summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatricio Cano <suprnova32@gmail.com>2016-04-06 18:12:25 -0500
committerPatricio Cano <suprnova32@gmail.com>2016-04-06 18:12:25 -0500
commit8110e7530902de8744ff985f08938306e2c38367 (patch)
treebb0d7ee98b40059d51c895ec6d2e5eb6ee35a635
parenteb0f1de36c6ebf13d86540bb79d7fb07fc3642f0 (diff)
downloadgitlab-ce-8110e7530902de8744ff985f08938306e2c38367.tar.gz
Implemented suggested fixes
-rw-r--r--doc/integration/saml.md3
-rw-r--r--lib/gitlab/saml/auth_hash.rb2
-rw-r--r--lib/gitlab/saml/config.rb1
-rw-r--r--lib/gitlab/saml/user.rb7
-rw-r--r--spec/lib/gitlab/saml/user_spec.rb41
5 files changed, 21 insertions, 33 deletions
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index 684f0a5b8c9..8a7205caaa4 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -159,8 +159,7 @@ with the regular SAML response. Here is an example:
The name of the attribute can be anything you like, but it must contain the groups
to which a user belongs. In order to tell GitLab where to find these groups, you need
to add a `groups_attribute:` element to your SAML settings. You will also need to
-tell GitLab which groups are external, for that you need the `external_groups:`
-element:
+tell GitLab which groups are external via the `external_groups:` element:
```yaml
{ name: 'saml',
diff --git a/lib/gitlab/saml/auth_hash.rb b/lib/gitlab/saml/auth_hash.rb
index 3414d24ca73..32c1c9ec5bb 100644
--- a/lib/gitlab/saml/auth_hash.rb
+++ b/lib/gitlab/saml/auth_hash.rb
@@ -9,7 +9,7 @@ module Gitlab
private
def get_raw(key)
- # Needs to call `all` because of https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/attributes.rb#L78
+ # Needs to call `all` because of https://git.io/vVo4u
# otherwise just the first value is returned
auth_hash.extra[:raw_info].all[key]
end
diff --git a/lib/gitlab/saml/config.rb b/lib/gitlab/saml/config.rb
index 2b3cf840f61..0f40c00f547 100644
--- a/lib/gitlab/saml/config.rb
+++ b/lib/gitlab/saml/config.rb
@@ -1,4 +1,3 @@
-# Load a specific server configuration
module Gitlab
module Saml
class Config
diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb
index 73fc443a02b..c1072452abe 100644
--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
@@ -28,12 +28,11 @@ module Gitlab
if external_users_enabled?
# Check if there is overlap between the user's groups and the external groups
- # setting and set user as external or internal.
+ # setting then set user as external or internal.
if (auth_hash.groups & Gitlab::Saml::Config.external_groups).empty?
- # Avoid an unnecessary change of values and the subsequent save
- @user.external = false if @user.external
+ @user.external = false
else
- @user.external = true unless @user.external
+ @user.external = true
end
end
diff --git a/spec/lib/gitlab/saml/user_spec.rb b/spec/lib/gitlab/saml/user_spec.rb
index ed7b507dbab..c2a51d9249c 100644
--- a/spec/lib/gitlab/saml/user_spec.rb
+++ b/spec/lib/gitlab/saml/user_spec.rb
@@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do
allow(Gitlab::LDAP::Config).to receive_messages(messages)
end
- def stub_saml_config(messages)
- allow(Gitlab::Saml::Config).to receive_messages(messages)
+ def stub_basic_saml_config
+ allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', args: {} } })
end
- before { stub_saml_config({ options: { name: 'saml', args: {} } }) }
+ def stub_saml_group_config(groups)
+ allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', external_groups: groups, args: {} } })
+ end
+
+ before { stub_basic_saml_config }
describe 'account exists on server' do
before { stub_omniauth_config({ allow_single_sign_on: ['saml'], auto_link_saml_user: true }) }
@@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do
context 'external groups' do
context 'are defined' do
- before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Freelancers), args: {} } }) }
it 'marks the user as external' do
+ stub_saml_group_config(%w(Freelancers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.external).to be_truthy
end
end
- before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Interns), args: {} } }) }
+ before { stub_saml_group_config(%w(Interns)) }
context 'are defined but the user does not belong there' do
it 'does not mark the user as external' do
saml_user.save
@@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do
context 'external groups' do
context 'are defined' do
- before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Freelancers), args: {} } }) }
it 'marks the user as external' do
+ stub_saml_group_config(%w(Freelancers))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.external).to be_truthy
end
end
- before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Interns), args: {} } }) }
context 'are defined but the user does not belong there' do
it 'does not mark the user as external' do
+ stub_saml_group_config(%w(Interns))
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.external).to be_falsey
@@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do
context 'with auto_link_ldap_user enabled' do
before { stub_omniauth_config({ auto_link_ldap_user: true, auto_link_saml_user: false }) }
- context 'and no LDAP provider defined' do
- before { stub_ldap_config(providers: []) }
-
- include_examples 'to verify compliance with allow_single_sign_on'
- end
-
context 'and at least one LDAP provider is defined' do
before { stub_ldap_config(providers: %w(ldapmain)) }
@@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do
before do
allow(ldap_user).to receive(:uid) { uid }
allow(ldap_user).to receive(:username) { uid }
- allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] }
+ allow(ldap_user).to receive(:email) { %w(john@mail.com john2@example.com) }
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
end
context 'and no account for the LDAP user' do
-
it 'creates a user with dual LDAP and SAML identities' do
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.username).to eql uid
- expect(gl_user.email).to eql 'johndoe@example.com'
+ expect(gl_user.email).to eql 'john@mail.com'
expect(gl_user.identities.length).to eql 2
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
@@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do
end
context 'and LDAP user has an account already' do
- let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }
- it "adds the omniauth identity to the LDAP account" do
+ let!(:existing_user) { create(:omniauth_user, email: 'john@mail.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }
+ it 'adds the omniauth identity to the LDAP account' do
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.username).to eql 'john'
- expect(gl_user.email).to eql 'john@example.com'
+ expect(gl_user.email).to eql 'john@mail.com'
expect(gl_user.identities.length).to eql 2
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
@@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do
end
end
end
-
- context 'and no corresponding LDAP person' do
- before { allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil) }
-
- include_examples 'to verify compliance with allow_single_sign_on'
- end
end
end