From 6e4e1050d9dba2b7b2523fdd1768823ab85feef4 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 20 Aug 2020 18:42:06 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-3-stable-ee

---
 spec/lib/gitlab/auth/auth_finders_spec.rb | 55 +++++-
 spec/lib/gitlab/auth/ldap/user_spec.rb | 3 +
 spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb | 1 +
 spec/lib/gitlab/auth/o_auth/user_spec.rb | 195 ++++++++++++++++++---
 spec/lib/gitlab/auth/request_authenticator_spec.rb | 1 +
 spec/lib/gitlab/auth/saml/user_spec.rb | 2 +
 6 files changed, 227 insertions(+), 30 deletions(-)
(limited to 'spec/lib/gitlab/auth')

diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index d0f5d0a9b35..a73ac0b34af 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 'rack.input' => ''
 }
 end
+
 let(:request) { ActionDispatch::Request.new(env) }
 
 def set_param(key, value)
 
@@ -554,7 +555,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 end
 
 context 'with CI username' do
- let(:username) { ::Ci::Build::CI_REGISTRY_USER }
+ let(:username) { ::Gitlab::Auth::CI_JOB_USER }
 let(:user) { create(:user) }
 let(:build) { create(:ci_build, user: user) }
 
@@ -727,7 +728,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 context 'when the job token is provided via basic auth' do
 let(:route_authentication_setting) { { job_token_allowed: :basic_auth } }
 
- let(:username) { Ci::Build::CI_REGISTRY_USER }
+ let(:username) { ::Gitlab::Auth::CI_JOB_USER }
 let(:token) { job.token }
 
 before do
@@ -744,6 +745,56 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 end
 end
 
+ describe '#cluster_agent_token_from_authorization_token' do
+ let_it_be(:agent_token) { create(:cluster_agent_token) }
+
+ context 'when route_setting is empty' do
+ it 'returns nil' do
+ expect(cluster_agent_token_from_authorization_token).to be_nil
+ end
+ end
+
+ context 'when route_setting allows cluster agent token' do
+ let(:route_authentication_setting) { { cluster_agent_token_allowed: true } }
+
+ context 'Authorization header is empty' do
+ it 'returns nil' do
+ expect(cluster_agent_token_from_authorization_token).to be_nil
+ end
+ end
+
+ context 'Authorization header is incorrect' do
+ before do
+ request.headers['Authorization'] = 'Bearer ABCD'
+ end
+
+ it 'returns nil' do
+ expect(cluster_agent_token_from_authorization_token).to be_nil
+ end
+ end
+
+ context 'Authorization header is malformed' do
+ before do
+ request.headers['Authorization'] = 'Bearer'
+ end
+
+ it 'returns nil' do
+ expect(cluster_agent_token_from_authorization_token).to be_nil
+ end
+ end
+
+ context 'Authorization header matches agent token' do
+ before do
+ request.headers['Authorization'] = "Bearer #{agent_token.token}"
+ end
+
+ it 'returns the agent token' do
+ expect(cluster_agent_token_from_authorization_token).to eq(agent_token)
+ end
+ end
+ end
+ end
+
 describe '#find_runner_from_token' do
 let(:runner) { create(:ci_runner) }
 
diff --git a/spec/lib/gitlab/auth/ldap/user_spec.rb b/spec/lib/gitlab/auth/ldap/user_spec.rb
index 7ca2878e583..ccaed94b5c8 100644
--- a/spec/lib/gitlab/auth/ldap/user_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/user_spec.rb
@@ -14,9 +14,11 @@ RSpec.describe Gitlab::Auth::Ldap::User do
 nickname: 'john'
 }
 end
+
 let(:auth_hash) do
 OmniAuth::AuthHash.new(uid: 'uid=John Smith,ou=People,dc=example,dc=com', provider: 'ldapmain', info: info)
 end
+
 let(:ldap_user_upper_case) { described_class.new(auth_hash_upper_case) }
 let(:info_upper_case) do
 {
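Review bot: The 'when route_setting is empty' example passes vacuously, because no Authorization header is set in that context, so it never demonstrates that the route setting is what gates a valid agent token. Give that context its own `before do request.headers['Authorization'] = "Bearer #{agent_token.token}" end` so the `be_nil` assertion proves the gate rather than the absence of a header. A wrong-scheme case under the allowed setting, e.g. `request.headers['Authorization'] = "Basic #{agent_token.token}"` still returning nil, would also pin that only the Bearer scheme is honoured. The finder under test lives outside this hunk, so whether it already rejects other schemes cannot be confirmed from here.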
@@ -25,6 +27,7 @@ RSpec.describe Gitlab::Auth::Ldap::User do
 nickname: 'john'
 }
 end
+
 let(:auth_hash_upper_case) do
 OmniAuth::AuthHash.new(uid: 'uid=John Smith,ou=People,dc=example,dc=com', provider: 'ldapmain', info: info_upper_case)
 end
diff --git a/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb b/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
index 7a60acca95b..67ffdee0c4a 100644
--- a/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/auth_hash_spec.rb
@@ -17,6 +17,7 @@ RSpec.describe Gitlab::Auth::OAuth::AuthHash do
 let(:uid_raw) do
 +"CN=Onur K\xC3\xBC\xC3\xA7\xC3\xBCk,OU=Test,DC=example,DC=net"
 end
+
 let(:email_raw) { +"onur.k\xC3\xBC\xC3\xA7\xC3\xBCk_ABC-123@example.net" }
 let(:nickname_raw) { +"ok\xC3\xBC\xC3\xA7\xC3\xBCk" }
 let(:first_name_raw) { +'Onur' }
diff --git a/spec/lib/gitlab/auth/o_auth/user_spec.rb b/spec/lib/gitlab/auth/o_auth/user_spec.rb
index ad04fddc675..12e774ec1f8 100644
--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -22,6 +22,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 }
 }
 end
+
 let(:ldap_user) { Gitlab::Auth::Ldap::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
 
 describe '#persisted?' do
@@ -193,6 +194,43 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 end
 end
 
+ context "with auto_link_user disabled (default)" do
+ before do
+ stub_omniauth_config(auto_link_user: false)
+ end
+
+ include_examples "to verify compliance with allow_single_sign_on"
+ end
+
+ context "with auto_link_user enabled" do
+ before do
+ stub_omniauth_config(auto_link_user: true)
+ end
+
+ context "and a current GitLab user with a matching email" do
+ let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }
+
+ it "adds the OmniAuth identity to the GitLab user account" do
+ oauth_user.save
+
+ expect(gl_user).to be_valid
+ expect(gl_user.username).to eql 'john'
+ expect(gl_user.email).to eql 'john@mail.com'
+ expect(gl_user.identities.length).to be 1
+ identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+ expect(identities_as_hash).to match_array(
+ [
+ { provider: 'twitter', extern_uid: uid }
+ ]
+ )
+ end
+ end
+
+ context "and no current GitLab user with a matching email" do
+ include_examples "to verify compliance with allow_single_sign_on"
+ end
+ end
+
 context "with auto_link_ldap_user disabled (default)" do
 before do
 stub_omniauth_config(auto_link_ldap_user: false)
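Review bot: The 'with auto_link_user enabled' context only covers the positive match; nothing shows that an existing account whose email does not match (or differs only in case) is left untouched, which is the property email-based auto-linking depends on to avoid attaching a third-party identity to the wrong account. A sibling context with `let!(:other_user) { create(:user, email: 'someone-else@mail.com') }` asserting `expect(gl_user).not_to eq(other_user)` and `expect(other_user.reload.identities).to be_empty` would pin it. The comparison is presumably against the email in `info_hash`, which is defined outside this hunk, so the spec does not show what the provider must supply for that value to be trusted. The enclosing describe block begins before the hunk.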
@@ -229,39 +267,56 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 end
 
 context "and no account for the LDAP user" do
- before do
- allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
+ context 'when the LDAP user is found by UID' do
+ before do
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
 
- oauth_user.save
- end
+ oauth_user.save
+ end
 
- it "creates a user with dual LDAP and omniauth identities" do
- expect(gl_user).to be_valid
- expect(gl_user.username).to eql uid
- expect(gl_user.name).to eql 'John Doe'
- expect(gl_user.email).to eql 'johndoe@example.com'
- expect(gl_user.identities.length).to be 2
- identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
- expect(identities_as_hash).to match_array(
- [
- { provider: 'ldapmain', extern_uid: dn },
- { provider: 'twitter', extern_uid: uid }
- ]
- )
- end
+ it "creates a user with dual LDAP and omniauth identities" do
+ expect(gl_user).to be_valid
+ expect(gl_user.username).to eql uid
+ expect(gl_user.name).to eql 'John Doe'
+ expect(gl_user.email).to eql 'johndoe@example.com'
+ expect(gl_user.identities.length).to be 2
+ identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+ expect(identities_as_hash).to match_array(
+ [
+ { provider: 'ldapmain', extern_uid: dn },
+ { provider: 'twitter', extern_uid: uid }
+ ]
+ )
+ end
 
- it "has name and email set as synced" do
- expect(gl_user.user_synced_attributes_metadata.name_synced).to be_truthy
- expect(gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
- end
+ it "has name and email set as synced" do
+ expect(gl_user.user_synced_attributes_metadata.name_synced).to be_truthy
+ expect(gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
+ end
 
- it "has name and email set as read-only" do
- expect(gl_user.read_only_attribute?(:name)).to be_truthy
- expect(gl_user.read_only_attribute?(:email)).to be_truthy
+ it "has name and email set as read-only" do
+ expect(gl_user.read_only_attribute?(:name)).to be_truthy
+ expect(gl_user.read_only_attribute?(:email)).to be_truthy
+ end
+
+ it "has synced attributes provider set to ldapmain" do
+ expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
+ end
 end
 
- it "has synced attributes provider set to ldapmain" do
- expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
+ context 'when the LDAP user is found by email address' do
+ before do
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(nil)
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_email).with(uid, any_args).and_return(nil)
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_email).with(info_hash[:email], any_args).and_return(ldap_user)
+
+ oauth_user.save
+ end
+
+ it 'creates the LDAP identity' do
+ identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+ expect(identities_as_hash).to include({ provider: 'ldapmain', extern_uid: dn })
+ end
 end
 end
 
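Review bot: The new 'when the LDAP user is found by email address' example asserts only that an ldapmain identity is present, so it would still pass if the twitter identity were lost, a duplicate identity were created, or name/email were not marked as synced from LDAP — all of which the sibling 'found by UID' context checks. Add `expect(gl_user.identities.length).to be 2` and `expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'` next to the include assertion. The stub `receive(:find_by_email).with(uid, any_args).and_return(nil)` encodes a lookup order (the uid tried as an email first) that is not visible in this hunk; if the implementation does not make that call the stub is dead and the test no longer documents anything. The enclosing context and its `ldap_user` setup begin before the hunk.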
@@ -363,6 +418,90 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 end
 end
 end
+
+ context "with both auto_link_user and auto_link_ldap_user enabled" do
+ before do
+ stub_omniauth_config(auto_link_user: true, auto_link_ldap_user: true)
+ end
+
+ context "and at least one LDAP provider is defined" do
+ before do
+ stub_ldap_config(providers: %w(ldapmain))
+ end
+
+ context "and a corresponding LDAP person" do
+ before do
+ allow(ldap_user).to receive_messages(
+ uid: uid,
+ username: uid,
+ name: 'John Doe',
+ email: ['john@mail.com'],
+ dn: dn
+ )
+ end
+
+ context "and no account for the LDAP user" do
+ before do
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
+
+ oauth_user.save
+ end
+
+ it "creates a user with dual LDAP and omniauth identities" do
+ expect(gl_user).to be_valid
+ expect(gl_user.username).to eql uid
+ expect(gl_user.name).to eql 'John Doe'
+ expect(gl_user.email).to eql 'john@mail.com'
+ expect(gl_user.identities.length).to be 2
+ identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+ expect(identities_as_hash).to match_array(
+ [
+ { provider: 'ldapmain', extern_uid: dn },
+ { provider: 'twitter', extern_uid: uid }
+ ]
+ )
+ end
+
+ it "has name and email set as synced" do
+ expect(gl_user.user_synced_attributes_metadata.name_synced).to be_truthy
+ expect(gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
+ end
+
+ it "has name and email set as read-only" do
+ expect(gl_user.read_only_attribute?(:name)).to be_truthy
+ expect(gl_user.read_only_attribute?(:email)).to be_truthy
+ end
+
+ it "has synced attributes provider set to ldapmain" do
+ expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
+ end
+ end
+
+ context "and LDAP user has an account already" do
+ let!(:existing_user) { create(:omniauth_user, name: 'John Doe', email: 'john@mail.com', extern_uid: dn, provider: 'ldapmain', username: 'john') }
+
+ it "adds the omniauth identity to the LDAP account" do
+ allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
+
+ oauth_user.save
+
+ expect(gl_user).to be_valid
+ expect(gl_user.username).to eql 'john'
+ expect(gl_user.name).to eql 'John Doe'
+ expect(gl_user.email).to eql 'john@mail.com'
+ expect(gl_user.identities.length).to be 2
+ identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+ expect(identities_as_hash).to match_array(
+ [
+ { provider: 'ldapmain', extern_uid: dn },
+ { provider: 'twitter', extern_uid: uid }
+ ]
+ )
+ end
+ end
+ end
+ end
+ end
 end
 
 describe 'blocking' do
@@ -790,7 +929,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do
 end
 end
 
- describe '.find_by_uid_and_provider' do
+ describe '._uid_and_provider' do
 let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }
 
 it 'normalizes extern_uid' do
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 32d64519e2c..ef83321cc0e 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
 'REQUEST_METHOD' => 'GET'
 }
 end
+
 let(:request) { ActionDispatch::Request.new(env) }
 
 subject { described_class.new(request) }
diff --git a/spec/lib/gitlab/auth/saml/user_spec.rb b/spec/lib/gitlab/auth/saml/user_spec.rb
index 7f8346f0486..fd48492f18d 100644
--- a/spec/lib/gitlab/auth/saml/user_spec.rb
+++ b/spec/lib/gitlab/auth/saml/user_spec.rb
@@ -19,6 +19,7 @@ RSpec.describe Gitlab::Auth::Saml::User do
 email: 'john@mail.com'
 }
 end
+
 let(:ldap_user) { Gitlab::Auth::Ldap::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
 
 describe '#save' do
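Review bot: With both auto_link_user and auto_link_ldap_user enabled, the spec never exercises the case where the two linking rules disagree: an existing GitLab user that carries the matching email but is not the LDAP account (no ldapmain identity). That is exactly where email-based linking could attach the twitter identity to one account while LDAP linking binds a different one, and the 'and LDAP user has an account already' context sidesteps it by creating the user with `provider: 'ldapmain'` and `extern_uid: dn`. A context with `let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }` asserting which user `gl_user` resolves to and which identities it ends up with would pin the precedence. The 'and no account for the LDAP user' block also repeats the earlier one almost verbatim apart from the expected email; a shared example parameterised on that value would keep the two from drifting.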
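Review bot: The describe label in the `@@ -790,7 +929,7` hunk changed from `'.find_by_uid_and_provider'` to `'._uid_and_provider'`, which no longer names a method; the examples underneath (`it 'normalizes extern_uid'`) continue past the hunk, so their subject is not visible here. This reads like a slip from a bulk replace of `find_by` rather than a deliberate rename. Restore `describe '.find_by_uid_and_provider' do` unless the class method was actually renamed in the same release.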
@@ -194,6 +195,7 @@ RSpec.describe Gitlab::Auth::Saml::User do
 }
 }
 end
+
 let(:auth_hash) { OmniAuth::AuthHash.new(auth_hash_base_attributes) }
 let(:uid_types) { %w(uid dn email) }
 
-- 
cgit v1.2.3