gitlab-org--gitlab-foss/spec/lib/gitlab/ldap/config_spec.rb

require 'spec_helper'

describe Gitlab::LDAP::Config, lib: true do
  include LdapHelpers

  let(:config) { Gitlab::LDAP::Config.new('ldapmain') }

  describe '#initalize' do
    it 'requires a provider' do
      expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError
    end

    it 'works' do
      expect(config).to be_a described_class
    end

    it 'raises an error if a unknown provider is used' do
      expect{ Gitlab::LDAP::Config.new 'unknown' }.to raise_error(RuntimeError)
    end
  end

  describe '#adapter_options' do
    it 'constructs basic options' do
      stub_ldap_config(
        options: {
          'host'    => 'ldap.example.com',
          'port'    => 386,
          'method'  => 'plain'
        }
      )

      expect(config.adapter_options).to eq(
        host: 'ldap.example.com',
        port: 386,
        encryption: nil
      )
    end

    it 'includes authentication options when auth is configured' do
      stub_ldap_config(
        options: {
          'host'      => 'ldap.example.com',
          'port'      => 686,
          'method'    => 'ssl',
          'bind_dn'   => 'uid=admin,dc=example,dc=com',
          'password'  => 'super_secret'
        }
      )

      expect(config.adapter_options).to eq(
        host: 'ldap.example.com',
        port: 686,
        encryption: :simple_tls,
        auth: {
          method: :simple,
          username: 'uid=admin,dc=example,dc=com',
          password: 'super_secret'
        }
      )
    end
  end

  describe '#omniauth_options' do
    it 'constructs basic options' do
      stub_ldap_config(
        options: {
          'host'    => 'ldap.example.com',
          'port'    => 386,
          'base'    => 'ou=users,dc=example,dc=com',
          'method'  => 'plain',
          'uid'     => 'uid'
        }
      )

      expect(config.omniauth_options).to include(
        host: 'ldap.example.com',
        port: 386,
        base: 'ou=users,dc=example,dc=com',
        method: 'plain',
        filter: '(uid=%{username})'
      )
      expect(config.omniauth_options.keys).not_to include(:bind_dn, :password)
    end

    it 'includes authentication options when auth is configured' do
      stub_ldap_config(
        options: {
          'uid'         => 'sAMAccountName',
          'user_filter' => '(memberOf=cn=group1,ou=groups,dc=example,dc=com)',
          'bind_dn'     => 'uid=admin,dc=example,dc=com',
          'password'    => 'super_secret'
        }
      )

      expect(config.omniauth_options).to include(
        filter: '(&(sAMAccountName=%{username})(memberOf=cn=group1,ou=groups,dc=example,dc=com))',
        bind_dn: 'uid=admin,dc=example,dc=com',
        password: 'super_secret'
      )
    end
  end

  describe '#has_auth?' do
    it 'is true when password is set' do
      stub_ldap_config(
        options: {
          'bind_dn'  => 'uid=admin,dc=example,dc=com',
          'password' => 'super_secret'
        }
      )

      expect(config.has_auth?).to be_truthy
    end

    it 'is true when bind_dn is set and password is empty' do
      stub_ldap_config(
        options: {
          'bind_dn'  => 'uid=admin,dc=example,dc=com',
          'password' => ''
        }
      )

      expect(config.has_auth?).to be_truthy
    end

    it 'is false when password and bind_dn are not set' do
      stub_ldap_config(options: { 'bind_dn' => nil, 'password' => nil })

      expect(config.has_auth?).to be_falsey
    end
  end
end
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`require 'spec_helper'`

Tag lib specs 2015-12-09 05:55:36 -05:00			`describe Gitlab::LDAP::Config, lib: true do`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`include LdapHelpers`

			`let(:config) { Gitlab::LDAP::Config.new('ldapmain') }`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 13:17:35 -05:00			`describe '#initalize' do`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`it 'requires a provider' do`
			`expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`it 'works' do`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`expect(config).to be_a described_class`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`it 'raises an error if a unknown provider is used' do`
Fix `raise_error` without an argument deprecation warnings 2015-06-17 21:29:18 -04:00			`expect{ Gitlab::LDAP::Config.new 'unknown' }.to raise_error(RuntimeError)`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`end`
			`end`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`describe '#adapter_options' do`
			`it 'constructs basic options' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 386,`
			`'method' => 'plain'`
			`}`
			`)`

			`expect(config.adapter_options).to eq(`
			`host: 'ldap.example.com',`
			`port: 386,`
			`encryption: nil`
			`)`
			`end`

			`it 'includes authentication options when auth is configured' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'method' => 'ssl',`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
			`}`
			`)`

			`expect(config.adapter_options).to eq(`
			`host: 'ldap.example.com',`
			`port: 686,`
			`encryption: :simple_tls,`
			`auth: {`
			`method: :simple,`
			`username: 'uid=admin,dc=example,dc=com',`
			`password: 'super_secret'`
			`}`
			`)`
			`end`
			`end`

			`describe '#omniauth_options' do`
			`it 'constructs basic options' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 386,`
			`'base' => 'ou=users,dc=example,dc=com',`
			`'method' => 'plain',`
			`'uid' => 'uid'`
			`}`
			`)`

			`expect(config.omniauth_options).to include(`
			`host: 'ldap.example.com',`
			`port: 386,`
			`base: 'ou=users,dc=example,dc=com',`
			`method: 'plain',`
			`filter: '(uid=%{username})'`
			`)`
			`expect(config.omniauth_options.keys).not_to include(:bind_dn, :password)`
			`end`

			`it 'includes authentication options when auth is configured' do`
			`stub_ldap_config(`
			`options: {`
			`'uid' => 'sAMAccountName',`
			`'user_filter' => '(memberOf=cn=group1,ou=groups,dc=example,dc=com)',`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
			`}`
			`)`

			`expect(config.omniauth_options).to include(`
			`filter: '(&(sAMAccountName=%{username})(memberOf=cn=group1,ou=groups,dc=example,dc=com))',`
			`bind_dn: 'uid=admin,dc=example,dc=com',`
			`password: 'super_secret'`
			`)`
			`end`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`describe '#has_auth?' do`
			`it 'is true when password is set' do`
			`stub_ldap_config(`
			`options: {`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
			`}`
			`)`

			`expect(config.has_auth?).to be_truthy`
			`end`

			`it 'is true when bind_dn is set and password is empty' do`
			`stub_ldap_config(`
			`options: {`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => ''`
			`}`
			`)`

			`expect(config.has_auth?).to be_truthy`
			`end`

			`it 'is false when password and bind_dn are not set' do`
			`stub_ldap_config(options: { 'bind_dn' => nil, 'password' => nil })`

			`expect(config.has_auth?).to be_falsey`
			`end`
			`end`
Fix LDAP config lookup for provider 'ldap' 2014-10-23 16:57:16 -04:00			`end`