debian-mirror-gitlab/spec/lib/gitlab/auth/ldap/user_spec.rb

# frozen_string_literal: true
require 'spec_helper'
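# Specs for Gitlab::Auth::Ldap::User: how an LDAP OmniAuth hash is matched to an
# existing GitLab user, linked to one, or turned into a new one, and when the
# resulting user is allowed to sign in or is blocked.
#
# Several examples pin behaviour that matters for account security: identity
# linking by email address, the lower-cased form of the stored DN, the ordering
# of the validity check before the LDAP access check, and
# `block_auto_created_users`.
RSpec.describe Gitlab::Auth::Ldap::User do
  include LdapHelpers

  let(:ldap_user) { described_class.new(auth_hash) }
  let(:gl_user) { ldap_user.gl_user }
  let(:info) do
    {
      name: 'John',
      email: 'john@example.com',
      nickname: 'john'
    }
  end

  # The DN is deliberately mixed-case; the examples below expect the stored
  # extern_uid to be its lower-cased form.
  let(:auth_hash) do
    OmniAuth::AuthHash.new(uid: 'uid=John Smith,ou=People,dc=example,dc=com', provider: 'ldapmain', info: info)
  end

  let(:ldap_user_upper_case) { described_class.new(auth_hash_upper_case) }
  let(:info_upper_case) do
    {
      name: 'John',
      email: 'John@Example.com', # Email address has upper case chars
      nickname: 'john'
    }
  end

  let(:auth_hash_upper_case) do
    OmniAuth::AuthHash.new(uid: 'uid=John Smith,ou=People,dc=example,dc=com', provider: 'ldapmain', info: info_upper_case)
  end

  describe '#should_save?' do
    it "marks existing ldap user as changed" do
      # The stored identity keeps the mixed-case DN and the factory's own email,
      # so the record is expected to need saving.
      create(:omniauth_user, extern_uid: 'uid=John Smith,ou=People,dc=example,dc=com', provider: 'ldapmain')
      expect(ldap_user.should_save?).to be_truthy
    end

    it "marks existing non-ldap user if the email matches as changed" do
      create(:user, email: 'john@example.com')
      expect(ldap_user.should_save?).to be_truthy
    end

    it "does not mark existing ldap user as changed" do
      # Email and lower-cased DN already match what the auth hash resolves to.
      create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=john smith,ou=people,dc=example,dc=com', provider: 'ldapmain')
      expect(ldap_user.should_save?).to be_falsey
    end
  end

  describe '#valid_sign_in?' do
    before do
      gl_user.save!
    end

    it 'returns true' do
      expect(Gitlab::Auth::Ldap::Access).to receive(:allowed?).and_return(true)
      expect(ldap_user.valid_sign_in?).to be true
    end

    it 'returns false if the GitLab user is not valid' do
      # update_column skips validations, leaving a persisted but invalid user.
      gl_user.update_column(:username, nil)

      # An invalid user must be rejected without consulting the LDAP access check.
      expect(Gitlab::Auth::Ldap::Access).not_to receive(:allowed?)
      expect(ldap_user.valid_sign_in?).to be false
    end
  end

  describe 'find or create' do
    it "finds the user if already existing" do
      create(:omniauth_user, extern_uid: 'uid=john smith,ou=people,dc=example,dc=com', provider: 'ldapmain')

      expect { ldap_user.save }.not_to change { User.count } # rubocop:disable Rails/SaveBang
    end

    # Linking is keyed on the email supplied by the directory: an account that
    # was created through another provider gains an LDAP identity purely because
    # the addresses match. Deployments that rely on this should make sure the
    # LDAP mail attribute cannot be edited by the users themselves.
    it "connects to existing non-ldap user if the email matches" do
      existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
      expect { ldap_user.save }.not_to change { User.count } # rubocop:disable Rails/SaveBang

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
    end

    it 'connects to existing ldap user if the extern_uid changes' do
      existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'old-uid', provider: 'ldapmain')
      expect { ldap_user.save }.not_to change { User.count } # rubocop:disable Rails/SaveBang

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
      expect(existing_user.id).to eql ldap_user.gl_user.id
    end

    it 'connects to existing ldap user if the extern_uid changes and email address has upper case characters' do
      existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'old-uid', provider: 'ldapmain')
      expect { ldap_user_upper_case.save }.not_to change { User.count } # rubocop:disable Rails/SaveBang

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
      # Compare against the instance that performed the save. Checking
      # `ldap_user` here would resolve a second, lower-case lookup and say
      # nothing about which user the upper-case hash was matched to.
      expect(existing_user.id).to eql ldap_user_upper_case.gl_user.id
    end

    it 'maintains an identity per provider' do
      existing_user = create(:omniauth_user, email: 'john@example.com', provider: 'twitter')
      expect(existing_user.identities.count).to be(1)

      ldap_user.save # rubocop:disable Rails/SaveBang
      expect(ldap_user.gl_user.identities.count).to be(2)

      # Expect that find_by provider only returns a single instance of an identity and not an Enumerable
      expect(ldap_user.gl_user.identities.find_by(provider: 'twitter')).to be_instance_of Identity
      expect(ldap_user.gl_user.identities.find_by(provider: auth_hash.provider)).to be_instance_of Identity
    end

    it "creates a new user if not found" do
      expect { ldap_user.save }.to change { User.count }.by(1) # rubocop:disable Rails/SaveBang
    end

    # Disabling self-service signup is expected not to stop LDAP provisioning.
    context 'when signup is disabled' do
      before do
        stub_application_setting signup_enabled: false
      end

      it 'creates the user' do
        ldap_user.save # rubocop:disable Rails/SaveBang

        expect(gl_user).to be_persisted
      end
    end

    # The user is confirmed without any confirmation email round trip, so the
    # address taken from the directory is accepted as it stands.
    context 'when user confirmation email is enabled' do
      before do
        stub_application_setting send_user_confirmation_email: true
      end

      it 'creates and confirms the user anyway' do
        ldap_user.save # rubocop:disable Rails/SaveBang

        expect(gl_user).to be_persisted
        expect(gl_user).to be_confirmed
      end
    end

    # NOTE(review): presumably guards the generated password against a raised
    # minimum length; the spec only shows that creation still succeeds.
    context 'when the current minimum password length is different from the default minimum password length' do
      before do
        stub_application_setting minimum_password_length: 21
      end

      it 'creates the user' do
        ldap_user.save # rubocop:disable Rails/SaveBang

        expect(gl_user).to be_persisted
      end
    end
  end

  describe 'updating email' do
    context "when LDAP sets an email" do
      it "has a real email" do
        expect(ldap_user.gl_user.email).to eq(info[:email])
      end

      it "has email set as synced" do
        expect(ldap_user.gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
      end

      # A synced email is read-only, so it cannot be changed on the GitLab side.
      it "has email set as read-only" do
        expect(ldap_user.gl_user.read_only_attribute?(:email)).to be_truthy
      end

      it "has synced attributes provider set to ldapmain" do
        expect(ldap_user.gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
      end
    end

    context "when LDAP doesn't set an email" do
      before do
        # `info` is memoized per example, so this affects only the current one.
        info.delete(:email)
      end

      it "has a temp email" do
        expect(ldap_user.gl_user.temp_oauth_email?).to be_truthy
      end

      it "has email set as not synced" do
        expect(ldap_user.gl_user.user_synced_attributes_metadata.email_synced).to be_falsey
      end

      it "does not have email set as read-only" do
        expect(ldap_user.gl_user.read_only_attribute?(:email)).to be_falsey
      end
    end
  end

  describe 'blocking' do
    # Stubs the LDAP `block_auto_created_users` setting for the example.
    def configure_block(value)
      stub_ldap_config(block_auto_created_users: value)
    end

    # First save: the user does not exist yet, so the setting decides whether
    # the new account starts out blocked.
    context 'signup' do
      context 'dont block on create' do
        before do
          configure_block(false)
        end

        it do
          ldap_user.save # rubocop:disable Rails/SaveBang
          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end

      context 'block on create' do
        before do
          configure_block(true)
        end

        it do
          ldap_user.save # rubocop:disable Rails/SaveBang
          expect(gl_user).to be_valid
          expect(gl_user).to be_blocked
        end
      end
    end

    # The outer `before` has already created and activated the user, so both
    # nested contexts expect a later save to leave the account unblocked
    # whatever `block_auto_created_users` is set to.
    context 'sign-in' do
      before do
        ldap_user.save # rubocop:disable Rails/SaveBang
        ldap_user.gl_user.activate
      end

      context 'dont block on create' do
        before do
          configure_block(false)
        end

        it do
          ldap_user.save # rubocop:disable Rails/SaveBang
          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end

      context 'block on create' do
        before do
          configure_block(true)
        end

        it do
          ldap_user.save # rubocop:disable Rails/SaveBang
          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end
    end
  end
end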