Commit f7b2745c authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'revert-7a281c5d' into 'master'

Revert merge of admin mode for sidekiq jobs

Closes #201891

See merge request gitlab-org/gitlab!24372
parents b156ca8b 408faf2c
...@@ -37,7 +37,6 @@ class ApplicationController < ActionController::Base ...@@ -37,7 +37,6 @@ class ApplicationController < ActionController::Base
around_action :set_current_context around_action :set_current_context
around_action :set_locale around_action :set_locale
around_action :set_session_storage around_action :set_session_storage
around_action :set_current_admin
after_action :set_page_title_header, if: :json_request? after_action :set_page_title_header, if: :json_request?
after_action :limit_session_time, if: -> { !current_user } after_action :limit_session_time, if: -> { !current_user }
...@@ -474,13 +473,6 @@ class ApplicationController < ActionController::Base ...@@ -474,13 +473,6 @@ class ApplicationController < ActionController::Base
response.headers['Page-Title'] = URI.escape(page_title('GitLab')) response.headers['Page-Title'] = URI.escape(page_title('GitLab'))
end end
def set_current_admin(&block)
return yield unless Feature.enabled?(:user_mode_in_session)
return yield unless current_user
Gitlab::Auth::CurrentUserMode.with_current_admin(current_user, &block)
end
def html_request? def html_request?
request.format.html? request.format.html?
end end
......
---
title: Admin mode support in sidekiq jobs
merge_request: 21792
author: Diego Louzán
type: changed
...@@ -10,54 +10,12 @@ module Gitlab ...@@ -10,54 +10,12 @@ module Gitlab
class CurrentUserMode class CurrentUserMode
NotRequestedError = Class.new(StandardError) NotRequestedError = Class.new(StandardError)
# RequestStore entries
CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY = { res: :current_user_mode, data: :bypass_session_admin_id }.freeze
CURRENT_REQUEST_ADMIN_MODE_USER_RS_KEY = { res: :current_user_mode, data: :current_admin }.freeze
# SessionStore entries
SESSION_STORE_KEY = :current_user_mode SESSION_STORE_KEY = :current_user_mode
ADMIN_MODE_START_TIME_KEY = :admin_mode ADMIN_MODE_START_TIME_KEY = 'admin_mode'
ADMIN_MODE_REQUESTED_TIME_KEY = :admin_mode_requested ADMIN_MODE_REQUESTED_TIME_KEY = 'admin_mode_requested'
MAX_ADMIN_MODE_TIME = 6.hours MAX_ADMIN_MODE_TIME = 6.hours
ADMIN_MODE_REQUESTED_GRACE_PERIOD = 5.minutes ADMIN_MODE_REQUESTED_GRACE_PERIOD = 5.minutes
class << self
# Admin mode activation requires storing a flag in the user session. Using this
# method when scheduling jobs in Sidekiq will bypass the session check for a
# user that was already in admin mode
def bypass_session!(admin_id)
Gitlab::SafeRequestStore[CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY] = admin_id
Gitlab::AppLogger.debug("Bypassing session in admin mode for: #{admin_id}")
yield
ensure
Gitlab::SafeRequestStore.delete(CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY)
end
def bypass_session_admin_id
Gitlab::SafeRequestStore[CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY]
end
# Store in the current request the provided user model (only if in admin mode)
# and yield
def with_current_admin(admin)
return yield unless self.new(admin).admin_mode?
Gitlab::SafeRequestStore[CURRENT_REQUEST_ADMIN_MODE_USER_RS_KEY] = admin
Gitlab::AppLogger.debug("Admin mode active for: #{admin.username}")
yield
ensure
Gitlab::SafeRequestStore.delete(CURRENT_REQUEST_ADMIN_MODE_USER_RS_KEY)
end
def current_admin
Gitlab::SafeRequestStore[CURRENT_REQUEST_ADMIN_MODE_USER_RS_KEY]
end
end
def initialize(user) def initialize(user)
@user = user @user = user
end end
...@@ -84,7 +42,7 @@ module Gitlab ...@@ -84,7 +42,7 @@ module Gitlab
raise NotRequestedError unless admin_mode_requested? raise NotRequestedError unless admin_mode_requested?
reset_request_store_cache_entries reset_request_store
current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil
current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now
...@@ -97,7 +55,7 @@ module Gitlab ...@@ -97,7 +55,7 @@ module Gitlab
def disable_admin_mode! def disable_admin_mode!
return unless user&.admin? return unless user&.admin?
reset_request_store_cache_entries reset_request_store
current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil
current_session_data[ADMIN_MODE_START_TIME_KEY] = nil current_session_data[ADMIN_MODE_START_TIME_KEY] = nil
...@@ -106,7 +64,7 @@ module Gitlab ...@@ -106,7 +64,7 @@ module Gitlab
def request_admin_mode! def request_admin_mode!
return unless user&.admin? return unless user&.admin?
reset_request_store_cache_entries reset_request_store
current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = Time.now current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = Time.now
end end
...@@ -115,12 +73,10 @@ module Gitlab ...@@ -115,12 +73,10 @@ module Gitlab
attr_reader :user attr_reader :user
# RequestStore entry to cache #admin_mode? result
def admin_mode_rs_key def admin_mode_rs_key
@admin_mode_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode? } @admin_mode_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode? }
end end
# RequestStore entry to cache #admin_mode_requested? result
def admin_mode_requested_rs_key def admin_mode_requested_rs_key
@admin_mode_requested_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode_requested? } @admin_mode_requested_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode_requested? }
end end
...@@ -130,7 +86,6 @@ module Gitlab ...@@ -130,7 +86,6 @@ module Gitlab
end end
def any_session_with_admin_mode? def any_session_with_admin_mode?
return true if bypass_session?
return true if current_session_data.initiated? && current_session_data[ADMIN_MODE_START_TIME_KEY].to_i > MAX_ADMIN_MODE_TIME.ago.to_i return true if current_session_data.initiated? && current_session_data[ADMIN_MODE_START_TIME_KEY].to_i > MAX_ADMIN_MODE_TIME.ago.to_i
all_sessions.any? do |session| all_sessions.any? do |session|
...@@ -148,11 +103,7 @@ module Gitlab ...@@ -148,11 +103,7 @@ module Gitlab
current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY].to_i > ADMIN_MODE_REQUESTED_GRACE_PERIOD.ago.to_i current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY].to_i > ADMIN_MODE_REQUESTED_GRACE_PERIOD.ago.to_i
end end
def bypass_session? def reset_request_store
user&.id && user.id == self.class.bypass_session_admin_id
end
def reset_request_store_cache_entries
Gitlab::SafeRequestStore.delete(admin_mode_rs_key) Gitlab::SafeRequestStore.delete(admin_mode_rs_key)
Gitlab::SafeRequestStore.delete(admin_mode_requested_rs_key) Gitlab::SafeRequestStore.delete(admin_mode_requested_rs_key)
end end
......
...@@ -17,7 +17,6 @@ module Gitlab ...@@ -17,7 +17,6 @@ module Gitlab
chain.add Gitlab::SidekiqMiddleware::BatchLoader chain.add Gitlab::SidekiqMiddleware::BatchLoader
chain.add Labkit::Middleware::Sidekiq::Server chain.add Labkit::Middleware::Sidekiq::Server
chain.add Gitlab::SidekiqMiddleware::InstrumentationLogger chain.add Gitlab::SidekiqMiddleware::InstrumentationLogger
chain.add Gitlab::SidekiqMiddleware::AdminMode::Server
chain.add Gitlab::SidekiqStatus::ServerMiddleware chain.add Gitlab::SidekiqStatus::ServerMiddleware
chain.add Gitlab::SidekiqMiddleware::WorkerContext::Server chain.add Gitlab::SidekiqMiddleware::WorkerContext::Server
end end
...@@ -32,7 +31,6 @@ module Gitlab ...@@ -32,7 +31,6 @@ module Gitlab
chain.add Gitlab::SidekiqMiddleware::ClientMetrics chain.add Gitlab::SidekiqMiddleware::ClientMetrics
chain.add Gitlab::SidekiqMiddleware::WorkerContext::Client # needs to be before the Labkit middleware chain.add Gitlab::SidekiqMiddleware::WorkerContext::Client # needs to be before the Labkit middleware
chain.add Labkit::Middleware::Sidekiq::Client chain.add Labkit::Middleware::Sidekiq::Client
chain.add Gitlab::SidekiqMiddleware::AdminMode::Client
end end
end end
end end
......
# frozen_string_literal: true
module Gitlab
module SidekiqMiddleware
module AdminMode
# Checks if admin mode is enabled for the request creating the sidekiq job
# by examining if admin mode has been enabled for the user
# If enabled then it injects a job field that persists through the job execution
class Client
def call(_worker_class, job, _queue, _redis_pool)
return yield unless Feature.enabled?(:user_mode_in_session)
# Admin mode enabled in the original request or in a nested sidekiq job
admin_mode_user_id = find_admin_user_id
if admin_mode_user_id
job['admin_mode_user_id'] ||= admin_mode_user_id
Gitlab::AppLogger.debug("AdminMode::Client injected admin mode for job: #{job.inspect}")
end
yield
end
private
def find_admin_user_id
Gitlab::Auth::CurrentUserMode.current_admin&.id ||
Gitlab::Auth::CurrentUserMode.bypass_session_admin_id
end
end
end
end
end
# frozen_string_literal: true
module Gitlab
module SidekiqMiddleware
module AdminMode
class Server
def call(_worker, job, _queue)
return yield unless Feature.enabled?(:user_mode_in_session)
admin_mode_user_id = job['admin_mode_user_id']
# Do not bypass session if this job was not enabled with admin mode on
return yield unless admin_mode_user_id
Gitlab::Auth::CurrentUserMode.bypass_session!(admin_mode_user_id) do
Gitlab::AppLogger.debug("AdminMode::Server bypasses session for admin mode in job: #{job.inspect}")
yield
end
end
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
# Test an operation that triggers background jobs requiring administrative rights
describe 'Admin mode for workers', :do_not_mock_admin_mode, :request_store, :clean_gitlab_redis_shared_state do
let(:user) { create(:user) }
let(:user_to_delete) { create(:user) }
before do
add_sidekiq_middleware
sign_in(user)
end
context 'as a regular user' do
it 'cannot delete user' do
visit admin_user_path(user_to_delete)
expect(page).to have_gitlab_http_status(:not_found)
end
end
context 'as an admin user' do
let(:user) { create(:admin) }
context 'when admin mode disabled' do
it 'cannot delete user', :js do
visit admin_user_path(user_to_delete)
expect(page).to have_content('Re-authentication required')
end
end
context 'when admin mode enabled', :delete do
before do
gitlab_enable_admin_mode_sign_in(user)
end
it 'can delete user', :js do
visit admin_user_path(user_to_delete)
click_button 'Delete user'
page.within '.modal-dialog' do
find("input[name='username']").send_keys(user_to_delete.name)
click_button 'Delete user'
wait_for_requests
end
expect(page).to have_content('The user is being deleted.')
# Perform jobs while logged out so that admin mode is only enabled in job metadata
execute_jobs_signed_out(user)
visit admin_user_path(user_to_delete)
expect(page).to have_title('Not Found')
end
end
end
def add_sidekiq_middleware
Sidekiq::Testing.server_middleware do |chain|
chain.add Gitlab::SidekiqMiddleware::AdminMode::Server
end
end
def execute_jobs_signed_out(user)
gitlab_sign_out
Sidekiq::Worker.drain_all
sign_in(user)
gitlab_enable_admin_mode_sign_in(user)
end
end
...@@ -2,64 +2,46 @@ ...@@ -2,64 +2,46 @@
require 'spec_helper' require 'spec_helper'
describe 'Admin uses repository checks', :request_store, :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do describe 'Admin uses repository checks' do
include StubENV include StubENV
let(:admin) { create(:admin) }
before do before do
stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false') stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
sign_in(admin) sign_in(create(:admin))
end end
context 'when admin mode is disabled' do it 'to trigger a single check' do
it 'admin project page requires admin mode' do project = create(:project)
project = create(:project) visit_admin_project_page(project)
visit_admin_project_page(project)
expect(page).not_to have_css('.repository-check') page.within('.repository-check') do
expect(page).to have_content('Enter Admin Mode') click_button 'Trigger repository check'
end end
end
context 'when admin mode is enabled' do
before do
gitlab_enable_admin_mode_sign_in(admin)
end
it 'to trigger a single check', :js do
project = create(:project)
visit_admin_project_page(project)
page.within('.repository-check') do expect(page).to have_content('Repository check was triggered')
click_button 'Trigger repository check' end
end
expect(page).to have_content('Repository check was triggered')
end
it 'to see a single failed repository check', :js do it 'to see a single failed repository check', :js do
project = create(:project) project = create(:project)
project.update_columns( project.update_columns(
last_repository_check_failed: true, last_repository_check_failed: true,
last_repository_check_at: Time.now last_repository_check_at: Time.now
) )
visit_admin_project_page(project) visit_admin_project_page(project)
page.within('.alert') do page.within('.alert') do
expect(page.text).to match(/Last repository check \(just now\) failed/) expect(page.text).to match(/Last repository check \(just now\) failed/)
end
end end
end
it 'to clear all repository checks', :js do it 'to clear all repository checks', :js do
visit repository_admin_application_settings_path visit repository_admin_application_settings_path
expect(RepositoryCheck::ClearWorker).to receive(:perform_async) expect(RepositoryCheck::ClearWorker).to receive(:perform_async)
accept_confirm { find(:link, 'Clear all repository checks').send_keys(:return) } accept_confirm { find(:link, 'Clear all repository checks').send_keys(:return) }
expect(page).to have_content('Started asynchronous removal of all repository check states.') expect(page).to have_content('Started asynchronous removal of all repository check states.')
end
end end
def visit_admin_project_page(project) def visit_admin_project_page(project)
......
...@@ -2,10 +2,10 @@ ...@@ -2,10 +2,10 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode do
include_context 'custom session' include_context 'custom session'
let(:user) { build_stubbed(:user) } let(:user) { build(:user) }
subject { described_class.new(user) } subject { described_class.new(user) }
...@@ -13,66 +13,54 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store ...@@ -13,66 +13,54 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store
allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session]) allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session])
end end
shared_examples 'admin mode cannot be enabled' do describe '#admin_mode?', :request_store do
it 'is false by default' do context 'when the user is a regular user' do
expect(subject.admin_mode?).to be(false) it 'is false by default' do
end expect(subject.admin_mode?).to be(false)
end
it 'cannot be enabled with a valid password' do
subject.enable_admin_mode!(password: user.password)
expect(subject.admin_mode?).to be(false)
end
it 'cannot be enabled with an invalid password' do
subject.enable_admin_mode!(password: nil)
expect(subject.admin_mode?).to be(false)
end
it 'cannot be enabled with empty params' do it 'cannot be enabled with a valid password' do
subject.enable_admin_mode! subject.enable_admin_mode!(password: user.password)
expect(subject.admin_mode?).to be(false) expect(subject.admin_mode?).to be(false)
end end
it 'disable has no effect' do it 'cannot be enabled with an invalid password' do
subject.enable_admin_mode! subject.enable_admin_mode!(password: nil)
subject.disable_admin_mode!
expect(subject.admin_mode?).to be(false) expect(subject.admin_mode?).to be(false)
end end
context 'skipping password validation' do it 'cannot be enabled with empty params' do
it 'cannot be enabled with a valid password' do subject.enable_admin_mode!
subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
expect(subject.admin_mode?).to be(false) expect(subject.admin_mode?).to be(false)
end end
it 'cannot be enabled with an invalid password' do it 'disable has no effect' do
subject.enable_admin_mode!(skip_password_validation: true) subject.enable_admin_mode!
subject.disable_admin_mode!
expect(subject.admin_mode?).to be(false) expect(subject.admin_mode?).to be(false)
end end
end
end
describe '#admin_mode?' do context 'skipping password validation' do
context 'when the user is a regular user' do it 'cannot be enabled with a valid password' do
it_behaves_like 'admin mode cannot be enabled' subject.enable_admin_mode!(password: user.password, skip_password_validation: true)
context 'bypassing session' do expect(subject.admin_mode?).to be(false)
it_behaves_like 'admin mode cannot be enabled' do end
around do |example|
described_class.bypass_session!(user.id) { example.run } it 'cannot be enabled with an invalid password' do
end subject.enable_admin_mode!(skip_password_validation: true)
expect(subject.admin_mode?).to be(false)
end end
end end
end end
context 'when the user is an admin' do context 'when the user is an admin' do
let(:user) { build_stubbed(:user, :admin) } let(:user) { build(:user, :admin) }
context 'when admin mode not requested' do context 'when admin mode not requested' do
it 'is false by default' do it 'is false by default' do
...@@ -160,36 +148,11 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store ...@@ -160,36 +148,11 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store
end end
end end
end end
context 'bypassing session' do
it 'is active by default' do
described_class.bypass_session!(user.id) do
expect(subject.admin_mode?).to be(true)
end
end
it 'enable has no effect' do
described_class.bypass_session!(user.id) do
subject.request_admin_mode!
subject.enable_admin_mode!(password: user.password)
expect(subject.admin_mode?).to be(true)
end
end
it 'disable has no effect' do
described_class.bypass_session!(user.id) do
subject.disable_admin_mode!
expect(subject.admin_mode?).to be(true)
end
end
end
end end
end end
describe '#enable_admin_mode!' do describe '#enable_admin_mode!' do
let(:user) { build_stubbed(:user, :admin) } let(:user) { build(:user, :admin) }
it 'creates a timestamp in the session' do it 'creates a timestamp in the session' do
subject.request_admin_mode! subject.request_admin_mode!
...@@ -200,7 +163,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store ...@@ -200,7 +163,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store
end end
describe '#enable_sessionless_admin_mode!' do describe '#enable_sessionless_admin_mode!' do
let(:user) { build_stubbed(:user, :admin) } let(:user) { build(:user, :admin) }
it 'enabled admin mode without password' do it 'enabled admin mode without password' do
subject.enable_sessionless_admin_mode! subject.enable_sessionless_admin_mode!
...@@ -210,7 +173,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store ...@@ -210,7 +173,7 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store
end end
describe '#disable_admin_mode!' do describe '#disable_admin_mode!' do
let(:user) { build_stubbed(:user, :admin) } let(:user) { build(:user, :admin) }
it 'sets the session timestamp to nil' do it 'sets the session timestamp to nil' do
subject.request_admin_mode! subject.request_admin_mode!
...@@ -220,73 +183,6 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store ...@@ -220,73 +183,6 @@ describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store
end end
end end
describe '.bypass_session!' do
context 'with a regular user' do
it 'admin mode is false' do
described_class.bypass_session!(user.id) do
expect(subject.admin_mode?).to be(false)
expect(described_class.bypass_session_admin_id).to be(user.id)
end
expect(described_class.bypass_session_admin_id).to be_nil
end
end
context 'with an admin user' do
let(:user) { build_stubbed(:user, :admin) }
it 'admin mode is true' do
described_class.bypass_session!(user.id) do
expect(subject.admin_mode?).to be(true)
expect(described_class.bypass_session_admin_id).to be(user.id)
end
expect(described_class.bypass_session_admin_id).to be_nil
end
end
end
describe '.with_current_request_admin_mode' do
context 'with a regular user' do
it 'user is not available inside nor outside the yielded block' do
described_class.with_current_admin(user) do
expect(described_class.current_admin).to be_nil
end
expect(described_class.bypass_session_admin_id).to be_nil
end
end
context 'with an admin user' do
let(:user) { build_stubbed(:user, :admin) }
context 'admin mode is disabled' do
it 'user is not available inside nor outside the yielded block' do
described_class.with_current_admin(user) do
expect(described_class.current_admin).to be_nil
end
expect(described_class.bypass_session_admin_id).to be_nil
end
end
context 'admin mode is enabled' do
before do
subject.request_admin_mode!
subject.enable_admin_mode!(password: user.password)
end
it 'user is available only inside the yielded block' do
described_class.with_current_admin(user) do
expect(described_class.current_admin).to be(user)
end
expect(described_class.current_admin).to be_nil
end
end
end
end
def expected_session_entry(value_matcher) def expected_session_entry(value_matcher)
{ {
Gitlab::Auth::CurrentUserMode::SESSION_STORE_KEY => a_hash_including( Gitlab::Auth::CurrentUserMode::SESSION_STORE_KEY => a_hash_including(
......
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::SidekiqMiddleware::AdminMode::Client, :do_not_mock_admin_mode, :request_store do
include AdminModeHelper
let(:worker) do
Class.new do
def perform; end
end
end
let(:job) { {} }
let(:queue) { :test }
it 'yields block' do
expect do |b|
subject.call(worker, job, queue, nil, &b)
end.to yield_control.once
end
context 'user is a regular user' do
it 'no admin mode field in payload' do
subject.call(worker, job, queue, nil) { nil }
expect(job).not_to include('admin_mode_user_id')
end
end
context 'user is an administrator' do
let(:admin) { create(:admin) }
context 'admin mode disabled' do
it 'no admin mode field in payload' do
subject.call(worker, job, queue, nil) { nil }
expect(job).not_to include('admin_mode_user_id')
end
end
context 'admin mode enabled' do
before do
enable_admin_mode!(admin)
end
context 'when sidekiq required context not set' do
it 'no admin mode field in payload' do
subject.call(worker, job, queue, nil) { nil }
expect(job).not_to include('admin_mode_user_id')
end
end
context 'when user stored in current request' do
it 'has admin mode field in payload' do
Gitlab::Auth::CurrentUserMode.with_current_admin(admin) do
subject.call(worker, job, queue, nil) { nil }
expect(job).to include('admin_mode_user_id' => admin.id)
end
end
end
context 'when bypassing session' do
it 'has admin mode field in payload' do
Gitlab::Auth::CurrentUserMode.bypass_session!(admin.id) do
subject.call(worker, job, queue, nil) { nil }
expect(job).to include('admin_mode_user_id' => admin.id)
end
end
end
end
end
context 'admin mode feature disabled' do
before do
stub_feature_flags(user_mode_in_session: false)
end
it 'yields block' do
expect do |b|
subject.call(worker, job, queue, nil, &b)
end.to yield_control.once
end
it 'no admin mode field in payload' do
subject.call(worker, job, queue, nil) { nil }
expect(job).not_to include('admin_mode_user_id')
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::SidekiqMiddleware::AdminMode::Server, :do_not_mock_admin_mode, :request_store do
include AdminModeHelper
let(:worker) do
Class.new do
def perform; end
end
end
let(:job) { {} }
let(:queue) { :test }
it 'yields block' do
expect do |b|
subject.call(worker, job, queue, &b)
end.to yield_control.once
end
context 'job has no admin mode field' do
it 'session is not bypassed' do
subject.call(worker, job, queue) do
expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
end
end
end
context 'job has admin mode field' do
let(:admin) { create(:admin) }
context 'nil admin mode id' do
let(:job) { { 'admin_mode_user_id' => nil } }
it 'session is not bypassed' do
subject.call(worker, job, queue) do
expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
end
end
end
context 'valid admin mode id' do
let(:job) { { 'admin_mode_user_id' => admin.id } }
it 'session is bypassed' do
subject.call(worker, job, queue) do
expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be(admin.id)
end
end
end
end
context 'admin mode feature disabled' do
before do
stub_feature_flags(user_mode_in_session: false)
end
it 'yields block' do
expect do |b|
subject.call(worker, job, queue, &b)
end.to yield_control.once
end
it 'session is not bypassed' do
subject.call(worker, job, queue) do
expect(Gitlab::Auth::CurrentUserMode.bypass_session_admin_id).to be_nil
end
end
end
end
...@@ -45,8 +45,7 @@ describe Gitlab::SidekiqMiddleware do ...@@ -45,8 +45,7 @@ describe Gitlab::SidekiqMiddleware do
Gitlab::SidekiqMiddleware::ArgumentsLogger, Gitlab::SidekiqMiddleware::ArgumentsLogger,
Gitlab::SidekiqMiddleware::MemoryKiller, Gitlab::SidekiqMiddleware::MemoryKiller,
Gitlab::SidekiqMiddleware::RequestStoreMiddleware, Gitlab::SidekiqMiddleware::RequestStoreMiddleware,
Gitlab::SidekiqMiddleware::WorkerContext::Server, Gitlab::SidekiqMiddleware::WorkerContext::Server
Gitlab::SidekiqMiddleware::AdminMode::Server
] ]
end end
let(:enabled_sidekiq_middlewares) { all_sidekiq_middlewares - disabled_sidekiq_middlewares } let(:enabled_sidekiq_middlewares) { all_sidekiq_middlewares - disabled_sidekiq_middlewares }
...@@ -116,8 +115,7 @@ describe Gitlab::SidekiqMiddleware do ...@@ -116,8 +115,7 @@ describe Gitlab::SidekiqMiddleware do
Gitlab::SidekiqStatus::ClientMiddleware, Gitlab::SidekiqStatus::ClientMiddleware,
Gitlab::SidekiqMiddleware::ClientMetrics, Gitlab::SidekiqMiddleware::ClientMetrics,
Gitlab::SidekiqMiddleware::WorkerContext::Client, Gitlab::SidekiqMiddleware::WorkerContext::Client,
Labkit::Middleware::Sidekiq::Client, Labkit::Middleware::Sidekiq::Client
Gitlab::SidekiqMiddleware::AdminMode::Client
] ]
end end
......
...@@ -2985,9 +2985,9 @@ describe User, :do_not_mock_admin_mode do ...@@ -2985,9 +2985,9 @@ describe User, :do_not_mock_admin_mode do
end end
end end
describe '#can_read_all_resources?', :request_store do describe '#can_read_all_resources?' do
it 'returns false for regular user' do it 'returns false for regular user' do
user = build_stubbed(:user) user = build(:user)
expect(user.can_read_all_resources?).to be_falsy expect(user.can_read_all_resources?).to be_falsy
end end
...@@ -2995,7 +2995,7 @@ describe User, :do_not_mock_admin_mode do ...@@ -2995,7 +2995,7 @@ describe User, :do_not_mock_admin_mode do
context 'for admin user' do context 'for admin user' do
include_context 'custom session' include_context 'custom session'
let(:user) { build_stubbed(:user, :admin) } let(:user) { build(:user, :admin) }
context 'when admin mode is disabled' do context 'when admin mode is disabled' do
it 'returns false' do it 'returns false' do
......
...@@ -23,8 +23,8 @@ describe BasePolicy, :do_not_mock_admin_mode do ...@@ -23,8 +23,8 @@ describe BasePolicy, :do_not_mock_admin_mode do
end end
describe 'read cross project' do describe 'read cross project' do
let(:current_user) { build_stubbed(:user) } let(:current_user) { create(:user) }
let(:user) { build_stubbed(:user) } let(:user) { create(:user) }
subject { described_class.new(current_user, [user]) } subject { described_class.new(current_user, [user]) }
...@@ -38,7 +38,7 @@ describe BasePolicy, :do_not_mock_admin_mode do ...@@ -38,7 +38,7 @@ describe BasePolicy, :do_not_mock_admin_mode do
it { is_expected.not_to be_allowed(:read_cross_project) } it { is_expected.not_to be_allowed(:read_cross_project) }
context 'for admins' do context 'for admins' do
let(:current_user) { build_stubbed(:admin) } let(:current_user) { build(:admin) }
subject { described_class.new(current_user, nil) } subject { described_class.new(current_user, nil) }
...@@ -56,14 +56,14 @@ describe BasePolicy, :do_not_mock_admin_mode do ...@@ -56,14 +56,14 @@ describe BasePolicy, :do_not_mock_admin_mode do
end end
describe 'full private access' do describe 'full private access' do
let(:current_user) { build_stubbed(:user) } let(:current_user) { create(:user) }
subject { described_class.new(current_user, nil) } subject { described_class.new(current_user, nil) }
it { is_expected.not_to be_allowed(:read_all_resources) } it { is_expected.not_to be_allowed(:read_all_resources) }
context 'for admins' do context 'for admins' do
let(:current_user) { build_stubbed(:admin) } let(:current_user) { build(:admin) }
it 'allowed when in admin mode' do it 'allowed when in admin mode' do
enable_admin_mode!(current_user) enable_admin_mode!(current_user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment