From d7e2ac729317ace2ccf0203663637ba32f328d1a Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Mon, 24 Apr 2017 16:12:14 -0500
Subject: [PATCH] Fix OAuth, LDAP and SAML SSO when regular sign-ups are disabled
---
 app/services/users/build_service.rb | 4 ++--
 app/services/users/create_service.rb | 4 ++--
 .../unreleased/dm-fix-oauth-user-creation.yml | 4 ++++
 lib/gitlab/o_auth/user.rb | 2 +-
 spec/lib/gitlab/ldap/user_spec.rb | 12 ++++++++++++
 spec/lib/gitlab/o_auth/user_spec.rb | 14 ++++++++++++++
 spec/lib/gitlab/saml/user_spec.rb | 12 ++++++++++++
 7 files changed, 47 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/unreleased/dm-fix-oauth-user-creation.yml
diff --git a/app/services/users/build_service.rb b/app/services/users/build_service.rb
index 9a0a5a12f91..d2a1c161026 100644
--- a/app/services/users/build_service.rb
+++ b/app/services/users/build_service.rb
@@ -6,8 +6,8 @@ module Users
 @params = params.dup
 end
- def execute
- raise Gitlab::Access::AccessDeniedError unless can_create_user?
+ def execute(skip_authorization: false)
+ raise Gitlab::Access::AccessDeniedError unless skip_authorization || can_create_user?
 user = User.new(build_user_params)
diff --git a/app/services/users/create_service.rb b/app/services/users/create_service.rb
index a2105d31f71..e22f7225ae2 100644
--- a/app/services/users/create_service.rb
+++ b/app/services/users/create_service.rb
@@ -6,8 +6,8 @@ module Users
 @params = params.dup
 end
- def execute
- user = Users::BuildService.new(current_user, params).execute
+ def execute(skip_authorization: false)
+ user = Users::BuildService.new(current_user, params).execute(skip_authorization: skip_authorization)
 @reset_token = user.generate_reset_token if user.recently_sent_password_reset?
diff --git a/changelogs/unreleased/dm-fix-oauth-user-creation.yml b/changelogs/unreleased/dm-fix-oauth-user-creation.yml
new file mode 100644
index 00000000000..161b114394a
--- /dev/null
+++ b/changelogs/unreleased/dm-fix-oauth-user-creation.yml
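Review bot: In app/services/users/build_service.rb the new `skip_authorization:` keyword lets any caller switch off the `can_create_user?` check in `execute`, and nothing at the definition says who is allowed to do that. A comment above `def execute(skip_authorization: false)` would state the contract, for example `# skip_authorization: pass true only after an external identity provider (OAuth, LDAP, SAML) has authenticated the user; never derive it from request parameters.` The patch also adds no service-level spec pinning that a default `execute` call still raises `Gitlab::Access::AccessDeniedError` when `can_create_user?` is false, so a later change to the default would go unnoticed. The rest of `execute` lies outside the hunk, so whether `build_user_params` applies restrictions of its own is not visible here.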
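Review bot: In app/services/users/create_service.rb, `execute(skip_authorization: false)` forwards the bypass to `Users::BuildService`, but no caller in this patch passes it; the only use of the flag is the direct `BuildService` call in lib/gitlab/o_auth/user.rb. Unless a caller outside this patch needs it, keeping `def execute` and `Users::BuildService.new(current_user, params).execute` as they were leaves one fewer entry point through which the sign-up restriction can be skipped. If the keyword stays, it should carry a comment stating that it must never be derived from request input. The body of `execute` continues past the hunk.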
@@ -0,0 +1,4 @@
+---
+title: Fix OAuth, LDAP and SAML SSO when regular sign-ups are disabled
+merge_request:
+author:
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index 6e42d8941fb..afd24b4dcc5 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -148,7 +148,7 @@ module Gitlab
 def build_new_user
 user_params = user_attributes.merge(extern_uid: auth_hash.uid, provider: auth_hash.provider, skip_confirmation: true)
- Users::BuildService.new(nil, user_params).execute
+ Users::BuildService.new(nil, user_params).execute(skip_authorization: true)
 end
 def user_attributes
diff --git a/spec/lib/gitlab/ldap/user_spec.rb b/spec/lib/gitlab/ldap/user_spec.rb
index 346cf0d117c..65a304d1468 100644
--- a/spec/lib/gitlab/ldap/user_spec.rb
+++ b/spec/lib/gitlab/ldap/user_spec.rb
@@ -108,6 +108,18 @@ describe Gitlab::LDAP::User, lib: true do
 it "creates a new user if not found" do
 expect{ ldap_user.save }.to change{ User.count }.by(1)
 end
+
+ context 'when signup is disabled' do
+ before do
+ stub_application_setting signup_enabled: false
+ end
+
+ it 'creates the user' do
+ ldap_user.save
+
+ expect(gl_user).to be_persisted
+ end
+ end
 end
 describe 'updating email' do
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 8f09266c3b3..6d3ac62d9e9 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -40,6 +40,20 @@ describe Gitlab::OAuth::User, lib: true do
 let(:provider) { 'twitter' }
 describe 'signup' do
+ context 'when signup is disabled' do
+ before do
+ stub_application_setting signup_enabled: false
+ end
+
+ it 'creates the user' do
+ stub_omniauth_config(allow_single_sign_on: ['twitter'])
+
+ oauth_user.save
+
+ expect(gl_user).to be_persisted
+ end
+ end
+
 it 'marks user as having password_automatically_set' do
 stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['twitter'])
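Review bot: `build_new_user` in lib/gitlab/o_auth/user.rb now passes `skip_authorization: true` unconditionally, so the only gate left between an external identity and a new account is whatever check runs before this method is called, and that check is not in the hunk. Presumably the caller verifies that account creation is allowed for `auth_hash.provider` (the spec stubs `allow_single_sign_on`), but this should be confirmed and recorded at the call site, for example `# Authorization is skipped because the provider sign-up check has already run; do not call this before it.` The enclosing class starts outside the hunk.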
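Review bot: The new example in spec/lib/gitlab/o_auth/user_spec.rb covers only the allowed case (`allow_single_sign_on: ['twitter']` with `signup_enabled: false`); nothing in the hunk shows that a provider not permitted to create accounts is still refused now that `skip_authorization: true` is passed. Unless such an example already exists outside the hunk, a companion case would pin the boundary this commit moves: the same `stub_application_setting signup_enabled: false`, a `stub_omniauth_config` that leaves 'twitter' out of `allow_single_sign_on`, and an assertion that `User.count` does not grow. How `oauth_user.save` fails in that case is not visible here, so the assertion may need to expect an error instead. The examples added in spec/lib/gitlab/ldap/user_spec.rb and spec/lib/gitlab/saml/user_spec.rb likewise exercise only the success path.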
diff --git a/spec/lib/gitlab/saml/user_spec.rb b/spec/lib/gitlab/saml/user_spec.rb
index 4f6ef3c10fc..b3b76a6d629 100644
--- a/spec/lib/gitlab/saml/user_spec.rb
+++ b/spec/lib/gitlab/saml/user_spec.rb
@@ -211,6 +211,18 @@ describe Gitlab::Saml::User, lib: true do
 end
 end
 end
+
+ context 'when signup is disabled' do
+ before do
+ stub_application_setting signup_enabled: false
+ end
+
+ it 'creates the user' do
+ saml_user.save
+
+ expect(gl_user).to be_persisted
+ end
+ end
 end
 describe 'blocking' do