Commit 08bf68ea authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Fix sign-in when user has multiple group saml identities

If a GitLab.com user has multiple group SAML identities, a
problem can occur when looking up the identity. Depending on
the order in which the database returns the records, the wrong
identity may be chosen. This can lead to an attempt to create a
duplicate record and, ultimately, an error when signing in.

Changelog: fixed
parent 2393b1eb
---
title: Fix sign-in when user has multiple group saml identities
merge_request: 61717
author:
type: fixed
......@@ -83,9 +83,16 @@ module Gitlab
override :add_or_update_user_identities
def add_or_update_user_identities
super.tap do |identity|
identity.saml_provider_id = @saml_provider.id
end
return unless gl_user
identity = self.identity
# find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
identity ||= gl_user.identities.find { |identity| identity.provider == auth_hash.provider && identity.saml_provider_id == @saml_provider.id }
identity ||= gl_user.identities.build(provider: auth_hash.provider, saml_provider: @saml_provider)
identity.extern_uid = auth_hash.uid
identity
end
def update_group_membership
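Review bot: The `identity.extern_uid = auth_hash.uid` assignment in `add_or_update_user_identities` also runs for an identity picked up by the in-memory `gl_user.identities.find` fallback, so a stored identity for this `@saml_provider` would have its `extern_uid` replaced by the asserted uid. Whether that path is reachable depends on how `gl_user` and `self.identity` are resolved, which is outside this hunk. If the re-binding is intended, a comment above the assignment such as `# An existing identity for this saml_provider is re-bound to the asserted uid on purpose` would record that. Separately, the block parameter `|identity|` in the `find` shadows the local assigned just above it; `{ |candidate| candidate.provider == auth_hash.provider && candidate.saml_provider_id == @saml_provider.id }` avoids the shadowing.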
......
......@@ -57,6 +57,18 @@ RSpec.describe Gitlab::Auth::GroupSaml::User do
it 'does not mark the user as provisioned' do
expect(find_and_update.provisioned_by_group).to be_nil
end
context 'when the user has multiple group saml identities' do
let(:saml_provider2) { create(:saml_provider) }
before do
create(:group_saml_identity, extern_uid: uid, saml_provider: saml_provider2, user: identity.user)
end
it 'returns the user' do
expect(find_and_update).to eq identity.user
end
end
end
context 'with no matching user identity' do
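Review bot: The new context 'when the user has multiple group saml identities' asserts only that `find_and_update` returns `identity.user`, so it would still pass if the call modified the second provider's identity or added another record. Adding `expect { find_and_update }.not_to change { identity.user.identities.count }` would pin the duplicate-record case the commit message describes. Both fixtures also share `extern_uid: uid`, so a user whose two group identities carry different uids is not exercised here. The enclosing context starts outside the hunk.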
......