Diffstat (limited to 'spec/controllers/sessions_controller_spec.rb')
-rw-r--r--spec/controllers/sessions_controller_spec.rb174
1 files changed, 87 insertions, 87 deletions
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index ea7242c1aa8..25cf9058a3e 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -1,32 +1,32 @@
-require 'spec_helper'
+require "spec_helper"
describe SessionsController do
include DeviseHelpers
- describe '#new' do
+ describe "#new" do
before do
set_devise_mapping(context: @request)
end
- context 'when auto sign-in is enabled' do
+ context "when auto sign-in is enabled" do
before do
stub_omniauth_setting(auto_sign_in_with_provider: :saml)
allow(controller).to receive(:omniauth_authorize_path).with(:user, :saml)
- .and_return('/saml')
+ .and_return("/saml")
end
- context 'and no auto_sign_in param is passed' do
- it 'redirects to :omniauth_authorize_path' do
+ context "and no auto_sign_in param is passed" do
+ it "redirects to :omniauth_authorize_path" do
get(:new)
expect(response).to have_gitlab_http_status(302)
- expect(response).to redirect_to('/saml')
+ expect(response).to redirect_to("/saml")
end
end
- context 'and auto_sign_in=false param is passed' do
- it 'responds with 200' do
- get(:new, params: { auto_sign_in: 'false' })
+ context "and auto_sign_in=false param is passed" do
+ it "responds with 200" do
+ get(:new, params: {auto_sign_in: "false"})
expect(response).to have_gitlab_http_status(200)
end
@@ -34,132 +34,132 @@ describe SessionsController do
end
end
- describe '#create' do
+ describe "#create" do
before do
set_devise_mapping(context: @request)
end
- context 'when using standard authentications' do
- context 'invalid password' do
- it 'does not authenticate user' do
- post(:create, params: { user: { login: 'invalid', password: 'invalid' } })
+ context "when using standard authentications" do
+ context "invalid password" do
+ it "does not authenticate user" do
+ post(:create, params: {user: {login: "invalid", password: "invalid"}})
expect(response)
.to set_flash.now[:alert].to /Invalid Login or password/
end
end
- context 'when using valid password', :clean_gitlab_redis_shared_state do
+ context "when using valid password", :clean_gitlab_redis_shared_state do
let(:user) { create(:user) }
- let(:user_params) { { login: user.username, password: user.password } }
+ let(:user_params) { {login: user.username, password: user.password} }
- it 'authenticates user correctly' do
- post(:create, params: { user: user_params })
+ it "authenticates user correctly" do
+ post(:create, params: {user: user_params})
expect(subject.current_user). to eq user
end
- it 'creates an audit log record' do
- expect { post(:create, params: { user: user_params }) }.to change { SecurityEvent.count }.by(1)
- expect(SecurityEvent.last.details[:with]).to eq('standard')
+ it "creates an audit log record" do
+ expect { post(:create, params: {user: user_params}) }.to change { SecurityEvent.count }.by(1)
+ expect(SecurityEvent.last.details[:with]).to eq("standard")
end
- include_examples 'user login request with unique ip limit', 302 do
+ include_examples "user login request with unique ip limit", 302 do
def request
- post(:create, params: { user: user_params })
+ post(:create, params: {user: user_params})
expect(subject.current_user).to eq user
subject.sign_out user
end
end
- it 'updates the user activity' do
- expect do
- post(:create, params: { user: user_params })
- end.to change { user.reload.last_activity_on }.to(Date.today)
+ it "updates the user activity" do
+ expect {
+ post(:create, params: {user: user_params})
+ }.to change { user.reload.last_activity_on }.to(Date.today)
end
end
- context 'when reCAPTCHA is enabled' do
+ context "when reCAPTCHA is enabled" do
let(:user) { create(:user) }
- let(:user_params) { { login: user.username, password: user.password } }
+ let(:user_params) { {login: user.username, password: user.password} }
before do
stub_application_setting(recaptcha_enabled: true)
request.headers[described_class::CAPTCHA_HEADER] = 1
end
- it 'displays an error when the reCAPTCHA is not solved' do
+ it "displays an error when the reCAPTCHA is not solved" do
# Without this, `verify_recaptcha` arbitrarily returns true in test env
- Recaptcha.configuration.skip_verify_env.delete('test')
+ Recaptcha.configuration.skip_verify_env.delete("test")
counter = double(:counter)
expect(counter).to receive(:increment)
expect(Gitlab::Metrics).to receive(:counter)
- .with(:failed_login_captcha_total, anything)
- .and_return(counter)
+ .with(:failed_login_captcha_total, anything)
+ .and_return(counter)
- post(:create, params: { user: user_params })
+ post(:create, params: {user: user_params})
expect(response).to render_template(:new)
- expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+ expect(flash[:alert]).to include "There was an error with the reCAPTCHA. Please solve the reCAPTCHA again."
expect(subject.current_user).to be_nil
end
- it 'successfully logs in a user when reCAPTCHA is solved' do
+ it "successfully logs in a user when reCAPTCHA is solved" do
# Avoid test ordering issue and ensure `verify_recaptcha` returns true
- Recaptcha.configuration.skip_verify_env << 'test'
+ Recaptcha.configuration.skip_verify_env << "test"
counter = double(:counter)
expect(counter).to receive(:increment)
expect(Gitlab::Metrics).to receive(:counter)
- .with(:successful_login_captcha_total, anything)
- .and_return(counter)
+ .with(:successful_login_captcha_total, anything)
+ .and_return(counter)
expect(Gitlab::Metrics).to receive(:counter).and_call_original
- post(:create, params: { user: user_params })
+ post(:create, params: {user: user_params})
expect(subject.current_user).to eq user
end
end
end
- context 'when using two-factor authentication via OTP' do
+ context "when using two-factor authentication via OTP" do
let(:user) { create(:user, :two_factor) }
def authenticate_2fa(user_params)
- post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
+ post(:create, params: {user: user_params}, session: {otp_user_id: user.id})
end
- context 'remember_me field' do
- it 'sets a remember_user_token cookie when enabled' do
+ context "remember_me field" do
+ it "sets a remember_user_token cookie when enabled" do
allow(controller).to receive(:find_user).and_return(user)
expect(controller)
.to receive(:remember_me).with(user).and_call_original
- authenticate_2fa(remember_me: '1', otp_attempt: user.current_otp)
+ authenticate_2fa(remember_me: "1", otp_attempt: user.current_otp)
- expect(response.cookies['remember_user_token']).to be_present
+ expect(response.cookies["remember_user_token"]).to be_present
end
- it 'does nothing when disabled' do
+ it "does nothing when disabled" do
allow(controller).to receive(:find_user).and_return(user)
expect(controller).not_to receive(:remember_me)
- authenticate_2fa(remember_me: '0', otp_attempt: user.current_otp)
+ authenticate_2fa(remember_me: "0", otp_attempt: user.current_otp)
- expect(response.cookies['remember_user_token']).to be_nil
+ expect(response.cookies["remember_user_token"]).to be_nil
end
end
##
# See #14900 issue
#
- context 'when authenticating with login and OTP of another user' do
- context 'when another user has 2FA enabled' do
+ context "when authenticating with login and OTP of another user" do
+ context "when another user has 2FA enabled" do
let(:another_user) { create(:user, :two_factor) }
- context 'when OTP is valid for another user' do
- it 'does not authenticate' do
+ context "when OTP is valid for another user" do
+ it "does not authenticate" do
authenticate_2fa(login: another_user.username,
otp_attempt: another_user.current_otp)
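Review bot: The reCAPTCHA example that calls `Recaptcha.configuration.skip_verify_env.delete("test")` mutates what looks like process-global Recaptcha configuration and never restores it, so whether captcha verification is enforced leaks into whichever example runs next; the "Avoid test ordering issue" comment on the sibling example already compensates for this rather than fixing it. Since this commit re-touches every line of the block, it is a good moment to restore the setting deterministically around the context, e.g. `around { |ex| saved = Recaptcha.configuration.skip_verify_env.dup; ex.run; Recaptcha.configuration.skip_verify_env.replace(saved) }`, and drop the `<< "test"` push in the second example so "test" is not appended on every run. Separately, `expect(subject.current_user). to eq user` keeps a stray space before `.to` that this restyle missed.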
@@ -167,73 +167,73 @@ describe SessionsController do
end
end
- context 'when OTP is invalid for another user' do
- it 'does not authenticate' do
+ context "when OTP is invalid for another user" do
+ it "does not authenticate" do
authenticate_2fa(login: another_user.username,
- otp_attempt: 'invalid')
+ otp_attempt: "invalid")
expect(subject.current_user).not_to eq another_user
end
end
- context 'when authenticating with OTP' do
- context 'when OTP is valid' do
- it 'authenticates correctly' do
+ context "when authenticating with OTP" do
+ context "when OTP is valid" do
+ it "authenticates correctly" do
authenticate_2fa(otp_attempt: user.current_otp)
expect(subject.current_user).to eq user
end
end
- context 'when OTP is invalid' do
+ context "when OTP is invalid" do
before do
- authenticate_2fa(otp_attempt: 'invalid')
+ authenticate_2fa(otp_attempt: "invalid")
end
- it 'does not authenticate' do
+ it "does not authenticate" do
expect(subject.current_user).not_to eq user
end
- it 'warns about invalid OTP code' do
+ it "warns about invalid OTP code" do
expect(response).to set_flash.now[:alert]
.to /Invalid two-factor code/
end
end
end
- context 'when the user is on their last attempt' do
+ context "when the user is on their last attempt" do
before do
user.update(failed_attempts: User.maximum_attempts.pred)
end
- context 'when OTP is valid' do
- it 'authenticates correctly' do
+ context "when OTP is valid" do
+ it "authenticates correctly" do
authenticate_2fa(otp_attempt: user.current_otp)
expect(subject.current_user).to eq user
end
end
- context 'when OTP is invalid' do
+ context "when OTP is invalid" do
before do
- authenticate_2fa(otp_attempt: 'invalid')
+ authenticate_2fa(otp_attempt: "invalid")
end
- it 'does not authenticate' do
+ it "does not authenticate" do
expect(subject.current_user).not_to eq user
end
- it 'warns about invalid login' do
+ it "warns about invalid login" do
expect(response).to set_flash.now[:alert]
.to /Invalid Login or password/
end
- it 'locks the user' do
+ it "locks the user" do
expect(user.reload).to be_access_locked
end
- it 'keeps the user locked on future login attempts' do
- post(:create, params: { user: { login: user.username, password: user.password } })
+ it "keeps the user locked on future login attempts" do
+ post(:create, params: {user: {login: user.username, password: user.password}})
expect(response)
.to set_flash.now[:alert].to /Invalid Login or password/
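Review bot: The invalid-OTP examples (both `context "when OTP is invalid"` blocks in this hunk) only assert `expect(subject.current_user).not_to eq user`, which also passes if some other account ended up signed in; for a rejected second factor the property worth pinning is that no session exists at all, `expect(subject.current_user).to be_nil`. The "when OTP is invalid for another user" example near the top of the hunk has the same weakness with `not_to eq another_user`. The `it` block this hunk opens with ("when OTP is valid for another user") begins outside the hunk.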
@@ -241,12 +241,12 @@ describe SessionsController do
end
end
- context 'when another user does not have 2FA enabled' do
+ context "when another user does not have 2FA enabled" do
let(:another_user) { create(:user) }
- it 'does not leak that 2FA is disabled for another user' do
+ it "does not leak that 2FA is disabled for another user" do
authenticate_2fa(login: another_user.username,
- otp_attempt: 'invalid')
+ otp_attempt: "invalid")
expect(response).to set_flash.now[:alert]
.to /Invalid two-factor code/
@@ -261,33 +261,33 @@ describe SessionsController do
end
end
- context 'when using two-factor authentication via U2F device' do
+ context "when using two-factor authentication via U2F device" do
let(:user) { create(:user, :two_factor) }
def authenticate_2fa_u2f(user_params)
- post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
+ post(:create, params: {user: user_params}, session: {otp_user_id: user.id})
end
- context 'remember_me field' do
- it 'sets a remember_user_token cookie when enabled' do
+ context "remember_me field" do
+ it "sets a remember_user_token cookie when enabled" do
allow(U2fRegistration).to receive(:authenticate).and_return(true)
allow(controller).to receive(:find_user).and_return(user)
expect(controller)
.to receive(:remember_me).with(user).and_call_original
- authenticate_2fa_u2f(remember_me: '1', login: user.username, device_response: "{}")
+ authenticate_2fa_u2f(remember_me: "1", login: user.username, device_response: "{}")
- expect(response.cookies['remember_user_token']).to be_present
+ expect(response.cookies["remember_user_token"]).to be_present
end
- it 'does nothing when disabled' do
+ it "does nothing when disabled" do
allow(U2fRegistration).to receive(:authenticate).and_return(true)
allow(controller).to receive(:find_user).and_return(user)
expect(controller).not_to receive(:remember_me)
- authenticate_2fa_u2f(remember_me: '0', login: user.username, device_response: "{}")
+ authenticate_2fa_u2f(remember_me: "0", login: user.username, device_response: "{}")
- expect(response.cookies['remember_user_token']).to be_nil
+ expect(response.cookies["remember_user_token"]).to be_nil
end
end
@@ -309,7 +309,7 @@ describe SessionsController do
search_path = "/search?search=seed_project"
request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
- get(:new, params: { redirect_to_referer: :yes })
+ get(:new, params: {redirect_to_referer: :yes})
expect(controller.stored_location_for(:redirect)).to eq(search_path)
end