kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/lib/gitlab/auth_spec.rb

300 lines
11 KiB
Ruby
Raw Normal View History

Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
require 'spec_helper'
Tag lib specs
2015-12-09 05:55:36 -05:00
describe Gitlab::Auth, lib: true do
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
let(:gl_auth) { described_class }
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
Only use API scopes for personal access tokens
2017-01-31 05:21:29 -05:00
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
expect(subject::API_SCOPES).to eq [:api, :read_user]
end
it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
expect(subject::OPENID_SCOPES).to eq [:openid]
end
it 'DEFAULT_SCOPES contains all default scopes' do
expect(subject::DEFAULT_SCOPES).to eq [:api]
end
it 'OPTIONAL_SCOPES contains all non-default scopes' do
expect(subject::OPTIONAL_SCOPES).to eq [:read_user, :openid]
end
end
Also rename "find" in the specs
2016-06-13 09:38:25 -04:00
describe 'find_for_git_client' do
Add access specs
2016-09-15 05:57:09 -04:00
context 'build token' do
subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') }
context 'for running build' do
let!(:build) { create(:ci_build, :running) }
let(:project) { build.project }
before do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
end
it 'recognises user-less build' do
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
Add access specs
2016-09-15 05:57:09 -04:00
end
it 'recognises user token' do
build.update(user: create(:user))
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
Add access specs
2016-09-15 05:57:09 -04:00
end
end
Fix specs for available statuses
2016-09-16 07:47:54 -04:00
(HasStatus::AVAILABLE_STATUSES - ['running']).each do |build_status|
Fix specs after renaming authentication_capabilities
2016-09-16 05:06:31 -04:00
context "for #{build_status} build" do
let!(:build) { create(:ci_build, status: build_status) }
let(:project) { build.project }
before do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
end
it 'denies authentication' do
Fix specs for available statuses
2016-09-16 07:47:54 -04:00
expect(subject).to eq(Gitlab::Auth::Result.new)
Fix specs after renaming authentication_capabilities
2016-09-16 05:06:31 -04:00
end
Add access specs
2016-09-15 05:57:09 -04:00
end
end
end
it 'recognizes other ci services' do
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
project = create(:empty_project)
Add access specs
2016-09-15 05:57:09 -04:00
project.create_drone_ci_service(active: true)
project.drone_ci_service.update(token: 'token')
Project tools visibility level
2016-08-01 18:31:21 -04:00
View-related (and other minor) changes to !5951 based on @rymai's review. - The `scopes_form` partial can be used in the `admin/applications` view as well - Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected. - Change a few instances of `render :partial` to `render` - Remove an instance of `required: false` in a view, since this is the default - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-04 23:19:51 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'drone-ci-token')
expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
it 'recognizes master passwords' do
user = create(:user, password: 'password')
View-related (and other minor) changes to !5951 based on @rymai's review. - The `scopes_form` partial can be used in the `admin/applications` view as well - Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected. - Change a few instances of `render :partial` to `render` - Remove an instance of `required: false` in a view, since this is the default - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-04 23:19:51 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
Cleanup RSpec tests
2017-02-17 07:24:32 -05:00
include_examples 'user login operation with unique ip limit' do
let(:user) { create(:user, password: 'password') }
Test various login scenarios if the limit gets enforced
2017-02-17 06:52:27 -05:00
Cleanup RSpec tests
2017-02-17 07:24:32 -05:00
def operation
Test various login scenarios if the limit gets enforced
2017-02-17 06:52:27 -05:00
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
end
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
context 'while using LFS authenticate' do
it 'recognizes user lfs tokens' do
user = create(:user)
token = Gitlab::LfsToken.new(user).token
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, full_authentication_abilities))
end
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
it 'recognizes deploy key lfs tokens' do
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
end
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
it 'does not try password auth before oauth' do
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
user = create(:user)
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
token = Gitlab::LfsToken.new(user).token
expect(gl_auth).not_to receive(:find_with_user_password)
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')
end
end
context 'while using OAuth tokens as passwords' do
let(:user) { create(:user) }
let(:token_w_api_scope) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') }
let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }
it 'succeeds for OAuth tokens with the `api` scope' do
View-related (and other minor) changes to !5951 based on @rymai's review. - The `scopes_form` partial can be used in the `admin/applications` view as well - Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected. - Change a few instances of `render :partial` to `render` - Remove an instance of `required: false` in a view, since this is the default - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-04 23:19:51 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2')
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
it 'fails for OAuth tokens with other scopes' do
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'read_user')
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
View-related (and other minor) changes to !5951 based on @rymai's review. - The `scopes_form` partial can be used in the `admin/applications` view as well - Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected. - Change a few instances of `render :partial` to `render` - Remove an instance of `required: false` in a view, since this is the default - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-04 23:19:51 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'oauth2')
expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil))
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
it 'does not try password auth before oauth' do
expect(gl_auth).not_to receive(:find_with_user_password)
gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')
end
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
context 'while using personal access tokens as passwords' do
it 'succeeds for personal access tokens with the `api` scope' do
add impersonation token
2016-12-28 11:19:08 -05:00
personal_access_token = create(:personal_access_token, scopes: ['api'])
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_token, full_authentication_abilities))
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
add impersonation token
2016-12-28 11:19:08 -05:00
it 'succeeds if it is an impersonation token' do
apply codestyle and implementation changes to the respective feature code
2017-03-01 11:59:03 -05:00
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
add impersonation token
2016-12-28 11:19:08 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
refactors finder and correlated code
2017-02-27 13:56:54 -05:00
expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(impersonation_token.user, nil, :personal_token, full_authentication_abilities))
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
it 'fails for personal access tokens with other scopes' do
add impersonation token
2016-12-28 11:19:08 -05:00
personal_access_token = create(:personal_access_token, scopes: ['read_user'])
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
add impersonation token
2016-12-28 11:19:08 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil))
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
refactors finder and correlated code
2017-02-27 13:56:54 -05:00
it 'fails for impersonation token with other scopes' do
impersonation_token = create(:personal_access_token, scopes: ['read_user'])
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil))
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
add impersonation token
2016-12-28 11:19:08 -05:00
it 'fails if password is nil' do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', nil, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil))
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
end
end
context 'while using regular user and password' do
it 'falls through lfs authentication' do
user = create(
:user,
username: 'normal_user',
password: 'my-secret',
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
end
it 'falls through oauth authentication when the username is oauth2' do
user = create(
:user,
username: 'oauth2',
password: 'my-secret',
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
end
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
it 'returns double nil for invalid credentials' do
login = 'foo'
View-related (and other minor) changes to !5951 based on @rymai's review. - The `scopes_form` partial can be used in the `admin/applications` view as well - Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected. - Change a few instances of `render :partial` to `render` - Remove an instance of `required: false` in a view, since this is the default - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-04 23:19:51 -05:00
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: login)
expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new)
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
end
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
describe 'find_with_user_password' do
Refactor gitlab auth tests
2014-09-08 07:11:39 -04:00
let!(:user) do
create(:user,
username: username,
password: password,
password_confirmation: password)
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end
Session API: Use case-insensitive authentication like in UI
2014-10-22 11:29:26 -04:00
let(:username) { 'John' } # username isn't lowercase, test this
Refactor gitlab auth tests
2014-09-08 07:11:39 -04:00
let(:password) { 'my-secret' }
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
adds second batch of tests changed to active tense
2016-08-01 11:00:44 -04:00
it "finds user by valid login/password" do
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
expect( gl_auth.find_with_user_password(username, password) ).to eql user
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end
adds second batch of tests changed to active tense
2016-08-01 11:00:44 -04:00
it 'finds user by valid email/password with case-insensitive email' do
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
expect(gl_auth.find_with_user_password(user.email.upcase, password)).to eql user
Session API: Use case-insensitive authentication like in UI
2014-10-22 11:29:26 -04:00
end
adds second batch of tests changed to active tense
2016-08-01 11:00:44 -04:00
it 'finds user by valid username/password with case-insensitive username' do
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
expect(gl_auth.find_with_user_password(username.upcase, password)).to eql user
Session API: Use case-insensitive authentication like in UI
2014-10-22 11:29:26 -04:00
end
adds second batch of tests changed to active tense
2016-08-01 11:00:44 -04:00
it "does not find user with invalid password" do
Refactor gitlab auth tests
2014-09-08 07:11:39 -04:00
password = 'wrong'
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end
adds second batch of tests changed to active tense
2016-08-01 11:00:44 -04:00
it "does not find user with invalid login" do
Refactor gitlab auth tests
2014-09-08 07:11:39 -04:00
user = 'wrong'
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
Add settings for user permission defaults “Can create groups” and “Can create teams” had hardcoded defaults to `true`. Sometimes it is desirable to prohibit these for newly created users by default.
2013-03-11 02:44:45 -04:00
end
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
Cleanup RSpec tests
2017-02-17 07:24:32 -05:00
include_examples 'user login operation with unique ip limit' do
def operation
Remove unecessary calls to limit_user!, UniqueIps Middleware, and address MR review - cleanup formating in haml - clarify time window is in seconds - cleanup straneous chunks in db/schema - rename count_uniqe_ips to update_and_return_ips_count - other
2017-02-20 09:09:05 -05:00
expect(gl_auth.find_with_user_password(username, password)).to eq(user)
Cleanup RSpec tests
2017-02-17 07:24:32 -05:00
end
end
Don't allow blocked users to authenticate through other means Gitlab::Auth.find_with_user_password is currently used in these places: - resource_owner_from_credentials in config/initializers/doorkeeper.rb, which is used for the OAuth Resource Owner Password Credentials flow - the /session API call in lib/api/session.rb, which is used to reveal the user's current authentication_token In both cases users should only be authenticated if they're in the active state.
2017-01-18 05:23:25 -05:00
it "does not find user in blocked state" do
user.block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
it "does not find user in ldap_blocked state" do
user.ldap_block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
context "with ldap enabled" do
Update mock and stub syntax for specs
2015-05-21 17:49:06 -04:00
before do
allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
end
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
it "tries to autheticate with db before ldap" do
Merge tests to support Multiple LDAP groups
2014-10-13 11:33:44 -04:00
expect(Gitlab::LDAP::Authentication).not_to receive(:login)
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
gl_auth.find_with_user_password(username, password)
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
end
it "uses ldap as fallback to for authentication" do
Merge tests to support Multiple LDAP groups
2014-10-13 11:33:44 -04:00
expect(Gitlab::LDAP::Authentication).to receive(:login)
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
gl_auth.find_with_user_password('ldap_user', 'password')
Ensure Gitlab::LDAP::authentication is tested
2014-09-08 07:26:25 -04:00
end
end
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end
Add access specs
2016-09-15 05:57:09 -04:00
private
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
def build_authentication_abilities
Add access specs
2016-09-15 05:57:09 -04:00
[
:read_project,
:build_download_code,
:build_read_container_image,
:build_create_container_image
]
end
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
def read_authentication_abilities
Add access specs
2016-09-15 05:57:09 -04:00
[
:read_project,
:download_code,
:read_container_image
]
end
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
def full_authentication_abilities
read_authentication_abilities + [
Add access specs
2016-09-15 05:57:09 -04:00
:push_code,
Fix spec failures
2016-09-19 07:29:48 -04:00
:create_container_image
Add access specs
2016-09-15 05:57:09 -04:00
]
end
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end