From 8110e7530902de8744ff985f08938306e2c38367 Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Wed, 6 Apr 2016 18:12:25 -0500 Subject: [PATCH] Implemented suggested fixes --- doc/integration/saml.md | 3 +-- lib/gitlab/saml/auth_hash.rb | 2 +- lib/gitlab/saml/config.rb | 1 - lib/gitlab/saml/user.rb | 7 +++--- spec/lib/gitlab/saml/user_spec.rb | 41 ++++++++++++------------------- 5 files changed, 21 insertions(+), 33 deletions(-) diff --git a/doc/integration/saml.md b/doc/integration/saml.md index 684f0a5b8c9..8a7205caaa4 100644 --- a/doc/integration/saml.md +++ b/doc/integration/saml.md @@ -159,8 +159,7 @@ with the regular SAML response. Here is an example: The name of the attribute can be anything you like, but it must contain the groups to which a user belongs. In order to tell GitLab where to find these groups, you need to add a `groups_attribute:` element to your SAML settings. You will also need to -tell GitLab which groups are external, for that you need the `external_groups:` -element: +tell GitLab which groups are external via the `external_groups:` element: ```yaml { name: 'saml', diff --git a/lib/gitlab/saml/auth_hash.rb b/lib/gitlab/saml/auth_hash.rb index 3414d24ca73..32c1c9ec5bb 100644 --- a/lib/gitlab/saml/auth_hash.rb +++ b/lib/gitlab/saml/auth_hash.rb @@ -9,7 +9,7 @@ module Gitlab private def get_raw(key) - # Needs to call `all` because of https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/attributes.rb#L78 + # Needs to call `all` because of https://git.io/vVo4u # otherwise just the first value is returned auth_hash.extra[:raw_info].all[key] end diff --git a/lib/gitlab/saml/config.rb b/lib/gitlab/saml/config.rb index 2b3cf840f61..0f40c00f547 100644 --- a/lib/gitlab/saml/config.rb +++ b/lib/gitlab/saml/config.rb @@ -1,4 +1,3 @@ -# Load a specific server configuration module Gitlab module Saml class Config diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb index 73fc443a02b..c1072452abe 100644 --- a/lib/gitlab/saml/user.rb +++ b/lib/gitlab/saml/user.rb @@ -28,12 +28,11 @@ module Gitlab if external_users_enabled? # Check if there is overlap between the user's groups and the external groups - # setting and set user as external or internal. + # setting then set user as external or internal. if (auth_hash.groups & Gitlab::Saml::Config.external_groups).empty? - # Avoid an unnecessary change of values and the subsequent save - @user.external = false if @user.external + @user.external = false else - @user.external = true unless @user.external + @user.external = true end end diff --git a/spec/lib/gitlab/saml/user_spec.rb b/spec/lib/gitlab/saml/user_spec.rb index ed7b507dbab..c2a51d9249c 100644 --- a/spec/lib/gitlab/saml/user_spec.rb +++ b/spec/lib/gitlab/saml/user_spec.rb @@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do allow(Gitlab::LDAP::Config).to receive_messages(messages) end - def stub_saml_config(messages) - allow(Gitlab::Saml::Config).to receive_messages(messages) + def stub_basic_saml_config + allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', args: {} } }) end - before { stub_saml_config({ options: { name: 'saml', args: {} } }) } + def stub_saml_group_config(groups) + allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', external_groups: groups, args: {} } }) + end + + before { stub_basic_saml_config } describe 'account exists on server' do before { stub_omniauth_config({ allow_single_sign_on: ['saml'], auto_link_saml_user: true }) } @@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do context 'external groups' do context 'are defined' do - before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Freelancers), args: {} } }) } it 'marks the user as external' do + stub_saml_group_config(%w(Freelancers)) saml_user.save expect(gl_user).to be_valid expect(gl_user.external).to be_truthy end end - before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Interns), args: {} } }) } + before { stub_saml_group_config(%w(Interns)) } context 'are defined but the user does not belong there' do it 'does not mark the user as external' do saml_user.save @@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do context 'external groups' do context 'are defined' do - before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Freelancers), args: {} } }) } it 'marks the user as external' do + stub_saml_group_config(%w(Freelancers)) saml_user.save expect(gl_user).to be_valid expect(gl_user.external).to be_truthy end end - before { stub_saml_config({ options: { name: 'saml', groups_attribute: 'groups', external_groups: %w(Interns), args: {} } }) } context 'are defined but the user does not belong there' do it 'does not mark the user as external' do + stub_saml_group_config(%w(Interns)) saml_user.save expect(gl_user).to be_valid expect(gl_user.external).to be_falsey @@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do context 'with auto_link_ldap_user enabled' do before { stub_omniauth_config({ auto_link_ldap_user: true, auto_link_saml_user: false }) } - context 'and no LDAP provider defined' do - before { stub_ldap_config(providers: []) } - - include_examples 'to verify compliance with allow_single_sign_on' - end - context 'and at least one LDAP provider is defined' do before { stub_ldap_config(providers: %w(ldapmain)) } @@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do before do allow(ldap_user).to receive(:uid) { uid } allow(ldap_user).to receive(:username) { uid } - allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] } + allow(ldap_user).to receive(:email) { %w(john@mail.com john2@example.com) } allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user) end context 'and no account for the LDAP user' do - it 'creates a user with dual LDAP and SAML identities' do saml_user.save expect(gl_user).to be_valid expect(gl_user.username).to eql uid - expect(gl_user.email).to eql 'johndoe@example.com' + expect(gl_user.email).to eql 'john@mail.com' expect(gl_user.identities.length).to eql 2 identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, @@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do end context 'and LDAP user has an account already' do - let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } - it "adds the omniauth identity to the LDAP account" do + let!(:existing_user) { create(:omniauth_user, email: 'john@mail.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } + it 'adds the omniauth identity to the LDAP account' do saml_user.save expect(gl_user).to be_valid expect(gl_user.username).to eql 'john' - expect(gl_user.email).to eql 'john@example.com' + expect(gl_user.email).to eql 'john@mail.com' expect(gl_user.identities.length).to eql 2 identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, @@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do end end end - - context 'and no corresponding LDAP person' do - before { allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil) } - - include_examples 'to verify compliance with allow_single_sign_on' - end end end