Commit
Dany Marcoux
committed
Apr 26, 2021
1 parent
e7f4d57
commit 8579cc1
Showing
3 changed files
with
93 additions
and
29 deletions.
97 changes: 81 additions & 16 deletions
src/api/spec/services/trigger_controller_service/token_extractor_spec.rb
@@ -1,29 +1,94 @@ | ||
require 'rails_helper' | ||
require 'ostruct' | ||
require 'ostruct' # for OpenStruct | ||
require 'stringio' # for StringIO | ||
|
||
RSpec.describe ::TriggerControllerService::TokenExtractor do | ||
let(:request) { OpenStruct.new(env: { 'HTTP_X_GITLAB_EVENT' => 'Push Hook', 'HTTP_X_GITLAB_TOKEN' => 'XY123456' }) } | ||
let(:token_extractor) { described_class.new(request) } | ||
describe '#call' do | ||
subject { described_class.new(request).call } | ||
|
||
describe '.new' do | ||
it { expect { token_extractor }.not_to raise_error } | ||
end | ||
let(:token) { create(:service_token) } | ||
let(:request_body) { 'Lorem Ipsum' } | ||
|
||
context 'without a token ID in the params and a token in HTTP headers' do | ||
let(:request) { OpenStruct.new(params: {}, body: StringIO.new(request_body), env: {}) } | ||
|
||
describe '#extract_auth_token' do | ||
it { expect(token_extractor.extract_auth_token).to eq('Token XY123456') } | ||
it 'returns nil' do | ||
expect(subject).to be_nil | ||
end | ||
end | ||
|
||
context 'with HTTP_AUTHORIZATION' do | ||
let(:request) { OpenStruct.new(env: { 'HTTP_AUTHORIZATION' => 'FOO1234' }) } | ||
context 'with the ID of a nonexistent token in the params' do | ||
let(:request) { OpenStruct.new(params: { id: -1 }, body: StringIO.new(request_body)) } | ||
|
||
it { expect(token_extractor.extract_auth_token).to eq('FOO1234') } | ||
it 'returns nil' do | ||
expect(subject).to be_nil | ||
end | ||
end | ||
end | ||
|
||
describe '#valid?' do | ||
before do | ||
token_extractor.extract_auth_token | ||
context 'with the ID of a token in the params and a valid signature in the HTTP headers' do | ||
let(:request) { OpenStruct.new(params: { id: token.id }, body: StringIO.new(request_body), env: {}) } | ||
|
||
it 'returns nil' do | ||
expect(subject).to be_nil | ||
end | ||
end | ||
|
||
it { expect(token_extractor).to be_valid } | ||
['HTTP_X_OBS_SIGNATURE', 'HTTP_X_HUB_SIGNATURE_256', 'HTTP_X-Pagure-Signature-256'].each do |http_header| | ||
context "with the ID of a token in the params and the HTTP header #{http_header} containing a signature of the request body" do | ||
let(:signature) { OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token.string, request_body) } | ||
let(:request) do | ||
OpenStruct.new(params: { id: token.id }, body: StringIO.new(request_body), | ||
env: { http_header => "sha256=#{signature}" }) | ||
end | ||
|
||
it 'returns the token' do | ||
expect(subject).to eq(token) | ||
end | ||
end | ||
end | ||
|
||
context 'with a wrong token in the HTTP header HTTP_X_GITLAB_TOKEN' do | ||
let(:request) do | ||
OpenStruct.new(params: {}, body: StringIO.new(request_body), | ||
env: { 'HTTP_X_GITLAB_TOKEN' => 'Québec' }) | ||
end | ||
|
||
it 'returns nil' do | ||
expect(subject).to be_nil | ||
end | ||
end | ||
|
||
context 'with a token in the HTTP header HTTP_X_GITLAB_TOKEN' do | ||
let(:request) do | ||
OpenStruct.new(params: {}, body: StringIO.new(request_body), | ||
env: { 'HTTP_X_GITLAB_TOKEN' => token.string }) | ||
end | ||
|
||
it 'returns the token' do | ||
expect(subject).to eq(token) | ||
end | ||
end | ||
|
||
context 'with an incorrectly formatted HTTP header HTTP_AUTHORIZATION' do | ||
let(:request) do | ||
OpenStruct.new(params: {}, body: StringIO.new(request_body), | ||
env: { 'HTTP_AUTHORIZATION' => token.string }) | ||
end | ||
|
||
it 'raises ActiveRecord::RecordNotFound' do | ||
expect { subject }.to raise_error(ActiveRecord::RecordNotFound, "Couldn't find Token") | ||
end | ||
end | ||
|
||
context 'with a token in the HTTP header HTTP_AUTHORIZATION' do | ||
let(:request) do | ||
OpenStruct.new(params: {}, body: StringIO.new(request_body), | ||
env: { 'HTTP_AUTHORIZATION' => "Basic #{token.string}" }) | ||
end | ||
|
||
it 'returns the token' do | ||
expect(subject).to eq(token) | ||
end | ||
end | ||
end | ||
end |
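Review bot: The signature contexts built from the header loop (the `['HTTP_X_OBS_SIGNATURE', 'HTTP_X_HUB_SIGNATURE_256', 'HTTP_X-Pagure-Signature-256'].each` block) only cover the accepted path, so a service that returned the token by `params[:id]` without actually verifying the HMAC over the body would still pass this spec; a mismatched-signature example (signature computed over a different body, or with another token's secret) is what pins the verification down. Related, the context titled `'with the ID of a token in the params and a valid signature in the HTTP headers'` passes `env: {}`, so it exercises the missing-signature case rather than a valid signature; rename it to `context 'with the ID of a token in the params and no signature in the HTTP headers' do`. The expected outcome in the example below assumes a failed verification yields `nil` like the other rejection cases in this spec; adjust if the service raises instead.
```ruby
      # … unchanged: existing signature-header contexts …

      context 'with the ID of a token in the params and a signature that does not match the request body' do
        let(:signature) { OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token.string, 'tampered body') }
        let(:request) do
          OpenStruct.new(params: { id: token.id }, body: StringIO.new(request_body),
                         env: { 'HTTP_X_OBS_SIGNATURE' => "sha256=#{signature}" })
        end

        it 'returns nil' do
          expect(subject).to be_nil
        end
      end
```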