Commit 98a4a005 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '61201-pass-identities-to-external-authorization' into 'master'

Add identity information to external authorization requests

See merge request gitlab-org/gitlab-ce!29461
parents 51267258 83163fab
---
title: Add identity information to external authorization requests
merge_request: 29461
author:
type: changed
...@@ -76,13 +76,19 @@ service with this body: ...@@ -76,13 +76,19 @@ service with this body:
{ {
"user_identifier": "jane@acme.org", "user_identifier": "jane@acme.org",
"project_classification_label": "project-label", "project_classification_label": "project-label",
"user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme" "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme",
"identities": [
{ "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" },
{ "provider": "bitbucket", "extern_uid": "2435223452345" }
]
} }
``` ```
The `user_ldap_dn` is optional and is only sent when the user is logged in The `user_ldap_dn` is optional and is only sent when the user is logged in
through LDAP. through LDAP.
`identities` will contain the details of all the identities associated with the user. This will be an empty array if there are no identities associated with the user.
When the external authorization service responds with a status code 200, the When the external authorization service responds with a status code 200, the
user is granted access. When the external service responds with a status code user is granted access. When the external service responds with a status code
401 or 403, the user is denied access. In any case, the request is cached for 6 hours. 401 or 403, the user is denied access. In any case, the request is cached for 6 hours.
...@@ -48,7 +48,8 @@ module Gitlab ...@@ -48,7 +48,8 @@ module Gitlab
@body ||= begin @body ||= begin
body = { body = {
user_identifier: @user.email, user_identifier: @user.email,
project_classification_label: @label project_classification_label: @label,
identities: @user.identities.map { |identity| { provider: identity.provider, extern_uid: identity.extern_uid } }
} }
if @user.ldap_identity if @user.ldap_identity
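Review bot: The new `identities:` entry is a single line far beyond the conventional length that buries the serialization of every linked identity inside the hash literal; it reads better as a private helper, `identities_payload`, returning `@user.identities.map { |identity| { provider: identity.provider, extern_uid: identity.extern_uid } }`, referenced here as `identities: identities_payload`. That helper is also the natural place for a comment stating that each provider's `extern_uid` is now disclosed to the external authorization service, not only the LDAP DN, since that is a wider disclosure than the previous body. Because the result is memoized in `@body` and, per the docs change in this commit, the service response is cached, an identity linked or unlinked afterwards is presumably not re-evaluated until the cache expires; the cache key is not visible here, so worth confirming it accounts for that. The enclosing method starts before this hunk and its `begin`/`if` continue past it.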
...@@ -19,7 +19,8 @@ describe Gitlab::ExternalAuthorization::Client do ...@@ -19,7 +19,8 @@ describe Gitlab::ExternalAuthorization::Client do
it 'adds the correct params for the user to the body of the request' do it 'adds the correct params for the user to the body of the request' do
expected_body = { expected_body = {
user_identifier: 'dummy_user@example.com', user_identifier: 'dummy_user@example.com',
project_classification_label: 'dummy_label' project_classification_label: 'dummy_label',
identities: []
}.to_json }.to_json
expect(Excon).to receive(:post) expect(Excon).to receive(:post)
.with(dummy_url, hash_including(body: expected_body)) .with(dummy_url, hash_including(body: expected_body))
...@@ -81,10 +82,11 @@ describe Gitlab::ExternalAuthorization::Client do ...@@ -81,10 +82,11 @@ describe Gitlab::ExternalAuthorization::Client do
provider: 'ldapprovider') provider: 'ldapprovider')
end end
it 'includes the ldap dn for ldap users' do it 'includes the ldap dn and identities for ldap users' do
expected_body = { expected_body = {
user_identifier: 'dummy_user@example.com', user_identifier: 'dummy_user@example.com',
project_classification_label: 'dummy_label', project_classification_label: 'dummy_label',
identities: [{ provider: 'ldapprovider', extern_uid: 'external id' }],
user_ldap_dn: 'external id' user_ldap_dn: 'external id'
}.to_json }.to_json
expect(Excon).to receive(:post) expect(Excon).to receive(:post)
...@@ -93,5 +95,28 @@ describe Gitlab::ExternalAuthorization::Client do ...@@ -93,5 +95,28 @@ describe Gitlab::ExternalAuthorization::Client do
client.request_access client.request_access
end end
end end
describe 'for non-ldap users with identities' do
before do
%w(twitter facebook).each do |provider|
create(:identity, provider: provider, extern_uid: "#{provider}_external_id", user: user)
end
end
it 'includes all the identities' do
expected_body = {
user_identifier: 'dummy_user@example.com',
project_classification_label: 'dummy_label',
identities: [
{ provider: 'twitter', extern_uid: 'twitter_external_id' },
{ provider: 'facebook', extern_uid: 'facebook_external_id' }
]
}.to_json
expect(Excon).to receive(:post)
.with(dummy_url, hash_including(body: expected_body))
client.request_access
end
end
end end
end end
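Review bot: The new 'includes all the identities' example compares the serialized body as a string, so it passes only if `@user.identities` yields twitter before facebook; nothing in the client hunk orders the identities, so that presumably relies on default insertion order and can change under a different scope or adapter. Either order the identities deterministically where the body is built, or decode the posted body in the expectation and compare the array order-independently, e.g. `expect(JSON.parse(body)['identities']).to match_array(expected_identities)` inside a block passed to the `Excon.post` expectation. The single-identity LDAP example above is not affected by this.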