user_spec.rb 10.7 KB
Newer Older
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
1 2
require 'spec_helper'

Douwe Maan's avatar
Douwe Maan committed
3
describe Gitlab::OAuth::User, lib: true do
4 5 6 7
  let(:oauth_user) { Gitlab::OAuth::User.new(auth_hash) }
  let(:gl_user) { oauth_user.gl_user }
  let(:uid) { 'my-uid' }
  let(:provider) { 'my-provider' }
8
  let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) }
9 10
  let(:info_hash) do
    {
11
      nickname: '-john+gitlab-ETC%.git@gmail.com',
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
12 13
      name: 'John',
      email: 'john@mail.com'
14
    }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
15
  end
16
  let(:ldap_user) { Gitlab::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
17

18
  describe '#persisted?' do
19
    let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }
20 21

    it "finds an existing user based on uid and provider (facebook)" do
22
      expect( oauth_user.persisted? ).to be_truthy
23 24
    end

25
    it 'returns false if user is not found in database' do
26
      allow(auth_hash).to receive(:uid).and_return('non-existing')
27
      expect( oauth_user.persisted? ).to be_falsey
28 29 30
    end
  end

31
  describe '#save' do
32 33 34 35 36 37 38 39
    def stub_omniauth_config(messages)
      allow(Gitlab.config.omniauth).to receive_messages(messages)
    end

    def stub_ldap_config(messages)
      allow(Gitlab::LDAP::Config).to receive_messages(messages)
    end

40
    let(:provider) { 'twitter' }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
41

42
    describe 'signup' do
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
      shared_examples 'to verify compliance with allow_single_sign_on' do
        context 'provider is marked as external' do
          it 'should mark user as external' do
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['twitter'])
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user.external).to be_truthy
          end
        end

        context 'provider was external, now has been removed' do
          it 'should mark existing user internal' do
            create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user.external).to be_falsey
          end
        end

        context 'with new allow_single_sign_on enabled syntax' do
64
          before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
65

66 67
          it "creates a user from Omniauth" do
            oauth_user.save
68

69 70 71 72 73 74 75
            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

76 77 78 79 80 81 82 83 84 85 86 87 88
        context "with old allow_single_sign_on enabled syntax" do
          before { stub_omniauth_config(allow_single_sign_on: true) }

          it "creates a user from Omniauth" do
            oauth_user.save

            expect(gl_user).to be_valid
            identity = gl_user.identities.first
            expect(identity.extern_uid).to eql uid
            expect(identity.provider).to eql 'twitter'
          end
        end

89
        context 'with new allow_single_sign_on disabled syntax' do
90
          before { stub_omniauth_config(allow_single_sign_on: []) }
91
          it 'throws an error' do
92 93
            expect{ oauth_user.save }.to raise_error StandardError
          end
94
        end
95

96
        context 'with old allow_single_sign_on disabled (Default)' do
97
          before { stub_omniauth_config(allow_single_sign_on: false) }
98
          it 'throws an error' do
99 100 101
            expect{ oauth_user.save }.to raise_error StandardError
          end
        end
102
      end
103

104
      context "with auto_link_ldap_user disabled (default)" do
105
        before { stub_omniauth_config(auto_link_ldap_user: false) }
106 107 108 109
        include_examples "to verify compliance with allow_single_sign_on"
      end

      context "with auto_link_ldap_user enabled" do
110 111
        before { stub_omniauth_config(auto_link_ldap_user: true) }

112
        context "and no LDAP provider defined" do
113 114
          before { stub_ldap_config(providers: []) }

115 116
          include_examples "to verify compliance with allow_single_sign_on"
        end
117

118
        context "and at least one LDAP provider is defined" do
119
          before { stub_ldap_config(providers: %w(ldapmain)) }
120 121 122

          context "and a corresponding LDAP person" do
            before do
123 124 125 126
              allow(ldap_user).to receive(:uid) { uid }
              allow(ldap_user).to receive(:username) { uid }
              allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] }
              allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
127
              allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
128
            end
129

130
            context "and no account for the LDAP user" do
131

132 133
              it "creates a user with dual LDAP and omniauth identities" do
                oauth_user.save
134

135 136 137 138 139 140 141 142 143 144 145
                expect(gl_user).to be_valid
                expect(gl_user.username).to eql uid
                expect(gl_user.email).to eql 'johndoe@example.com'
                expect(gl_user.identities.length).to eql 2
                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
                expect(identities_as_hash).to match_array(
                  [ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                    { provider: 'twitter', extern_uid: uid }
                  ])
              end
            end
146

147 148 149 150
            context "and LDAP user has an account already" do
              let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }
              it "adds the omniauth identity to the LDAP account" do
                oauth_user.save
151

152 153 154 155 156 157 158 159 160 161
                expect(gl_user).to be_valid
                expect(gl_user.username).to eql 'john'
                expect(gl_user.email).to eql 'john@example.com'
                expect(gl_user.identities.length).to eql 2
                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
                expect(identities_as_hash).to match_array(
                  [ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
                    { provider: 'twitter', extern_uid: uid }
                  ])
              end
162 163
            end
          end
164

165 166
          context "and no corresponding LDAP person" do
            before { allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil) }
167

168 169
            include_examples "to verify compliance with allow_single_sign_on"
          end
170
        end
171
      end
172

173
    end
174

175 176
    describe 'blocking' do
      let(:provider) { 'twitter' }
177
      before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
178

179
      context 'signup with omniauth only' do
180
        context 'dont block on create' do
181
          before { stub_omniauth_config(block_auto_created_users: false) }
182 183 184

          it do
            oauth_user.save
185 186
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
187 188 189 190
          end
        end

        context 'block on create' do
191
          before { stub_omniauth_config(block_auto_created_users: true) }
192 193 194

          it do
            oauth_user.save
195 196
            expect(gl_user).to be_valid
            expect(gl_user).to be_blocked
197 198 199 200
          end
        end
      end

201 202
      context 'signup with linked omniauth and LDAP account' do
        before do
203 204 205 206 207
          stub_omniauth_config(auto_link_ldap_user: true)
          allow(ldap_user).to receive(:uid) { uid }
          allow(ldap_user).to receive(:username) { uid }
          allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] }
          allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
208 209 210 211 212
          allow(oauth_user).to receive(:ldap_person).and_return(ldap_user)
        end

        context "and no account for the LDAP user" do
          context 'dont block on create (LDAP)' do
213
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
214 215 216 217 218 219 220 221 222

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          context 'block on create (LDAP)' do
223
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
224 225 226 227 228 229 230 231 232 233 234 235 236

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).to be_blocked
            end
          end
        end

        context 'and LDAP user has an account already' do
          let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }

          context 'dont block on create (LDAP)' do
237
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
238 239 240 241 242 243 244 245 246

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end

          context 'block on create (LDAP)' do
247
            before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
248 249 250 251 252 253 254 255 256 257 258

            it do
              oauth_user.save
              expect(gl_user).to be_valid
              expect(gl_user).not_to be_blocked
            end
          end
        end
      end


259 260 261 262 263 264 265
      context 'sign-in' do
        before do
          oauth_user.save
          oauth_user.gl_user.activate
        end

        context 'dont block on create' do
266
          before { stub_omniauth_config(block_auto_created_users: false) }
267 268 269

          it do
            oauth_user.save
270 271
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
272 273 274 275
          end
        end

        context 'block on create' do
276
          before { stub_omniauth_config(block_auto_created_users: true) }
277 278 279

          it do
            oauth_user.save
280 281
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
282 283
          end
        end
284 285

        context 'dont block on create (LDAP)' do
286
          before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) }
287 288 289 290 291 292 293 294 295

          it do
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end

        context 'block on create (LDAP)' do
296
          before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) }
297 298 299 300 301 302 303

          it do
            oauth_user.save
            expect(gl_user).to be_valid
            expect(gl_user).not_to be_blocked
          end
        end
304 305
      end
    end
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
306 307
  end
end