Commit 62efc75a authored by Mark Lapierre's avatar Mark Lapierre

Merge branch 'ml-refactor-ldap-admin-pat-creation' into 'master'

Refactor admin PAT creation for LDAP scenarios

See merge request gitlab-org/gitlab!70038
parents 0cf271dd cd2621bb
...@@ -5,10 +5,10 @@ module QA ...@@ -5,10 +5,10 @@ module QA
module Login module Login
module_function module_function
def while_signed_in(as: nil, address: :gitlab) def while_signed_in(as: nil, address: :gitlab, admin: false)
Page::Main::Menu.perform(&:sign_out_if_signed_in) Page::Main::Menu.perform(&:sign_out_if_signed_in)
sign_in(as: as, address: address) sign_in(as: as, address: address, admin: admin)
result = yield result = yield
...@@ -17,19 +17,25 @@ module QA ...@@ -17,19 +17,25 @@ module QA
end end
def while_signed_in_as_admin(address: :gitlab) def while_signed_in_as_admin(address: :gitlab)
while_signed_in(as: Runtime::User.admin, address: address) do while_signed_in(address: address, admin: true) do
yield yield
end end
end end
def sign_in(as: nil, address: :gitlab, skip_page_validation: false) def sign_in(as: nil, address: :gitlab, skip_page_validation: false, admin: false)
Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform(&:signed_in?) Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform(&:signed_in?)
Runtime::Browser.visit(address, Page::Main::Login) Runtime::Browser.visit(address, Page::Main::Login)
Page::Main::Login.perform { |login| login.sign_in_using_credentials(user: as, skip_page_validation: skip_page_validation) } Page::Main::Login.perform do |login|
if admin
login.sign_in_using_admin_credentials
else
login.sign_in_using_credentials(user: as, skip_page_validation: skip_page_validation)
end
end
end end
def sign_in_as_admin(address: :gitlab) def sign_in_as_admin(address: :gitlab)
sign_in(as: Runtime::User.admin, address: address) sign_in(as: Runtime::User.admin, address: address, admin: true)
end end
def sign_in_unless_signed_in(as: nil, address: :gitlab) def sign_in_unless_signed_in(as: nil, address: :gitlab)
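Review bot: With the new `admin:` flag, `sign_in` silently ignores both `as:` and `skip_page_validation:` whenever `admin` is true, yet the two admin entry points disagree on how to call it: `sign_in_as_admin` still passes `as: Runtime::User.admin, admin: true` while `while_signed_in_as_admin` passes only `admin: true`. A caller reading `sign_in_as_admin` would reasonably assume `as:` selects which admin is used, which it no longer does. Either drop `as:` from `sign_in_as_admin` so both helpers match, or guard the conflict explicitly, e.g. `raise ArgumentError, 'as: is ignored when admin: true' if admin && as`, and document the contract above `sign_in` with `# admin: true signs in with the configured admin credentials; as: and skip_page_validation: are then ignored.` The `Login` module continues outside this hunk.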
...@@ -53,7 +53,7 @@ module QA ...@@ -53,7 +53,7 @@ module QA
set_initial_password_if_present set_initial_password_if_present
if Runtime::User.ldap_user? && user && user.username != Runtime::User.ldap_username if Runtime::User.ldap_user? && user && user.username != Runtime::User.ldap_username
raise 'If an LDAP user is provided, it must be used for sign-in', QA::Resource::User::InvalidUserError raise QA::Resource::User::InvalidUserError, 'If an LDAP user is provided, it must be used for sign-in'
end end
if Runtime::User.ldap_user? if Runtime::User.ldap_user?
...@@ -187,7 +187,8 @@ module QA ...@@ -187,7 +187,8 @@ module QA
end end
def fetching_own_data? def fetching_own_data?
api_user&.username == username || Runtime::User.username == username runtime_username = Runtime::User.ldap_user? ? Runtime::User.ldap_username : Runtime::User.username
api_user&.username == username || runtime_username == username
end end
end end
end end
...@@ -36,16 +36,28 @@ module QA ...@@ -36,16 +36,28 @@ module QA
if Runtime::Env.admin_personal_access_token if Runtime::Env.admin_personal_access_token
Runtime::API::Client.new(:gitlab, personal_access_token: Runtime::Env.admin_personal_access_token) Runtime::API::Client.new(:gitlab, personal_access_token: Runtime::Env.admin_personal_access_token)
else else
user = Resource::User.fabricate_via_api! do |user| # To return an API client that has admin access, we need a user with admin access to confirm that
user.username = Runtime::User.admin_username # the API client user has admin access.
user.password = Runtime::User.admin_password client = nil
Flow::Login.while_signed_in_as_admin do
admin_token = Resource::PersonalAccessToken.fabricate! do |pat|
pat.user = Runtime::User.admin
end.token
client = Runtime::API::Client.new(:gitlab, personal_access_token: admin_token)
user = QA::Resource::User.init do |user|
user.username = QA::Runtime::User.admin_username
user.password = QA::Runtime::User.admin_password
user.api_client = client
end.reload!
unless user.admin? # rubocop: disable Cop/UserAdmin
raise AuthorizationError, "User '#{user.username}' is not an administrator."
end
end end
unless user.admin? client
raise AuthorizationError, "User '#{user.username}' is not an administrator."
end
Runtime::API::Client.new(:gitlab, user: user)
end end
end end
end end
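Review bot: The admin personal access token minted inside the `while_signed_in_as_admin` block is never revoked: when the `unless user.admin?` check fails the method raises with a freshly created admin-scoped token left behind on the instance, and on the success path the token lives for its default lifetime with nothing tracking it. Because the method starts outside this hunk I cannot see whether `as_admin` memoizes the client; if it does not, every call performs a browser sign-in and mints another admin PAT, which matters given the spec change in this commit calls `as_admin` per created user. Consider revoking the token in the failure branch before raising (if `Resource::PersonalAccessToken` exposes a removal method) and memoizing the resulting client, and add a comment such as `# Creates a long-lived admin PAT on the target instance; callers should prefer Runtime::Env.admin_personal_access_token on shared environments.`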
...@@ -34,7 +34,7 @@ module QA ...@@ -34,7 +34,7 @@ module QA
end end
def ldap_user? def ldap_user?
Runtime::Env.ldap_username && Runtime::Env.ldap_password Runtime::Env.ldap_username.present? && Runtime::Env.ldap_password.present?
end end
def ldap_username def ldap_username
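Review bot: `present?` is an ActiveSupport core extension, not core Ruby, so `ldap_user?` now depends on `active_support/core_ext/object/blank` being loaded wherever `Runtime::User` is used; if it is not already required by the QA runtime this raises `NoMethodError` on a `String` or `nil`. If the extension is not guaranteed, the same semantics are available with core methods: `!Runtime::Env.ldap_username.to_s.empty? && !Runtime::Env.ldap_password.to_s.empty?`. A one-line comment stating that blank (not just nil) credentials are treated as "no LDAP user" would also help, since that is the behavioral change here. The surrounding module starts and ends outside the hunk.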
...@@ -5,45 +5,24 @@ module QA ...@@ -5,45 +5,24 @@ module QA
describe 'LDAP Group sync' do describe 'LDAP Group sync' do
include Support::API include Support::API
let(:root_group) do
Resource::Sandbox.fabricate_via_api! do |resource|
resource.path = "group_sync_root_group-#{SecureRandom.hex(4)}"
end
end
let(:group) do let(:group) do
Resource::Group.fabricate_via_api! do |resource| Resource::Group.fabricate_via_api! do |resource|
resource.sandbox = root_group
resource.path = "#{group_name}-#{SecureRandom.hex(4)}" resource.path = "#{group_name}-#{SecureRandom.hex(4)}"
end end
end end
before(:all) do after do |example|
@original_personal_access_token = Runtime::Env.personal_access_token # If a test fails leave the groups so we can investigate them
unless example.exception
# We need to nil out any existing personal token generated for the non-admin LDAP user and also set root_group.remove_via_api!
# Runtime::Env.ldap_username=nil so that it is not used to create the api client.
Runtime::Env.personal_access_token = nil
ldap_username = Runtime::Env.ldap_username
Runtime::Env.ldap_username = nil
@admin_api_client = Runtime::API::Client.as_admin
Runtime::Feature.enable(:invite_members_group_modal)
Runtime::Env.ldap_username = ldap_username
# Create the sandbox group as the LDAP user. Without this the admin user
# would own the sandbox group and then in subsequent tests the LDAP user
# would not have enough permission to push etc.
Resource::Sandbox.fabricate_via_api!
Page::Main::Menu.perform do |menu|
menu.sign_out if menu.has_personal_area?
end end
Runtime::Browser.visit(:gitlab, Page::Main::Login)
Page::Main::Login.perform(&:sign_in_using_admin_credentials)
Runtime::Env.personal_access_token = Resource::PersonalAccessToken.fabricate!.token
Page::Main::Menu.perform(&:sign_out)
end
after(:all) do
# Restore the original personal access token so that subsequent tests
# don't perform API calls as an admin user while logged in as a non-root
# LDAP user
Runtime::Env.personal_access_token = @original_personal_access_token
end end
context 'using group cn method' do context 'using group cn method' do
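Review bot: `root_group` is a lazy `let`, so the new `after` hook's `root_group.remove_via_api!` will fabricate a sandbox group just to delete it in any example that finishes without ever referencing `group` (for example one that fails or is skipped early); RSpec does not expose whether a `let` was evaluated. Either switch to `let!(:root_group)` so creation is explicit and unconditional, or track creation with an instance variable set inside the `let` block and guard the removal on it. The removed `before(:all)` also carried the explanation that the sandbox must be owned by the LDAP user rather than the admin so later pushes succeed; with the default API client now deciding ownership, a short comment on `let(:root_group)` stating which user is expected to own it would preserve that reasoning (I cannot confirm from this hunk which client `fabricate_via_api!` picks). The `describe` block continues past the end of the hunk.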
...@@ -169,7 +148,7 @@ module QA ...@@ -169,7 +148,7 @@ module QA
resource.email = user[:email] resource.email = user[:email]
resource.extern_uid = user[:extern_uid] resource.extern_uid = user[:extern_uid]
resource.provider = user[:provider] resource.provider = user[:provider]
resource.api_client = @admin_api_client resource.api_client = Runtime::API::Client.as_admin
end end
end end
created_users created_users
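Review bot: `Runtime::API::Client.as_admin` is now evaluated inside the per-user fabrication block, so it runs once for every user created here; unless `as_admin` memoizes (its definition is outside this diff), each call signs in through the browser and mints a new admin token mid-loop. Hoist it to a single memoized client, e.g. `let(:admin_api_client) { Runtime::API::Client.as_admin }` at the `describe` level and `resource.api_client = admin_api_client` here, which also restores the one-client-per-run behavior the removed `@admin_api_client` provided. The enclosing method starts before the hunk.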