diff options
author | Imre Farkas <ifarkas@gitlab.com> | 2019-04-09 18:38:58 +0300 |
---|---|---|
committer | Andreas Brandl <abrandl@gitlab.com> | 2019-04-09 18:38:58 +0300 |
commit | 9bc5ed14fe97fe63cd5be30c013c6af978715621 (patch) | |
tree | 74e1548a29b4683e94720b346a4fc41a068b2583 /spec/models | |
parent | a6218f1bcd78f656d57330e764d3f98e1fb1f3f3 (diff) |
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE
Diffstat (limited to 'spec/models')
-rw-r--r-- | spec/models/application_setting_spec.rb | 48 | ||||
-rw-r--r-- | spec/models/concerns/protected_ref_access_spec.rb | 12 | ||||
-rw-r--r-- | spec/models/issue_spec.rb | 45 | ||||
-rw-r--r-- | spec/models/project_spec.rb | 20 |
4 files changed, 124 insertions, 1 deletions
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index c81572d739e..c7d7dbac736 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe ApplicationSetting do - let(:setting) { described_class.create_from_defaults } + subject(:setting) { described_class.create_from_defaults } it { include(CacheableAttributes) } it { include(ApplicationSettingImplementation) } @@ -284,6 +284,52 @@ describe ApplicationSetting do expect(subject).to be_valid end end + + describe 'when external authorization service is enabled' do + before do + setting.external_authorization_service_enabled = true + end + + it { is_expected.not_to allow_value('not a URL').for(:external_authorization_service_url) } + it { is_expected.to allow_value('https://example.com').for(:external_authorization_service_url) } + it { is_expected.to allow_value('').for(:external_authorization_service_url) } + it { is_expected.not_to allow_value(nil).for(:external_authorization_service_default_label) } + it { is_expected.not_to allow_value(11).for(:external_authorization_service_timeout) } + it { is_expected.not_to allow_value(0).for(:external_authorization_service_timeout) } + it { is_expected.not_to allow_value('not a certificate').for(:external_auth_client_cert) } + it { is_expected.to allow_value('').for(:external_auth_client_cert) } + it { is_expected.to allow_value('').for(:external_auth_client_key) } + + context 'when setting a valid client certificate for external authorization' do + let(:certificate_data) { File.read('spec/fixtures/passphrase_x509_certificate.crt') } + + before do + setting.external_auth_client_cert = certificate_data + end + + it 'requires a valid client key when a certificate is set' do + expect(setting).not_to allow_value('fefefe').for(:external_auth_client_key) + end + + it 'requires a matching certificate' do + other_private_key = File.read('spec/fixtures/x509_certificate_pk.key') + + expect(setting).not_to allow_value(other_private_key).for(:external_auth_client_key) + end + + it 'the credentials are valid when the private key can be read and matches the certificate' do + tls_attributes = [:external_auth_client_key_pass, + :external_auth_client_key, + :external_auth_client_cert] + setting.external_auth_client_key = File.read('spec/fixtures/passphrase_x509_certificate_pk.key') + setting.external_auth_client_key_pass = '5iveL!fe' + + setting.validate + + expect(setting.errors).not_to include(*tls_attributes) + end + end + end end context 'restrict creating duplicates' do diff --git a/spec/models/concerns/protected_ref_access_spec.rb b/spec/models/concerns/protected_ref_access_spec.rb index 94798f0590d..f63ad958ed3 100644 --- a/spec/models/concerns/protected_ref_access_spec.rb +++ b/spec/models/concerns/protected_ref_access_spec.rb @@ -3,6 +3,8 @@ require 'spec_helper' describe ProtectedRefAccess do + include ExternalAuthorizationServiceHelpers + subject(:protected_ref_access) do create(:protected_branch, :maintainers_can_push).push_access_levels.first end @@ -29,5 +31,15 @@ describe ProtectedRefAccess do expect(protected_ref_access.check_access(developer)).to be_falsy end + + context 'external authorization' do + it 'is false if external authorization denies access' do + maintainer = create(:user) + project.add_maintainer(maintainer) + external_service_deny_access(maintainer, project) + + expect(protected_ref_access.check_access(maintainer)).to be_falsey + end + end end end diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb index 892dd053e39..0cd69cb4817 100644 --- a/spec/models/issue_spec.rb +++ b/spec/models/issue_spec.rb @@ -3,6 +3,8 @@ require 'spec_helper' describe Issue do + include ExternalAuthorizationServiceHelpers + describe "Associations" do it { is_expected.to belong_to(:milestone) } it { is_expected.to have_many(:assignees) } @@ -779,4 +781,47 @@ describe Issue do it_behaves_like 'throttled touch' do subject { create(:issue, updated_at: 1.hour.ago) } end + + context 'when an external authentication service' do + before do + enable_external_authorization_service_check + end + + describe '#visible_to_user?' do + it 'is `false` when an external authorization service is enabled' do + issue = build(:issue, project: build(:project, :public)) + + expect(issue).not_to be_visible_to_user + end + + it 'checks the external service to determine if an issue is readable by a user' do + project = build(:project, :public, + external_authorization_classification_label: 'a-label') + issue = build(:issue, project: project) + user = build(:user) + + expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false } + expect(issue.visible_to_user?(user)).to be_falsy + end + + it 'does not check the external service if a user does not have access to the project' do + project = build(:project, :private, + external_authorization_classification_label: 'a-label') + issue = build(:issue, project: project) + user = build(:user) + + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + expect(issue.visible_to_user?(user)).to be_falsy + end + + it 'does not check the external webservice for admins' do + issue = build(:issue) + user = build(:admin) + + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + + issue.visible_to_user?(user) + end + end + end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 5eb31430ccd..7222580e115 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' describe Project do include ProjectForksHelper include GitHelpers + include ExternalAuthorizationServiceHelpers it_behaves_like 'having unique enum values' @@ -4417,6 +4418,25 @@ describe Project do end end + describe '#external_authorization_classification_label' do + it 'falls back to the default when none is configured' do + enable_external_authorization_service_check + + expect(build(:project).external_authorization_classification_label) + .to eq('default_label') + end + + it 'returns the classification label if it was configured on the project' do + enable_external_authorization_service_check + + project = build(:project, + external_authorization_classification_label: 'hello') + + expect(project.external_authorization_classification_label) + .to eq('hello') + end + end + describe "#pages_https_only?" do subject { build(:project) } |