Added support for Admin Groups to SAML.

8eec0c9a · Patricio Cano · fcaa2c25 · 8eec0c9a · 8eec0c9a · 8eec0c9a
Commit 8eec0c9a authored May 18, 2016 by Patricio Cano
5 changed files
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
@@ -10,6 +10,7 @@ v 8.8.0 (unreleased)
  - [Elastic] Improve code search
  - [Elastic] Fix encoding issues during indexing
  - Set KRB5 as default clone protocol when Kerberos is enabled and user is logged in (Borja Aparicio)
+  - Add support for Admin Groups to SAML
  - Reduce emails-on-push HTML size by using a simple monospace font
  - API requests to /internal/authorized_keys are now tagged properly


--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -175,6 +175,30 @@ tell GitLab which groups are external via the `external_groups:` element:
        } }
 ```

+## Admin Groups
+
+>**Note:**
+This setting is only available on GitLab 8.8 EE and above.
+
+This setting works very similarly to the `External Groups` setting. The requirements
+are the same, your IdP needs to pass Group information to GitLab, you need to tell
+GitLab where to look for the groups in the SAML response, and which group should be
+considered `admin groups`.
+
+```yaml
+{ name: 'saml',
+  label: 'Our SAML Provider',
+  groups_attribute: 'Groups',
+  admin_groups: ['Managers', 'Admins'],
+  args: {
+          assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
+          idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
+          idp_sso_target_url: 'https://login.example.com/idp',
+          issuer: 'https://gitlab.example.com',
+          name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        } }
+```
+
 ## Customization

 ### `auto_sign_in_with_provider`

--- a/lib/gitlab/saml/config.rb
+++ b/lib/gitlab/saml/config.rb
@@ -14,6 +14,10 @@ module Gitlab
        def external_groups
          options[:external_groups]
        end
+
+        def admin_groups
+          options[:admin_groups]
+        end
      end

    end

--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
@@ -36,6 +36,14 @@ module Gitlab
          end
        end

+        if admin_groups_enabled? && @user
+          if (auth_hash.groups & Gitlab::Saml::Config.admin_groups).empty?
+            @user.admin = false
+          else
+            @user.admin = true
+          end
+        end
+
        @user
      end

@@ -65,6 +73,10 @@ module Gitlab
      def auth_hash=(auth_hash)
        @auth_hash = Gitlab::Saml::AuthHash.new(auth_hash)
      end
+
+      def admin_groups_enabled?
+        !Gitlab::Saml::Config.admin_groups.nil?
+      end
    end
  end
 end
--- a/spec/lib/gitlab/saml/user_spec.rb
+++ b/spec/lib/gitlab/saml/user_spec.rb
@@ -31,6 +31,10 @@ describe Gitlab::Saml::User, lib: true do
      allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', external_groups: groups, args: {} } })
    end

+    def stub_saml_admin_group_config(groups)
+      allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', admin_groups: groups, args: {} } })
+    end
+
    before { stub_basic_saml_config }

    describe 'account exists on server' do
@@ -75,6 +79,35 @@ describe Gitlab::Saml::User, lib: true do
          end
        end
      end
+
+      context 'admin groups' do
+        context 'are defined' do
+          it 'marks the user as admin' do
+            stub_saml_admin_group_config(%w(Developers))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_truthy
+          end
+        end
+
+        before { stub_saml_admin_group_config(%w(Admins)) }
+        context 'are defined but the user does not belong there' do
+          it 'does not mark the user as admin' do
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+
+        context 'user was admin, now should not be' do
+          it 'should make user non admin' do
+            existing_user.update_attribute('admin', true)
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+      end
    end

    describe 'no account exists on server' do
@@ -127,6 +160,26 @@ describe Gitlab::Saml::User, lib: true do
        end
      end

+      context 'admin groups' do
+        context 'are defined' do
+          it 'marks the user as admin' do
+            stub_saml_admin_group_config(%w(Developers))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_truthy
+          end
+        end
+
+        context 'are defined but the user does not belong there' do
+          it 'does not mark the user as admin' do
+            stub_saml_admin_group_config(%w(Admins))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+      end
+
      context 'with auto_link_ldap_user disabled (default)' do
        before { stub_omniauth_config({ auto_link_ldap_user: false, auto_link_saml_user: false, allow_single_sign_on: ['saml'] }) }
        include_examples 'to verify compliance with allow_single_sign_on'