Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ee into ce-upstream

.rubocop.yml

@@ -755,19 +755,19 @@ Lint/BlockAlignment:
 # Default values in optional keyword arguments and optional ordinal arguments
 # should not refer back to the name of the argument.
 Lint/CircularArgumentReference:
-  Enabled: false
+  Enabled: true
 
 # Checks for condition placed in a confusing position relative to the keyword.
 Lint/ConditionPosition:
-  Enabled: false
+  Enabled: true
 
 # Check for debugger calls.
 Lint/Debugger:
-  Enabled: false
+  Enabled: true
 
 # Align ends corresponding to defs correctly.
 Lint/DefEndAlignment:
-  Enabled: false
+  Enabled: true
 
 # Check for deprecated class method calls.
 Lint/DeprecatedClassMethods:
@@ -783,15 +783,15 @@ Lint/DuplicatedKey:
 
 # Check for immutable argument given to each_with_object.
 Lint/EachWithObjectArgument:
-  Enabled: false
+  Enabled: true
 
 # Check for odd code arrangement in an else block.
 Lint/ElseLayout:
-  Enabled: false
+  Enabled: true
 
 # Checks for empty ensure block.
 Lint/EmptyEnsure:
-  Enabled: false
+  Enabled: true
 
 # Checks for empty string interpolation.
 Lint/EmptyInterpolation:
@@ -799,37 +799,36 @@ Lint/EmptyInterpolation:
 
 # Align ends correctly.
 Lint/EndAlignment:
-  Enabled: false
+  Enabled: true
 
 # END blocks should not be placed inside method definitions.
 Lint/EndInMethod:
-  Enabled: false
+  Enabled: true
 
 # Do not use return in an ensure block.
 Lint/EnsureReturn:
-  Enabled: false
+  Enabled: true
 
 # The use of eval represents a serious security risk.
 Lint/Eval:
-  Enabled: false
+  Enabled: true
 
 # Catches floating-point literals too large or small for Ruby to represent.
 Lint/FloatOutOfRange:
-  Enabled: false
+  Enabled: true
 
 # The number of parameters to format/sprint must match the fields.
 Lint/FormatParameterMismatch:
-  Enabled: false
+  Enabled: true
 
 # Don't suppress exception.
 Lint/HandleExceptions:
   Enabled: false
 
-# TODO: Enable ImplicitStringConcatenation Cop.
 # Checks for adjacent string literals on the same line, which could better be
 # represented as a single string literal.
 Lint/ImplicitStringConcatenation:
-  Enabled: false
+  Enabled: true
 
 # TODO: Enable IneffectiveAccessModifier Cop.
 # Checks for attempts to use `private` or `protected` to set the visibility
@@ -840,7 +839,7 @@ Lint/IneffectiveAccessModifier:
 # Checks for invalid character literals with a non-escaped whitespace
 # character.
 Lint/InvalidCharacterLiteral:
-  Enabled: false
+  Enabled: true
 
 # Checks of literals used in conditions.
 Lint/LiteralInCondition:
@@ -848,7 +847,7 @@ Lint/LiteralInCondition:
 
 # Checks for literals used in interpolation.
 Lint/LiteralInInterpolation:
-  Enabled: false
+  Enabled: true
 
 # Use Kernel#loop with break rather than begin/end/until or begin/end/while
 # for post-loop tests.
@@ -857,11 +856,11 @@ Lint/Loop:
 
 # Do not use nested method definitions.
 Lint/NestedMethodDefinition:
-  Enabled: false
+  Enabled: true
 
 # Do not omit the accumulator when calling `next` in a `reduce`/`inject` block.
 Lint/NextWithoutAccumulator:
-  Enabled: false
+  Enabled: true
 
 # Checks for method calls with a space before the opening parenthesis.
 Lint/ParenthesesAsGroupedExpression:
@@ -870,11 +869,11 @@ Lint/ParenthesesAsGroupedExpression:
 # Checks for `rand(1)` calls. Such calls always return `0` and most likely
 # a mistake.
 Lint/RandOne:
-  Enabled: false
+  Enabled: true
 
 # Use parentheses in the method call to avoid confusion about precedence.
 Lint/RequireParentheses:
-  Enabled: false
+  Enabled: true
 
 # Avoid rescuing the Exception class.
 Lint/RescueException:
@@ -909,7 +908,7 @@ Lint/UnusedMethodArgument:
 
 # Unreachable code.
 Lint/UnreachableCode:
-  Enabled: false
+  Enabled: true
 
 # Checks for useless access modifiers.
 Lint/UselessAccessModifier:
@@ -921,19 +920,19 @@ Lint/UselessAssignment:
 
 # Checks for comparison of something with itself.
 Lint/UselessComparison:
-  Enabled: false
+  Enabled: true
 
 # Checks for useless `else` in `begin..end` without `rescue`.
 Lint/UselessElseWithoutRescue:
-  Enabled: false
+  Enabled: true
 
 # Checks for useless setter call to a local variable.
 Lint/UselessSetterCall:
-  Enabled: false
+  Enabled: true
 
 # Possible use of operator/literal/variable in void context.
 Lint/Void:
-  Enabled: false
+  Enabled: true
 
 
 ##################### Performance ############################
@@ -942,11 +941,10 @@ Lint/Void:
 Performance/Casecmp:
   Enabled: true
 
-# TODO: Enable DoubleStartEndWith Cop.
 # Use `str.{start,end}_with?(x, ..., y, ...)` instead of
 # `str.{start,end}_with?(x, ...) || str.{start,end}_with?(y, ...)`.
 Performance/DoubleStartEndWith:
-  Enabled: false
+  Enabled: true
 
 # TODO: Enable EndWith Cop.
 # Use `end_with?` instead of a regex match anchored to the end of a string.
@@ -980,10 +978,9 @@ Performance/RedundantMerge:
   MaxKeyValuePairs: 2
   Enabled: false
 
-# TODO: Enable RedundantSortBy Cop.
 # Use `sort` instead of `sort_by { |x| x }`.
 Performance/RedundantSortBy:
-  Enabled: false
+  Enabled: true
 
 # TODO: Enable StartWith Cop.
 # Use `start_with?` instead of a regex match anchored to the beginning of a
@@ -1025,11 +1022,11 @@ Rails/Delegate:
 
 # Prefer `find_by` over `where.first`.
 Rails/FindBy:
-  Enabled: false
+  Enabled: true
 
 # Prefer `all.find_each` over `all.find`.
 Rails/FindEach:
-  Enabled: false
+  Enabled: true
 
 # Prefer has_many :through to has_and_belongs_to_many.
 Rails/HasAndBelongsToMany:
@@ -1041,7 +1038,7 @@ Rails/Output:
 
 # Checks for incorrect grammar when using methods like `3.day.ago`.
 Rails/PluralizationGrammar:
-  Enabled: false
+  Enabled: true
 
 # Checks for `read_attribute(:attr)` and `write_attribute(:attr, val)`.
 Rails/ReadWriteAttribute:
@@ -1049,7 +1046,7 @@ Rails/ReadWriteAttribute:
 
 # Checks the arguments of ActiveRecord scopes.
 Rails/ScopeArgs:
-  Enabled: false
+  Enabled: true
 
 # Checks the correct usage of time zone aware methods.
 # http://danilenko.org/2012/7/6/rails_timezones

CHANGELOG-EE

@@ -14,11 +14,16 @@ v 8.8.0
   - [Elastic] Improve code search
   - [Elastic] Fix encoding issues during indexing
   - Warn admin if current active count exceeds license
+  - [Elastic] Search through the filenames
   - Set KRB5 as default clone protocol when Kerberos is enabled and user is logged in (Borja Aparicio)
+  - Add support for Admin Groups to SAML
   - Reduce emails-on-push HTML size by using a simple monospace font
   - API requests to /internal/authorized_keys are now tagged properly
   - Geo: Single Sign Out support !380
 
+v 8.7.6
+  - Bump GitLab Pages to 0.2.4 to fix Content-Type for predefined 404
+
 v 8.7.5
   - No EE-specific changes
 

Gemfile

@@ -102,7 +102,7 @@ gem "seed-fu", '~> 2.3.5'
 # Search
 gem 'elasticsearch-model'
 gem 'elasticsearch-rails'
-gem 'gitlab-elasticsearch-git', '~> 0.0.14', require: "elasticsearch/git"
+gem 'gitlab-elasticsearch-git', '~> 0.0.15', require: "elasticsearch/git"
 
 # Markdown and HTML processing
 gem 'html-pipeline', '~> 1.11.0'

Gemfile.lock

@@ -352,7 +352,7 @@ GEM
       mime-types (>= 1.19)
       rugged (>= 0.24.0b13)
     github-markup (1.3.3)
-    gitlab-elasticsearch-git (0.0.14)
+    gitlab-elasticsearch-git (0.0.15)
       activemodel (~> 4.2)
       activesupport (~> 4.2)
       charlock_holmes (~> 0.7)
@@ -965,7 +965,7 @@ DEPENDENCIES
   gemnasium-gitlab-service (~> 0.2)
   github-linguist (~> 4.7.0)
   github-markup (~> 1.3.1)
-  gitlab-elasticsearch-git (~> 0.0.14)
+  gitlab-elasticsearch-git (~> 0.0.15)
   gitlab-flowdock-git-hook (~> 1.0.1)
   gitlab-license (~> 0.0.4)
   gitlab_emoji (~> 0.3.0)

app/models/repository.rb

@@ -1000,11 +1000,13 @@ class Repository
     content = result["_source"]["blob"]["content"]
     total_lines = content.lines.size
 
-    term = result["highlight"]["blob.content"][0].match(/gitlabelasticsearch→(.*?)←gitlabelasticsearch/)[1]
+    highlighted_content = result["highlight"]["blob.content"]
+    term = highlighted_content && highlighted_content[0].match(/gitlabelasticsearch→(.*?)←gitlabelasticsearch/)[1]
+
     found_line_number = 0
 
     content.each_line.each_with_index do |line, index|
-      if line.include?(term)
+      if term && line.include?(term)
         found_line_number = index
         break
       end

app/views/projects/mirrors/_instructions.html.haml

+.account-well.prepend-top-default.append-bottom-default
+  %ul
+    %li
+      The repository must be accessible over <code>http://</code>, <code>https://</code>, <code>ssh://</code> or <code>git://</code>.
+    %li
+      If your HTTP repository is not publicly accessible, add authentication information to the URL: <code>https://username:password@gitlab.company.com/group/project.git</code>.
+    %li
+      If your SSH repository is not publicly accessible, add the public SSH key of the GitLab server to the remote repository.
+    %li
+      The update action will time out after 10 minutes. For big repositories, use a clone/push combination.

app/views/projects/mirrors/show.html.haml

 - page_title "Mirror Repository"
-%h3.page-title
-  Mirror Repository
 
-%p.light
-  A repository can be setup as a mirror of another repository, and can also have a remote mirror associated.
-
-%p.light
-  When the repository is configured as a mirror, all of its branches, tags, and commits will automatically be updated from the repository configured in the
-  %strong Pull from a remote repository
-  section.
-
-%p.light
-  When the repository has a remote mirror associated, it means that the remote repository configured in the <strong>Push to a remote repository</strong> section will automatically receive updates from the current repository.
-
-%hr.clearfix
-
-= form_for @project, url: namespace_project_mirror_path(@project.namespace, @project), html: { class: 'form-horizontal' } do |f|
-  - if @project.errors.any?
-    .alert.alert-danger
-      - @project.errors.full_messages.each do |msg|
-        %p= msg
-
-  %h4 Pull from a remote repository
-  %p.light
-    Set up your project to automatically have its branches, tags, and commits updated from an upstream repository every hour.
-  = render "shared/mirror_update_button"
-  - if @project.mirror_last_update_success?
-    %span.prepend-left-default Successfully updated #{time_ago_with_tooltip(@project.mirror_last_successful_update_at)}.
-  %hr.clearfix
-
-  - if @project.mirror_last_update_failed?
-    .panel.panel-danger
-      .panel-heading
-        The repository failed to update #{time_ago_with_tooltip(@project.mirror_last_update_at)}.
-        - if @project.mirror_ever_updated_successfully?
-          Last successful update #{time_ago_with_tooltip(@project.mirror_last_successful_update_at)}.
-      .panel-body
-        %pre
-          :preserve
-            #{@project.import_error.try(:strip)}
-
-  .form-group
-    .col-sm-offset-2.col-sm-10
-      .checkbox
-        = f.label :mirror do
-          = f.check_box :mirror
-          %strong
-            Mirror repository
+.row.prepend-top-default.append-bottom-default
+  .col-lg-3
+    %h4.prepend-top-0
+      Pull from a remote repository
+    %p.light
+      Set up your project to automatically have its branches, tags, and commits updated from an upstream repository every hour.
+  .col-lg-9
+    %h5.prepend-top-0
+      Set up mirror repository
+    = form_for @project, url: namespace_project_mirror_path(@project.namespace, @project) do |f|
+      = form_errors(@project)
+      = render "shared/mirror_update_button"
+      - if @project.mirror_last_update_failed?
+        .panel.panel-danger
+          .panel-heading
+            The repository failed to update #{time_ago_with_tooltip(@project.mirror_last_update_at)}.
+            - if @project.mirror_ever_updated_successfully?
+              Last successful update #{time_ago_with_tooltip(@project.mirror_last_successful_update_at)}.
+          .panel-body
+            %pre
+              :preserve
+                #{@project.import_error.try(:strip)}
+      .form-group
+        = f.check_box :mirror, class: "pull-left"
+        .prepend-left-20
+          = f.label :mirror, "Mirror repository", class: "label-light append-bottom-0"
+          %p.light.append-bottom-0
+            Automatically update this project's branches, tags, and commits from the upstream repository every hour.
+      .form-group
+        = f.label :import_url, "Git repository URL", class: "label-light"
+        = f.text_field :import_url, class: 'form-control', placeholder: 'https://username:password@gitlab.company.com/group/project.git'
+        = render "instructions"
+      .form-group
+        = f.label :mirror_user_id, "Mirror user", class: "label-light"
+        = users_select_tag("project[mirror_user_id]", class: 'input-large', selected: @project.mirror_user_id || current_user.id,
+          first_user: true, current_user: true, push_code_to_protected_branches: true)
         .help-block
-          Automatically update this project's branches, tags, and commits from the upstream repository every hour.
-
-  .form-group
-    = f.label :import_url, class: 'control-label' do
-      %span Git repository URL
-    .col-sm-10
-      = f.text_field :import_url, class: 'form-control', placeholder: 'https://username:password@gitlab.company.com/group/project.git'
-      .well.prepend-top-20
-        %ul
-          %li
-            The repository must be accessible over <code>http://</code>, <code>https://</code>, <code>ssh://</code> or <code>git://</code>.
-          %li
-            If your HTTP repository is not publicly accessible, add authentication information to the URL: <code>https://username:password@gitlab.company.com/group/project.git</code>.
-          %li
-            If your SSH repository is not publicly accessible, add the public SSH key of the GitLab server to the remote repository.
-          %li
-            The update action will time out after 10 minutes. For big repositories, use a clone/push combination.
-
-  .form-group
-    = f.label :mirror_user_id, class: 'control-label' do
-      Mirror user
-    .col-sm-10
-      = users_select_tag("project[mirror_user_id]", class: 'input-large', selected: @project.mirror_user_id || current_user.id,
-        first_user: true, current_user: true, push_code_to_protected_branches: true)
-      .help-block
-        This user will be the author of all events in the activity feed that are the result of an update,
-        like new branches being created or new commits being pushed to existing branches.
-        They need to have at least master access to this project.
-
-  - if @project.builds_enabled?
-    = render 'shared/mirror_trigger_builds_setting', f: f
-
-  %h4 Push to a remote repository
-  %p.light
-    Set up the remote repository that you want to update with the content of the current repository every hour.
-  = render "shared/remote_mirror_update_button", remote_mirror: @remote_mirror
-  - if @remote_mirror.last_successful_update_at
-    %span.prepend-left-default Successfully updated #{time_ago_with_tooltip(@remote_mirror.last_successful_update_at)}.
-
-  %hr.clearfix
-
-  - if @remote_mirror.last_error.present?
-    .panel.panel-danger
-      .panel-heading
-        The remote repository failed to update #{time_ago_with_tooltip(@remote_mirror.last_update_at)}.
-        - if @remote_mirror.last_successful_update_at
-          Last successful update #{time_ago_with_tooltip(@remote_mirror.last_successful_update_at)}.
-      .panel-body
-        %pre
-          :preserve
-            #{@remote_mirror.last_error.strip}
-
-  = f.fields_for :remote_mirrors, @remote_mirror do |rm_form|
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = rm_form.label :enabled do
-            = rm_form.check_box :enabled
-            %strong
-              Remote Mirror Repository
-          .help-block
-            Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
-
-    .form-group.has-feedback
-      = rm_form.label :url, class: 'control-label' do
-        %span Git repository URL
-      .col-sm-10
-        = rm_form.text_field :url, class: 'form-control', placeholder: 'https://username:password@gitlab.company.com/group/project.git'
-        .well.prepend-top-20
-          The requirements for the URL format are the same mentioned in the <strong>Pull from a remote repository</strong> section.
-
-  .form-actions
-    = f.submit "Save Changes", class: "btn btn-create"
+          This user will be the author of all events in the activity feed that are the result of an update,
+          like new branches being created or new commits being pushed to existing branches.
+          They need to have at least master access to this project.
+      - if @project.builds_enabled?
+        = render "shared/mirror_trigger_builds_setting", f: f
+      = f.submit "Update", class: "btn btn-save"
+  .col-sm-12
+    %hr
+  .col-lg-3
+    %h4.prepend-top-0
+      Push to a remote repository
+    %p.light
+      Set up the remote repository that you want to update with the content of the current repository every hour.
+  .col-lg-9
+    = form_for @project, url: namespace_project_mirror_path(@project.namespace, @project) do |f|
+      = form_errors(@project)
+      = render "shared/remote_mirror_update_button", remote_mirror: @remote_mirror
+      - if @remote_mirror.last_error.present?
+        .panel.panel-danger
+          .panel-heading
+            The remote repository failed to update #{time_ago_with_tooltip(@remote_mirror.last_update_at)}.
+            - if @remote_mirror.last_successful_update_at
+              Last successful update #{time_ago_with_tooltip(@remote_mirror.last_successful_update_at)}.
+          .panel-body
+            %pre
+              :preserve
+                #{@remote_mirror.last_error.strip}
+      = f.fields_for :remote_mirrors, @remote_mirror do |rm_form|
+        .form-group
+          = rm_form.check_box :enabled, class: "pull-left"
+          .prepend-left-20
+            = rm_form.label :enabled, "Remote mirror repository", class: "label-light append-bottom-0"
+            %p.light.append-bottom-0
+              Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
+        .form-group.has-feedback
+          = rm_form.label :url, "Git repository URL", class: "label-light"
+          = rm_form.text_field :url, class: "form-control", placeholder: 'https://username:password@gitlab.company.com/group/project.git'
+          = render "instructions"
+      = f.submit "Update", class: "btn btn-create"

app/views/shared/_mirror_trigger_builds_setting.html.haml

 .form-group
-  .col-sm-offset-2.col-sm-10
-    .checkbox
-      = f.label :mirror_trigger_builds do
-        = f.check_box :mirror_trigger_builds
-        %strong
-          Trigger builds for mirror updates
-      .help-block
-        Trigger builds when branches or tags are updated from the upstream repository.
-        Depending on the activity of the upstream repository, this may greatly increase the load on your CI runners.
-        Only enable this if you know they can handle the load.
+  = f.check_box :mirror_trigger_builds, class: "pull-left"
+  .prepend-left-20
+    = f.label :mirror_trigger_builds, "Trigger builds for mirror updates", class: "label-light"
+    %p.light.append-bottom-0
+      Trigger builds when branches or tags are updated from the upstream repository.
+      Depending on the activity of the upstream repository, this may greatly increase the load on your CI runners.
+      Only enable this if you know they can handle the load.

app/views/shared/_mirror_update_button.html.haml

 - if @project.mirror? && can?(current_user, :push_code, @project)
-  - if @project.updating_mirror?
-    %span.btn.disabled
-      = icon('refresh')
-      Updating…
-  - else
-    = link_to update_now_namespace_project_mirror_path(@project.namespace, @project), method: :post, class: "btn" do
-      = icon('refresh')
-      Update Now
+  .append-bottom-default
+    - if @project.updating_mirror?
+      %span.btn.disabled
+        = icon("refresh spin")
+        Updating…
+    - else
+      = link_to update_now_namespace_project_mirror_path(@project.namespace, @project), method: :post, class: "btn" do
+        = icon("refresh")
+        Update Now
+    - if @project.mirror_last_update_success?
+      %p.inline.prepend-left-10
+        Successfully updated #{time_ago_with_tooltip(@project.mirror_last_successful_update_at)}.

app/views/shared/_remote_mirror_update_button.html.haml

 - if @project.has_remote_mirror?
-  - if remote_mirror.update_in_progress?
-    %span.btn.disabled
-      = icon('refresh')
-      Updating…
-  - else
-    = link_to update_now_namespace_project_mirror_path(@project.namespace, @project, sync_remote: true), method: :post, class: "btn" do
-      = icon('refresh')
-      Update Now
+  .append-bottom-default
+    - if remote_mirror.update_in_progress?
+      %span.btn.disabled
+        = icon("refresh spin")
+        Updating…
+    - else
+      = link_to update_now_namespace_project_mirror_path(@project.namespace, @project, sync_remote: true), method: :post, class: "btn" do
+        = icon("refresh")
+        Update Now
+    - if @remote_mirror.last_successful_update_at
+      %p.inline.prepend-left-10
+        Successfully updated #{time_ago_with_tooltip(@remote_mirror.last_successful_update_at)}.

doc/integration/saml.md

@@ -175,6 +175,30 @@ tell GitLab which groups are external via the `external_groups:` element:
         } }
 ```
 
+## Admin Groups
+
+>**Note:**
+This setting is only available on GitLab 8.8 EE and above.
+
+This setting works very similarly to the `External Groups` setting. The requirements
+are the same, your IdP needs to pass Group information to GitLab, you need to tell
+GitLab where to look for the groups in the SAML response, and which group should be
+considered `admin groups`.
+
+```yaml
+{ name: 'saml',
+  label: 'Our SAML Provider',
+  groups_attribute: 'Groups',
+  admin_groups: ['Managers', 'Admins'],
+  args: {
+          assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
+          idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
+          idp_sso_target_url: 'https://login.example.com/idp',
+          issuer: 'https://gitlab.example.com',
+          name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        } }
+```
+
 ## Customization
 
 ### `auto_sign_in_with_provider`

doc/update/8.7-to-8.8.md

@@ -151,6 +151,16 @@ When index mapping is changed the whole index should be removed and built from t
     bundle exec rake gitlab:elastic:delete_indexes
     ```
 
+1. Clear repository index status:
+
+    ```
+    # Omnibus installations
+    sudo gitlab-rake gitlab:elastic:clear_index_status
+
+    # Installations from source
+    bundle exec rake gitlab:elastic:clear_index_status
+    ```
+
 1. Create new, empty indexes:
 
     ```

lib/api/users.rb

@@ -24,7 +24,7 @@ module API
           @users = @users.non_ldap if skip_ldap
           @users = @users.search(params[:search]) if params[:search].present?
           @users = paginate @users
-       end
+        end
 
         if current_user.is_admin?
           present @users, with: Entities::UserFull

lib/gitlab/saml/config.rb

@@ -14,6 +14,10 @@ module Gitlab
         def external_groups
           options[:external_groups]
         end
+
+        def admin_groups
+          options[:admin_groups]
+        end
       end
 
     end

lib/gitlab/saml/user.rb

@@ -36,6 +36,14 @@ module Gitlab
           end
         end
 
+        if admin_groups_enabled? && @user
+          if (auth_hash.groups & Gitlab::Saml::Config.admin_groups).empty?
+            @user.admin = false
+          else
+            @user.admin = true
+          end
+        end
+
         @user
       end
 
@@ -65,6 +73,10 @@ module Gitlab
       def auth_hash=(auth_hash)
         @auth_hash = Gitlab::Saml::AuthHash.new(auth_hash)
       end
+
+      def admin_groups_enabled?
+        !Gitlab::Saml::Config.admin_groups.nil?
+      end
     end
   end
 end

spec/controllers/oauth/geo_auth_controller_spec.rb

@@ -106,7 +106,7 @@ describe Oauth::GeoAuthController do
         allow_any_instance_of(Oauth2::LogoutTokenValidationService).to receive(:execute) { { status: :error, message: :expired } }
         get :logout, state: logout_state
 
-        expect(response.body).to include("There is a problem with the OAuth access_token: #{:expired}")
+        expect(response.body).to include("There is a problem with the OAuth access_token: expired")
       end
     end
   end

spec/lib/gitlab/saml/user_spec.rb

@@ -31,6 +31,10 @@ describe Gitlab::Saml::User, lib: true do
       allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', external_groups: groups, args: {} } })
     end
 
+    def stub_saml_admin_group_config(groups)
+      allow(Gitlab::Saml::Config).to receive_messages({ options: { name: 'saml', groups_attribute: 'groups', admin_groups: groups, args: {} } })
+    end
+
     before { stub_basic_saml_config }
 
     describe 'account exists on server' do
@@ -75,6 +79,35 @@ describe Gitlab::Saml::User, lib: true do
           end
         end
       end
+
+      context 'admin groups' do
+        context 'are defined' do
+          it 'marks the user as admin' do
+            stub_saml_admin_group_config(%w(Developers))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_truthy
+          end
+        end
+
+        before { stub_saml_admin_group_config(%w(Admins)) }
+        context 'are defined but the user does not belong there' do
+          it 'does not mark the user as admin' do
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+
+        context 'user was admin, now should not be' do
+          it 'should make user non admin' do
+            existing_user.update_attribute('admin', true)
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+      end
     end
 
     describe 'no account exists on server' do
@@ -127,6 +160,26 @@ describe Gitlab::Saml::User, lib: true do
         end
       end
 
+      context 'admin groups' do
+        context 'are defined' do
+          it 'marks the user as admin' do
+            stub_saml_admin_group_config(%w(Developers))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_truthy
+          end
+        end
+
+        context 'are defined but the user does not belong there' do
+          it 'does not mark the user as admin' do
+            stub_saml_admin_group_config(%w(Admins))
+            saml_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.admin).to be_falsey
+          end
+        end
+      end
+
       context 'with auto_link_ldap_user disabled (default)' do
         before { stub_omniauth_config({ auto_link_ldap_user: false, auto_link_saml_user: false, allow_single_sign_on: ['saml'] }) }
         include_examples 'to verify compliance with allow_single_sign_on'