summaryrefslogtreecommitdiff
path: root/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
blob: 2de824bbf3c4fce5bf1ce6542fb248b4f29b3a05 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Ldap::OmniauthCallbacksController do
  include_context 'Ldap::OmniauthCallbacksController'

  it 'allows sign in' do
    post provider

    expect(request.env['warden']).to be_authenticated
  end

  context 'with sign in prevented' do
    let(:ldap_settings) { ldap_setting_defaults.merge(prevent_ldap_sign_in: true) }

    it 'does not allow sign in' do
      expect { post provider }.to raise_error(ActionController::UrlGenerationError)
    end
  end

  it 'respects remember me checkbox' do
    expect do
      post provider, params: { remember_me: '1' }
    end.to change { user.reload.remember_created_at }.from(nil)
  end

  context 'with 2FA' do
    let(:user) { create(:omniauth_user, :two_factor_via_otp, extern_uid: uid, provider: provider) }

    it 'passes remember_me to the Devise view' do
      post provider, params: { remember_me: '1' }

      expect(assigns[:user].remember_me).to eq '1'
    end
  end

  context 'access denied' do
    let(:valid_login?) { false }

    it 'warns the user' do
      post provider

      expect(flash[:alert]).to match(/Access denied for your LDAP account*/)
    end

    it "doesn't authenticate user" do
      post provider

      expect(request.env['warden']).not_to be_authenticated
      expect(response).to redirect_to(new_user_session_path)
    end
  end

  context 'sign up' do
    let(:user) { double(email: +'new@example.com') }

    before do
      stub_omniauth_setting(block_auto_created_users: false)
    end

    it 'is allowed' do
      post provider

      expect(request.env['warden']).to be_authenticated
    end
  end

  describe 'enable admin mode' do
    include_context 'custom session'

    before do
      sign_in user
    end

    context 'with a regular user' do
      it 'cannot be enabled' do
        reauthenticate_and_check_admin_mode(expected_admin_mode: false)

        expect(response).to redirect_to(root_path)
      end
    end

    context 'with an admin user' do
      let(:user) { create(:omniauth_user, :admin, extern_uid: uid, provider: provider) }

      context 'when requested first' do
        before do
          subject.current_user_mode.request_admin_mode!
        end

        it 'can be enabled' do
          reauthenticate_and_check_admin_mode(expected_admin_mode: true)

          expect(response).to redirect_to(admin_root_path)
        end
      end

      context 'when not requested first' do
        it 'cannot be enabled' do
          reauthenticate_and_check_admin_mode(expected_admin_mode: false)

          expect(response).to redirect_to(root_path)
        end
      end
    end
  end

  def reauthenticate_and_check_admin_mode(expected_admin_mode:)
    # Initially admin mode disabled
    expect(subject.current_user_mode.admin_mode?).to be(false)

    # Trigger OmniAuth admin mode flow and expect admin mode status
    post provider

    expect(request.env['warden']).to be_authenticated
    expect(subject.current_user_mode.admin_mode?).to be(expected_admin_mode)
  end
end