Fix failed LDAP logins when nil user_id present

When a LDAP user signs in the for the first time and if there is an `Identity` object with `user_id` of `nil`, new users will not be able to be register until that entry is cleared because of the way identities are created: 1. First, the User object is built but not saved, so it has no `id`. 2. Then, `user.identities.build(provider: 'ldapmain')` is called, but it does not have an associated `user_id` as a result. 3. `User#save` is called, but the `Identity` validation fails if an existing entry with `user_id` of `nil` already exists. The uniqueness validation for `nil` values doesn't make any sense in this case. We should be enforcing this at the database level with a foreign key constraint. To work around the issue we can validate against the user instead, which does the right thing even when the user isn't saved yet. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56734

Fix failed LDAP logins when nil user_id present
When a LDAP user signs in the for the first time and if there is an `Identity` object with `user_id` of `nil`, new users will not be able to be register until that entry is cleared because of the way identities are created: 1. First, the User object is built but not saved, so it has no `id`. 2. Then, `user.identities.build(provider: 'ldapmain')` is called, but it does not have an associated `user_id` as a result. 3. `User#save` is called, but the `Identity` validation fails if an existing entry with `user_id` of `nil` already exists. The uniqueness validation for `nil` values doesn't make any sense in this case. We should be enforcing this at the database level with a foreign key constraint. To work around the issue we can validate against the user instead, which does the right thing even when the user isn't saved yet. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56734
ab4aba70 · Stan Hu · bbf6e65d · ab4aba70 · ab4aba70 · ab4aba70
Commit ab4aba70 authored Jan 28, 2019 by Stan Hu
3 changed files
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -8,7 +8,7 @@ class Identity < ActiveRecord::Base
  validates :provider, presence: true
  validates :extern_uid, allow_blank: true, uniqueness: { scope: UniquenessScopes.scopes, case_sensitive: false }
-  validates :user_id, uniqueness: { scope: UniquenessScopes.scopes }
+  validates :user, uniqueness: { scope: UniquenessScopes.scopes }
  before_save :ensure_normalized_extern_uid, if: :extern_uid_changed?
  after_destroy :clear_user_synced_attributes, if: :user_synced_attributes_metadata_from_provider?

--- a/changelogs/unreleased/sh-disable-nil-user-id-identity-validation.yml
+++ b/changelogs/unreleased/sh-disable-nil-user-id-identity-validation.yml
+---
+title: Fix failed LDAP logins when nil user_id present
+merge_request: 24749
+author:
+type: fixed
--- a/spec/models/identity_spec.rb
+++ b/spec/models/identity_spec.rb
@@ -10,6 +10,40 @@ describe Identity do
    it { is_expected.to respond_to(:extern_uid) }
  end
+  describe 'validations' do
+    set(:user) { create(:user) }
+    context 'with existing user and provider' do
+      before do
+        create(:identity, provider: 'ldapmain', user_id: user.id)
+      end
+      it 'returns false for a duplicate entry' do
+        identity = user.identities.build(provider: 'ldapmain', user_id: user.id)
+        expect(identity.validate).to be_falsey
+      end
+      it 'returns true when a different provider is used' do
+        identity = user.identities.build(provider: 'gitlab', user_id: user.id)
+        expect(identity.validate).to be_truthy
+      end
+    end
+    context 'with newly-created user' do
+      before do
+        create(:identity, provider: 'ldapmain', user_id: nil)
+      end
+      it 'successfully validates even with a nil user_id' do
+        identity = user.identities.build(provider: 'ldapmain')
+        expect(identity.validate).to be_truthy
+      end
+    end
+  end
  describe '#is_ldap?' do
    let(:ldap_identity) { create(:identity, provider: 'ldapmain') }
    let(:other_identity) { create(:identity, provider: 'twitter') }