BigW Consortium Gitlab

user_spec.rb 12.1 KB
Newer Older
1 2
require 'spec_helper'

Douwe Maan committed
3
describe Gitlab::OAuth::User, lib: true do
4 5 6 7
  let(:oauth_user) { Gitlab::OAuth::User.new(auth_hash) }
  let(:gl_user) { oauth_user.gl_user }
  let(:uid) { 'my-uid' }
  let(:provider) { 'my-provider' }
8
  let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) }
9 10
  let(:info_hash) do
    {
11
      nickname: '-john+gitlab-ETC%.git@gmail.com',
12 13
      name: 'John',
      email: 'john@mail.com'
14
    }
15
  end
16
  let(:ldap_user) { Gitlab::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
17

18
  describe '#persisted?' do
19
    let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }
20 21

    it "finds an existing user based on uid and provider (facebook)" do
22
      expect( oauth_user.persisted? ).to be_truthy
23 24
    end

25
    it 'returns false if user is not found in database' do
26
      allow(auth_hash).to receive(:uid).and_return('non-existing')
27
      expect( oauth_user.persisted? ).to be_falsey
28 29 30
    end
  end

31
  describe '#save' do
32 33 34 35 36 37 38 39
    def stub_omniauth_config(messages)
      allow(Gitlab.config.omniauth).to receive_messages(messages)
    end

    def stub_ldap_config(messages)
      allow(Gitlab::LDAP::Config).to receive_messages(messages)
    end

40
    let(:provider) { 'twitter' }
41

42
    describe 'signup' do
43 44
      shared_examples 'to verify compliance with allow_single_sign_on' do
        context 'provider is marked as external' do
45
          it 'marks user as external' do
46 47 48 49 50 51 52 53
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['twitter'])
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user.external).to be_truthy
          end
        end

        context 'provider was external, now has been removed' do
54
          it 'does not mark external user as internal' do
55 56 57 58
            create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
            oauth_user.save
            expect(gl_user).to be_valid
59 60 61 62 63 64
            expect(gl_user.external).to be_truthy
          end
        end

        context 'provider is not external' do
          context 'when adding a new OAuth identity' do
65
            it 'does not promote an external user to internal' do
66 67 68 69 70 71 72
              user = create(:user, email: 'john@mail.com', external: true)
              user.identities.create(provider: provider, extern_uid: uid)

              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user.external).to be_truthy
            end
73 74 75 76
          end
        end

        context 'with new allow_single_sign_on enabled syntax' do
77
          before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
78

79 80
          it "creates a user from Omniauth" do
            oauth_user.save
81

82 83 84 85 86 87 88
            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

89 90 91 92 93 94 95 96 97 98 99 100 101
        context "with old allow_single_sign_on enabled syntax" do
          before { stub_omniauth_config(allow_single_sign_on: true) }

          it "creates a user from Omniauth" do
            oauth_user.save

            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

102
        context 'with new allow_single_sign_on disabled syntax' do
103
          before { stub_omniauth_config(allow_single_sign_on: []) }
104
          it 'throws an error' do
105 106
            expect{ oauth_user.save }.to raise_error StandardError
          end
107
        end
108

109
        context 'with old allow_single_sign_on disabled (Default)' do
110
          before { stub_omniauth_config(allow_single_sign_on: false) }
111
          it 'throws an error' do
112 113 114
            expect{ oauth_user.save }.to raise_error StandardError
          end
        end
115
      end
116

117
      context "with auto_link_ldap_user disabled (default)" do
118
        before { stub_omniauth_config(auto_link_ldap_user: false) }
119 120 121 122
        include_examples "to verify compliance with allow_single_sign_on"
      end

      context "with auto_link_ldap_user enabled" do
123 124
        before { stub_omniauth_config(auto_link_ldap_user: true) }

125
        context "and no LDAP provider defined" do
126 127
          before { stub_ldap_config(providers: []) }

128 129
          include_examples "to verify compliance with allow_single_sign_on"
        end
130

131
        context "and at least one LDAP provider is defined" do
132
          before { stub_ldap_config(providers: %w(ldapmain)) }
133 134 135

          context "and a corresponding LDAP person" do
            before do
136 137
              allow(ldap_user).to receive(:uid) { uid }
              allow(ldap_user).to receive(:username) { uid }
138
              allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
139
              allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
140
            end
141

142 143
            context "and no account for the LDAP user" do
              it "creates a user with dual LDAP and omniauth identities" do
144 145
                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)

146
                oauth_user.save
147

148 149 150 151 152 153 154 155 156 157 158
                expect(gl_user).to be_valid
                expect(gl_user.username).to eql uid
                expect(gl_user.email).to eql 'johndoe@example.com'
                expect(gl_user.identities.length).to eql 2
                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
                expect(identities_as_hash).to match_array(
                  [ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                    { provider: 'twitter', extern_uid: uid }
                  ])
              end
            end
159

160 161 162
            context "and LDAP user has an account already" do
              let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }
              it "adds the omniauth identity to the LDAP account" do
163 164
                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)

165
                oauth_user.save
166

167 168 169 170 171 172 173 174 175 176
                expect(gl_user).to be_valid
                expect(gl_user.username).to eql 'john'
                expect(gl_user.email).to eql 'john@example.com'
                expect(gl_user.identities.length).to eql 2
                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
                expect(identities_as_hash).to match_array(
                  [ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                    { provider: 'twitter', extern_uid: uid }
                  ])
              end
177
            end
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195

            context 'when an LDAP person is not found by uid' do
              it 'tries to find an LDAP person by DN and adds the omniauth identity to the user' do
                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil)
                allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)

                oauth_user.save

                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
                expect(identities_as_hash)
                  .to match_array(
                    [
                      { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                      { provider: 'twitter', extern_uid: uid }
                    ]
                  )
              end
            end
196
          end
197

198 199
          context "and no corresponding LDAP person" do
            before { allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil) }
200

201 202
            include_examples "to verify compliance with allow_single_sign_on"
          end
203
        end
204
      end
205
    end
206

207 208
    describe 'blocking' do
      let(:provider) { 'twitter' }
209
      before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
210

211
      context 'signup with omniauth only' do
212
        context 'dont block on create' do
213
          before { stub_omniauth_config(block_auto_created_users: false) }
214 215 216

          it do
            oauth_user.save
217 218
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
219 220 221 222
          end
        end

        context 'block on create' do
223
          before { stub_omniauth_config(block_auto_created_users: true) }
224 225 226

          it do
            oauth_user.save
227 228
            expect(gl_user).to be_valid
            expect(gl_user).to be_blocked
229 230 231 232
          end
        end
      end

233 234
      context 'signup with linked omniauth and LDAP account' do
        before do
235 236 237
          stub_omniauth_config(auto_link_ldap_user: true)
          allow(ldap_user).to receive(:uid) { uid }
          allow(ldap_user).to receive(:username) { uid }
238
          allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
239
          allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
240 241 242 243 244
          allow(oauth_user).to receive(:ldap_person).and_return(ldap_user)
        end

        context "and no account for the LDAP user" do
          context 'dont block on create (LDAP)' do
245
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
246 247 248 249 250 251 252 253 254

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          context 'block on create (LDAP)' do
255
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
256 257 258 259 260 261 262 263 264 265 266 267 268

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).to be_blocked
            end
          end
        end

        context 'and LDAP user has an account already' do
          let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }

          context 'dont block on create (LDAP)' do
269
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
270 271 272 273 274 275 276 277 278

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          context 'block on create (LDAP)' do
279
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
280 281 282 283 284 285 286 287 288 289

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end
        end
      end

290 291 292 293 294 295 296
      context 'sign-in' do
        before do
          oauth_user.save
          oauth_user.gl_user.activate
        end

        context 'dont block on create' do
297
          before { stub_omniauth_config(block_auto_created_users: false) }
298 299 300

          it do
            oauth_user.save
301 302
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
303 304 305 306
          end
        end

        context 'block on create' do
307
          before { stub_omniauth_config(block_auto_created_users: true) }
308 309 310

          it do
            oauth_user.save
311 312
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
313 314
          end
        end
315 316

        context 'dont block on create (LDAP)' do
317
          before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
318 319 320 321 322 323 324 325 326

          it do
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        context 'block on create (LDAP)' do
327
          before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
328 329 330 331 332 333 334

          it do
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end
335 336
      end
    end
337 338
  end
end