discourse/spec/lib/validators/enable_sso_validator_spec.rb

# frozen_string_literal: true

RSpec.describe EnableSsoValidator do
  subject { described_class.new }

  describe "#valid_value?" do
    describe "when 'sso url' is empty" do
      before { SiteSetting.discourse_connect_url = "" }

      describe "when val is false" do
        it "should be valid" do
          expect(subject.valid_value?("f")).to eq(true)
        end
      end

      describe "when value is true" do
        it "should not be valid" do
          expect(subject.valid_value?("t")).to eq(false)

          expect(subject.error_message).to eq(
            I18n.t("site_settings.errors.discourse_connect_url_is_empty"),
          )
        end
      end
    end

    describe "when invite_only is set" do
      before do
        SiteSetting.invite_only = true
        SiteSetting.discourse_connect_url = "https://example.com/sso"
      end

      it "allows a false value" do
        expect(subject.valid_value?("f")).to eq(true)
      end

      it "doesn't allow true" do
        expect(subject.valid_value?("t")).to eq(false)
        expect(subject.error_message).to eq(
          I18n.t("site_settings.errors.discourse_connect_invite_only"),
        )
      end
    end

    describe "when 'sso url' is present" do
      before { SiteSetting.discourse_connect_url = "https://www.example.com/sso" }

      describe "when value is false" do
        it "should be valid" do
          expect(subject.valid_value?("f")).to eq(true)
        end
      end

      describe "when value is true" do
        it "should be valid" do
          expect(subject.valid_value?("t")).to eq(true)
        end
      end
    end

    describe "when 2FA is enforced" do
      before { SiteSetting.discourse_connect_url = "https://www.example.com/sso" }

      it "should be invalid" do
        SiteSetting.enforce_second_factor = "all"

        expect(subject.valid_value?("t")).to eq(false)
      end

      it "should be valid" do
        SiteSetting.enforce_second_factor = "no"

        expect(subject.valid_value?("t")).to eq(true)
      end
    end
  end
end
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction 2019-04-29 20:27:42 -04:00			`# frozen_string_literal: true`

FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00			`RSpec.describe EnableSsoValidator do`
			`subject { described_class.new }`

			`describe "#valid_value?" do`
			`describe "when 'sso url' is empty" do`
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does not aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. 2021-02-08 05:04:33 -05:00			`before { SiteSetting.discourse_connect_url = "" }`
FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00
			`describe "when val is false" do`
			`it "should be valid" do`
			`expect(subject.valid_value?("f")).to eq(true)`
			`end`
			`end`

			`describe "when value is true" do`
			`it "should not be valid" do`
			`expect(subject.valid_value?("t")).to eq(false)`

			`expect(subject.error_message).to eq(`
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does not aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. 2021-02-08 05:04:33 -05:00			`I18n.t("site_settings.errors.discourse_connect_url_is_empty"),`
FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00			`)`
			`end`
			`end`
			`end`

FIX: Do not allow `invite_only` and `enable_sso` at the same time This functionality was never supported but before the new review queue it didn't have any errors. Now the combination of settings is prevented and existing sites with sso enabled will be migrated to remove invite only. 2019-04-02 10:26:27 -04:00			`describe "when invite_only is set" do`
			`before do`
			`SiteSetting.invite_only = true`
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does not aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. 2021-02-08 05:04:33 -05:00			`SiteSetting.discourse_connect_url = "https://example.com/sso"`
FIX: Do not allow `invite_only` and `enable_sso` at the same time This functionality was never supported but before the new review queue it didn't have any errors. Now the combination of settings is prevented and existing sites with sso enabled will be migrated to remove invite only. 2019-04-02 10:26:27 -04:00			`end`

			`it "allows a false value" do`
			`expect(subject.valid_value?("f")).to eq(true)`
			`end`

			`it "doesn't allow true" do`
			`expect(subject.valid_value?("t")).to eq(false)`
			`expect(subject.error_message).to eq(`
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does not aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. 2021-02-08 05:04:33 -05:00			`I18n.t("site_settings.errors.discourse_connect_invite_only"),`
FIX: Do not allow `invite_only` and `enable_sso` at the same time This functionality was never supported but before the new review queue it didn't have any errors. Now the combination of settings is prevented and existing sites with sso enabled will be migrated to remove invite only. 2019-04-02 10:26:27 -04:00			`)`
			`end`
			`end`

FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00			`describe "when 'sso url' is present" do`
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does not aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. 2021-02-08 05:04:33 -05:00			`before { SiteSetting.discourse_connect_url = "https://www.example.com/sso" }`
FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00
			`describe "when value is false" do`
			`it "should be valid" do`
			`expect(subject.valid_value?("f")).to eq(true)`
			`end`
			`end`

			`describe "when value is true" do`
			`it "should be valid" do`
			`expect(subject.valid_value?("t")).to eq(true)`
			`end`
			`end`
			`end`

FIX: Check 2FA is disabled before enabling DiscourseConnect. (#16542) Both settings are incompatible. We validated that DiscourseConnect is disabled before enabling 2FA but were missing the other way around. 2022-04-25 13:49:36 -04:00			`describe "when 2FA is enforced" do`
			`before { SiteSetting.discourse_connect_url = "https://www.example.com/sso" }`

			`it "should be invalid" do`
			`SiteSetting.enforce_second_factor = "all"`

			`expect(subject.valid_value?("t")).to eq(false)`
			`end`

			`it "should be valid" do`
			`SiteSetting.enforce_second_factor = "no"`

			`expect(subject.valid_value?("t")).to eq(true)`
			`end`
			`end`
FIX: verify presence of 'sso url' before enabling 'enable sso' 2017-12-23 03:00:49 -05:00			`end`
			`end`