
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-18 23:02:30 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-18 23:02:30 +0300
commit41fe97390ceddf945f3d967b8fdb3de4c66b7dea (patch)
tree9c8d89a8624828992f06d892cd2f43818ff5dcc8 /spec/lib/gitlab/auth
parent0804d2dc31052fb45a1efecedc8e06ce9bc32862 (diff)
Add latest changes from gitlab-org/gitlab@14-9-stable-ee v14.9.0-rc42
Diffstat (limited to 'spec/lib/gitlab/auth')
-rw-r--r--spec/lib/gitlab/auth/ldap/access_spec.rb2
-rw-r--r--spec/lib/gitlab/auth/ldap/authentication_spec.rb2
-rw-r--r--spec/lib/gitlab/auth/o_auth/provider_spec.rb8
-rw-r--r--spec/lib/gitlab/auth/o_auth/user_spec.rb132
-rw-r--r--spec/lib/gitlab/auth/request_authenticator_spec.rb32
5 files changed, 102 insertions, 74 deletions
diff --git a/spec/lib/gitlab/auth/ldap/access_spec.rb b/spec/lib/gitlab/auth/ldap/access_spec.rb
index 9e269f84b7e..1fcdd678746 100644
--- a/spec/lib/gitlab/auth/ldap/access_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/access_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::Auth::Ldap::Access do
include LdapHelpers
- let(:user) { create(:omniauth_user) }
+ let(:user) { create(:omniauth_user, :ldap) }
subject(:access) { described_class.new(user) }
diff --git a/spec/lib/gitlab/auth/ldap/authentication_spec.rb b/spec/lib/gitlab/auth/ldap/authentication_spec.rb
index 42a893417d8..4b0e21da6c6 100644
--- a/spec/lib/gitlab/auth/ldap/authentication_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/authentication_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Gitlab::Auth::Ldap::Authentication do
let(:dn) { 'uid=John Smith, ou=People, dc=example, dc=com' }
- let(:user) { create(:omniauth_user, extern_uid: Gitlab::Auth::Ldap::Person.normalize_dn(dn)) }
+ let(:user) { create(:omniauth_user, :ldap, extern_uid: Gitlab::Auth::Ldap::Person.normalize_dn(dn)) }
let(:login) { 'john' }
let(:password) { 'password' }
diff --git a/spec/lib/gitlab/auth/o_auth/provider_spec.rb b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
index 57f17365190..c1b96819176 100644
--- a/spec/lib/gitlab/auth/o_auth/provider_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
@@ -62,7 +62,7 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
context 'for an OmniAuth provider' do
before do
- provider = OpenStruct.new(
+ provider = ActiveSupport::InheritableOptions.new(
name: 'google_oauth2',
app_id: 'asd123',
app_secret: 'asd123'
@@ -74,7 +74,7 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
subject { described_class.config_for('google_oauth2') }
it 'returns the config' do
- expect(subject).to be_a(OpenStruct)
+ expect(subject).to be_a(ActiveSupport::InheritableOptions)
end
it 'merges defaults with the given configuration' do
@@ -98,7 +98,7 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
context 'when configuration specifies a custom label' do
let(:name) { 'google_oauth2' }
let(:label) { 'Custom Google Provider' }
- let(:provider) { OpenStruct.new({ 'name' => name, 'label' => label }) }
+ let(:provider) { ActiveSupport::InheritableOptions.new(name: name, label: label) }
before do
stub_omniauth_setting(providers: [provider])
@@ -110,7 +110,7 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
end
context 'when configuration does not specify a custom label' do
- let(:provider) { OpenStruct.new({ 'name' => name } ) }
+ let(:provider) { ActiveSupport::InheritableOptions.new(name: name) }
before do
stub_omniauth_setting(providers: [provider])
diff --git a/spec/lib/gitlab/auth/o_auth/user_spec.rb b/spec/lib/gitlab/auth/o_auth/user_spec.rb
index 8d36507ec7a..1a9e2f02de6 100644
--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -577,28 +577,66 @@ RSpec.describe Gitlab::Auth::OAuth::User do
stub_omniauth_config(allow_single_sign_on: ['twitter'])
end
- context 'signup with omniauth only' do
- context 'dont block on create' do
- before do
- stub_omniauth_config(block_auto_created_users: false)
+ shared_examples 'being blocked on creation' do
+ context 'when blocking on creation' do
+ it 'creates a blocked user' do
+ oauth_user.save # rubocop:disable Rails/SaveBang
+ expect(gl_user).to be_valid
+ expect(gl_user).to be_blocked
end
- it do
+ context 'when a sign up user cap has been set up but has not been reached yet' do
+ it 'still creates a blocked user' do
+ stub_application_setting(new_user_signups_cap: 999)
+
+ oauth_user.save # rubocop:disable Rails/SaveBang
+ expect(gl_user).to be_valid
+ expect(gl_user).to be_blocked
+ end
+ end
+ end
+ end
+
+ shared_examples 'not being blocked on creation' do
+ context 'when not blocking on creation' do
+ it 'creates a non-blocked user' do
oauth_user.save # rubocop:disable Rails/SaveBang
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
+ end
+
+ context 'signup with SAML' do
+ let(:provider) { 'saml' }
+
+ before do
+ stub_omniauth_config({
+ allow_single_sign_on: ['saml'],
+ auto_link_saml_user: true,
+ block_auto_created_users: block_auto_created_users
+ })
+ end
+
+ it_behaves_like 'being blocked on creation' do
+ let(:block_auto_created_users) { true }
+ end
+
+ it_behaves_like 'not being blocked on creation' do
+ let(:block_auto_created_users) { false }
+ end
+ end
- context 'block on create' do
+ context 'signup with omniauth only' do
+ it_behaves_like 'being blocked on creation' do
before do
stub_omniauth_config(block_auto_created_users: true)
end
+ end
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).to be_blocked
+ it_behaves_like 'not being blocked on creation' do
+ before do
+ stub_omniauth_config(block_auto_created_users: false)
end
end
end
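Review bot: The 'being blocked on creation' shared example only exercises a sign-up cap that has not been reached (`new_user_signups_cap: 999`), so how `block_auto_created_users` interacts with a cap that has been reached is not pinned anywhere in this hunk. A sibling example with the cap reached would document which state the auto-created account ends up in; the expected state cannot be determined from the visible lines, so it should be confirmed against the implementation before it is asserted. The existing cap example would also benefit from a why-comment such as `# block_auto_created_users must still apply while the cap leaves room for new users`. The enclosing describe block starts outside the hunk.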
@@ -614,64 +652,40 @@ RSpec.describe Gitlab::Auth::OAuth::User do
end
context "and no account for the LDAP user" do
- context 'dont block on create (LDAP)' do
+ it_behaves_like 'being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
- allow(instance).to receive_messages(block_auto_created_users: false)
+ allow(instance).to receive_messages(block_auto_created_users: true)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
- context 'block on create (LDAP)' do
+ it_behaves_like 'not being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
- allow(instance).to receive_messages(block_auto_created_users: true)
+ allow(instance).to receive_messages(block_auto_created_users: false)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).to be_blocked
- end
end
end
context 'and LDAP user has an account already' do
let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: dn, provider: 'ldapmain', username: 'john') }
- context 'dont block on create (LDAP)' do
+ it_behaves_like 'not being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
allow(instance).to receive_messages(block_auto_created_users: false)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
- context 'block on create (LDAP)' do
+ it_behaves_like 'not being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
allow(instance).to receive_messages(block_auto_created_users: true)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
end
end
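Review bot: In the 'and LDAP user has an account already' context, the second `it_behaves_like 'not being blocked on creation'` stubs `block_auto_created_users: true`, yet the shared example reports itself as "when not blocking on creation / creates a non-blocked user", which contradicts the setup and describes a creation that presumably does not happen for an existing account. Replacing the old named contexts with bare `it_behaves_like` calls also leaves sibling examples with identical descriptions, so a failure no longer shows which setting was under test; the four calls in the next hunk (`@@ -682,56 +696,32 @@`) have the same problem. Since these examples guard whether SSO-provisioned accounts are held for approval, each call is worth wrapping in a descriptive context, e.g. `context 'when block_auto_created_users is true but the LDAP user already exists' do`, or the inner `context` line could be dropped from the shared examples so the caller supplies the wording. The enclosing contexts start outside the hunk.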
@@ -682,56 +696,32 @@ RSpec.describe Gitlab::Auth::OAuth::User do
oauth_user.gl_user.activate
end
- context 'dont block on create' do
+ it_behaves_like 'not being blocked on creation' do
before do
stub_omniauth_config(block_auto_created_users: false)
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
- context 'block on create' do
+ it_behaves_like 'not being blocked on creation' do
before do
stub_omniauth_config(block_auto_created_users: true)
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
- context 'dont block on create (LDAP)' do
+ it_behaves_like 'not being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
allow(instance).to receive_messages(block_auto_created_users: false)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
- context 'block on create (LDAP)' do
+ it_behaves_like 'not being blocked on creation' do
before do
allow_next_instance_of(Gitlab::Auth::Ldap::Config) do |instance|
allow(instance).to receive_messages(block_auto_created_users: true)
end
end
-
- it do
- oauth_user.save # rubocop:disable Rails/SaveBang
- expect(gl_user).to be_valid
- expect(gl_user).not_to be_blocked
- end
end
end
end
@@ -1057,4 +1047,10 @@ RSpec.describe Gitlab::Auth::OAuth::User do
expect(oauth_user.bypass_two_factor?).to be_falsey
end
end
+
+ describe '#protocol_name' do
+ it 'is OAuth' do
+ expect(oauth_user.protocol_name).to eq('OAuth')
+ end
+ end
end
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 5e9d07a8bf7..2bc80edb98c 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -44,6 +44,38 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
end
end
+ describe '#can_sign_in_bot?' do
+ context 'the user is nil' do
+ it { is_expected.not_to be_can_sign_in_bot(nil) }
+ end
+
+ context 'the user is a bot, but for a web request' do
+ let(:user) { build(:user, :project_bot) }
+
+ it { is_expected.not_to be_can_sign_in_bot(user) }
+ end
+
+ context 'the user is a regular user, for an API request' do
+ let(:user) { build(:user) }
+
+ before do
+ env['SCRIPT_NAME'] = '/api/some_resource'
+ end
+
+ it { is_expected.not_to be_can_sign_in_bot(user) }
+ end
+
+ context 'the user is a project bot, for an API request' do
+ let(:user) { build(:user, :project_bot) }
+
+ before do
+ env['SCRIPT_NAME'] = '/api/some_resource'
+ end
+
+ it { is_expected.to be_can_sign_in_bot(user) }
+ end
+ end
+
describe '#find_sessionless_user' do
let_it_be(:dependency_proxy_user) { build(:user) }
let_it_be(:access_token_user) { build(:user) }
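Review bot: The 'the user is a bot, but for a web request' example never sets `env['SCRIPT_NAME']`, so it passes only as long as the `env` defined outside this hunk carries no API path; setting a non-API value explicitly, e.g. `env['SCRIPT_NAME'] = '/some_page'`, would make the negative case independent of the shared fixture. The API cases use a single path, `/api/some_resource`, so the boundary of what counts as an API request for bot sign-in is not pinned; a negative example with a path that merely resembles the prefix would guard against the check being loosened later. How the implementation classifies the request is not visible here, so the exact values should be confirmed against it.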