Commit 6e993aa3 authored by Robert Speicher's avatar Robert Speicher

Merge branch '5913-extract-ee-specific-lines-for-lib-gitlab-auth' into 'master'

Resolve "Extract EE specific files/lines for lib/gitlab/auth"

Closes #5913

See merge request gitlab-org/gitlab-ee!5761
parents 501916fe 3fcdf8bc
module EE
module Gitlab
module Auth
module LDAP
module Access
extend ActiveSupport::Concern
extend ::Gitlab::Utils::Override
override :find_ldap_user
def find_ldap_user
found_user = super
return found_user if found_user
if ldap_identity
::Gitlab::Auth::LDAP::Person.find_by_email(user.email, adapter)
end
end
override :update_user
def update_user
update_email
update_memberships
update_identity
update_ssh_keys if sync_ssh_keys?
update_kerberos_identity if import_kerberos_identities?
end
# Update user ssh keys if they changed in LDAP
def update_ssh_keys
remove_old_ssh_keys
add_new_ssh_keys
end
# Add ssh keys that are in LDAP but not in GitLab
def add_new_ssh_keys
keys = ldap_user.ssh_keys - user.keys.ldap.pluck(:key)
keys.each do |key|
::Rails.logger.info "#{self.class.name}: adding LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})"
new_key = ::LDAPKey.new(title: "LDAP - #{ldap_config.sync_ssh_keys}", key: key)
new_key.user = user
unless new_key.save
::Rails.logger.error "#{self.class.name}: failed to add LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})\n"\
"error messages: #{new_key.errors.messages}"
end
end
end
# Remove ssh keys that do not exist in LDAP any more
def remove_old_ssh_keys
keys = user.keys.ldap.where.not(key: ldap_user.ssh_keys)
keys.each do |deleted_key|
::Rails.logger.info "#{self.class.name}: removing LDAP SSH key #{deleted_key.key} from #{user.name} (#{user.id})"
unless deleted_key.destroy
::Rails.logger.error "#{self.class.name}: failed to remove LDAP SSH key #{key.inspect} from #{user.name} (#{user.id})"
end
end
end
# Update user Kerberos identity with Kerberos principal name from Active Directory
def update_kerberos_identity
# there can be only one Kerberos identity in GitLab; if the user has a Kerberos identity in AD,
# replace any existing Kerberos identity for the user
return unless ldap_user.kerberos_principal.present?
kerberos_identity = user.identities.where(provider: :kerberos).first
return if kerberos_identity && kerberos_identity.extern_uid == ldap_user.kerberos_principal
kerberos_identity ||= ::Identity.new(provider: :kerberos, user: user)
kerberos_identity.extern_uid = ldap_user.kerberos_principal
unless kerberos_identity.save
::Rails.logger.error "#{self.class.name}: failed to add Kerberos principal #{principal} to #{user.name} (#{user.id})\n"\
"error messages: #{new_identity.errors.messages}"
end
end
# Update user email if it changed in LDAP
def update_email
return false unless ldap_user.try(:email)
ldap_email = ldap_user.email.last.to_s.downcase
return false if user.email == ldap_email
::Users::UpdateService.new(user, user: user, email: ldap_email).execute do |user|
user.skip_reconfirmation!
end
end
def update_identity
return if ldap_user.dn.empty? || ldap_user.dn == ldap_identity.extern_uid
unless ldap_identity.update(extern_uid: ldap_user.dn)
::Rails.logger.error "Could not update DN for #{user.name} (#{user.id})\n"\
"error messages: #{user.ldap_identity.errors.messages}"
end
end
delegate :sync_ssh_keys?, to: :ldap_config
def import_kerberos_identities?
# Kerberos may be enabled for Git HTTP access and/or as an Omniauth provider
ldap_config.active_directory && (::Gitlab.config.kerberos.enabled || ::AuthHelper.kerberos_enabled? )
end
def update_memberships
return if ldap_user.nil? || ldap_user.group_cns.empty?
group_ids = ::LdapGroupLink.where(cn: ldap_user.group_cns, provider: provider)
.distinct(:group_id)
.pluck(:group_id)
::LdapGroupSyncWorker.perform_async(group_ids, provider) if group_ids.any?
end
end
end
end
end
end
...@@ -6,9 +6,16 @@ module EE ...@@ -6,9 +6,16 @@ module EE
extend ActiveSupport::Concern extend ActiveSupport::Concern
class_methods do class_methods do
extend ::Gitlab::Utils::Override
def group_sync_enabled? def group_sync_enabled?
enabled? && ::License.feature_available?(:ldap_group_sync) enabled? && ::License.feature_available?(:ldap_group_sync)
end end
override :_available_servers
def _available_servers
::License.feature_available?(:multiple_ldap_servers) ? servers : super
end
end end
end end
end end
......
module EE
module Gitlab
module Auth
module Saml
module Config
extend ActiveSupport::Concern
class_methods do
def required_groups
Array(options[:required_groups])
end
end
end
end
end
end
end
module EE
module Gitlab
module Auth
module Saml
module User
extend ::Gitlab::Utils::Override
override :find_user
def find_user
user = super
if user_in_required_group?
unblock_user(user, "in required group") if user.persisted? && user.blocked?
elsif user.persisted?
block_user(user, "not in required group") unless user.blocked?
else
user = nil
end
if user
# Check if there is overlap between the user's groups and the external groups
# setting then set user as external or internal.
user.admin = !(auth_hash.groups & saml_config.admin_groups).empty? if admin_groups_enabled?
end
user
end
protected
def block_user(user, reason)
user.ldap_block
log_user_changes(user, "#{reason}, blocking")
end
def unblock_user(user, reason)
user.activate
log_user_changes(user, "#{reason}, unblocking")
end
def log_user_changes(user, message)
::Gitlab::AppLogger.info(
"SAML(#{auth_hash.provider}) account \"#{auth_hash.uid}\" #{message} " \
"Gitlab user \"#{user.name}\" (#{user.email})"
)
end
def user_in_required_group?
required_groups = saml_config.required_groups
required_groups.empty? || !(auth_hash.groups & required_groups).empty?
end
def admin_groups_enabled?
!saml_config.admin_groups.nil?
end
end
end
end
end
end
module EE
module Gitlab
module Auth
module UserAuthFinders
extend ActiveSupport::Concern
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by(token: token)
raise ::Gitlab::Auth::UnauthorizedError unless job
@job_token_authentication = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
end
end
end
end
This diff is collapsed.
require 'spec_helper'
describe Gitlab::Auth::Saml::User do
include LdapHelpers
include LoginHelpers
let(:saml_user) { described_class.new(auth_hash) }
let(:gl_user) { saml_user.gl_user }
let(:uid) { 'my-uid' }
let(:dn) { 'uid=user1,ou=people,dc=example' }
let(:provider) { 'saml' }
let(:raw_info_attr) { { 'groups' => %w(Developers Freelancers Designers) } }
let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash, extra: { raw_info: OneLogin::RubySaml::Attributes.new(raw_info_attr) }) }
let(:info_hash) do
{
name: 'John',
email: 'john@mail.com'
}
end
describe '#save' do
def stub_omniauth_config(messages)
allow(Gitlab.config.omniauth).to receive_messages(messages)
end
def stub_basic_saml_config
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', args: {} } })
end
def stub_saml_required_group_config(groups)
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', required_groups: groups, args: {} } })
end
def stub_saml_admin_group_config(groups)
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', admin_groups: groups, args: {} } })
end
before do
stub_basic_saml_config
end
describe 'account exists on server' do
before do
stub_omniauth_config({ allow_single_sign_on: ['saml'], auto_link_saml_user: true })
end
context 'admin groups' do
context 'are defined' do
it 'marks the user as admin' do
stub_saml_admin_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_truthy
end
end
before do
stub_saml_admin_group_config(%w(Admins))
end
context 'are defined but the user does not belong there' do
it 'does not mark the user as admin' do
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
context 'user was admin, now should not be' do
it 'makes user non admin' do
create(:user, email: 'john@mail.com', username: 'john').update_attribute('admin', true)
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
end
end
describe 'no account exists on server' do
context 'required groups' do
context 'not defined' do
it 'lets anyone in' do
saml_user.save
expect(gl_user).to be_valid
end
end
context 'are defined' do
before do
stub_omniauth_config(block_auto_created_users: false)
end
it 'lets members in' do
stub_saml_required_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
end
it 'unblocks already blocked members' do
stub_saml_required_group_config(%w(Developers))
saml_user.save.ldap_block
expect(saml_user.find_user).to be_active
end
it 'does not allow non-members' do
stub_saml_required_group_config(%w(ArchitectureAstronauts))
expect { saml_user.save }.to raise_error Gitlab::Auth::OAuth::User::SignupDisabledError
end
it 'blocks non-members' do
orig_groups = auth_hash.extra.raw_info["groups"]
auth_hash.extra.raw_info.add("groups", "ArchitectureAstronauts")
stub_saml_required_group_config(%w(ArchitectureAstronauts))
saml_user.save
auth_hash.extra.raw_info.set("groups", orig_groups)
expect(saml_user.find_user).to be_ldap_blocked
end
end
end
context 'admin groups' do
context 'are defined' do
it 'marks the user as admin' do
stub_saml_admin_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_truthy
end
end
context 'are defined but the user does not belong there' do
it 'does not mark the user as admin' do
stub_saml_admin_group_config(%w(Admins))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
end
end
end
end
require 'spec_helper'
describe Gitlab::Auth::UserAuthFinders do
include described_class
let(:user) { create(:user) }
let(:env) do
{
'rack.input' => ''
}
end
let(:request) { Rack::Request.new(env)}
let(:params) { request.params }
def set_param(key, value)
request.update_param(key, value)
end
describe '#find_user_from_job_token' do
let(:job) { create(:ci_build, user: user) }
shared_examples 'find user from job token' do
context 'when route is allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: true } }
it "returns an Unauthorized exception for an invalid token" do
set_token('invalid token')
expect { find_user_from_job_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end
it "return user if token is valid" do
set_token(job.token)
expect(find_user_from_job_token).to eq(user)
end
end
context 'when route is not allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: false } }
it "sets current_user to nil" do
set_token(job.token)
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
expect(find_user_from_job_token).to be_nil
end
end
end
context 'when the job token is in the headers' do
def set_token(token)
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = token
end
it_behaves_like 'find user from job token'
end
context 'when the job token is in the params' do
def set_token(token)
set_param(Gitlab::Auth::UserAuthFinders::JOB_TOKEN_PARAM, token)
end
it_behaves_like 'find user from job token'
end
end
end
...@@ -6,6 +6,8 @@ module Gitlab ...@@ -6,6 +6,8 @@ module Gitlab
module Auth module Auth
module LDAP module LDAP
class Access class Access
prepend ::EE::Gitlab::Auth::LDAP::Access
attr_reader :provider, :user, :ldap_identity attr_reader :provider, :user, :ldap_identity
def self.open(user, &block) def self.open(user, &block)
...@@ -33,7 +35,7 @@ module Gitlab ...@@ -33,7 +35,7 @@ module Gitlab
@adapter = adapter @adapter = adapter
@user = user @user = user
@ldap_identity = user.ldap_identity @ldap_identity = user.ldap_identity
@provider = adapter&.provider || @ldap_identity&.provider @provider = adapter&.provider || ldap_identity&.provider
end end
def allowed? def allowed?
...@@ -69,17 +71,12 @@ module Gitlab ...@@ -69,17 +71,12 @@ module Gitlab
end end
def find_ldap_user def find_ldap_user
return unless provider Gitlab::Auth::LDAP::Person.find_by_dn(ldap_identity.extern_uid, adapter)
found_user = Gitlab::Auth::LDAP::Person.find_by_dn(ldap_identity.extern_uid, adapter)
return found_user if found_user
if ldap_identity
Gitlab::Auth::LDAP::Person.find_by_email(user.email, adapter)
end
end end
def ldap_user def ldap_user
return unless provider
@ldap_user ||= find_ldap_user @ldap_user ||= find_ldap_user
end end
...@@ -109,108 +106,7 @@ module Gitlab ...@@ -109,108 +106,7 @@ module Gitlab
end end
def update_user def update_user
update_email # no-op in CE
update_memberships
update_identity
update_ssh_keys if sync_ssh_keys?
update_kerberos_identity if import_kerberos_identities?
end
# Update user ssh keys if they changed in LDAP
def update_ssh_keys
remove_old_ssh_keys
add_new_ssh_keys
end
# Add ssh keys that are in LDAP but not in GitLab
def add_new_ssh_keys
keys = ldap_user.ssh_keys - user.keys.ldap.pluck(:key)
keys.each do |key|
logger.info "#{self.class.name}: adding LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})"
new_key = LDAPKey.new(title: "LDAP - #{ldap_config.sync_ssh_keys}", key: key)
new_key.user = user
unless new_key.save
logger.error "#{self.class.name}: failed to add LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})\n"\
"error messages: #{new_key.errors.messages}"
end
end
end
# Remove ssh keys that do not exist in LDAP any more
def remove_old_ssh_keys
keys = user.keys.ldap.where.not(key: ldap_user.ssh_keys)
keys.each do |deleted_key|
logger.info "#{self.class.name}: removing LDAP SSH key #{deleted_key.key} from #{user.name} (#{user.id})"
unless deleted_key.destroy
logger.error "#{self.class.name}: failed to remove LDAP SSH key #{key.inspect} from #{user.name} (#{user.id})"
end
end
end
# Update user Kerberos identity with Kerberos principal name from Active Directory
def update_kerberos_identity
# there can be only one Kerberos identity in GitLab; if the user has a Kerberos identity in AD,
# replace any existing Kerberos identity for the user
return unless ldap_user.kerberos_principal.present?
kerberos_identity = user.identities.where(provider: :kerberos).first
return if kerberos_identity && kerberos_identity.extern_uid == ldap_user.kerberos_principal
kerberos_identity ||= Identity.new(provider: :kerberos, user: user)
kerberos_identity.extern_uid = ldap_user.kerberos_principal
unless kerberos_identity.save
Rails.logger.error "#{self.class.name}: failed to add Kerberos principal #{principal} to #{user.name} (#{user.id})\n"\
"error messages: #{new_identity.errors.messages}"
end
end
# Update user email if it changed in LDAP
def update_email
return false unless ldap_user.try(:email)
ldap_email = ldap_user.email.last.to_s.downcase
return false if user.email == ldap_email
Users::UpdateService.new(user, user: user, email: ldap_email).execute do |user|
user.skip_reconfirmation!
end
end
def update_identity
return if ldap_user.dn.empty? || ldap_user.dn == ldap_identity.extern_uid
unless ldap_identity.update(extern_uid: ldap_user.dn)
Rails.logger.error "Could not update DN for #{user.name} (#{user.id})\n"\
"error messages: #{user.ldap_identity.errors.messages}"
end
end
delegate :sync_ssh_keys?, to: :ldap_config
def import_kerberos_identities?
# Kerberos may be enabled for Git HTTP access and/or as an Omniauth provider
ldap_config.active_directory && (Gitlab.config.kerberos.enabled || AuthHelper.kerberos_enabled? )
end
def update_memberships
return if ldap_user.nil? || ldap_user.group_cns.empty?
group_ids = LdapGroupLink.where(cn: ldap_user.group_cns, provider: provider)
.distinct(:group_id)
.pluck(:group_id)
LdapGroupSyncWorker.perform_async(group_ids, provider) if group_ids.any?
end
private
def logger
Rails.logger
end end
end end
end end
......
...@@ -3,7 +3,7 @@ module Gitlab ...@@ -3,7 +3,7 @@ module Gitlab
module Auth module Auth
module LDAP module LDAP
class Config class Config
include ::EE::Gitlab::Auth::LDAP::Config prepend ::EE::Gitlab::Auth::LDAP::Config
NET_LDAP_ENCRYPTION_METHOD = { NET_LDAP_ENCRYPTION_METHOD = {
simple_tls: :simple_tls, simple_tls: :simple_tls,
...@@ -26,7 +26,11 @@ module Gitlab ...@@ -26,7 +26,11 @@ module Gitlab
def self.available_servers def self.available_servers
return [] unless enabled? return [] unless enabled?
::License.feature_available?(:multiple_ldap_servers) ? servers : Array.wrap(servers.first) _available_servers
end
def self._available_servers
Array.wrap(servers.first)
end end
def self.providers def self.providers
......
# Contains methods common to both GitLab CE and EE.
# All EE methods should be in `EE::Gitlab::Auth::LDAP::Person` only.
module Gitlab module Gitlab
module Auth module Auth
module LDAP module LDAP
......
...@@ -2,6 +2,8 @@ module Gitlab ...@@ -2,6 +2,8 @@ module Gitlab
module Auth module Auth
module Saml module Saml
class Config class Config
prepend ::EE::Gitlab::Auth::Saml::Config
class << self class << self
def options def options
Gitlab::Auth::OAuth::Provider.config_for('saml') Gitlab::Auth::OAuth::Provider.config_for('saml')
...@@ -15,10 +17,6 @@ module Gitlab ...@@ -15,10 +17,6 @@ module Gitlab
options[:external_groups] options[:external_groups]
end end
def required_groups
Array(options[:required_groups])
end
def admin_groups def admin_groups
options[:admin_groups] options[:admin_groups]
end end
......
...@@ -7,6 +7,8 @@ module Gitlab ...@@ -7,6 +7,8 @@ module Gitlab
module Auth module Auth
module Saml module Saml
class User < Gitlab::Auth::OAuth::User class User < Gitlab::Auth::OAuth::User
prepend ::EE::Gitlab::Auth::Saml::User
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
def save def save
...@@ -20,17 +22,8 @@ module Gitlab ...@@ -20,17 +22,8 @@ module Gitlab
user ||= find_or_build_ldap_user if auto_link_ldap_user? user ||= find_or_build_ldap_user if auto_link_ldap_user?
user ||= build_new_user if signup_enabled? user ||= build_new_user if signup_enabled?
if user_in_required_group?
unblock_user(user, "in required group") if user.persisted? && user.blocked?
elsif user.persisted?
block_user(user, "not in required group") unless user.blocked?
else
user = nil
end
if user if user
user.external = !(auth_hash.groups & saml_config.external_groups).empty? if external_users_enabled? user.external = !(auth_hash.groups & saml_config.external_groups).empty? if external_users_enabled?
user.admin = !(auth_hash.groups & saml_config.admin_groups).empty? if admin_groups_enabled?
end end
user user
...@@ -49,28 +42,6 @@ module Gitlab ...@@ -49,28 +42,6 @@ module Gitlab
Gitlab::Auth::Saml::Config Gitlab::Auth::Saml::Config
end end
def block_user(user, reason)
user.ldap_block
log_user_changes(user, "#{reason}, blocking")
end
def unblock_user(user, reason)
user.activate
log_user_changes(user, "#{reason}, unblocking")
end
def log_user_changes(user, message)
Gitlab::AppLogger.info(
"SAML(#{auth_hash.provider}) account \"#{auth_hash.uid}\" #{message} " \
"Gitlab user \"#{user.name}\" (#{user.email})"
)
end
def user_in_required_group?
required_groups = saml_config.required_groups
required_groups.empty? || !(auth_hash.groups & required_groups).empty?
end
def auto_link_saml_user? def auto_link_saml_user?
Gitlab.config.omniauth.auto_link_saml_user Gitlab.config.omniauth.auto_link_saml_user
end end
...@@ -82,10 +53,6 @@ module Gitlab ...@@ -82,10 +53,6 @@ module Gitlab
def auth_hash=(auth_hash) def auth_hash=(auth_hash)
@auth_hash = Gitlab::Auth::Saml::AuthHash.new(auth_hash) @auth_hash = Gitlab::Auth::Saml::AuthHash.new(auth_hash)
end end
def admin_groups_enabled?
!saml_config.admin_groups.nil?
end
end end
end end
end end
......
module Gitlab module Gitlab
module Auth module Auth
#
# Exceptions
#
AuthenticationError = Class.new(StandardError) AuthenticationError = Class.new(StandardError)
MissingTokenError = Class.new(AuthenticationError) MissingTokenError = Class.new(AuthenticationError)
TokenNotFoundError = Class.new(AuthenticationError) TokenNotFoundError = Class.new(AuthenticationError)
...@@ -19,12 +15,12 @@ module Gitlab ...@@ -19,12 +15,12 @@ module Gitlab
end end
module UserAuthFinders module UserAuthFinders
prepend ::EE::Gitlab::Auth::UserAuthFinders
include Gitlab::Utils::StrongMemoize include Gitlab::Utils::StrongMemoize
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
PRIVATE_TOKEN_PARAM = :private_token PRIVATE_TOKEN_PARAM = :private_token
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
# Check the Rails session for valid authentication details # Check the Rails session for valid authentication details
def find_user_from_warden def find_user_from_warden
...@@ -48,20 +44,6 @@ module Gitlab ...@@ -48,20 +44,6 @@ module Gitlab
access_token.user || raise(UnauthorizedError) access_token.user || raise(UnauthorizedError)
end end
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by(token: token)
raise UnauthorizedError unless job
@job_token_authentication = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
def validate_access_token!(scopes: []) def validate_access_token!(scopes: [])
return unless access_token return unless access_token
......
This diff is collapsed.
...@@ -23,7 +23,7 @@ describe Gitlab::Auth::LDAP::Config do ...@@ -23,7 +23,7 @@ describe Gitlab::Auth::LDAP::Config do
end end
it 'raises an error if a unknown provider is used' do it 'raises an error if a unknown provider is used' do
expect { described_class.new 'unknown' }.to raise_error(Gitlab::Auth::LDAP::Config::InvalidProvider) expect { described_class.new 'unknown' }.to raise_error(described_class::InvalidProvider)
end end
end end
......
...@@ -20,26 +20,6 @@ describe Gitlab::Auth::Saml::User do ...@@ -20,26 +20,6 @@ describe Gitlab::Auth::Saml::User do
let(:ldap_user) { Gitlab::Auth::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain') } let(:ldap_user) { Gitlab::Auth::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
describe '#save' do describe '#save' do
def stub_omniauth_config(messages)
allow(Gitlab.config.omniauth).to receive_messages(messages)
end
def stub_basic_saml_config
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', args: {} } })
end
def stub_saml_group_config(groups)
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', external_groups: groups, args: {} } })
end
def stub_saml_required_group_config(groups)
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', required_groups: groups, args: {} } })
end
def stub_saml_admin_group_config(groups)
allow(Gitlab::Auth::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', admin_groups: groups, args: {} } })
end
before do before do
stub_basic_saml_config stub_basic_saml_config
end end
...@@ -93,38 +73,6 @@ describe Gitlab::Auth::Saml::User do ...@@ -93,38 +73,6 @@ describe Gitlab::Auth::Saml::User do
end end
end end
end end
context 'admin groups' do
context 'are defined' do
it 'marks the user as admin' do
stub_saml_admin_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_truthy
end
end
before do
stub_saml_admin_group_config(%w(Admins))
end
context 'are defined but the user does not belong there' do
it 'does not mark the user as admin' do
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
context 'user was admin, now should not be' do
it 'makes user non admin' do
existing_user.update_attribute('admin', true)
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
end
end end
describe 'no account exists on server' do describe 'no account exists on server' do
...@@ -185,67 +133,6 @@ describe Gitlab::Auth::Saml::User do ...@@ -185,67 +133,6 @@ describe Gitlab::Auth::Saml::User do
end end
end end
context 'required groups' do
context 'not defined' do
it 'lets anyone in' do
saml_user.save
expect(gl_user).to be_valid
end
end
context 'are defined' do
before do
stub_omniauth_config(block_auto_created_users: false)
end
it 'lets members in' do
stub_saml_required_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
end
it 'unblocks already blocked members' do
stub_saml_required_group_config(%w(Developers))
saml_user.save.ldap_block
expect(saml_user.find_user).to be_active
end
it 'does not allow non-members' do
stub_saml_required_group_config(%w(ArchitectureAstronauts))
expect { saml_user.save }.to raise_error Gitlab::Auth::OAuth::User::SignupDisabledError
end
it 'blocks non-members' do
orig_groups = auth_hash.extra.raw_info["groups"]
auth_hash.extra.raw_info.add("groups", "ArchitectureAstronauts")
stub_saml_required_group_config(%w(ArchitectureAstronauts))
saml_user.save
auth_hash.extra.raw_info.set("groups", orig_groups)
expect(saml_user.find_user).to be_ldap_blocked
end
end
end
context 'admin groups' do
context 'are defined' do
it 'marks the user as admin' do
stub_saml_admin_group_config(%w(Developers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_truthy
end
end
context 'are defined but the user does not belong there' do
it 'does not mark the user as admin' do
stub_saml_admin_group_config(%w(Admins))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.admin).to be_falsey
end
end
end
context 'with auto_link_ldap_user disabled (default)' do context 'with auto_link_ldap_user disabled (default)' do
before do before do
stub_omniauth_config({ auto_link_ldap_user: false, auto_link_saml_user: false, allow_single_sign_on: ['saml'] }) stub_omniauth_config({ auto_link_ldap_user: false, auto_link_saml_user: false, allow_single_sign_on: ['saml'] })
......
...@@ -10,7 +10,6 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -10,7 +10,6 @@ describe Gitlab::Auth::UserAuthFinders do
} }
end end
let(:request) { Rack::Request.new(env)} let(:request) { Rack::Request.new(env)}
let(:params) { request.params }
def set_param(key, value) def set_param(key, value)
request.update_param(key, value) request.update_param(key, value)
...@@ -112,55 +111,6 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -112,55 +111,6 @@ describe Gitlab::Auth::UserAuthFinders do
end end
end end
describe '#find_user_from_job_token' do
let(:job) { create(:ci_build, user: user) }
shared_examples 'find user from job token' do
context 'when route is allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: true } }
it "returns an Unauthorized exception for an invalid token" do
set_token('invalid token')
expect { find_user_from_job_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end
it "return user if token is valid" do
set_token(job.token)
expect(find_user_from_job_token).to eq(user)
end
end
context 'when route is not allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: false } }
it "sets current_user to nil" do
set_token(job.token)
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
expect(find_user_from_job_token).to be_nil
end
end
end
context 'when the job token is in the headers' do
def set_token(token)
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = token
end
it_behaves_like 'find user from job token'
end
context 'when the job token is in the params' do
def set_token(token)
set_param(Gitlab::Auth::UserAuthFinders::JOB_TOKEN_PARAM, token)
end
it_behaves_like 'find user from job token'
end
end
describe '#find_personal_access_token' do describe '#find_personal_access_token' do
let(:personal_access_token) { create(:personal_access_token, user: user) } let(:personal_access_token) { create(:personal_access_token, user: user) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment