gitlab-org--gitlab-foss/spec/lib/gitlab/auth_spec.rb

require 'spec_helper'

describe Gitlab::Auth, lib: true do
  let(:gl_auth) { described_class }

  describe 'find_for_git_client' do
    context 'build token' do
      subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') }

      context 'for running build' do
        let!(:build) { create(:ci_build, :running) }
        let(:project) { build.project }

        before do
          expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
        end

        it 'recognises user-less build' do
          expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
        end

        it 'recognises user token' do
          build.update(user: create(:user))

          expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
        end
      end

      (HasStatus::AVAILABLE_STATUSES - ['running']).each do |build_status|
        context "for #{build_status} build" do
          let!(:build) { create(:ci_build, status: build_status) }
          let(:project) { build.project }

          before do
            expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
          end

          it 'denies authentication' do
            expect(subject).to eq(Gitlab::Auth::Result.new)
          end
        end
      end
    end

    it 'recognizes other ci services' do
      project = create(:empty_project)
      project.create_drone_ci_service(active: true)
      project.drone_ci_service.update(token: 'token')

      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'drone-ci-token')
      expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
    end

    it 'recognizes master passwords' do
      user = create(:user, password: 'password')
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
      expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
    end

    it 'recognizes user lfs tokens' do
      user = create(:user)
      ip = 'ip'
      token = Gitlab::LfsToken.new(user).token

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
      expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, full_authentication_abilities))
    end

    it 'recognizes deploy key lfs tokens' do
      key = create(:deploy_key)
      ip = 'ip'
      token = Gitlab::LfsToken.new(key).token

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")
      expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
    end

    it 'recognizes OAuth tokens' do
      user = create(:user)
      application = Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)
      token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id)
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')
      expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))
    end

    it 'returns double nil for invalid credentials' do
      login = 'foo'
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: false, login: login)
      expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new)
    end
  end

  describe 'find_with_user_password' do
    let!(:user) do
      create(:user,
        username: username,
        password: password,
        password_confirmation: password)
    end
    let(:username) { 'John' }     # username isn't lowercase, test this
    let(:password) { 'my-secret' }

    it "finds user by valid login/password" do
      expect( gl_auth.find_with_user_password(username, password) ).to eql user
    end

    it 'finds user by valid email/password with case-insensitive email' do
      expect(gl_auth.find_with_user_password(user.email.upcase, password)).to eql user
    end

    it 'finds user by valid username/password with case-insensitive username' do
      expect(gl_auth.find_with_user_password(username.upcase, password)).to eql user
    end

    it "does not find user with invalid password" do
      password = 'wrong'
      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
    end

    it "does not find user with invalid login" do
      user = 'wrong'
      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
    end

    context "with ldap enabled" do
      before do
        allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
      end

      it "tries to autheticate with db before ldap" do
        expect(Gitlab::LDAP::Authentication).not_to receive(:login)

        gl_auth.find_with_user_password(username, password)
      end

      it "uses ldap as fallback to for authentication" do
        expect(Gitlab::LDAP::Authentication).to receive(:login)

        gl_auth.find_with_user_password('ldap_user', 'password')
      end
    end
  end

  private

  def build_authentication_abilities
    [
      :read_project,
      :build_download_code,
      :build_read_container_image,
      :build_create_container_image
    ]
  end

  def read_authentication_abilities
    [
      :read_project,
      :download_code,
      :read_container_image
    ]
  end

  def full_authentication_abilities
    read_authentication_abilities + [
      :push_code,
      :create_container_image
    ]
  end
end
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`require 'spec_helper'`

Tag lib specs 2015-12-09 05:55:36 -05:00			`describe Gitlab::Auth, lib: true do`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`let(:gl_auth) { described_class }`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00
Also rename "find" in the specs 2016-06-13 09:38:25 -04:00			`describe 'find_for_git_client' do`
Add access specs 2016-09-15 05:57:09 -04:00			`context 'build token' do`
			`subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') }`

			`context 'for running build' do`
			`let!(:build) { create(:ci_build, :running) }`
			`let(:project) { build.project }`

			`before do`
			`expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')`
			`end`

			`it 'recognises user-less build' do`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))`
Add access specs 2016-09-15 05:57:09 -04:00			`end`

			`it 'recognises user token' do`
			`build.update(user: create(:user))`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))`
Add access specs 2016-09-15 05:57:09 -04:00			`end`
			`end`

Fix specs for available statuses 2016-09-16 07:47:54 -04:00			`(HasStatus::AVAILABLE_STATUSES - ['running']).each do \|build_status\|`
Fix specs after renaming authentication_capabilities 2016-09-16 05:06:31 -04:00			`context "for #{build_status} build" do`
			`let!(:build) { create(:ci_build, status: build_status) }`
			`let(:project) { build.project }`

			`before do`
			`expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')`
			`end`

			`it 'denies authentication' do`
Fix specs for available statuses 2016-09-16 07:47:54 -04:00			`expect(subject).to eq(Gitlab::Auth::Result.new)`
Fix specs after renaming authentication_capabilities 2016-09-16 05:06:31 -04:00			`end`
Add access specs 2016-09-15 05:57:09 -04:00			`end`
			`end`
			`end`

			`it 'recognizes other ci services' do`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`project = create(:empty_project)`
Add access specs 2016-09-15 05:57:09 -04:00			`project.create_drone_ci_service(active: true)`
			`project.drone_ci_service.update(token: 'token')`
Project tools visibility level 2016-08-01 18:31:21 -04:00
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`ip = 'ip'`

Add access specs 2016-09-15 05:57:09 -04:00			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'drone-ci-token')`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`

			`it 'recognizes master passwords' do`
			`user = create(:user, password: 'password')`
			`ip = 'ip'`

			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`

Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00			`it 'recognizes user lfs tokens' do`
			`user = create(:user)`
			`ip = 'ip'`
Handle LFS token creation and retrieval in the same method, and in the same Redis connection. Reset expiry time of token, if token is retrieved again before it expires. 2016-09-28 12:02:31 -04:00			`token = Gitlab::LfsToken.new(user).token`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00
			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)`
Fix test failure 2016-09-19 14:22:10 -04:00			`expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, full_authentication_abilities))`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00			`end`

			`it 'recognizes deploy key lfs tokens' do`
			`key = create(:deploy_key)`
			`ip = 'ip'`
Handle LFS token creation and retrieval in the same method, and in the same Redis connection. Reset expiry time of token, if token is retrieved again before it expires. 2016-09-28 12:02:31 -04:00			`token = Gitlab::LfsToken.new(key).token`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00
			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")`
			`expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))`
			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`it 'recognizes OAuth tokens' do`
			`user = create(:user)`
			`application = Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)`
			`token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id)`
			`ip = 'ip'`

			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`

			`it 'returns double nil for invalid credentials' do`
			`login = 'foo'`
			`ip = 'ip'`

Fix specs after merging LFS changes 2016-09-15 16:17:12 -04:00			`expect(gl_auth).to receive(:rate_limit!).with(ip, success: false, login: login)`
Also rename "find" in the specs 2016-06-13 09:38:25 -04:00			`expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new)`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`
			`end`

Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`describe 'find_with_user_password' do`
Refactor gitlab auth tests 2014-09-08 07:11:39 -04:00			`let!(:user) do`
			`create(:user,`
			`username: username,`
			`password: password,`
			`password_confirmation: password)`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`let(:username) { 'John' } # username isn't lowercase, test this`
Refactor gitlab auth tests 2014-09-08 07:11:39 -04:00			`let(:password) { 'my-secret' }`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "finds user by valid login/password" do`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`expect( gl_auth.find_with_user_password(username, password) ).to eql user`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`

adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it 'finds user by valid email/password with case-insensitive email' do`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`expect(gl_auth.find_with_user_password(user.email.upcase, password)).to eql user`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`end`

adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it 'finds user by valid username/password with case-insensitive username' do`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`expect(gl_auth.find_with_user_password(username.upcase, password)).to eql user`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`end`

adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "does not find user with invalid password" do`
Refactor gitlab auth tests 2014-09-08 07:11:39 -04:00			`password = 'wrong'`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`expect( gl_auth.find_with_user_password(username, password) ).not_to eql user`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`

adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "does not find user with invalid login" do`
Refactor gitlab auth tests 2014-09-08 07:11:39 -04:00			`user = 'wrong'`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`expect( gl_auth.find_with_user_password(username, password) ).not_to eql user`
Add settings for user permission defaults “Can create groups” and “Can create teams” had hardcoded defaults to `true`. Sometimes it is desirable to prohibit these for newly created users by default. 2013-03-11 02:44:45 -04:00			`end`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00
			`context "with ldap enabled" do`
Update mock and stub syntax for specs 2015-05-21 17:49:06 -04:00			`before do`
			`allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)`
			`end`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00
			`it "tries to autheticate with db before ldap" do`
Merge tests to support Multiple LDAP groups 2014-10-13 11:33:44 -04:00			`expect(Gitlab::LDAP::Authentication).not_to receive(:login)`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`gl_auth.find_with_user_password(username, password)`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00			`end`

			`it "uses ldap as fallback to for authentication" do`
Merge tests to support Multiple LDAP groups 2014-10-13 11:33:44 -04:00			`expect(Gitlab::LDAP::Authentication).to receive(:login)`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`gl_auth.find_with_user_password('ldap_user', 'password')`
Ensure Gitlab::LDAP::authentication is tested 2014-09-08 07:26:25 -04:00			`end`
			`end`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`
Add access specs 2016-09-15 05:57:09 -04:00
			`private`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`def build_authentication_abilities`
Add access specs 2016-09-15 05:57:09 -04:00			`[`
			`:read_project,`
			`:build_download_code,`
			`:build_read_container_image,`
			`:build_create_container_image`
			`]`
			`end`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`def read_authentication_abilities`
Add access specs 2016-09-15 05:57:09 -04:00			`[`
			`:read_project,`
			`:download_code,`
			`:read_container_image`
			`]`
			`end`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`def full_authentication_abilities`
			`read_authentication_abilities + [`
Add access specs 2016-09-15 05:57:09 -04:00			`:push_code,`
Fix spec failures 2016-09-19 07:29:48 -04:00			`:create_container_image`
Add access specs 2016-09-15 05:57:09 -04:00			`]`
			`end`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`