Commit 8293eff4 authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Migrate SAML Identities to SCIM Identities

Migrate all SAML identities to SCIM identities, when a given
group has a SCIM token present. This also enables the
:scim_identities feature by default.
parent c3a37330
# frozen_string_literal: true
class MigrateSamlIdentitiesToScimIdentities < ActiveRecord::Migration[6.0]
DOWNTIME = false
class Identity < ActiveRecord::Base
self.table_name = 'identities'
include ::EachBatch
end
def up
Identity
.joins('INNER JOIN saml_providers ON saml_providers.id = identities.saml_provider_id')
.where('saml_providers.group_id IN (SELECT group_id FROM scim_oauth_access_tokens)')
.select('identities.extern_uid, identities.user_id, saml_providers.group_id, TRUE AS active,
identities.created_at, CURRENT_TIMESTAMP AS updated_at')
.each_batch do |batch|
data_to_insert = batch.map do |record|
record.attributes.extract!("extern_uid", "user_id", "group_id", "active", "created_at", "updated_at")
end
Gitlab::Database.bulk_insert(:scim_identities, data_to_insert, on_conflict: :do_nothing)
end
end
def down
end
end
......@@ -13137,6 +13137,7 @@ COPY "schema_migrations" (version) FROM STDIN;
20200310135818
20200310135823
20200310145304
20200310215714
20200311074438
20200311082301
20200311084025
......
---
title: Migrate SAML to SCIM Identities
merge_request: 26940
author:
type: added
......@@ -5,7 +5,7 @@ module EE
module Scim
class Feature
def self.scim_identities_enabled?(group)
::Feature.enabled?(:scim_identities, group)
::Feature.enabled?(:scim_identities, group, default_enabled: true)
end
end
end
......
......@@ -86,8 +86,6 @@ describe ::EE::Gitlab::Scim::ProvisioningService do
extern_uid: 'test_uid'
}
end
end
end
it 'fails with error' do
expect(service.execute.status).to eq(:error)
......
# frozen_string_literal: true
require 'spec_helper'
require Rails.root.join('db', 'post_migrate', '20200310215714_migrate_saml_identities_to_scim_identities.rb')
describe MigrateSamlIdentitiesToScimIdentities, :migration do
let(:group1) { table(:namespaces).create!(name: 'group1', path: 'group1') }
let(:group2) { table(:namespaces).create!(name: 'group2', path: 'group2') }
let(:saml_provider1) { table(:saml_providers).create!(enabled: true, group_id: group1.id, certificate_fingerprint: '123abc', sso_url: 'https://sso1.example.com') }
let(:saml_provider2) { table(:saml_providers).create!(enabled: false, group_id: group2.id, certificate_fingerprint: '123abc', sso_url: 'https://sso2.example.com') }
let(:users) { table(:users) }
let(:scim_identities) { table(:scim_identities) }
let(:identities) { table(:identities) }
before do
create_user_and_identity(1, identity_options: { saml_provider_id: saml_provider1.id })
create_user_and_identity(2, identity_options: { saml_provider_id: saml_provider2.id })
create_user_and_identity(3, identity_options: { saml_provider_id: nil, provider: 'ldapmain' })
end
context 'when a matching saml provider and scim oauth access token exist' do
before do
table(:scim_oauth_access_tokens).create!(group_id: group1.id, token_encrypted: '123abc')
table(:scim_oauth_access_tokens).create!(group_id: group2.id, token_encrypted: '456def')
end
it 'migrates all group_saml identities' do
expect(scim_identities.count).to be_zero
migrate!
scim_identity1 = scim_identities.find_by(extern_uid: 'user1')
scim_identity2 = scim_identities.find_by(extern_uid: 'user2')
expect(scim_identities.count).to eq(2)
expect(scim_identity1.extern_uid).to eq('user1')
expect(scim_identity1.group_id).to eq(group1.id)
expect(scim_identity1.user_id).to eq(1)
expect(scim_identity1.active).to eq(true)
expect(scim_identity2.extern_uid).to eq('user2')
expect(scim_identity2.group_id).to eq(group2.id)
expect(scim_identity2.user_id).to eq(2)
expect(scim_identity2.active).to eq(true)
end
it 'does not migrate non-group_saml identities' do
migrate!
expect(scim_identity('user3')).to be_nil
end
context 'when duplicate scim_identities already exist' do
before do
scim_identities.create!(extern_uid: 'user1', group_id: group1.id, user_id: 1)
end
it 'migrates missing group_saml identities without conflict' do
migrate!
expect(scim_identity('user2')).to be_present
end
end
end
context 'when a matching scim oauth access token does not exist' do
it 'does not migrate group_saml identities' do
expect(scim_identities.count).to be_zero
migrate!
expect(scim_identities.count).to be_zero
end
end
def create_user_and_identity(id, user_options: {}, identity_options: {})
default_user_options = {
id: id,
username: "user#{id}",
email: "user#{id}@example.com",
projects_limit: 10
}
default_identity_options = {
id: id,
user_id: id,
extern_uid: "user#{id}",
provider: 'group_saml'
}
users.create!(default_user_options.merge(user_options))
identities.create!(default_identity_options.merge(identity_options))
end
def scim_identity(extern_uid)
scim_identities.find_by(extern_uid: extern_uid)
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment