Subject: [PATCH] update gem, test pam authentication (#7028)

* update gem, test pam authentication

* add description for test parameters

* fix inclusion of optional group
 .env.test                                     |  4 ++
 .travis.yml                                   |  3 +-
 Gemfile                                       |  2 +-
 Gemfile.lock                                  |  8 +--
 config/environments/test.rb                   | 11 ++++
 .../auth/sessions_controller_spec.rb          | 51 +++++++++++++++++++
 6 files changed, 73 insertions(+), 6 deletions(-)

diff --git a/.env.test b/.env.test
index b57f52e309..7da76f8ef8 100644
--- a/.env.test
+++ b/.env.test
@@ -1,3 +1,7 @@
 # Federation
+# test pam authentication
diff --git a/.travis.yml b/.travis.yml
index 989237a192..2addd9ba2f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -23,6 +23,7 @@ env:
     - RAILS_ENV=test
+    - ALLOW_NOPAM=true
   postgresql: 9.4
@@ -47,7 +48,7 @@ services:
   - nvm install
-  - bundle install --path=vendor/bundle --without development production --retry=3 --jobs=16
+  - bundle install --path=vendor/bundle --with pam_authentication --without development production --retry=3 --jobs=16
   - yarn install
diff --git a/Gemfile b/Gemfile
index 4a5a166bdb..7f9591d8d4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -33,7 +33,7 @@ gem 'devise', '~> 4.4'
 gem 'devise-two-factor', '~> 3.0'
 group :pam_authentication, optional: true do
-  gem 'devise_pam_authenticatable2', '~> 9.0'
+  gem 'devise_pam_authenticatable2', '~> 9.1'
 gem 'net-ldap', '~> 0.10'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0f5a1fb6ad..5322b87461 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -146,9 +146,9 @@ GEM
       devise (~> 4.0)
       railties (< 5.2)
       rotp (~> 2.0)
-    devise_pam_authenticatable2 (9.0.0)
+    devise_pam_authenticatable2 (9.1.0)
       devise (>= 4.0.0)
-      rpam2 (~> 3.0)
+      rpam2 (~> 4.0)
     diff-lcs (1.3)
     docile (1.1.5)
     domain_name (0.5.20170404)
@@ -464,7 +464,7 @@ GEM
       actionpack (>= 4.2.0, < 5.3)
       railties (>= 4.2.0, < 5.3)
     rotp (2.1.2)
-    rpam2 (3.1.0)
+    rpam2 (4.0.2)
     rqrcode (0.10.1)
       chunky_png (~> 1.0)
     rspec-core (3.7.0)
@@ -639,7 +639,7 @@ DEPENDENCIES
   climate_control (~> 0.2)
   devise (~> 4.4)
   devise-two-factor (~> 3.0)
-  devise_pam_authenticatable2 (~> 9.0)
+  devise_pam_authenticatable2 (~> 9.1)
   doorkeeper (~> 4.2)
   dotenv-rails (~> 2.2)
   fabrication (~> 2.18)
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 7d77a170e5..122634d5b8 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -59,3 +59,14 @@ Rails.application.configure do
 Paperclip::Attachment.default_options[:path] = "#{Rails.root}/spec/test_files/:class/:id_partition/:style.:extension"
+# set fake_data for pam, don't do real calls, just use fake data
+if ENV['PAM_ENABLED'] == 'true'
+  Rpam2.fake_data =
+    {
+      usernames: Set['pam_user1', 'pam_user2'],
+      servicenames: Set['pam_test', 'pam_test_controlled'],
+      password: '123456',
+      env: { email: '' }
+    }
diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb
index 88f0a4734d..d5fed17d63 100644
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@@ -48,6 +48,57 @@ RSpec.describe Auth::SessionsController, type: :controller do
       request.env['devise.mapping'] = Devise.mappings[:user]
+    context 'using PAM authentication' do
+      context 'using a valid password' do
+        before do
+          post :create, params: { user: { email: "pam_user1", password: '123456' } }
+        end
+        it 'redirects to home' do
+          expect(response).to redirect_to(root_path)
+        end
+        it 'logs the user in' do
+          expect(controller.current_user).to be_instance_of(User)
+        end
+      end
+      context 'using an invalid password' do
+        before do
+          post :create, params: { user: { email: "pam_user1", password: 'WRONGPW' } }
+        end
+        it 'shows a login error' do
+          expect(flash[:alert]).to match I18n.t('devise.failure.invalid', authentication_keys: 'Email')
+        end
+        it "doesn't log the user in" do
+          expect(controller.current_user).to be_nil
+        end
+      end
+      context 'using a valid email and existing user' do
+        let(:user) do
+          account =, username: 'pam_user1')
+!(validate: false)
+          user = Fabricate(:user, email: '', password: nil, account: account)
+          user
+        end
+        before do
+          post :create, params: { user: { email:, password: '123456' } }
+        end
+        it 'redirects to home' do
+          expect(response).to redirect_to(root_path)
+        end
+        it 'logs the user in' do
+          expect(controller.current_user).to eq user
+        end
+      end
+    end
     context 'using password authentication' do
       let(:user) { Fabricate(:user, email: '', password: 'abcdefgh') }