Add latest changes from gitlab-org/gitlab@13-4-stable-ee

7 files changed, 279 insertions, 7 deletions

diff --git a/spec/lib/gitlab/auth/atlassian/auth_hash_spec.rb b/spec/lib/gitlab/auth/atlassian/auth_hash_spec.rb
new file mode 100644
index 00000000000..c57b15361c4
--- /dev/null
+++ b/spec/lib/gitlab/auth/atlassian/auth_hash_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::AuthHash do
+  let(:auth_hash) do
+    described_class.new(
+      OmniAuth::AuthHash.new(uid: 'john', credentials: credentials)
+    )
+  end
+
+  let(:credentials) do
+    {
+      token: 'super_secret_token',
+      refresh_token: 'super_secret_refresh_token',
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  describe '#uid' do
+    it 'returns the correct uid' do
+      expect(auth_hash.uid).to eq('john')
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct token' do
+      expect(auth_hash.token).to eq(credentials[:token])
+    end
+  end
+
+  describe '#refresh_token' do
+    it 'returns the correct refresh token' do
+      expect(auth_hash.refresh_token).to eq(credentials[:refresh_token])
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct expires boolean' do
+      expect(auth_hash.expires?).to eq(credentials[:expires])
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct expiration' do
+      expect(auth_hash.expires_at).to eq(credentials[:expires_at])
+    end
+  end
+end
diff --git a/spec/lib/gitlab/auth/atlassian/identity_linker_spec.rb b/spec/lib/gitlab/auth/atlassian/identity_linker_spec.rb
new file mode 100644
index 00000000000..ca6b91ac6f1
--- /dev/null
+++ b/spec/lib/gitlab/auth/atlassian/identity_linker_spec.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::IdentityLinker do
+  let(:user) { create(:user) }
+  let(:extern_uid) { generate(:username) }
+  let(:oauth) do
+    OmniAuth::AuthHash.new(
+      uid: extern_uid,
+      provider: 'atlassian_oauth2',
+      info: { name: 'John', email: 'john@mail.com' },
+      credentials: credentials
+    )
+  end
+
+  let(:credentials) do
+    {
+      token: SecureRandom.alphanumeric(1254),
+      refresh_token: SecureRandom.alphanumeric(45),
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  subject { described_class.new(user, oauth) }
+
+  context 'linked identity exists' do
+    let!(:identity) { create(:atlassian_identity, user: user, extern_uid: extern_uid) }
+
+    before do
+      subject.link
+    end
+
+    it 'sets #changed? to false' do
+      expect(subject).not_to be_changed
+    end
+
+    it 'does not mark as failed' do
+      expect(subject).not_to be_failed
+    end
+  end
+
+  context 'identity already linked to different user' do
+    let!(:identity) { create(:atlassian_identity, extern_uid: extern_uid) }
+
+    it 'sets #changed? to false' do
+      subject.link
+
+      expect(subject).not_to be_changed
+    end
+
+    it 'exposes error message' do
+      expect(subject.error_message).to eq 'Extern uid has already been taken'
+    end
+  end
+
+  context 'identity needs to be created' do
+    let(:identity) { user.atlassian_identity }
+
+    before do
+      subject.link
+    end
+
+    it_behaves_like 'an atlassian identity'
+
+    it 'sets #changed? to true' do
+      expect(subject).to be_changed
+    end
+  end
+end
diff --git a/spec/lib/gitlab/auth/atlassian/user_spec.rb b/spec/lib/gitlab/auth/atlassian/user_spec.rb
new file mode 100644
index 00000000000..1db01102bc2
--- /dev/null
+++ b/spec/lib/gitlab/auth/atlassian/user_spec.rb
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::User do
+  let(:oauth_user) { described_class.new(oauth) }
+  let(:gl_user) { oauth_user.gl_user }
+  let(:extern_uid) { generate(:username) }
+  let(:oauth) do
+    OmniAuth::AuthHash.new(
+      uid: extern_uid,
+      provider: 'atlassian_oauth2',
+      info: { name: 'John', email: 'john@mail.com' },
+      credentials: credentials)
+  end
+
+  let(:credentials) do
+    {
+      token: SecureRandom.alphanumeric(1254),
+      refresh_token: SecureRandom.alphanumeric(45),
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  describe '.assign_identity_from_auth_hash!' do
+    let(:auth_hash) { ::Gitlab::Auth::Atlassian::AuthHash.new(oauth) }
+    let(:identity) { described_class.assign_identity_from_auth_hash!(Atlassian::Identity.new, auth_hash) }
+
+    it_behaves_like 'an atlassian identity'
+  end
+
+  describe '#save' do
+    context 'for an existing user' do
+      context 'with an existing Atlassian Identity' do
+        let!(:existing_user) { create(:atlassian_user, extern_uid: extern_uid) }
+        let(:identity) { gl_user.atlassian_identity }
+
+        before do
+          oauth_user.save # rubocop:disable Rails/SaveBang
+        end
+
+        it 'finds the existing user and identity' do
+          expect(gl_user.id).to eq(existing_user.id)
+          expect(identity.id).to eq(existing_user.atlassian_identity.id)
+        end
+
+        it_behaves_like 'an atlassian identity'
+      end
+
+      context 'for a new user' do
+        it 'creates the user and identity' do
+          oauth_user.save # rubocop:disable Rails/SaveBang
+
+          expect(gl_user).to be_valid
+        end
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/auth/ldap/adapter_spec.rb b/spec/lib/gitlab/auth/ldap/adapter_spec.rb
index 78970378b7f..8546d63cf77 100644
--- a/spec/lib/gitlab/auth/ldap/adapter_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/adapter_spec.rb
@@ -128,7 +128,7 @@ RSpec.describe Gitlab::Auth::Ldap::Adapter do
       before do
         allow(adapter).to receive(:renew_connection_adapter).and_return(ldap)
         allow(ldap).to receive(:search) { raise Net::LDAP::Error, "some error" }
-        allow(Rails.logger).to receive(:warn)
+        allow(Gitlab::AppLogger).to receive(:warn)
       end
 
       context 'retries the operation' do
@@ -152,7 +152,7 @@ RSpec.describe Gitlab::Auth::Ldap::Adapter do
 
           it 'logs the error' do
             expect { subject }.to raise_error(Gitlab::Auth::Ldap::LdapConnectionError)
-            expect(Rails.logger).to have_received(:warn).with(
+            expect(Gitlab::AppLogger).to have_received(:warn).with(
               "LDAP search raised exception Net::LDAP::Error: some error")
           end
         end
diff --git a/spec/lib/gitlab/auth/ldap/config_spec.rb b/spec/lib/gitlab/auth/ldap/config_spec.rb
index 4287596af8f..e4c87a54365 100644
--- a/spec/lib/gitlab/auth/ldap/config_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/config_spec.rb
@@ -168,7 +168,7 @@ AtlErSqafbECNDSwS5BX8yDpu5yRBJ4xegO/rNlmb8ICRYkuJapD1xXicFOsmfUK
     end
 
     it 'logs an error when an invalid key or cert are configured' do
-      allow(Rails.logger).to receive(:error)
+      allow(Gitlab::AppLogger).to receive(:error)
       stub_ldap_config(
         options: {
           'host'                => 'ldap.example.com',
@@ -183,7 +183,7 @@ AtlErSqafbECNDSwS5BX8yDpu5yRBJ4xegO/rNlmb8ICRYkuJapD1xXicFOsmfUK
 
       config.adapter_options
 
-      expect(Rails.logger).to have_received(:error).with(/LDAP TLS Options/).twice
+      expect(Gitlab::AppLogger).to have_received(:error).with(/LDAP TLS Options/).twice
     end
 
     context 'when verify_certificates is enabled' do
diff --git a/spec/lib/gitlab/auth/o_auth/provider_spec.rb b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
index 658a9976cc2..57f17365190 100644
--- a/spec/lib/gitlab/auth/o_auth/provider_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
@@ -45,7 +45,7 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
     end
   end
 
-  describe '#config_for' do
+  describe '.config_for' do
     context 'for an LDAP provider' do
       context 'when the provider exists' do
         it 'returns the config' do
@@ -91,4 +91,46 @@ RSpec.describe Gitlab::Auth::OAuth::Provider do
       end
     end
   end
+
+  describe '.label_for' do
+    subject { described_class.label_for(name) }
+
+    context 'when configuration specifies a custom label' do
+      let(:name) { 'google_oauth2' }
+      let(:label) { 'Custom Google Provider' }
+      let(:provider) { OpenStruct.new({ 'name' => name, 'label' => label }) }
+
+      before do
+        stub_omniauth_setting(providers: [provider])
+      end
+
+      it 'returns the custom label name' do
+        expect(subject).to eq(label)
+      end
+    end
+
+    context 'when configuration does not specify a custom label' do
+      let(:provider) { OpenStruct.new({ 'name' => name } ) }
+
+      before do
+        stub_omniauth_setting(providers: [provider])
+      end
+
+      context 'when the name does not correspond to a label mapping' do
+        let(:name) { 'twitter' }
+
+        it 'returns the titleized name' do
+          expect(subject).to eq(name.titleize)
+        end
+      end
+    end
+
+    context 'when the name corresponds to a label mapping' do
+      let(:name) { 'gitlab' }
+
+      it 'returns the mapped name' do
+        expect(subject).to eq('GitLab.com')
+      end
+    end
+  end
 end
diff --git a/spec/lib/gitlab/auth/o_auth/user_spec.rb b/spec/lib/gitlab/auth/o_auth/user_spec.rb
index 12e774ec1f8..243d0a4cb45 100644
--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -202,7 +202,56 @@ RSpec.describe Gitlab::Auth::OAuth::User do
         include_examples "to verify compliance with allow_single_sign_on"
       end
 
-      context "with auto_link_user enabled" do
+      context "with auto_link_user enabled for a different provider" do
+        before do
+          stub_omniauth_config(auto_link_user: ['saml'])
+        end
+
+        context "and a current GitLab user with a matching email" do
+          let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }
+
+          it "adds the OmniAuth identity to the GitLab user account" do
+            oauth_user.save
+
+            expect(gl_user).not_to be_valid
+          end
+        end
+
+        context "and no current GitLab user with a matching email" do
+          include_examples "to verify compliance with allow_single_sign_on"
+        end
+      end
+
+      context "with auto_link_user enabled for the correct provider" do
+        before do
+          stub_omniauth_config(auto_link_user: ['twitter'])
+        end
+
+        context "and a current GitLab user with a matching email" do
+          let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }
+
+          it "adds the OmniAuth identity to the GitLab user account" do
+            oauth_user.save
+
+            expect(gl_user).to be_valid
+            expect(gl_user.username).to eql 'john'
+            expect(gl_user.email).to eql 'john@mail.com'
+            expect(gl_user.identities.length).to be 1
+            identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+            expect(identities_as_hash).to match_array(
+              [
+                { provider: 'twitter', extern_uid: uid }
+              ]
+            )
+          end
+        end
+
+        context "and no current GitLab user with a matching email" do
+          include_examples "to verify compliance with allow_single_sign_on"
+        end
+      end
+
+      context "with auto_link_user enabled for all providers" do
         before do
           stub_omniauth_config(auto_link_user: true)
         end
@@ -421,7 +470,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 
       context "with both auto_link_user and auto_link_ldap_user enabled" do
         before do
-          stub_omniauth_config(auto_link_user: true, auto_link_ldap_user: true)
+          stub_omniauth_config(auto_link_user: ['twitter'], auto_link_ldap_user: true)
         end
 
         context "and at least one LDAP provider is defined" do