Attempt to link saml users to ldap by email
This commit is contained in:
parent
4d88f64968
commit
718e5b0865
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Link SAML users to LDAP by email.
|
||||||
|
merge_request: 14216
|
||||||
|
author:
|
||||||
|
type: changed
|
|
@ -17,6 +17,10 @@ module Gitlab
|
||||||
adapter.user('dn', dn)
|
adapter.user('dn', dn)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.find_by_email(email, adapter)
|
||||||
|
Array(adapter.config.attributes['email']).find { |attr| adapter.user(attr, email) }
|
||||||
|
end
|
||||||
|
|
||||||
def self.disabled_via_active_directory?(dn, adapter)
|
def self.disabled_via_active_directory?(dn, adapter)
|
||||||
adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
|
adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
|
||||||
end
|
end
|
||||||
|
|
|
@ -108,9 +108,12 @@ module Gitlab
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_ldap_person(auth_hash, adapter)
|
def find_ldap_person(auth_hash, adapter)
|
||||||
by_uid = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
|
person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
|
||||||
# The `uid` might actually be a DN. Try it next.
|
# The `uid` might actually be a DN. Try it next.
|
||||||
by_uid || Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
|
person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
|
||||||
|
|
||||||
|
# The `uid` might actually be a Email. Try it next.
|
||||||
|
person || Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter)
|
||||||
end
|
end
|
||||||
|
|
||||||
def ldap_config
|
def ldap_config
|
||||||
|
|
|
@ -11,16 +11,16 @@ module Gitlab
|
||||||
end
|
end
|
||||||
|
|
||||||
def gl_user
|
def gl_user
|
||||||
if auto_link_ldap_user?
|
if auto_link_saml_user?
|
||||||
|
@user ||= find_by_email
|
||||||
|
end
|
||||||
|
|
||||||
|
if auto_link_ldap_user? && !@user&.ldap_user?
|
||||||
@user ||= find_or_create_ldap_user
|
@user ||= find_or_create_ldap_user
|
||||||
end
|
end
|
||||||
|
|
||||||
@user ||= find_by_uid_and_provider
|
@user ||= find_by_uid_and_provider
|
||||||
|
|
||||||
if auto_link_saml_user?
|
|
||||||
@user ||= find_by_email
|
|
||||||
end
|
|
||||||
|
|
||||||
if signup_enabled?
|
if signup_enabled?
|
||||||
@user ||= build_new_user
|
@user ||= build_new_user
|
||||||
end
|
end
|
||||||
|
@ -42,7 +42,11 @@ module Gitlab
|
||||||
def find_by_email
|
def find_by_email
|
||||||
if auth_hash.has_attribute?(:email)
|
if auth_hash.has_attribute?(:email)
|
||||||
user = ::User.find_by(email: auth_hash.email.downcase)
|
user = ::User.find_by(email: auth_hash.email.downcase)
|
||||||
user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user
|
|
||||||
|
if user&.identities&.empty?
|
||||||
|
user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
|
||||||
|
end
|
||||||
|
|
||||||
user
|
user
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -170,6 +170,7 @@ describe Gitlab::Saml::User do
|
||||||
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
|
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
|
||||||
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
|
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
|
||||||
allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)
|
allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)
|
||||||
|
allow(Gitlab::LDAP::Person).to receive(:find_by_email).and_return(ldap_user)
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'and no account for the LDAP user' do
|
context 'and no account for the LDAP user' do
|
||||||
|
@ -195,6 +196,82 @@ describe Gitlab::Saml::User do
|
||||||
username: 'john')
|
username: 'john')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
shared_examples 'find ldap person' do |uid_type, uid|
|
||||||
|
before do
|
||||||
|
allow(Gitlab::LDAP::Person).to receive(:"find_by_#{uid_type}").and_return(ldap_user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'adds the omniauth identity to the LDAP account' do
|
||||||
|
identities = [
|
||||||
|
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
|
||||||
|
{ provider: 'saml', extern_uid: extern_uid }
|
||||||
|
]
|
||||||
|
|
||||||
|
identities_as_hash = gl_user.identities.map do |id|
|
||||||
|
{ provider: id.provider, extern_uid: id.extern_uid }
|
||||||
|
end
|
||||||
|
|
||||||
|
saml_user.save
|
||||||
|
|
||||||
|
expect(gl_user).to be_valid
|
||||||
|
expect(gl_user.username).to eql 'john'
|
||||||
|
expect(gl_user.email).to eql 'john@mail.com'
|
||||||
|
expect(gl_user.identities.length).to be 2
|
||||||
|
expect(identities_as_hash).to match_array(identities)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when uid is an uid' do
|
||||||
|
it_behaves_like 'find ldap person', 'uid' do
|
||||||
|
let(:extern_uid) { uid }
|
||||||
|
let(:auth_hash) do
|
||||||
|
OmniAuth::AuthHash.new(
|
||||||
|
uid: uid,
|
||||||
|
provider: provider,
|
||||||
|
info: info_hash,
|
||||||
|
extra: {
|
||||||
|
raw_info: OneLogin::RubySaml::Attributes.new(
|
||||||
|
{ 'groups' => %w(Developers Freelancers Designers) }
|
||||||
|
)
|
||||||
|
})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when uid is a dn' do
|
||||||
|
it_behaves_like 'find ldap person', 'email' do
|
||||||
|
let(:extern_uid) { 'uid=user1,ou=People,dc=example' }
|
||||||
|
let(:auth_hash) do
|
||||||
|
OmniAuth::AuthHash.new(
|
||||||
|
uid: extern_uid,
|
||||||
|
provider: provider,
|
||||||
|
info: info_hash,
|
||||||
|
extra: {
|
||||||
|
raw_info: OneLogin::RubySaml::Attributes.new(
|
||||||
|
{ 'groups' => %w(Developers Freelancers Designers) }
|
||||||
|
)
|
||||||
|
})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when uid is an email' do
|
||||||
|
it_behaves_like 'find ldap person', 'email' do
|
||||||
|
let(:extern_uid) { 'john@mail.com' }
|
||||||
|
let(:auth_hash) do
|
||||||
|
OmniAuth::AuthHash.new(
|
||||||
|
uid: extern_uid,
|
||||||
|
provider: provider,
|
||||||
|
info: info_hash,
|
||||||
|
extra: {
|
||||||
|
raw_info: OneLogin::RubySaml::Attributes.new(
|
||||||
|
{ 'groups' => %w(Developers Freelancers Designers) }
|
||||||
|
)
|
||||||
|
})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
it 'adds the omniauth identity to the LDAP account' do
|
it 'adds the omniauth identity to the LDAP account' do
|
||||||
saml_user.save
|
saml_user.save
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue