password must not resolve to the user even
        # though the id stored in the session is valid.
        let(:partial_password_hash) { build(:user, password: User.random_password).authenticatable_salt }
        let(:session_hash) { { 'warden.user.user.key' => [[user.id], partial_password_hash] } }

        it_behaves_like 'an anonymous connection'
      end
    end

    context 'when user is not logged in' do
      let(:session_hash) { {} }

      it_behaves_like 'an anonymous connection'
    end
  end

  context 'when bearer header is provided' do
    context 'when it is a personal_access_token' do
      let(:user_pat) { create(:personal_access_token) }
      let(:app_context) { Gitlab::ApplicationContext.current }
      let_it_be(:expired_token) { create(:personal_access_token, :expired, scopes: %w[read_api]) }
      let_it_be(:revoked_token) { create(:personal_access_token, :revoked, scopes: %w[read_api]) }

      # An unusable PAT must refuse the handshake and leave an audit trail
      # (reason + token identifier) in the application context for auth logging.
      shared_examples 'a rejected personal access token' do |fail_reason|
        it 'sets the current_user as `nil`, and rejects the connection' do
          expect { connect(mount_path, headers: { Authorization: "Bearer #{user_pat.token}" }) }
            .to have_rejected_connection

          expect(connection.current_user).to be_nil
          expect(app_context['meta.auth_fail_reason']).to eq(fail_reason)
          expect(app_context['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{user_pat.id}")
        end
      end

      it 'finds user by PAT' do
        connect(mount_path, headers: { Authorization: "Bearer #{user_pat.token}" })

        expect(connection.current_user).to eq(user_pat.user)
      end

      context 'when an expired personal_access_token' do
        let_it_be(:user_pat) { expired_token }

        it_behaves_like 'a rejected personal access token', 'token_expired'
      end

      context 'when a revoked personal_access_token' do
        let_it_be(:user_pat) { revoked_token }

        it_behaves_like 'a rejected personal access token', 'token_revoked'
      end
    end

    context 'when it is an OAuth access token' do
      context 'when it is a valid OAuth access token' do
        let(:user) { create(:user) }

        let(:application) do
          Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)
        end

        # Only the `api` scope is exercised on the positive path; a token with
        # narrower scopes is not covered by this spec.
        let(:oauth_token) do
          create(:oauth_access_token, application_id: application.id, resource_owner_id: user.id, scopes: "api")
        end

        it 'finds user by OAuth access token' do
          connect(mount_path, headers: { 'Authorization' => "Bearer #{oauth_token.plaintext_token}" })

          expect(connection.current_user).to eq(oauth_token.user)
        end
      end

      # NOTE(review): this is effectively "any unknown bearer string" — nothing
      # ties `invalid_token` to OAuth, and no expired or revoked OAuth token is
      # exercised anywhere in this file.
      context 'when it is an invalid OAuth access token' do
        it 'sets the current_user as `nil`, and rejects the connection' do
          expect { connect(mount_path, headers: { 'Authorization' => "Bearer invalid_token" }) }
            .to have_rejected_connection

          expect(connection.current_user).to be_nil
        end
      end
    end
  end

  context 'when session cookie is not set' do
    it_behaves_like 'an anonymous connection'
  end

  # An empty cookie value must be treated like a missing cookie.
  context 'when session cookie is an empty string' do
    before do
      cookies[Gitlab::Application.config.session_options[:key]] = ''
    end

    it_behaves_like 'an anonymous connection'
  end
end