gitlab-org--gitlab-foss/spec/lib/gitlab/ldap/config_spec.rb

require 'spec_helper'

describe Gitlab::LDAP::Config, lib: true do
  include LdapHelpers

  let(:config) { Gitlab::LDAP::Config.new('ldapmain') }

  describe '#initialize' do
    it 'requires a provider' do
      expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError
    end

    it 'works' do
      expect(config).to be_a described_class
    end

    it 'raises an error if a unknown provider is used' do
      expect{ Gitlab::LDAP::Config.new 'unknown' }.to raise_error(RuntimeError)
    end
  end

  describe '#adapter_options' do
    it 'constructs basic options' do
      stub_ldap_config(
        options: {
          'host'       => 'ldap.example.com',
          'port'       => 386,
          'encryption' => 'plain'
        }
      )

      expect(config.adapter_options).to eq(
        host: 'ldap.example.com',
        port: 386,
        encryption: { method: nil }
      )
    end

    it 'includes authentication options when auth is configured' do
      stub_ldap_config(
        options: {
          'host'                => 'ldap.example.com',
          'port'                => 686,
          'encryption'          => 'simple_tls',
          'verify_certificates' => true,
          'bind_dn'             => 'uid=admin,dc=example,dc=com',
          'password'            => 'super_secret'
        }
      )

      expect(config.adapter_options).to include({
        auth: {
          method: :simple,
          username: 'uid=admin,dc=example,dc=com',
          password: 'super_secret'
        }
      })
    end

    it 'sets encryption method to simple_tls when configured as simple_tls' do
      stub_ldap_config(
        options: {
          'host'                => 'ldap.example.com',
          'port'                => 686,
          'encryption'          => 'simple_tls'
        }
      )

      expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })
    end

    it 'sets encryption method to simple_tls when configured as ssl, for backwards compatibility' do
      stub_ldap_config(
        options: {
          'host'                => 'ldap.example.com',
          'port'                => 686,
          'encryption'          => 'ssl'
        }
      )

      expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })
    end

    it 'sets encryption method to start_tls when configured as start_tls' do
      stub_ldap_config(
        options: {
          'host'                => 'ldap.example.com',
          'port'                => 686,
          'encryption'          => 'start_tls'
        }
      )

      expect(config.adapter_options[:encryption]).to include({ method: :start_tls })
    end

    it 'sets encryption method to start_tls when configured as tls, for backwards compatibility' do
      stub_ldap_config(
        options: {
          'host'                => 'ldap.example.com',
          'port'                => 686,
          'encryption'          => 'tls'
        }
      )

      expect(config.adapter_options[:encryption]).to include({ method: :start_tls })
    end

    context 'when verify_certificates is enabled' do
      it 'sets tls_options to OpenSSL defaults' do
        stub_ldap_config(
          options: {
            'host'                => 'ldap.example.com',
            'port'                => 686,
            'encryption'          => 'simple_tls',
            'verify_certificates' => true
          }
        )

        expect(config.adapter_options[:encryption]).to include({ tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS })
      end
    end

    context 'when verify_certificates is disabled' do
      it 'sets verify_mode to OpenSSL VERIFY_NONE' do
        stub_ldap_config(
          options: {
            'host'                => 'ldap.example.com',
            'port'                => 686,
            'encryption'          => 'simple_tls',
            'verify_certificates' => false
          }
        )

        expect(config.adapter_options[:encryption]).to include({
          tls_options: {
            verify_mode: OpenSSL::SSL::VERIFY_NONE
          }
        })
      end
    end
  end

  describe '#omniauth_options' do
    it 'constructs basic options' do
      stub_ldap_config(
        options: {
          'host'       => 'ldap.example.com',
          'port'       => 386,
          'base'       => 'ou=users,dc=example,dc=com',
          'encryption' => 'plain',
          'uid'        => 'uid'
        }
      )

      expect(config.omniauth_options).to include(
        host: 'ldap.example.com',
        port: 386,
        base: 'ou=users,dc=example,dc=com',
        encryption: 'plain',
        filter: '(uid=%{username})'
      )
      expect(config.omniauth_options.keys).not_to include(:bind_dn, :password)
    end

    it 'includes authentication options when auth is configured' do
      stub_ldap_config(
        options: {
          'uid'         => 'sAMAccountName',
          'user_filter' => '(memberOf=cn=group1,ou=groups,dc=example,dc=com)',
          'bind_dn'     => 'uid=admin,dc=example,dc=com',
          'password'    => 'super_secret'
        }
      )

      expect(config.omniauth_options).to include(
        filter: '(&(sAMAccountName=%{username})(memberOf=cn=group1,ou=groups,dc=example,dc=com))',
        bind_dn: 'uid=admin,dc=example,dc=com',
        password: 'super_secret'
      )
    end
  end

  describe '#has_auth?' do
    it 'is true when password is set' do
      stub_ldap_config(
        options: {
          'bind_dn'  => 'uid=admin,dc=example,dc=com',
          'password' => 'super_secret'
        }
      )

      expect(config.has_auth?).to be_truthy
    end

    it 'is true when bind_dn is set and password is empty' do
      stub_ldap_config(
        options: {
          'bind_dn'  => 'uid=admin,dc=example,dc=com',
          'password' => ''
        }
      )

      expect(config.has_auth?).to be_truthy
    end

    it 'is false when password and bind_dn are not set' do
      stub_ldap_config(options: { 'bind_dn' => nil, 'password' => nil })

      expect(config.has_auth?).to be_falsey
    end
  end

  describe '#attributes' do
    it 'uses default attributes when no custom attributes are configured' do
      expect(config.attributes).to eq(config.default_attributes)
    end

    it 'merges the configuration attributes with default attributes' do
      stub_ldap_config(
        options: {
          'attributes' => {
            'username' => %w(sAMAccountName),
            'email'    => %w(userPrincipalName)
          }
        }
      )

      expect(config.attributes).to include({
        'username' => %w(sAMAccountName),
        'email'    => %w(userPrincipalName),
        'name'     => 'cn'
      })
    end
  end
end
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`require 'spec_helper'`

Tag lib specs 2015-12-09 05:55:36 -05:00			`describe Gitlab::LDAP::Config, lib: true do`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`include LdapHelpers`

			`let(:config) { Gitlab::LDAP::Config.new('ldapmain') }`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00
Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00			`describe '#initialize' do`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`it 'requires a provider' do`
			`expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`it 'works' do`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`expect(config).to be_a described_class`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`it 'raises an error if a unknown provider is used' do`
Fix `raise_error` without an argument deprecation warnings 2015-06-17 21:29:18 -04:00			`expect{ Gitlab::LDAP::Config.new 'unknown' }.to raise_error(RuntimeError)`
Add specs for authentication and config 2014-10-14 03:31:38 -04:00			`end`
			`end`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`describe '#adapter_options' do`
			`it 'constructs basic options' do`
			`stub_ldap_config(`
			`options: {`
Use encryption instead of method The method key is deprecated in the `gitlab_omniauth-ldap` gem. 2017-06-08 18:46:06 -04:00			`'host' => 'ldap.example.com',`
			`'port' => 386,`
			`'encryption' => 'plain'`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`}`
			`)`

			`expect(config.adapter_options).to eq(`
			`host: 'ldap.example.com',`
			`port: 386,`
Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00			`encryption: { method: nil }`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`)`
			`end`

			`it 'includes authentication options when auth is configured' do`
			`stub_ldap_config(`
			`options: {`
Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'simple_tls',`
			`'verify_certificates' => true,`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`}`
			`)`

Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00			`expect(config.adapter_options).to include({`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`auth: {`
			`method: :simple,`
			`username: 'uid=admin,dc=example,dc=com',`
			`password: 'super_secret'`
			`}`
Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00			`})`
			`end`

			`it 'sets encryption method to simple_tls when configured as simple_tls' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'simple_tls'`
			`}`
			`)`

			`expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })`
			`end`

			`it 'sets encryption method to simple_tls when configured as ssl, for backwards compatibility' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'ssl'`
			`}`
			`)`

			`expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })`
			`end`

			`it 'sets encryption method to start_tls when configured as start_tls' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'start_tls'`
			`}`
			`)`

			`expect(config.adapter_options[:encryption]).to include({ method: :start_tls })`
			`end`

			`it 'sets encryption method to start_tls when configured as tls, for backwards compatibility' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'tls'`
			`}`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`)`
Set `Net::LDAP` encryption properly 2017-06-08 19:30:54 -04:00
			`expect(config.adapter_options[:encryption]).to include({ method: :start_tls })`
			`end`

			`context 'when verify_certificates is enabled' do`
			`it 'sets tls_options to OpenSSL defaults' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'simple_tls',`
			`'verify_certificates' => true`
			`}`
			`)`

			`expect(config.adapter_options[:encryption]).to include({ tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS })`
			`end`
			`end`

			`context 'when verify_certificates is disabled' do`
			`it 'sets verify_mode to OpenSSL VERIFY_NONE' do`
			`stub_ldap_config(`
			`options: {`
			`'host' => 'ldap.example.com',`
			`'port' => 686,`
			`'encryption' => 'simple_tls',`
			`'verify_certificates' => false`
			`}`
			`)`

			`expect(config.adapter_options[:encryption]).to include({`
			`tls_options: {`
			`verify_mode: OpenSSL::SSL::VERIFY_NONE`
			`}`
			`})`
			`end`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`end`
			`end`

			`describe '#omniauth_options' do`
			`it 'constructs basic options' do`
			`stub_ldap_config(`
			`options: {`
Use encryption instead of method The method key is deprecated in the `gitlab_omniauth-ldap` gem. 2017-06-08 18:46:06 -04:00			`'host' => 'ldap.example.com',`
			`'port' => 386,`
			`'base' => 'ou=users,dc=example,dc=com',`
			`'encryption' => 'plain',`
			`'uid' => 'uid'`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`}`
			`)`

			`expect(config.omniauth_options).to include(`
			`host: 'ldap.example.com',`
			`port: 386,`
			`base: 'ou=users,dc=example,dc=com',`
Use encryption instead of method The method key is deprecated in the `gitlab_omniauth-ldap` gem. 2017-06-08 18:46:06 -04:00			`encryption: 'plain',`
Centralize LDAP config/filter logic Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously, some logic was in the Devise initializer and it was not honoring the `user_filter`. If a user outside the configured `user_filter` signed in, an account would be created but they would then be denied access. Now that logic is centralized, the filter is honored and users outside the filter are never created. 2016-11-11 15:44:08 -05:00			`filter: '(uid=%{username})'`
			`)`
			`expect(config.omniauth_options.keys).not_to include(:bind_dn, :password)`
			`end`

			`it 'includes authentication options when auth is configured' do`
			`stub_ldap_config(`
			`options: {`
			`'uid' => 'sAMAccountName',`
			`'user_filter' => '(memberOf=cn=group1,ou=groups,dc=example,dc=com)',`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
			`}`
			`)`

			`expect(config.omniauth_options).to include(`
			`filter: '(&(sAMAccountName=%{username})(memberOf=cn=group1,ou=groups,dc=example,dc=com))',`
			`bind_dn: 'uid=admin,dc=example,dc=com',`
			`password: 'super_secret'`
			`)`
			`end`
			`end`

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`describe '#has_auth?' do`
			`it 'is true when password is set' do`
			`stub_ldap_config(`
			`options: {`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => 'super_secret'`
			`}`
			`)`

			`expect(config.has_auth?).to be_truthy`
			`end`

			`it 'is true when bind_dn is set and password is empty' do`
			`stub_ldap_config(`
			`options: {`
			`'bind_dn' => 'uid=admin,dc=example,dc=com',`
			`'password' => ''`
			`}`
			`)`

			`expect(config.has_auth?).to be_truthy`
			`end`

			`it 'is false when password and bind_dn are not set' do`
			`stub_ldap_config(options: { 'bind_dn' => nil, 'password' => nil })`

			`expect(config.has_auth?).to be_falsey`
			`end`
			`end`
LDAP attributes needs default values 2017-01-05 17:01:04 -05:00
			`describe '#attributes' do`
			`it 'uses default attributes when no custom attributes are configured' do`
			`expect(config.attributes).to eq(config.default_attributes)`
			`end`

			`it 'merges the configuration attributes with default attributes' do`
			`stub_ldap_config(`
			`options: {`
			`'attributes' => {`
			`'username' => %w(sAMAccountName),`
			`'email' => %w(userPrincipalName)`
			`}`
			`}`
			`)`

			`expect(config.attributes).to include({`
			`'username' => %w(sAMAccountName),`
			`'email' => %w(userPrincipalName),`
			`'name' => 'cn'`
			`})`
			`end`
			`end`
Fix LDAP config lookup for provider 'ldap' 2014-10-23 16:57:16 -04:00			`end`