1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'OAuth Login', :allow_forgery_protection, feature_category: :system_access do
include DeviseHelpers
def enter_code(code)
fill_in 'user_otp_attempt', with: code
click_button 'Verify code'
end
def stub_omniauth_config(provider)
OmniAuth.config.add_mock(provider, OmniAuth::AuthHash.new(provider: provider.to_s, uid: "12345"))
stub_omniauth_provider(provider)
end
providers = [:github, :twitter, :bitbucket, :gitlab, :google_oauth2,
:facebook, :cas3, :auth0, :authentiq, :salesforce, :dingtalk, :alicloud]
around do |example|
with_omniauth_full_host { example.run }
end
def login_with_provider(provider, enter_two_factor: false, additional_info: {})
login_via(provider.to_s, user, uid, remember_me: remember_me, additional_info: additional_info)
enter_code(user.current_otp) if enter_two_factor
end
providers.each do |provider|
context "when the user logs in using the #{provider} provider", :js do
let(:uid) { 'my-uid' }
let(:remember_me) { false }
let(:user) { create(:omniauth_user, extern_uid: uid, provider: provider.to_s) }
let(:two_factor_user) { create(:omniauth_user, :two_factor, extern_uid: uid, provider: provider.to_s) }
provider == :salesforce ? let(:additional_info) { { extra: { email_verified: true } } } : let(:additional_info) { {} }
before do
stub_omniauth_config(provider)
expect(ActiveSession).to receive(:cleanup).with(user).at_least(:once).and_call_original
end
context 'when two-factor authentication is disabled' do
it 'logs the user in' do
login_with_provider(provider, additional_info: additional_info)
expect(page).to have_current_path root_path, ignore_query: true
end
end
context 'when two-factor authentication is enabled' do
let(:user) { two_factor_user }
it 'logs the user in' do
login_with_provider(provider, additional_info: additional_info, enter_two_factor: true)
expect(page).to have_current_path root_path, ignore_query: true
end
it 'when bypass-two-factor is enabled' do
allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: true)
login_via(provider.to_s, user, uid, remember_me: false, additional_info: additional_info)
expect(page).to have_current_path root_path, ignore_query: true
end
it 'when bypass-two-factor is disabled' do
allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: false)
login_with_provider(provider, enter_two_factor: true, additional_info: additional_info)
expect(page).to have_current_path root_path, ignore_query: true
end
end
context 'when "remember me" is checked' do
let(:remember_me) { true }
context 'when two-factor authentication is disabled' do
it 'remembers the user after a browser restart' do
login_with_provider(provider, additional_info: additional_info)
clear_browser_session
visit(root_path)
expect(page).to have_current_path root_path, ignore_query: true
end
end
context 'when two-factor authentication is enabled' do
let(:user) { two_factor_user }
it 'remembers the user after a browser restart' do
login_with_provider(provider, enter_two_factor: true, additional_info: additional_info)
clear_browser_session
visit(root_path)
expect(page).to have_current_path root_path, ignore_query: true
end
end
end
context 'when "remember me" is not checked' do
context 'when two-factor authentication is disabled' do
it 'does not remember the user after a browser restart' do
login_with_provider(provider, additional_info: additional_info)
clear_browser_session
visit(root_path)
expect(page).to have_current_path new_user_session_path, ignore_query: true
end
end
context 'when two-factor authentication is enabled' do
let(:user) { two_factor_user }
it 'does not remember the user after a browser restart' do
login_with_provider(provider, enter_two_factor: true, additional_info: additional_info)
clear_browser_session
visit(root_path)
expect(page).to have_current_path new_user_session_path, ignore_query: true
end
end
end
end
end
context 'using GitLab as an OAuth provider' do
let_it_be(:user) { create(:user) }
let(:redirect_uri) { Gitlab::Routing.url_helpers.root_url }
# We can't use let_it_be to set the redirect_uri when creating the
# record as the host / port depends on whether or not the spec uses
# JS.
let(:application) do
create(:oauth_application, scopes: 'api', redirect_uri: redirect_uri, confidential: false)
end
let(:params) do
{
response_type: 'code',
client_id: application.uid,
redirect_uri: redirect_uri,
state: 'state'
}
end
before do
sign_in(user)
create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: 'api')
end
context 'when JS is enabled', :js do
it 'includes the fragment in the redirect if it is simple' do
visit "#{Gitlab::Routing.url_helpers.oauth_authorization_url(params)}#a_test-hash"
expect(page).to have_current_path("#{Gitlab::Routing.url_helpers.root_url}#a_test-hash", ignore_query: true)
end
it 'does not include the fragment if it contains forbidden characters' do
visit "#{Gitlab::Routing.url_helpers.oauth_authorization_url(params)}#a_test-hash."
expect(page).to have_current_path(Gitlab::Routing.url_helpers.root_url, ignore_query: true)
end
end
context 'when JS is disabled' do
it 'provides a basic HTML page including a link without the fragment' do
visit "#{Gitlab::Routing.url_helpers.oauth_authorization_url(params)}#a_test-hash"
expect(page).to have_current_path(oauth_authorization_path(params))
expect(page).to have_selector("a[href^='#{redirect_uri}']")
end
end
end
end
|