1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-24 13:09:23 -05:00
forgejo/tests/integration/remote_test.go
Earl Warren 7cabc5670d
Implement remote user login source and promotion to regular user
A remote user (UserTypeRemoteUser) is a placeholder that can be
promoted to a regular user (UserTypeIndividual). It represents users
that exist somewhere else. Although the UserTypeRemoteUser already
exists in Forgejo, it is neither used or documented.

A new login type / source (Remote) is introduced and set to be the login type
of remote users.

Type        UserTypeRemoteUser
LogingType  Remote

The association between a remote user and its counterpart in another
environment (for instance another forge) is via the OAuth2 login
source:

LoginName   set to the unique identifier relative to the login source
LoginSource set to the identifier of the remote source

For instance when migrating from GitLab.com, a user can be created as
if it was authenticated using GitLab.com as an OAuth2 authentication
source.

When a user authenticates to Forejo from the same authentication
source and the identifier match, the remote user is promoted to a
regular user. For instance if 43 is the ID of the GitLab.com OAuth2
login source, 88 is the ID of the Remote loging source, and 48323
is the identifier of the foo user:

Type        UserTypeRemoteUser
LogingType  Remote
LoginName   48323
LoginSource 88
Email       (empty)
Name        foo

Will be promoted to the following when the user foo authenticates to
the Forgejo instance using GitLab.com as an OAuth2 provider. All users
with a LoginType of Remote and a LoginName of 48323 are examined. If
the LoginSource has a provider name that matches the provider name of
GitLab.com (usually just "gitlab"), it is a match and can be promoted.

The email is obtained via the OAuth2 provider and the user set to:

Type        UserTypeIndividual
LogingType  OAuth2
LoginName   48323
LoginSource 43
Email       foo@example.com
Name        foo

Note: the Remote login source is an indirection to the actual login
source, i.e. the provider string my be set to a login source that does
not exist yet.
2024-04-25 13:03:49 +02:00

205 lines
6.5 KiB
Go

// Copyright Earl Warren <contact@earl-warren.org>
// SPDX-License-Identifier: MIT
package integration
import (
"context"
"fmt"
"net/http"
"testing"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/test"
remote_service "code.gitea.io/gitea/services/remote"
"code.gitea.io/gitea/tests"
"github.com/markbates/goth"
"github.com/stretchr/testify/assert"
)
func TestRemote_MaybePromoteUserSuccess(t *testing.T) {
defer tests.PrepareTestEnv(t)()
//
// OAuth2 authentication source GitLab
//
gitlabName := "gitlab"
_ = addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
//
// Remote authentication source matching the GitLab authentication source
//
remoteName := "remote"
remote := createRemoteAuthSource(t, remoteName, "http://mygitlab.eu", gitlabName)
//
// Create a user as if it had previously been created by the remote
// authentication source.
//
gitlabUserID := "5678"
gitlabEmail := "gitlabuser@example.com"
userBeforeSignIn := &user_model.User{
Name: "gitlabuser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: remote.ID,
LoginName: gitlabUserID,
}
defer createUser(context.Background(), t, userBeforeSignIn)()
//
// A request for user information sent to Goth will return a
// goth.User exactly matching the user created above.
//
defer mockCompleteUserAuth(func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
return goth.User{
Provider: gitlabName,
UserID: gitlabUserID,
Email: gitlabEmail,
}, nil
})()
req := NewRequest(t, "GET", fmt.Sprintf("/user/oauth2/%s/callback?code=XYZ&state=XYZ", gitlabName))
resp := MakeRequest(t, req, http.StatusSeeOther)
assert.Equal(t, "/", test.RedirectURL(resp))
userAfterSignIn := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userBeforeSignIn.ID})
// both are about the same user
assert.Equal(t, userAfterSignIn.ID, userBeforeSignIn.ID)
// the login time was updated, proof the login succeeded
assert.Greater(t, userAfterSignIn.LastLoginUnix, userBeforeSignIn.LastLoginUnix)
// the login type was promoted from Remote to OAuth2
assert.Equal(t, userBeforeSignIn.LoginType, auth_model.Remote)
assert.Equal(t, userAfterSignIn.LoginType, auth_model.OAuth2)
// the OAuth2 email was used to set the missing user email
assert.Equal(t, userBeforeSignIn.Email, "")
assert.Equal(t, userAfterSignIn.Email, gitlabEmail)
}
func TestRemote_MaybePromoteUserFail(t *testing.T) {
defer tests.PrepareTestEnv(t)()
ctx := context.Background()
//
// OAuth2 authentication source GitLab
//
gitlabName := "gitlab"
gitlabSource := addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
//
// Remote authentication source matching the GitLab authentication source
//
remoteName := "remote"
remoteSource := createRemoteAuthSource(t, remoteName, "http://mygitlab.eu", gitlabName)
{
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, &auth_model.Source{}, "", "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonNotAuth2, reason)
}
{
remoteSource.Type = auth_model.OAuth2
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, remoteSource, "", "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonBadAuth2, reason)
remoteSource.Type = auth_model.Remote
}
{
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, "unknownloginname", "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonLoginNameNotExists, reason)
}
{
remoteUserID := "844"
remoteUser := &user_model.User{
Name: "withmailuser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: remoteSource.ID,
LoginName: remoteUserID,
Email: "some@example.com",
}
defer createUser(context.Background(), t, remoteUser)()
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonEmailIsSet, reason)
}
{
remoteUserID := "7464"
nonexistentloginsource := int64(4344)
remoteUser := &user_model.User{
Name: "badsourceuser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: nonexistentloginsource,
LoginName: remoteUserID,
}
defer createUser(context.Background(), t, remoteUser)()
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonNoSource, reason)
}
{
remoteUserID := "33335678"
remoteUser := &user_model.User{
Name: "badremoteuser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: gitlabSource.ID,
LoginName: remoteUserID,
}
defer createUser(context.Background(), t, remoteUser)()
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonSourceWrongType, reason)
}
{
unrelatedName := "unrelated"
unrelatedSource := addAuthSource(t, authSourcePayloadGitHubCustom(unrelatedName))
assert.NotNil(t, unrelatedSource)
remoteUserID := "488484"
remoteEmail := "4848484@example.com"
remoteUser := &user_model.User{
Name: "unrelateduser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: remoteSource.ID,
LoginName: remoteUserID,
}
defer createUser(context.Background(), t, remoteUser)()
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, unrelatedSource, remoteUserID, remoteEmail)
assert.NoError(t, err)
assert.False(t, promoted)
assert.Equal(t, remote_service.ReasonNoMatch, reason)
}
{
remoteUserID := "5678"
remoteEmail := "gitlabuser@example.com"
remoteUser := &user_model.User{
Name: "remoteuser",
Type: user_model.UserTypeRemoteUser,
LoginType: auth_model.Remote,
LoginSource: remoteSource.ID,
LoginName: remoteUserID,
}
defer createUser(context.Background(), t, remoteUser)()
promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, remoteEmail)
assert.NoError(t, err)
assert.True(t, promoted)
assert.Equal(t, remote_service.ReasonPromoted, reason)
}
}