Add latest changes from gitlab-org/gitlab@master

4 files changed, 308 insertions, 36 deletions

diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb
index 3b3db0f7315..7c2fdac6c25 100644
--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -2,10 +2,10 @@
 
 require 'spec_helper'
 
-describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
+describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
   include_context 'custom session'
 
-  let(:user) { build(:user) }
+  let(:user) { build_stubbed(:user) }
 
   subject { described_class.new(user) }
 
@@ -13,54 +13,66 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
     allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session])
   end
 
-  describe '#admin_mode?', :request_store do
-    context 'when the user is a regular user' do
-      it 'is false by default' do
-        expect(subject.admin_mode?).to be(false)
-      end
+  shared_examples 'admin mode cannot be enabled' do
+    it 'is false by default' do
+      expect(subject.admin_mode?).to be(false)
+    end
 
-      it 'cannot be enabled with a valid password' do
-        subject.enable_admin_mode!(password: user.password)
+    it 'cannot be enabled with a valid password' do
+      subject.enable_admin_mode!(password: user.password)
 
-        expect(subject.admin_mode?).to be(false)
-      end
+      expect(subject.admin_mode?).to be(false)
+    end
 
-      it 'cannot be enabled with an invalid password' do
-        subject.enable_admin_mode!(password: nil)
+    it 'cannot be enabled with an invalid password' do
+      subject.enable_admin_mode!(password: nil)
 
-        expect(subject.admin_mode?).to be(false)
-      end
+      expect(subject.admin_mode?).to be(false)
+    end
 
-      it 'cannot be enabled with empty params' do
-        subject.enable_admin_mode!
+    it 'cannot be enabled with empty params' do
+      subject.enable_admin_mode!
 
-        expect(subject.admin_mode?).to be(false)
-      end
+      expect(subject.admin_mode?).to be(false)
+    end
 
-      it 'disable has no effect' do
-        subject.enable_admin_mode!
-        subject.disable_admin_mode!
+    it 'disable has no effect' do
+      subject.enable_admin_mode!
+      subject.disable_admin_mode!
+
+      expect(subject.admin_mode?).to be(false)
+    end
+
+    context 'skipping password validation' do
+      it 'cannot be enabled with a valid password' do
+        subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
 
         expect(subject.admin_mode?).to be(false)
       end
 
-      context 'skipping password validation' do
-        it 'cannot be enabled with a valid password' do
-          subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
+      it 'cannot be enabled with an invalid password' do
+        subject.enable_admin_mode!(skip_password_validation: true)
 
-          expect(subject.admin_mode?).to be(false)
-        end
+        expect(subject.admin_mode?).to be(false)
+      end
+    end
+  end
 
-        it 'cannot be enabled with an invalid password' do
-          subject.enable_admin_mode!(skip_password_validation: true)
+  describe '#admin_mode?' do
+    context 'when the user is a regular user' do
+      it_behaves_like 'admin mode cannot be enabled'
 
-          expect(subject.admin_mode?).to be(false)
+      context 'bypassing session' do
+        it_behaves_like 'admin mode cannot be enabled' do
+          around do |example|
+            described_class.bypass_session!(user.id) { example.run }
+          end
         end
       end
     end
 
     context 'when the user is an admin' do
-      let(:user) { build(:user, :admin) }
+      let(:user) { build_stubbed(:user, :admin) }
 
       context 'when admin mode not requested' do
         it 'is false by default' do
@@ -148,11 +160,36 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
           end
         end
       end
+
+      context 'bypassing session' do
+        it 'is active by default' do
+          described_class.bypass_session!(user.id) do
+            expect(subject.admin_mode?).to be(true)
+          end
+        end
+
+        it 'enable has no effect' do
+          described_class.bypass_session!(user.id) do
+            subject.request_admin_mode!
+            subject.enable_admin_mode!(password: user.password)
+
+            expect(subject.admin_mode?).to be(true)
+          end
+        end
+
+        it 'disable has no effect' do
+          described_class.bypass_session!(user.id) do
+            subject.disable_admin_mode!
+
+            expect(subject.admin_mode?).to be(true)
+          end
+        end
+      end
     end
   end
 
   describe '#enable_admin_mode!' do
-    let(:user) { build(:user, :admin) }
+    let(:user) { build_stubbed(:user, :admin) }
 
     it 'creates a timestamp in the session' do
       subject.request_admin_mode!
@@ -163,7 +200,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
   end
 
   describe '#enable_sessionless_admin_mode!' do
-    let(:user) { build(:user, :admin) }
+    let(:user) { build_stubbed(:user, :admin) }
 
     it 'enabled admin mode without password' do
       subject.enable_sessionless_admin_mode!
@@ -173,7 +210,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
   end
 
   describe '#disable_admin_mode!' do
-    let(:user) { build(:user, :admin) }
+    let(:user) { build_stubbed(:user, :admin) }
 
     it 'sets the session timestamp to nil' do
       subject.request_admin_mode!
@@ -183,6 +220,73 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
     end
   end
 
+  describe '.bypass_session!' do
+    context 'with a regular user' do
+      it 'admin mode is false' do
+        described_class.bypass_session!(user.id) do
+          expect(subject.admin_mode?).to be(false)
+          expect(described_class.bypass_session_admin_id).to be(user.id)
+        end
+
+        expect(described_class.bypass_session_admin_id).to be_nil
+      end
+    end
+
+    context 'with an admin user' do
+      let(:user) { build_stubbed(:user, :admin) }
+
+      it 'admin mode is true' do
+        described_class.bypass_session!(user.id) do
+          expect(subject.admin_mode?).to be(true)
+          expect(described_class.bypass_session_admin_id).to be(user.id)
+        end
+
+        expect(described_class.bypass_session_admin_id).to be_nil
+      end
+    end
+  end
+
+  describe '.with_current_request_admin_mode' do
+    context 'with a regular user' do
+      it 'user is not available inside nor outside the yielded block' do
+        described_class.with_current_admin(user) do
+          expect(described_class.current_admin).to be_nil
+        end
+
+        expect(described_class.bypass_session_admin_id).to be_nil
+      end
+    end
+
+    context 'with an admin user' do
+      let(:user) { build_stubbed(:user, :admin) }
+
+      context 'admin mode is disabled' do
+        it 'user is not available inside nor outside the yielded block' do
+          described_class.with_current_admin(user) do
+            expect(described_class.current_admin).to be_nil
+          end
+
+          expect(described_class.bypass_session_admin_id).to be_nil
+        end
+      end
+
+      context 'admin mode is enabled' do
+        before do
+          subject.request_admin_mode!
+          subject.enable_admin_mode!(password: user.password)
+        end
+
+        it 'user is available only inside the yielded block' do
+          described_class.with_current_admin(user) do
+            expect(described_class.current_admin).to be(user)
+          end
+
+          expect(described_class.current_admin).to be_nil
+        end
+      end
+    end
+  end
+
   def expected_session_entry(value_matcher)
     {
       Gitlab::Auth::CurrentUserMode::SESSION_STORE_KEY => a_hash_including(
diff --git a/spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb b/spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb
new file mode 100644
index 00000000000..f6449bae8c3
--- /dev/null
+++ b/spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::SidekiqMiddleware::AdminMode::Client, :do_not_mock_admin_mode, :request_store do
+  include AdminModeHelper
+
+  let(:worker) do
+    Class.new do
+      def perform; end
+    end
+  end
+
+  let(:job) { {} }
+  let(:queue) { :test }
+
+  it 'yields block' do
+    expect do |b|
+      subject.call(worker, job, queue, nil, &b)
+    end.to yield_control.once
+  end
+
+  context 'user is a regular user' do
+    it 'no admin mode field in payload' do
+      subject.call(worker, job, queue, nil) { nil }
+
+      expect(job).not_to include('admin_mode_user_id')
+    end
+  end
+
+  context 'user is an administrator' do
+    let(:admin) { create(:admin) }
+
+    context 'admin mode disabled' do
+      it 'no admin mode field in payload' do
+        subject.call(worker, job, queue, nil) { nil }
+
+        expect(job).not_to include('admin_mode_user_id')
+      end
+    end
+
+    context 'admin mode enabled' do
+      before do
+        enable_admin_mode!(admin)
+      end
+
+      context 'when sidekiq required context not set' do
+        it 'no admin mode field in payload' do
+          subject.call(worker, job, queue, nil) { nil }
+
+          expect(job).not_to include('admin_mode_user_id')
+        end
+      end
+
+      context 'when user stored in current request' do
+        it 'has admin mode field in payload' do
+          Gitlab::Auth::CurrentUserMode.with_current_admin(admin) do
+            subject.call(worker, job, queue, nil) { nil }
+
+            expect(job).to include('admin_mode_user_id' => admin.id)
+          end
+        end
+      end
+
+      context 'when bypassing session' do
+        it 'has admin mode field in payload' do
+          Gitlab::Auth::CurrentUserMode.bypass_session!(admin.id) do
+            subject.call(worker, job, queue, nil) { nil }
+
+            expect(job).to include('admin_mode_user_id' => admin.id)
+          end
+        end
+      end
+    end
+  end
+
+  context 'admin mode feature disabled' do
+    before do
+      stub_feature_flags(user_mode_in_session: false)
+    end
+
+    it 'yields block' do
+      expect do |b|
+        subject.call(worker, job, queue, nil, &b)
+      end.to yield_control.once
+    end
+
+    it 'no admin mode field in payload' do
+      subject.call(worker, job, queue, nil) { nil }
+
+      expect(job).not_to include('admin_mode_user_id')
+    end
+  end
+end
diff --git a/spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb b/spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb
new file mode 100644
index 00000000000..60475f0e403
--- /dev/null
+++ b/spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb
@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::SidekiqMiddleware::AdminMode::Server, :do_not_mock_admin_mode, :request_store do
+  include AdminModeHelper
+
+  let(:worker) do
+    Class.new do
+      def perform; end
+    end
+  end
+
+  let(:job) { {} }
+  let(:queue) { :test }
+
+  it 'yields block' do
+    expect do |b|
+      subject.call(worker, job, queue, &b)
+    end.to yield_control.once
+  end
+
+  context 'job has no admin mode field' do
+    it 'session is not bypassed' do
+      subject.call(worker, job, queue) do
+        expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
+      end
+    end
+  end
+
+  context 'job has admin mode field' do
+    let(:admin) { create(:admin) }
+
+    context 'nil admin mode id' do
+      let(:job) { { 'admin_mode_user_id' => nil } }
+
+      it 'session is not bypassed' do
+        subject.call(worker, job, queue) do
+          expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
+        end
+      end
+    end
+
+    context 'valid admin mode id' do
+      let(:job) { { 'admin_mode_user_id' => admin.id } }
+
+      it 'session is bypassed' do
+        subject.call(worker, job, queue) do
+          expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be(admin.id)
+        end
+      end
+    end
+  end
+
+  context 'admin mode feature disabled' do
+    before do
+      stub_feature_flags(user_mode_in_session: false)
+    end
+
+    it 'yields block' do
+      expect do |b|
+        subject.call(worker, job, queue, &b)
+      end.to yield_control.once
+    end
+
+    it 'session is not bypassed' do
+      subject.call(worker, job, queue) do
+        expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/sidekiq_middleware_spec.rb b/spec/lib/gitlab/sidekiq_middleware_spec.rb
index e8dcbbd2ee1..19242d25e27 100644
--- a/spec/lib/gitlab/sidekiq_middleware_spec.rb
+++ b/spec/lib/gitlab/sidekiq_middleware_spec.rb
@@ -45,7 +45,8 @@ describe Gitlab::SidekiqMiddleware do
        Gitlab::SidekiqMiddleware::ArgumentsLogger,
        Gitlab::SidekiqMiddleware::MemoryKiller,
        Gitlab::SidekiqMiddleware::RequestStoreMiddleware,
-       Gitlab::SidekiqMiddleware::WorkerContext::Server
+       Gitlab::SidekiqMiddleware::WorkerContext::Server,
+       Gitlab::SidekiqMiddleware::AdminMode::Server
       ]
     end
     let(:enabled_sidekiq_middlewares) { all_sidekiq_middlewares - disabled_sidekiq_middlewares }
@@ -115,7 +116,8 @@ describe Gitlab::SidekiqMiddleware do
         Gitlab::SidekiqStatus::ClientMiddleware,
         Gitlab::SidekiqMiddleware::ClientMetrics,
         Gitlab::SidekiqMiddleware::WorkerContext::Client,
-        Labkit::Middleware::Sidekiq::Client
+        Labkit::Middleware::Sidekiq::Client,
+        Gitlab::SidekiqMiddleware::AdminMode::Client
       ]
     end