
user_spec.rb 11.2 KB
require 'spec_helper'

# Specs for Gitlab::OAuth::User: finding, creating and linking GitLab accounts
# from an OmniAuth auth hash. The '#save' group pins three access-control
# behaviours: the allow_single_sign_on sign-up gate, the external flag, and
# block_auto_created_users.
describe Gitlab::OAuth::User, lib: true do
  let(:uid) { 'my-uid' }
  let(:provider) { 'my-provider' }
  let(:info_hash) do
    {
      nickname: '-john+gitlab-ETC%.git@gmail.com',
      name: 'John',
      email: 'john@mail.com'
    }
  end
  let(:auth_hash) do
    OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash)
  end
  let(:oauth_user) { Gitlab::OAuth::User.new(auth_hash) }
  let(:gl_user) { oauth_user.gl_user }
  # An LDAP person backed by an empty entry; examples stub the attributes they need.
  let(:ldap_user) do
    Gitlab::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain')
  end

  describe '#persisted?' do
    let!(:existing_user) do
      create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider')
    end

    # NOTE(review): the description says "facebook", but the provider used
    # here is 'my-provider'.
    it 'finds an existing user based on uid and provider (facebook)' do
      expect(oauth_user.persisted?).to be_truthy
    end

    it 'returns false if user is not found in database' do
      allow(auth_hash).to receive(:uid).and_return('non-existing')

      expect(oauth_user.persisted?).to be_falsey
    end
  end

  describe '#save' do
    # Overrides the given settings on Gitlab.config.omniauth for one example.
    def stub_omniauth_config(messages)
      allow(Gitlab.config.omniauth).to receive_messages(messages)
    end

    # Overrides the given class-level settings on Gitlab::LDAP::Config.
    def stub_ldap_config(messages)
      allow(Gitlab::LDAP::Config).to receive_messages(messages)
    end

    # Gives the bare LDAP person the attributes the linking examples read.
    def stub_ldap_person_attributes
      allow(ldap_user).to receive(:uid) { uid }
      allow(ldap_user).to receive(:username) { uid }
      allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
      allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
    end

    let(:provider) { 'twitter' }

    describe 'signup' do
      # Shared contract for every configuration in which no LDAP account gets
      # linked: sign-up is allowed only when allow_single_sign_on permits it,
      # and the external flag is never cleared by a save.
      shared_examples 'to verify compliance with allow_single_sign_on' do
        context 'provider is marked as external' do
          it 'marks user as external' do
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['twitter'])

            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user.external).to be_truthy
          end
        end

        context 'provider was external, now has been removed' do
          # The account was created as external; dropping the provider from
          # external_providers must not turn it into an internal account.
          it 'does not mark external user as internal' do
            create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])

            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user.external).to be_truthy
          end
        end

        context 'provider is not external' do
          context 'when adding a new OAuth identity' do
            it 'does not promote an external user to internal' do
              user = create(:user, email: 'john@mail.com', external: true)
              user.identities.create(provider: provider, extern_uid: uid)

              oauth_user.save

              expect(gl_user).to be_valid
              expect(gl_user.external).to be_truthy
            end
          end
        end

        context 'with new allow_single_sign_on enabled syntax' do
          before do
            stub_omniauth_config(allow_single_sign_on: ['twitter'])
          end

          it 'creates a user from Omniauth' do
            oauth_user.save

            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

        context 'with old allow_single_sign_on enabled syntax' do
          before do
            stub_omniauth_config(allow_single_sign_on: true)
          end

          it 'creates a user from Omniauth' do
            oauth_user.save

            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

        # NOTE(review): in the two "disabled" contexts below, StandardError
        # also matches unrelated failures such as NoMethodError, so these
        # examples pass on any crash inside #save. Matching the specific error
        # raised by the sign-up gate would make the refusal itself the thing
        # under test.
        context 'with new allow_single_sign_on disabled syntax' do
          before do
            stub_omniauth_config(allow_single_sign_on: [])
          end

          it 'throws an error' do
            expect { oauth_user.save }.to raise_error(StandardError)
          end
        end

        context 'with old allow_single_sign_on disabled (Default)' do
          before do
            stub_omniauth_config(allow_single_sign_on: false)
          end

          it 'throws an error' do
            expect { oauth_user.save }.to raise_error(StandardError)
          end
        end
      end

      context 'with auto_link_ldap_user disabled (default)' do
        before do
          stub_omniauth_config(auto_link_ldap_user: false)
        end

        include_examples 'to verify compliance with allow_single_sign_on'
      end

      context 'with auto_link_ldap_user enabled' do
        before do
          stub_omniauth_config(auto_link_ldap_user: true)
        end

        context 'and no LDAP provider defined' do
          before do
            stub_ldap_config(providers: [])
          end

          include_examples 'to verify compliance with allow_single_sign_on'
        end

        context 'and at least one LDAP provider is defined' do
          before do
            stub_ldap_config(providers: ['ldapmain'])
          end

          context 'and a corresponding LDAP person' do
            # Both examples expect exactly these two identities on the account.
            let(:linked_identities) do
              [
                { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                { provider: 'twitter', extern_uid: uid }
              ]
            end

            before do
              stub_ldap_person_attributes
              allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
            end

            context 'and no account for the LDAP user' do
              # Username and e-mail come from the stubbed LDAP person (the
              # first of its two addresses), not from the OAuth info hash.
              it 'creates a user with dual LDAP and omniauth identities' do
                oauth_user.save

                expect(gl_user).to be_valid
                expect(gl_user.username).to eql uid
                expect(gl_user.email).to eql 'johndoe@example.com'
                expect(gl_user.identities.length).to eql 2
                actual = gl_user.identities.map do |entry|
                  { provider: entry.provider, extern_uid: entry.extern_uid }
                end
                expect(actual).to match_array(linked_identities)
              end
            end

            context 'and LDAP user has an account already' do
              let!(:existing_user) do
                create(
                  :omniauth_user,
                  email: 'john@example.com',
                  extern_uid: 'uid=user1,ou=People,dc=example',
                  provider: 'ldapmain',
                  username: 'john'
                )
              end

              # The existing account keeps its own username and e-mail and
              # gains the OAuth identity next to its LDAP one.
              it 'adds the omniauth identity to the LDAP account' do
                oauth_user.save

                expect(gl_user).to be_valid
                expect(gl_user.username).to eql 'john'
                expect(gl_user.email).to eql 'john@example.com'
                expect(gl_user.identities.length).to eql 2
                actual = gl_user.identities.map do |entry|
                  { provider: entry.provider, extern_uid: entry.extern_uid }
                end
                expect(actual).to match_array(linked_identities)
              end
            end
          end

          context 'and no corresponding LDAP person' do
            before do
              allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil)
            end

            include_examples 'to verify compliance with allow_single_sign_on'
          end
        end
      end
    end

    describe 'blocking' do
      # Same value as the enclosing '#save' group.
      let(:provider) { 'twitter' }

      before do
        stub_omniauth_config(allow_single_sign_on: ['twitter'])
      end

      context 'signup with omniauth only' do
        context 'dont block on create' do
          before do
            stub_omniauth_config(block_auto_created_users: false)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        context 'block on create' do
          before do
            stub_omniauth_config(block_auto_created_users: true)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).to be_blocked
          end
        end
      end

      context 'signup with linked omniauth and LDAP account' do
        before do
          stub_omniauth_config(auto_link_ldap_user: true)
          stub_ldap_person_attributes
          allow(oauth_user).to receive(:ldap_person).and_return(ldap_user)
        end

        # Here the setting is stubbed on Gitlab::LDAP::Config instances rather
        # than on the omniauth config.
        context 'and no account for the LDAP user' do
          context 'dont block on create (LDAP)' do
            before do
              allow_any_instance_of(Gitlab::LDAP::Config)
                .to receive_messages(block_auto_created_users: false)
            end

            it do
              oauth_user.save

              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          context 'block on create (LDAP)' do
            before do
              allow_any_instance_of(Gitlab::LDAP::Config)
                .to receive_messages(block_auto_created_users: true)
            end

            it do
              oauth_user.save

              expect(gl_user).to be_valid
              expect(gl_user).to be_blocked
            end
          end
        end

        context 'and LDAP user has an account already' do
          let!(:existing_user) do
            create(
              :omniauth_user,
              email: 'john@example.com',
              extern_uid: 'uid=user1,ou=People,dc=example',
              provider: 'ldapmain',
              username: 'john'
            )
          end

          context 'dont block on create (LDAP)' do
            before do
              allow_any_instance_of(Gitlab::LDAP::Config)
                .to receive_messages(block_auto_created_users: false)
            end

            it do
              oauth_user.save

              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          # The account already exists, so linking it is expected to leave it
          # unblocked even with block_auto_created_users on.
          context 'block on create (LDAP)' do
            before do
              allow_any_instance_of(Gitlab::LDAP::Config)
                .to receive_messages(block_auto_created_users: true)
            end

            it do
              oauth_user.save

              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end
        end
      end

      context 'sign-in' do
        # The account is created and activated first, so every example below
        # exercises a second save on an existing account; none of them expects
        # that save to block it.
        before do
          oauth_user.save
          oauth_user.gl_user.activate
        end

        context 'dont block on create' do
          before do
            stub_omniauth_config(block_auto_created_users: false)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        context 'block on create' do
          before do
            stub_omniauth_config(block_auto_created_users: true)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        # NOTE(review): neither auto_link_ldap_user nor an LDAP person is
        # stubbed in this context, so the two LDAP examples below may not
        # reach LDAP-specific code; confirm.
        context 'dont block on create (LDAP)' do
          before do
            allow_any_instance_of(Gitlab::LDAP::Config)
              .to receive_messages(block_auto_created_users: false)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        context 'block on create (LDAP)' do
          before do
            allow_any_instance_of(Gitlab::LDAP::Config)
              .to receive_messages(block_auto_created_users: true)
          end

          it do
            oauth_user.save

            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end
      end
    end
  end
end