Convert AccessTokenValidationService into a class.

- Previously, AccessTokenValidationService was a module, and all its public methods accepted a token. It makes sense to convert it to a class which accepts a token during initialization. - Also rename the `sufficient_scope?` method to `include_any_scope?` - Based on feedback from @rymai

Convert AccessTokenValidationService into a class.
- Previously, AccessTokenValidationService was a module, and all its public methods accepted a token. It makes sense to convert it to a class which accepts a token during initialization. - Also rename the `sufficient_scope?` method to `include_any_scope?` - Based on feedback from @rymai
b303948f · Timothy Andrew · f706a973 · b303948f · b303948f · b303948f
Commit b303948f authored Dec 05, 2016 by Timothy Andrew
4 changed files
--- a/app/services/access_token_validation_service.rb
+++ b/app/services/access_token_validation_service.rb
-module AccessTokenValidationService
+AccessTokenValidationService = Struct.new(:token) do
  # Results:
  VALID = :valid
  EXPIRED = :expired
  REVOKED = :revoked
  INSUFFICIENT_SCOPE = :insufficient_scope
-  class << self
+  def validate(scopes: [])
-    def validate(token, scopes: [])
+    if token.expired?
-      if token.expired?
+      return EXPIRED
-        return EXPIRED
-      elsif token.revoked?
+    elsif token.revoked?
-        return REVOKED
+      return REVOKED
-      elsif !self.sufficient_scope?(token, scopes)
+    elsif !self.include_any_scope?(scopes)
-        return INSUFFICIENT_SCOPE
+      return INSUFFICIENT_SCOPE
-      else
+    else
-        return VALID
+      return VALID
-      end
    end
+  end
-    # True if the token's scope contains any of the required scopes.
+  # True if the token's scope contains any of the passed scopes.
-    def sufficient_scope?(token, required_scopes)
+  def include_any_scope?(scopes)
-      if required_scopes.blank?
+    if scopes.blank?
-        true
+      true
-      else
+    else
-        # Check whether the token is allowed access to any of the required scopes.
+      # Check whether the token is allowed access to any of the required scopes.
-        Set.new(required_scopes).intersection(Set.new(token.scopes)).present?
+      Set.new(scopes).intersection(Set.new(token.scopes)).present?
-      end
    end
  end
 end
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -47,7 +47,7 @@ module API
        access_token = find_access_token
        return nil unless access_token
-        case AccessTokenValidationService.validate(access_token, scopes: scopes)
+        case AccessTokenValidationService.new(access_token).validate(scopes: scopes)
        when AccessTokenValidationService::INSUFFICIENT_SCOPE
          raise InsufficientScopeError.new(scopes)
@@ -96,7 +96,7 @@ module API
        access_token = PersonalAccessToken.active.find_by_token(token_string)
        return unless access_token
-        if AccessTokenValidationService.sufficient_scope?(access_token, scopes)
+        if AccessTokenValidationService.new(access_token).include_any_scope?(scopes)
          User.find(access_token.user_id)
        end
      end

--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -119,7 +119,7 @@ module Gitlab
      end
      def token_has_scope?(token)
-        AccessTokenValidationService.sufficient_scope?(token, ['api'])
+        AccessTokenValidationService.new(token).include_any_scope?(['api'])
      end
      def lfs_token_check(login, password)

--- a/spec/services/access_token_validation_service_spec.rb
+++ b/spec/services/access_token_validation_service_spec.rb
 require 'spec_helper'
 describe AccessTokenValidationService, services: true do
-  describe ".sufficient_scope?" do
+  describe ".include_any_scope?" do
    it "returns true if the required scope is present in the token's scopes" do
      token = double("token", scopes: [:api, :read_user])
-      expect(described_class.sufficient_scope?(token, [:api])).to be(true)
+      expect(described_class.new(token).include_any_scope?([:api])).to be(true)
    end
    it "returns true if more than one of the required scopes is present in the token's scopes" do
      token = double("token", scopes: [:api, :read_user, :other_scope])
-      expect(described_class.sufficient_scope?(token, [:api, :other_scope])).to be(true)
+      expect(described_class.new(token).include_any_scope?([:api, :other_scope])).to be(true)
    end
    it "returns true if the list of required scopes is an exact match for the token's scopes" do
      token = double("token", scopes: [:api, :read_user, :other_scope])
-      expect(described_class.sufficient_scope?(token, [:api, :read_user, :other_scope])).to be(true)
+      expect(described_class.new(token).include_any_scope?([:api, :read_user, :other_scope])).to be(true)
    end
    it "returns true if the list of required scopes contains all of the token's scopes, in addition to others" do
      token = double("token", scopes: [:api, :read_user])
-      expect(described_class.sufficient_scope?(token, [:api, :read_user, :other_scope])).to be(true)
+      expect(described_class.new(token).include_any_scope?([:api, :read_user, :other_scope])).to be(true)
    end
    it 'returns true if the list of required scopes is blank' do
      token = double("token", scopes: [])
-      expect(described_class.sufficient_scope?(token, [])).to be(true)
+      expect(described_class.new(token).include_any_scope?([])).to be(true)
    end
    it "returns false if there are no scopes in common between the required scopes and the token scopes" do
      token = double("token", scopes: [:api, :read_user])
-      expect(described_class.sufficient_scope?(token, [:other_scope])).to be(false)
+      expect(described_class.new(token).include_any_scope?([:other_scope])).to be(false)
    end
  end
 end