require 'spec_helper'

describe Gitlab::LDAP::Access, lib: true do
  let(:access) { Gitlab::LDAP::Access.new user }
  let(:user) { create(:omniauth_user) }

  # Class-level entry point: when the per-user check reports the account as
  # allowed, the user's last_credential_check_at timestamp must change.
  describe '.allowed?' do
    it 'updates the users `last_credential_check_at' do
      # Stub the instance-level verdict and make .open yield that stubbed
      # instance, so only the class method's bookkeeping is under test.
      expect(access).to receive(:allowed?).and_return(true)
      expect(described_class).to receive(:open).and_yield(access)

      expect { described_class.allowed?(user) }.to change(user, :last_credential_check_at)
    end
  end

  # Instance-level check. Every example stubs the directory lookup on
  # Gitlab::LDAP::Person and then verifies two things: the verdict returned by
  # #allowed? and whether the GitLab account is asked to be blocked/unblocked.
  describe '#allowed?' do
    subject { access.allowed? }

    # The directory no longer has an entry for this user: deny and block.
    context 'when the user cannot be found' do
      before { allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(nil) }

      it { is_expected.to be_falsey }

      it 'blocks user in GitLab' do
        expect(access).to receive(:block_user).with(user, 'does not exist anymore')

        access.allowed?
      end
    end

    context 'when the user is found' do
      # A bare symbol stands in for the directory entry; the examples below
      # only stub class-level predicates on Person, never the entry itself.
      before { allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(:ldap_user) }

      # Entry exists but Active Directory marks it disabled: deny and block.
      context 'and the user is disabled via active directory' do
        before { allow(Gitlab::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(true) }

        it { is_expected.to be_falsey }

        it 'blocks user in GitLab' do
          expect(access).to receive(:block_user).with(user, 'is disabled in Active Directory')

          access.allowed?
        end
      end

      context 'and has no disabled flag in active diretory' do
        before { allow(Gitlab::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false) }

        it { is_expected.to be_truthy }

        # A block that did not originate from the LDAP check must survive a
        # healthy LDAP result; only an ldap_blocked state may be reversed.
        context 'when auto-created users are blocked' do
          before { user.block }

          it 'does not unblock user in GitLab' do
            expect(access).not_to receive(:unblock_user)

            access.allowed?

            expect(user).to be_blocked
            # this block is handled by omniauth not by our internal logic
            expect(user).not_to be_ldap_blocked
          end
        end

        # The account was blocked by an earlier LDAP check, so a healthy
        # result is expected to lift that block.
        context 'when auto-created users are not blocked' do
          before { user.ldap_block }

          it 'unblocks user in GitLab' do
            expect(access).to receive(:unblock_user).with(user, 'is not disabled anymore')

            access.allowed?
          end
        end
      end

      # LDAP is enabled but the server is configured as not being Active
      # Directory, so the disabled-flag predicate is not stubbed here.
      context 'without ActiveDirectory enabled' do
        before do
          allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
          allow_any_instance_of(Gitlab::LDAP::Config).to receive(:active_directory).and_return(false)
        end

        it { is_expected.to be_truthy }

        context 'when user cannot be found' do
          # Overrides the enclosing context's stub that returned :ldap_user.
          before { allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(nil) }

          it { is_expected.to be_falsey }

          it 'blocks user in GitLab' do
            expect(access).to receive(:block_user).with(user, 'does not exist anymore')

            access.allowed?
          end
        end

        context 'when user was previously ldap_blocked' do
          before { user.ldap_block }

          it 'unblocks the user if it exists' do
            expect(access).to receive(:unblock_user).with(user, 'is available again')

            access.allowed?
          end
        end
      end
    end
  end

  # Blocking must both change the account state and leave a log entry that
  # names the LDAP account, the reason, and the affected GitLab user.
  describe '#block_user' do
    before do
      user.activate
      # Install the logger spy before the call so the example below can
      # inspect the message afterwards with have_received.
      allow(Gitlab::AppLogger).to receive(:info)

      access.block_user(user, 'reason')
    end

    it 'blocks the user' do
      expect(user).to be_blocked
      expect(user).to be_ldap_blocked
    end

    it 'logs the reason' do
      expected_entry =
        "LDAP account \"123456\" reason, " \
        "blocking Gitlab user \"#{user.name}\" (#{user.email})"

      expect(Gitlab::AppLogger).to have_received(:info).with(expected_entry)
    end
  end

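  # Unblocking must clear both blocked states and leave a log entry, so that
  # every reversal of an LDAP block can be traced afterwards.
  describe '#unblock_user' do
    before do
      user.ldap_block
      # Install the logger spy before the call so the example below can
      # inspect the message afterwards with have_received.
      allow(Gitlab::AppLogger).to receive(:info)

      access.unblock_user(user, 'reason')
    end

    it 'activates the user' do
      expect(user).not_to be_blocked
      expect(user).not_to be_ldap_blocked
    end

    it 'logs the reason' do
      # The original example called Gitlab::AppLogger.info itself, which
      # asserts nothing and passes even if unblock_user logs nothing. Assert
      # on the spy instead, in the same form as the '#block_user' example.
      # NOTE(review): the expected text is the string the original example
      # passed to the logger; confirm it matches what unblock_user emits.
      expect(Gitlab::AppLogger).to have_received(:info).with(
        "LDAP account \"123456\" reason, " \
        "unblocking Gitlab user \"#{user.name}\" (#{user.email})"
      )
    end
  end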
end