require 'spec_helper'

describe Gitlab::Auth::LDAP::User do
  include LdapHelpers

  # Profile attributes as reported by the provider; the e-mail is all lower case.
  let(:info) { { name: 'John', email: 'john@example.com', nickname: 'john' } }

  # Same profile, except that the e-mail address carries upper-case characters.
  let(:info_upper_case) do
    { name: 'John', email: 'John@Example.com', nickname: 'john' } # Email address has upper case chars
  end

  # OmniAuth payload for the 'ldapmain' provider. Note that the DN in +uid+ is
  # written in mixed case, while the examples in this file expect the stored
  # extern_uid to be the all-lower-case spelling of the same DN.
  let(:auth_hash) do
    OmniAuth::AuthHash.new(
      uid: 'uid=John Smith,ou=People,dc=example,dc=com',
      provider: 'ldapmain',
      info: info
    )
  end

  # Identical DN and provider, but paired with the upper-case e-mail profile.
  let(:auth_hash_upper_case) do
    OmniAuth::AuthHash.new(
      uid: 'uid=John Smith,ou=People,dc=example,dc=com',
      provider: 'ldapmain',
      info: info_upper_case
    )
  end

  # Objects under test, one per payload. Both are lazy (plain +let+), so nothing
  # is built until an example first references them.
  let(:ldap_user) { described_class.new(auth_hash) }
  let(:ldap_user_upper_case) { described_class.new(auth_hash_upper_case) }

  # The GitLab user backing +ldap_user+.
  let(:gl_user) { ldap_user.gl_user }

  describe '#should_save?' do
    # Each example seeds one pre-existing account and then asks whether the
    # incoming LDAP login would modify it.

    it 'marks existing ldap user as changed' do
      # LDAP identity already present for this DN (stored in mixed case);
      # the account's e-mail is whatever the factory generates.
      create(
        :omniauth_user,
        extern_uid: 'uid=John Smith,ou=People,dc=example,dc=com',
        provider: 'ldapmain'
      )

      needs_save = ldap_user.should_save?

      expect(needs_save).to be_truthy
    end

    it 'marks existing non-ldap user if the email matches as changed' do
      # Plain account whose only link to the LDAP login is the e-mail address.
      create(:user, email: 'john@example.com')

      needs_save = ldap_user.should_save?

      expect(needs_save).to be_truthy
    end

    it 'does not mark existing ldap user as changed' do
      # Both the e-mail and the lower-cased DN already match the LDAP login.
      create(
        :omniauth_user,
        email: 'john@example.com',
        extern_uid: 'uid=john smith,ou=people,dc=example,dc=com',
        provider: 'ldapmain'
      )

      needs_save = ldap_user.should_save?

      expect(needs_save).to be_falsey
    end
  end

  describe '.find_by_uid_and_provider' do
    # DN with a non-ASCII character, upper-case attribute names and a space
    # after each comma.
    let(:dn) { 'CN=John Åström, CN=Users, DC=Example, DC=com' }

    it 'retrieves the correct user' do
      auth = OmniAuth::AuthHash.new(
        uid: dn,
        provider: 'ldapmain',
        info: { name: 'John Åström', email: 'john@example.com', nickname: 'jastrom' }
      )
      saved_user = described_class.new(auth).save

      # Look the user up again with exactly the DN string that was used to save it.
      found_user = described_class.find_by_uid_and_provider(dn, 'ldapmain')

      expect(found_user).to eq saved_user
    end
  end

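  describe 'find or create' do
    # Saving an LDAP login must either attach to an account that already exists
    # (matched by DN or by e-mail) or create exactly one new account.

    it "finds the user if already existing" do
      # The stored DN is the lower-case spelling of the mixed-case DN in auth_hash.
      create(:omniauth_user, extern_uid: 'uid=john smith,ou=people,dc=example,dc=com', provider: 'ldapmain')

      expect { ldap_user.save }.not_to change { User.count }
    end

    it "connects to existing non-ldap user if the email matches" do
      # In this fixture the only attribute the existing twitter account shares
      # with the LDAP login is the e-mail address, so the e-mail alone drives
      # the link.
      existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
      expect { ldap_user.save }.not_to change { User.count }

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
    end

    it 'connects to existing ldap user if the extern_uid changes' do
      # Same provider and e-mail, but the identity still carries a stale DN.
      existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'old-uid', provider: 'ldapmain')
      expect { ldap_user.save }.not_to change { User.count }

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
      expect(existing_user.id).to eql ldap_user.gl_user.id
    end

    it 'connects to existing ldap user if the extern_uid changes and email address has upper case characters' do
      # LDAP reports 'John@Example.com' while the stored address is lower case;
      # the login must still resolve to the existing account.
      existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'old-uid', provider: 'ldapmain')
      expect { ldap_user_upper_case.save }.not_to change { User.count }

      existing_user.reload
      expect(existing_user.ldap_identity.extern_uid).to eql 'uid=john smith,ou=people,dc=example,dc=com'
      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
      # Compare against the object that was saved in this example. The original
      # read ldap_user.gl_user here, which lazily builds a second, lower-case
      # LDAP user and so never checked the upper-case one.
      expect(existing_user.id).to eql ldap_user_upper_case.gl_user.id
    end

    it 'maintains an identity per provider' do
      existing_user = create(:omniauth_user, email: 'john@example.com', provider: 'twitter')
      expect(existing_user.identities.count).to be(1)

      ldap_user.save
      # The LDAP identity is added next to the twitter one, not in place of it.
      expect(ldap_user.gl_user.identities.count).to be(2)

      # Expect that find_by provider only returns a single instance of an identity and not an Enumerable
      expect(ldap_user.gl_user.identities.find_by(provider: 'twitter')).to be_instance_of Identity
      expect(ldap_user.gl_user.identities.find_by(provider: auth_hash.provider)).to be_instance_of Identity
    end

    it "creates a new user if not found" do
      expect { ldap_user.save }.to change { User.count }.by(1)
    end

    context 'when signup is disabled' do
      before do
        stub_application_setting signup_enabled: false
      end

      # With signup_enabled stubbed to false, an LDAP login still gets an account.
      it 'creates the user' do
        ldap_user.save

        expect(gl_user).to be_persisted
      end
    end

    context 'when user confirmation email is enabled' do
      before do
        stub_application_setting send_user_confirmation_email: true
      end

      # With send_user_confirmation_email stubbed to true, the LDAP-created
      # account is still confirmed right after save.
      it 'creates and confirms the user anyway' do
        ldap_user.save

        expect(gl_user).to be_persisted
        expect(gl_user).to be_confirmed
      end
    end
  end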

  describe 'updating email' do
    # The examples inspect gl_user without calling save first.

    context 'when LDAP sets an email' do
      it 'has a real email' do
        expected_email = info[:email]

        expect(ldap_user.gl_user.email).to eq(expected_email)
      end

      it 'has email set as synced' do
        metadata = ldap_user.gl_user.user_synced_attributes_metadata

        expect(metadata.email_synced).to be_truthy
      end

      # An address supplied by LDAP is reported as read-only on the user.
      it 'has email set as read-only' do
        read_only = ldap_user.gl_user.read_only_attribute?(:email)

        expect(read_only).to be_truthy
      end

      it 'has synced attributes provider set to ldapmain' do
        metadata = ldap_user.gl_user.user_synced_attributes_metadata

        expect(metadata.provider).to eql 'ldapmain'
      end
    end

    context "when LDAP doesn't set an email" do
      # Drop the address from the profile before ldap_user is first built.
      before { info.delete(:email) }

      it 'has a temp email' do
        temporary = ldap_user.gl_user.temp_oauth_email?

        expect(temporary).to be_truthy
      end

      it 'has email set as not synced' do
        metadata = ldap_user.gl_user.user_synced_attributes_metadata

        expect(metadata.email_synced).to be_falsey
      end

      # Without an LDAP-supplied address the e-mail is not reported as read-only.
      it 'does not have email set as read-only' do
        read_only = ldap_user.gl_user.read_only_attribute?(:email)

        expect(read_only).to be_falsey
      end
    end
  end

  describe 'blocking' do
    # Stubs the LDAP setting block_auto_created_users to +value+.
    def configure_block(value)
      stub_ldap_config(block_auto_created_users: value)
    end

    # First save: the account does not exist yet, so the setting decides
    # whether the new user ends up blocked.
    context 'signup' do
      context 'dont block on create' do
        before { configure_block(false) }

        it do
          ldap_user.save

          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end

      context 'block on create' do
        before { configure_block(true) }

        it do
          ldap_user.save

          expect(gl_user).to be_valid
          expect(gl_user).to be_blocked
        end
      end
    end

    # Later save: this outer hook runs before the nested ones, so the user has
    # already been saved and activated when the setting is stubbed.
    context 'sign-in' do
      before do
        ldap_user.save
        ldap_user.gl_user.activate
      end

      context 'dont block on create' do
        before { configure_block(false) }

        it do
          ldap_user.save

          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end

      context 'block on create' do
        before { configure_block(true) }

        # Even with the setting on, saving an already activated user again
        # leaves the user unblocked.
        it do
          ldap_user.save

          expect(gl_user).to be_valid
          expect(gl_user).not_to be_blocked
        end
      end
    end
  end
end