Refactor admin PAT creation for LDAP scenarios

cd2621bb · Mark Lapierre · 79837d18 · cd2621bb · cd2621bb · cd2621bb
Commit cd2621bb authored Sep 15, 2021 by Mark Lapierre
6 changed files
--- a/qa/qa/flow/login.rb
+++ b/qa/qa/flow/login.rb
@@ -5,10 +5,10 @@ module QA
    module Login
      module_function

-      def while_signed_in(as: nil, address: :gitlab)
+      def while_signed_in(as: nil, address: :gitlab, admin: false)
        Page::Main::Menu.perform(&:sign_out_if_signed_in)

-        sign_in(as: as, address: address)
+        sign_in(as: as, address: address, admin: admin)

        result = yield

@@ -17,19 +17,25 @@ module QA
      end

      def while_signed_in_as_admin(address: :gitlab)
-        while_signed_in(as: Runtime::User.admin, address: address) do
+        while_signed_in(address: address, admin: true) do
          yield
        end
      end

-      def sign_in(as: nil, address: :gitlab, skip_page_validation: false)
+      def sign_in(as: nil, address: :gitlab, skip_page_validation: false, admin: false)
        Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform(&:signed_in?)
        Runtime::Browser.visit(address, Page::Main::Login)
-        Page::Main::Login.perform { |login| login.sign_in_using_credentials(user: as, skip_page_validation: skip_page_validation) }
+        Page::Main::Login.perform do |login|
+          if admin
+            login.sign_in_using_admin_credentials
+          else
+            login.sign_in_using_credentials(user: as, skip_page_validation: skip_page_validation)
+          end
+        end
      end

      def sign_in_as_admin(address: :gitlab)
-        sign_in(as: Runtime::User.admin, address: address)
+        sign_in(as: Runtime::User.admin, address: address, admin: true)
      end

      def sign_in_unless_signed_in(as: nil, address: :gitlab)

--- a/qa/qa/page/main/login.rb
+++ b/qa/qa/page/main/login.rb
@@ -53,7 +53,7 @@ module QA
            set_initial_password_if_present

            if Runtime::User.ldap_user? && user && user.username != Runtime::User.ldap_username
-              raise 'If an LDAP user is provided, it must be used for sign-in', QA::Resource::User::InvalidUserError
+              raise QA::Resource::User::InvalidUserError, 'If an LDAP user is provided, it must be used for sign-in'
            end

            if Runtime::User.ldap_user?

--- a/qa/qa/resource/user.rb
+++ b/qa/qa/resource/user.rb
@@ -187,7 +187,8 @@ module QA
      end

      def fetching_own_data?
-        api_user&.username == username || Runtime::User.username == username
+        runtime_username = Runtime::User.ldap_user? ? Runtime::User.ldap_username : Runtime::User.username
+        api_user&.username == username || runtime_username == username
      end
    end
  end

--- a/qa/qa/runtime/api/client.rb
+++ b/qa/qa/runtime/api/client.rb
@@ -36,16 +36,28 @@ module QA
            if Runtime::Env.admin_personal_access_token
              Runtime::API::Client.new(:gitlab, personal_access_token: Runtime::Env.admin_personal_access_token)
            else
-              user = Resource::User.fabricate_via_api! do |user|
-                user.username = Runtime::User.admin_username
-                user.password = Runtime::User.admin_password
+              # To return an API client that has admin access, we need a user with admin access to confirm that
+              # the API client user has admin access.
+              client = nil
+              Flow::Login.while_signed_in_as_admin do
+                admin_token = Resource::PersonalAccessToken.fabricate! do |pat|
+                  pat.user = Runtime::User.admin
+                end.token
+
+                client = Runtime::API::Client.new(:gitlab, personal_access_token: admin_token)
+
+                user = QA::Resource::User.init do |user|
+                  user.username = QA::Runtime::User.admin_username
+                  user.password = QA::Runtime::User.admin_password
+                  user.api_client = client
+                end.reload!
+
+                unless user.admin? # rubocop: disable Cop/UserAdmin
+                  raise AuthorizationError, "User '#{user.username}' is not an administrator."
+                end
              end

-              unless user.admin?
-                raise AuthorizationError, "User '#{user.username}' is not an administrator."
-              end
-
-              Runtime::API::Client.new(:gitlab, user: user)
+              client
            end
          end
        end

--- a/qa/qa/runtime/user.rb
+++ b/qa/qa/runtime/user.rb
@@ -34,7 +34,7 @@ module QA
      end

      def ldap_user?
-        Runtime::Env.ldap_username && Runtime::Env.ldap_password
+        Runtime::Env.ldap_username.present? && Runtime::Env.ldap_password.present?
      end

      def ldap_username

--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_ldap_sync_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_ldap_sync_spec.rb
@@ -5,45 +5,24 @@ module QA
    describe 'LDAP Group sync' do
      include Support::API

+      let(:root_group) do
+        Resource::Sandbox.fabricate_via_api! do |resource|
+          resource.path = "group_sync_root_group-#{SecureRandom.hex(4)}"
+        end
+      end
+
      let(:group) do
        Resource::Group.fabricate_via_api! do |resource|
+          resource.sandbox = root_group
          resource.path = "#{group_name}-#{SecureRandom.hex(4)}"
        end
      end

-      before(:all) do
-        @original_personal_access_token = Runtime::Env.personal_access_token
-
-        # We need to nil out any existing personal token generated for the non-admin LDAP user and also set
-        # Runtime::Env.ldap_username=nil so that it is not used to create the api client.
-        Runtime::Env.personal_access_token = nil
-        ldap_username = Runtime::Env.ldap_username
-        Runtime::Env.ldap_username = nil
-        @admin_api_client = Runtime::API::Client.as_admin
-        Runtime::Feature.enable(:invite_members_group_modal)
-        Runtime::Env.ldap_username = ldap_username
-
-        # Create the sandbox group as the LDAP user. Without this the admin user
-        # would own the sandbox group and then in subsequent tests the LDAP user
-        # would not have enough permission to push etc.
-        Resource::Sandbox.fabricate_via_api!
-
-        Page::Main::Menu.perform do |menu|
-          menu.sign_out if menu.has_personal_area?
+      after do |example|
+        # If a test fails leave the groups so we can investigate them
+        unless example.exception
+          root_group.remove_via_api!
        end
-
-        Runtime::Browser.visit(:gitlab, Page::Main::Login)
-        Page::Main::Login.perform(&:sign_in_using_admin_credentials)
-
-        Runtime::Env.personal_access_token = Resource::PersonalAccessToken.fabricate!.token
-        Page::Main::Menu.perform(&:sign_out)
-      end
-
-      after(:all) do
-        # Restore the original personal access token so that subsequent tests
-        # don't perform API calls as an admin user while logged in as a non-root
-        # LDAP user
-        Runtime::Env.personal_access_token = @original_personal_access_token
      end

      context 'using group cn method' do
@@ -169,7 +148,7 @@ module QA
            resource.email = user[:email]
            resource.extern_uid = user[:extern_uid]
            resource.provider = user[:provider]
-            resource.api_client = @admin_api_client
+            resource.api_client = Runtime::API::Client.as_admin
          end
        end
        created_users