debian-mirror-gitlab/spec/controllers/registrations_controller_spec.rb
2022-10-11 01:57:18 +05:30

648 lines
22 KiB
Ruby

# frozen_string_literal: true
require 'spec_helper'
RSpec.describe RegistrationsController do
include TermsHelper
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
stub_feature_flags(arkose_labs_signup_challenge: false)
end
describe '#new' do
subject { get :new }
it 'renders new template and sets the resource variable' do
expect(subject).to render_template(:new)
expect(response).to have_gitlab_http_status(:ok)
expect(assigns(:resource)).to be_a(User)
end
end
describe '#create' do
before do
allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
end
let_it_be(:base_user_params) do
{ first_name: 'first', last_name: 'last', username: 'new_username', email: 'new@user.com', password: User.random_password }
end
let_it_be(:user_params) { { user: base_user_params } }
let(:session_params) { {} }
subject { post(:create, params: user_params, session: session_params) }
context '`blocked_pending_approval` state' do
context 'when the `require_admin_approval_after_user_signup` setting is turned on' do
before do
stub_application_setting(require_admin_approval_after_user_signup: true)
end
it 'signs up the user in `blocked_pending_approval` state' do
subject
created_user = User.find_by(email: 'new@user.com')
expect(created_user).to be_present
expect(created_user.blocked_pending_approval?).to eq(true)
end
it 'does not log in the user after sign up' do
subject
expect(controller.current_user).to be_nil
end
it 'shows flash message after signing up' do
subject
expect(response).to redirect_to(new_user_session_path(anchor: 'login-pane'))
expect(flash[:notice])
.to eq('You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator.')
end
it 'emails the access request to approvers' do
expect_next_instance_of(NotificationService) do |notification|
allow(notification).to receive(:new_instance_access_request).with(User.find_by(email: 'new@user.com'))
end
subject
end
context 'email confirmation' do
context 'when `send_user_confirmation_email` is true' do
before do
stub_application_setting(send_user_confirmation_email: true)
end
it 'does not send a confirmation email' do
expect { subject }
.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
end
end
end
context 'audit events' do
context 'when not licensed' do
before do
stub_licensed_features(admin_audit_log: false)
end
it 'does not log any audit event' do
expect { subject }.not_to change(AuditEvent, :count)
end
end
end
end
context 'when the `require_admin_approval_after_user_signup` setting is turned off' do
it 'signs up the user in `active` state' do
subject
created_user = User.find_by(email: 'new@user.com')
expect(created_user).to be_present
expect(created_user.active?).to eq(true)
end
it 'does not show any flash message after signing up' do
subject
expect(flash[:notice]).to be_nil
end
it 'does not email the approvers' do
expect(NotificationService).not_to receive(:new)
subject
end
context 'email confirmation' do
context 'when `send_user_confirmation_email` is true' do
before do
stub_application_setting(send_user_confirmation_email: true)
stub_feature_flags(identity_verification: false)
end
it 'sends a confirmation email' do
expect { subject }
.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
end
end
end
end
end
context 'email confirmation' do
before do
stub_feature_flags(identity_verification: false)
end
context 'when send_user_confirmation_email is false' do
it 'signs the user in' do
stub_application_setting(send_user_confirmation_email: false)
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).not_to be_nil
end
end
context 'when send_user_confirmation_email is true' do
before do
stub_application_setting(send_user_confirmation_email: true)
end
context 'when soft email confirmation is not enabled' do
before do
stub_feature_flags(soft_email_confirmation: false)
allow(User).to receive(:allow_unconfirmed_access_for).and_return 0
end
it 'does not authenticate the user and sends a confirmation email' do
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).to be_nil
end
context 'when registration is triggered from an accepted invite' do
context 'when it is part from the initial invite email', :snowplow do
let_it_be(:member) { create(:project_member, :invited, invite_email: user_params.dig(:user, :email)) }
let(:originating_member_id) { member.id }
let(:session_params) do
{
invite_email: user_params.dig(:user, :email),
originating_member_id: originating_member_id
}
end
context 'when member exists from the session key value' do
it 'tracks the invite acceptance' do
subject
expect_snowplow_event(
category: 'RegistrationsController',
action: 'accepted',
label: 'invite_email',
property: member.id.to_s,
user: member.reload.user
)
end
end
context 'when member does not exist from the session key value' do
let(:originating_member_id) { -1 }
it 'does not track invite acceptance' do
subject
expect_no_snowplow_event(
category: 'RegistrationsController',
action: 'accepted',
label: 'invite_email'
)
end
end
end
context 'when invite email matches email used on registration' do
let(:session_params) { { invite_email: user_params.dig(:user, :email) } }
it 'signs the user in without sending a confirmation email', :aggregate_failures do
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).to be_confirmed
end
end
context 'when invite email does not match the email used on registration' do
let(:session_params) { { invite_email: 'bogus@email.com' } }
it 'does not authenticate the user and sends a confirmation email', :aggregate_failures do
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).to be_nil
end
end
end
end
context 'when the registration fails' do
let_it_be(:member) { create(:project_member, :invited) }
let_it_be(:missing_user_params) do
{ username: '', email: member.invite_email, password: User.random_password }
end
let_it_be(:user_params) { { user: missing_user_params } }
let(:session_params) { { invite_email: member.invite_email } }
subject { post(:create, params: user_params, session: session_params) }
it 'does not delete the invitation or register the new user' do
subject
expect(member.invite_token).not_to be_nil
expect(controller.current_user).to be_nil
end
end
context 'when soft email confirmation is enabled' do
before do
stub_feature_flags(soft_email_confirmation: true)
allow(User).to receive(:allow_unconfirmed_access_for).and_return 2.days
end
it 'authenticates the user and sends a confirmation email' do
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).to be_present
expect(response).to redirect_to(users_sign_up_welcome_path)
end
context 'when invite email matches email used on registration' do
let(:session_params) { { invite_email: user_params.dig(:user, :email) } }
it 'signs the user in without sending a confirmation email', :aggregate_failures do
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).to be_confirmed
end
end
context 'when invite email does not match the email used on registration' do
let(:session_params) { { invite_email: 'bogus@email.com' } }
it 'authenticates the user and sends a confirmation email without confirming', :aggregate_failures do
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
expect(controller.current_user).not_to be_confirmed
end
end
end
end
context 'when signup_enabled? is false' do
it 'redirects to sign_in' do
stub_application_setting(signup_enabled: false)
expect { subject }.not_to change(User, :count)
expect(response).to redirect_to(new_user_session_path)
end
end
end
context 'when reCAPTCHA is enabled' do
before do
stub_application_setting(recaptcha_enabled: true)
end
after do
# Avoid test ordering issue and ensure `verify_recaptcha` returns true
unless Recaptcha.configuration.skip_verify_env.include?('test')
Recaptcha.configuration.skip_verify_env << 'test'
end
end
context 'when the reCAPTCHA is not solved' do
before do
allow_any_instance_of(described_class).to receive(:verify_recaptcha).and_return(false)
end
it 'displays an error' do
subject
expect(response).to render_template(:new)
expect(flash[:alert]).to eq(_('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'))
end
it 'sets gon variables' do
Gon.clear
subject
expect(response).to render_template(:new)
expect(Gon.all_variables).not_to be_empty
end
end
it 'redirects to the welcome page when the reCAPTCHA is solved' do
subject
expect(response).to redirect_to(users_sign_up_welcome_path)
end
end
context 'when invisible captcha is enabled' do
before do
stub_application_setting(invisible_captcha_enabled: true)
InvisibleCaptcha.timestamp_threshold = treshold
end
let(:treshold) { 4 }
let(:session_params) { { invisible_captcha_timestamp: form_rendered_time.iso8601 } }
let(:form_rendered_time) { Time.current }
let(:submit_time) { form_rendered_time + treshold }
let(:auth_log_attributes) do
{
message: auth_log_message,
env: :invisible_captcha_signup_bot_detected,
remote_ip: '0.0.0.0',
request_method: 'POST',
path: '/users'
}
end
describe 'the honeypot has not been filled and the signup form has not been submitted too quickly' do
it 'creates an account' do
travel_to(submit_time) do
expect { post(:create, params: user_params, session: session_params) }.to change(User, :count).by(1)
end
end
end
describe 'honeypot spam detection' do
let(:user_params) { super().merge(firstname: 'Roy', lastname: 'Batty') }
let(:auth_log_message) { 'Invisible_Captcha_Honeypot_Request' }
it 'logs the request, refuses to create an account and renders an empty body' do
travel_to(submit_time) do
expect(Gitlab::Metrics).to receive(:counter)
.with(:bot_blocked_by_invisible_captcha_honeypot, 'Counter of blocked sign up attempts with filled honeypot')
.and_call_original
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
expect(response).to have_gitlab_http_status(:ok)
expect(response.body).to be_empty
end
end
end
describe 'timestamp spam detection' do
let(:auth_log_message) { 'Invisible_Captcha_Timestamp_Request' }
context 'the sign up form has been submitted without the invisible_captcha_timestamp parameter' do
let(:session_params) { nil }
it 'logs the request, refuses to create an account and displays a flash alert' do
travel_to(submit_time) do
expect(Gitlab::Metrics).to receive(:counter)
.with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
.and_call_original
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
expect(response).to redirect_to(new_user_session_path)
expect(flash[:alert]).to eq(I18n.t('invisible_captcha.timestamp_error_message'))
end
end
end
context 'the sign up form has been submitted too quickly' do
let(:submit_time) { form_rendered_time }
it 'logs the request, refuses to create an account and displays a flash alert' do
travel_to(submit_time) do
expect(Gitlab::Metrics).to receive(:counter)
.with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
.and_call_original
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
expect(response).to redirect_to(new_user_session_path)
expect(flash[:alert]).to eq(I18n.t('invisible_captcha.timestamp_error_message'))
end
end
end
end
end
context 'terms of service' do
context 'when terms are enforced' do
before do
enforce_terms
end
it 'creates the user with accepted terms' do
subject
expect(controller.current_user).to be_present
expect(controller.current_user.terms_accepted?).to be(true)
end
end
context 'when terms are not enforced' do
it 'creates the user without accepted terms' do
subject
expect(controller.current_user).to be_present
expect(controller.current_user.terms_accepted?).to be(false)
end
end
end
context 'when the rate limit has been reached' do
it 'returns status 429 Too Many Requests', :aggregate_failures do
ip = '1.2.3.4'
expect(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).with(:user_sign_up, scope: ip).and_return(true)
controller.request.env['REMOTE_ADDR'] = ip
post(:create, params: user_params, session: session_params)
expect(response).to have_gitlab_http_status(:too_many_requests)
end
end
it "logs a 'User Created' message" do
expect(Gitlab::AppLogger).to receive(:info).with(/\AUser Created: username=new_username email=new@user.com.+\z/).and_call_original
subject
end
it 'handles when params are new_user' do
post(:create, params: { new_user: base_user_params })
expect(controller.current_user).not_to be_nil
end
it 'sets name from first and last name' do
post :create, params: { new_user: base_user_params }
expect(User.last.first_name).to eq(base_user_params[:first_name])
expect(User.last.last_name).to eq(base_user_params[:last_name])
expect(User.last.name).to eq("#{base_user_params[:first_name]} #{base_user_params[:last_name]}")
end
it 'sets the caller_id in the context' do
expect(controller).to receive(:create).and_wrap_original do |m, *args|
m.call(*args)
expect(Gitlab::ApplicationContext.current)
.to include('meta.caller_id' => 'RegistrationsController#create')
end
subject
end
describe 'logged_out_marketing_header experiment', :experiment do
before do
stub_experiments(logged_out_marketing_header: :candidate)
end
it 'tracks signed_up event' do
expect(experiment(:logged_out_marketing_header)).to track(:signed_up).on_next_instance
subject
end
context 'when registration fails' do
let_it_be(:user_params) { { user: base_user_params.merge({ username: '' }) } }
it 'does not track signed_up event' do
expect(experiment(:logged_out_marketing_header)).not_to track(:signed_up)
subject
end
end
end
context 'when the password is weak' do
render_views
let_it_be(:new_user_params) { { new_user: base_user_params.merge({ password: "password" }) } }
subject { post(:create, params: new_user_params) }
context 'when block_weak_passwords is enabled (default)' do
it 'renders the form with errors' do
expect { subject }.not_to change(User, :count)
expect(controller.current_user).to be_nil
expect(response).to render_template(:new)
expect(response.body).to include(_('Password must not contain commonly used combinations of words and letters'))
end
end
context 'when block_weak_passwords is disabled' do
before do
stub_feature_flags(block_weak_passwords: false)
end
it 'permits weak passwords' do
expect { subject }.to change(User, :count).by(1)
end
end
end
end
describe '#destroy' do
let(:user) { create(:user) }
before do
sign_in(user)
end
def expect_failure(message)
expect(flash[:alert]).to eq(message)
expect(response).to have_gitlab_http_status(:see_other)
expect(response).to redirect_to profile_account_path
end
def expect_password_failure
expect_failure(s_('Profiles|Invalid password'))
end
def expect_username_failure
expect_failure(s_('Profiles|Invalid username'))
end
def expect_success
expect(flash[:notice]).to eq s_('Profiles|Account scheduled for removal.')
expect(response).to have_gitlab_http_status(:see_other)
expect(response).to redirect_to new_user_session_path
end
context 'user requires password confirmation' do
it 'fails if password confirmation is not provided' do
post :destroy
expect_password_failure
end
it 'fails if password confirmation is wrong' do
post :destroy, params: { password: 'wrong password' }
expect_password_failure
end
it 'succeeds if password is confirmed' do
post :destroy, params: { password: user.password }
expect_success
end
end
context 'user does not require password confirmation' do
before do
stub_application_setting(password_authentication_enabled_for_web: false)
stub_application_setting(password_authentication_enabled_for_git: false)
end
it 'fails if username confirmation is not provided' do
post :destroy
expect_username_failure
end
it 'fails if username confirmation is wrong' do
post :destroy, params: { username: 'wrong username' }
expect_username_failure
end
it 'succeeds if username is confirmed' do
post :destroy, params: { username: user.username }
expect_success
end
end
context 'prerequisites for account deletion' do
context 'solo-owned groups' do
let(:group) { create(:group) }
context 'if the user is the sole owner of at least one group' do
before do
create(:group_member, :owner, group: group, user: user)
end
it 'fails' do
delete :destroy, params: { password: user.password }
expect_failure(s_('Profiles|You must transfer ownership or delete groups you are an owner of before you can delete your account'))
end
end
end
end
context 'when user did not accept app terms' do
let(:user) { create(:user, accepted_term: nil) }
before do
stub_application_setting(password_authentication_enabled_for_web: false)
stub_application_setting(password_authentication_enabled_for_git: false)
stub_application_setting(enforce_terms: true)
end
it 'fails with message' do
post :destroy, params: { username: user.username }
expect_failure(s_('Profiles|You must accept the Terms of Service in order to perform this action.'))
end
end
it 'sets the username and caller_id in the context' do
expect(controller).to receive(:destroy).and_wrap_original do |m, *args|
m.call(*args)
expect(Gitlab::ApplicationContext.current)
.to include('meta.user' => user.username,
'meta.caller_id' => 'RegistrationsController#destroy')
end
post :destroy
end
end
end