Commit
30dde143
authored
Mar 14, 2019
by
James Lopez
Add saml auth logic
parent
f40ce034
Showing
7 changed files
with
70 additions
and
22 deletions
+70
-22
ee/app/controllers/concerns/saml_authorization.rb
ee/app/controllers/concerns/saml_authorization.rb
+18
-0
ee/app/controllers/groups/saml_providers_controller.rb
ee/app/controllers/groups/saml_providers_controller.rb
+7
-12
ee/app/controllers/groups/scim_oauth_controller.rb
ee/app/controllers/groups/scim_oauth_controller.rb
+23
-8
ee/app/models/ee/group.rb
ee/app/models/ee/group.rb
+1
-1
ee/app/models/scim_oauth_access_token.rb
ee/app/models/scim_oauth_access_token.rb
+1
-1
ee/app/serializers/scim_oauth_access_token_entity.rb
ee/app/serializers/scim_oauth_access_token_entity.rb
+13
-0
ee/spec/factories/scim_oauth_access_tokens.rb
ee/spec/factories/scim_oauth_access_tokens.rb
+7
-0
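--- /dev/null
+++ b/ee/app/controllers/concerns/saml_authorization.rb
+# frozen_string_literal: true
+module SamlAuthorization
+  extend ActiveSupport::Concern
+  private
+  def authorize_manage_saml!
+    render_404 unless can?(current_user, :admin_group_saml, group)
+  end
+  def check_group_saml_configured
+    render_404 unless Gitlab::Auth::GroupSaml::Config.enabled?
+  end
+  def require_top_level_group
+    render_404 if group.subgroup?
+  end
+end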
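Review bot: The concern carries no comment stating what it needs from the including controller, and all three guards depend on it: they call `group`, `current_user`, `can?` and `render_404`, none of which is defined in this module. I would add above `module SamlAuthorization` something like `# before_action guards for group SAML settings; the host controller must provide group, current_user, can? and render_404`. The guards here read `group`, while the copies shown in Groups::SamlProvidersController read `@group`; that is equivalent only if `group` is the loader that populates `@group`, which is not visible on this page. `check_group_saml_available!` is registered as a callback by both controllers but is not part of this module, so it has to be reachable from Groups::ScimOauthController some other way for that authorization chain to run.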
ee/app/controllers/groups/saml_providers_controller.rb
# frozen_string_literal: true
require_relative
'../concerns/saml_authorization.rb'
# frozen_string_literal: true
class
Groups::SamlProvidersController
<
Groups
::
ApplicationController
include
SamlAuthorization
before_action
:require_top_level_group
before_action
:authorize_manage_saml!
before_action
:check_group_saml_available!
before_action
:check_group_saml_configured
# rubocop: disable CodeReuse/ActiveRecord
def
show
@saml_provider
=
@group
.
saml_provider
||
@group
.
build_saml_provider
@scim_token_exists
=
ScimOauthAccessToken
.
exists?
(
group:
@group
)
@scim_token_url
=
group_scim_oauth_url
(
@group
)
end
# rubocop: enable CodeReuse/ActiveRecord
def
create
@saml_provider
=
@group
.
build_saml_provider
(
saml_provider_params
)
...
...
@@ -28,18 +35,6 @@ class Groups::SamlProvidersController < Groups::ApplicationController
private
def
authorize_manage_saml!
render_404
unless
can?
(
current_user
,
:admin_group_saml
,
@group
)
end
def
check_group_saml_configured
render_404
unless
Gitlab
::
Auth
::
GroupSaml
::
Config
.
enabled?
end
def
require_top_level_group
render_404
if
@group
.
subgroup?
end
def
saml_provider_params
allowed_params
=
%i[sso_url certificate_fingerprint enabled]
...
...
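Review bot: The `require_relative '../concerns/saml_authorization.rb'` at the top of the file looks unnecessary, because Groups::ScimOauthController does `include SamlAuthorization` without any require, which suggests the concern is already resolved by Rails autoloading. Loading the file by path next to the autoloader bypasses code reloading, and the second `# frozen_string_literal: true` that follows the require is no longer in the file's leading comment section, so Ruby treats it as an ordinary comment. I would drop the require and the duplicate comment and keep the single magic comment on the first line. The class body continues outside the lines shown here.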
ee/app/controllers/groups/scim_oauth_controller.rb
# frozen_string_literal: true
class
Groups::ScimOauthController
<
Groups
::
ApplicationController
# before_action :require_top_level_group
# before_action :authorize_manage_saml!
# before_action :check_group_saml_available!
# before_action :check_group_saml_configured
skip_before_filter
:verify_authenticity_token
include
SamlAuthorization
before_action
:require_top_level_group
before_action
:authorize_manage_saml!
before_action
:check_group_saml_available!
before_action
:check_group_saml_configured
before_action
:check_group_scim_enabled
def
show
scim_token
=
ScimOauthAccessToken
.
find_by_group_id
(
@group
.
id
)
...
...
@@ -22,17 +23,31 @@ class Groups::ScimOauthController < Groups::ApplicationController
end
end
# rubocop: disable CodeReuse/ActiveRecord
def
create
scim_token
=
ScimOauthAccessToken
.
safe_find_or_create_by
(
group:
@group
)
scim_token
=
ScimOauthAccessToken
.
find_or_initialize_by
(
group:
@group
)
if
scim_token
.
new_record?
scim_token
.
save
else
scim_token
.
reset_token!
end
respond_to
do
|
format
|
format
.
json
do
if
scim_token
&
.
valid?
if
scim_token
.
valid?
render
json:
ScimOauthAccessTokenEntity
.
new
(
scim_token
).
as_json
else
render
json:
{
errors:
scim_token
&
.
errors
&
.
full_messages
},
status: :unprocessable_entity
render
json:
{
errors:
scim_token
.
errors
.
full_messages
},
status: :unprocessable_entity
end
end
end
end
# rubocop: enable CodeReuse/ActiveRecord
private
def
check_group_scim_enabled
route_not_found
unless
Feature
.
enabled?
(
:group_scim
,
@group
)
end
end
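Review bot: In `create`, `find_or_initialize_by(group: @group)` followed by a separate `scim_token.save` leaves a window in which two concurrent requests for the same group both find no row; depending on whether the table has a unique index on the group (not visible here), one request either raises from `save` or a second token row is written under a `has_one` association. The `safe_find_or_create_by` call printed just above it appears to be the line being replaced and is meant to cover that race, so I would keep it for the creation path and call `reset_token!` only when the row already existed. The results of `save` and `reset_token!` are also discarded and the outcome is inferred from `scim_token.valid?`, which re-runs validations rather than reporting whether the write succeeded. Because this action issues and rotates a credential, please confirm that `skip_before_filter :verify_authenticity_token` is on the removed side of this section, as the deletion count suggests. Part of the controller, including the body of `show`, is elided on this page and is not covered by this note.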
ee/app/models/ee/group.rb
...
...
@@ -20,7 +20,7 @@ module EE
has_one
:saml_provider
has_one
:insight
,
foreign_key: :namespace_id
accepts_nested_attributes_for
:insight
has_one
:scim_o
ua
th_access_token
,
dependent: :destroy
has_one
:scim_o
au
th_access_token
,
dependent: :destroy
has_many
:ldap_group_links
,
foreign_key:
'group_id'
,
dependent: :destroy
# rubocop:disable Cop/ActiveRecordDependent
has_many
:hooks
,
dependent: :destroy
,
class_name:
'GroupHook'
# rubocop:disable Cop/ActiveRecordDependent
...
...
ee/app/models/scim_oauth_access_token.rb
# frozen_string_literal: true
class
ScimOauthAccessToken
<
A
ctiveRecord
::
Base
class
ScimOauthAccessToken
<
A
pplicationRecord
include
TokenAuthenticatable
belongs_to
:group
...
...
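--- /dev/null
+++ b/ee/app/serializers/scim_oauth_access_token_entity.rb
+# frozen_string_literal: true
+class ScimOauthAccessTokenEntity < Grape::Entity
+  include ::API::Helpers::RelatedResourcesHelpers
+  SCIM_PATH = '/api/scim/v2/groups'
+  expose :scim_api_url do |scim|
+    expose_url("#{SCIM_PATH}/#{scim.group.full_path}")
+  end
+  expose :token, as: :scim_token
+end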
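Review bot: `expose :token, as: :scim_token` puts the plaintext SCIM bearer token into every rendering of this entity, and nothing in the class says so. I would add a comment above that line, `# Plaintext bearer token: render this entity only in the response that creates or resets the token`, and check that no read-only action, cacheable response or log statement serializes it. `scim.group.full_path` is interpolated into the URL without escaping; that is safe only while group paths are restricted to URL-safe characters, which this page does not show.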
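--- /dev/null
+++ b/ee/spec/factories/scim_oauth_access_tokens.rb
+# Read about factories at https://github.com/thoughtbot/factory_bot
+FactoryBot.define do
+  factory :scim_oauth_access_token do
+    group
+  end
+end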