8110e753
Commit
8110e753
authored
Apr 06, 2016
by
Patricio Cano
Implemented suggested fixes
parent
eb0f1de3
Showing
5 changed files
with
21 additions
and
33 deletions
+21
-33
doc/integration/saml.md
doc/integration/saml.md
+1
-2
lib/gitlab/saml/auth_hash.rb
lib/gitlab/saml/auth_hash.rb
+1
-1
lib/gitlab/saml/config.rb
lib/gitlab/saml/config.rb
+0
-1
lib/gitlab/saml/user.rb
lib/gitlab/saml/user.rb
+3
-4
spec/lib/gitlab/saml/user_spec.rb
spec/lib/gitlab/saml/user_spec.rb
+16
-25
doc/integration/saml.md
...
...
@@ -159,8 +159,7 @@ with the regular SAML response. Here is an example:
The name of the attribute can be anything you like, but it must contain the groups
to which a user belongs. In order to tell GitLab where to find these groups, you need
to add a
`groups_attribute:`
element to your SAML settings. You will also need to
tell GitLab which groups are external, for that you need the
`external_groups:`
element:
tell GitLab which groups are external via the
`external_groups:`
element:
```
yaml
{
name
:
'
saml'
,
...
...
lib/gitlab/saml/auth_hash.rb
...
...
@@ -9,7 +9,7 @@ module Gitlab
private
def
get_raw
(
key
)
# Needs to call `all` because of https://git
hub.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/attributes.rb#L78
# Needs to call `all` because of https://git
.io/vVo4u
# otherwise just the first value is returned
auth_hash
.
extra
[
:raw_info
].
all
[
key
]
end
...
...
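Review bot: The comment on `get_raw` now points at a `git.io` shortlink, which hides where the reference leads and silently breaks if the shortener is ever retired, so a reader of this private method can no longer verify why `all` is required. A source comment should carry the full, commit-pinned URL, or simply state the reason in words so no link is needed, e.g. `# Needs to call all: ruby-saml otherwise returns just the first value of a multi-valued attribute`. The old comment already gave that reason on its second line, so only the link itself needs replacing.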
lib/gitlab/saml/config.rb
# Load a specific server configuration
module
Gitlab
module
Saml
class
Config
...
...
lib/gitlab/saml/user.rb
...
...
@@ -28,12 +28,11 @@ module Gitlab
if
external_users_enabled?
# Check if there is overlap between the user's groups and the external groups
# setting
and
set user as external or internal.
# setting
then
set user as external or internal.
if
(
auth_hash
.
groups
&
Gitlab
::
Saml
::
Config
.
external_groups
).
empty?
# Avoid an unnecessary change of values and the subsequent save
@user
.
external
=
false
if
@user
.
external
@user
.
external
=
false
else
@user
.
external
=
true
unless
@user
.
external
@user
.
external
=
true
end
end
...
...
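Review bot: With the `if @user.external` / `unless @user.external` guards gone, an empty intersection now unconditionally writes `@user.external = false`, so a SAML response that omits the groups attribute (or a misconfigured `groups_attribute`) demotes a previously external user to internal on their next login instead of leaving the flag untouched; since `external` is an access-restricting flag, it is worth confirming that this fail-open behaviour is intended and noting it in the comment above the `if`. If `auth_hash.groups` can return nil when the attribute is absent (its definition is not in this hunk), `nil & Gitlab::Saml::Config.external_groups` raises NoMethodError before either branch runs; `if (Array(auth_hash.groups) & Gitlab::Saml::Config.external_groups).empty?` avoids that. The enclosing method starts and ends outside the hunk.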
spec/lib/gitlab/saml/user_spec.rb
...
...
@@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do
allow
(
Gitlab
::
LDAP
::
Config
).
to
receive_messages
(
messages
)
end
def
stub_
saml_config
(
messages
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
messages
)
def
stub_
basic_saml_config
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
{
options:
{
name:
'saml'
,
args:
{}
}
}
)
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
args:
{}
}
})
}
def
stub_saml_group_config
(
groups
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
groups
,
args:
{}
}
})
end
before
{
stub_basic_saml_config
}
describe
'account exists on server'
do
before
{
stub_omniauth_config
({
allow_single_sign_on:
[
'saml'
],
auto_link_saml_user:
true
})
}
...
...
@@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
end
end
before
{
stub_saml_
config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
}
)
}
before
{
stub_saml_
group_config
(
%w(Interns)
)
}
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
saml_user
.
save
...
...
@@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
end
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
})
}
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
stub_saml_group_config
(
%w(Interns)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_falsey
...
...
@@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do
context
'with auto_link_ldap_user enabled'
do
before
{
stub_omniauth_config
({
auto_link_ldap_user:
true
,
auto_link_saml_user:
false
})
}
context
'and no LDAP provider defined'
do
before
{
stub_ldap_config
(
providers:
[])
}
include_examples
'to verify compliance with allow_single_sign_on'
end
context
'and at least one LDAP provider is defined'
do
before
{
stub_ldap_config
(
providers:
%w(ldapmain)
)
}
...
...
@@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do
before
do
allow
(
ldap_user
).
to
receive
(
:uid
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:username
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
[
'johndoe@example.com'
,
'john2@example.com'
]
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
%w(john@mail.com john2@example.com)
}
allow
(
ldap_user
).
to
receive
(
:dn
)
{
'uid=user1,ou=People,dc=example'
}
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
ldap_user
)
end
context
'and no account for the LDAP user'
do
it
'creates a user with dual LDAP and SAML identities'
do
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
uid
expect
(
gl_user
.
email
).
to
eql
'john
doe@example
.com'
expect
(
gl_user
.
email
).
to
eql
'john
@mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
...
@@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do
end
context
'and LDAP user has an account already'
do
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
example
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
it
"adds the omniauth identity to the LDAP account"
do
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
mail
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
it
'adds the omniauth identity to the LDAP account'
do
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
'john'
expect
(
gl_user
.
email
).
to
eql
'john@
example
.com'
expect
(
gl_user
.
email
).
to
eql
'john@
mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
...
@@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do
end
end
end
context
'and no corresponding LDAP person'
do
before
{
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
nil
)
}
include_examples
'to verify compliance with allow_single_sign_on'
end
end
end
...
...
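Review bot: In the hunk at @@ -45, `stub_saml_group_config(%w(Freelancers))` is called inside the body of `it 'marks the user as external'`, while the sibling context 'are defined but the user does not belong there' performs the same setup in `before { stub_saml_group_config(%w(Interns)) }`; moving the Freelancers call into a `before` block keeps stubbing out of the example and matches the rest of the file. The same inconsistency appears in the hunk at @@ -105. In the hunk at @@ -23, `stub_basic_saml_config` and `stub_saml_group_config` both spell out the `name: 'saml', args: {}` literal; building the group variant by merging `groups_attribute`/`external_groups` into one shared base hash would keep the two helpers from drifting apart, though that is optional.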