Merge branch 'multi_provider' into 'master'

Supporting for multiple omniauth provider for the same user fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/1721 and https://dev.gitlab.org/gitlab/gitlabhq/issues/1760 See merge request !1296

Merge branch 'multi_provider' into 'master'
Supporting for multiple omniauth provider for the same user fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/1721 and https://dev.gitlab.org/gitlab/gitlabhq/issues/1760 See merge request !1296
e1f1e062 · Dmitriy Zaporozhets · 490ae737 · f9a730eb · e1f1e062 · e1f1e062
Commit e1f1e062 authored Dec 04, 2014 by Dmitriy Zaporozhets
24 changed files
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -42,10 +42,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController

  def handle_omniauth
    if current_user
-      # Change a logged-in user's authentication method:
-      current_user.extern_uid = oauth['uid']
-      current_user.provider = oauth['provider']
-      current_user.save
+      # Add new authentication method
+      current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])
      redirect_to profile_path
    else
      @user = Gitlab::OAuth::User.new(oauth)
@@ -67,8 +65,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
        redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
      end
    end
-  rescue StandardError
-    flash[:notice] = "There's no such user!"
+  rescue ForbiddenAction => e
+    flash[:notice] = e.message
    redirect_to new_user_session_path
  end


--- a/app/helpers/oauth_helper.rb
+++ b/app/helpers/oauth_helper.rb
@@ -16,4 +16,8 @@ module OauthHelper
      [:twitter, :github, :google_oauth2].include?(name.to_sym)
    end
  end
+
+  def additional_providers
+    enabled_oauth_providers.reject{|provider| provider.to_s.starts_with?('ldap')}
+  end
 end
--- a/app/helpers/profile_helper.rb
+++ b/app/helpers/profile_helper.rb
 module ProfileHelper
  def oauth_active_class(provider)
-    if current_user.provider == provider.to_s
+    if current_user.identities.exists?(provider: provider.to_s)
      'active'
    end
  end
@@ -10,10 +10,10 @@ module ProfileHelper
  end

  def show_profile_social_tab?
-    enabled_social_providers.any? && !current_user.ldap_user?
+    enabled_social_providers.any?
  end

  def show_profile_remove_tab?
-    gitlab_config.signup_enabled && !current_user.ldap_user?
+    gitlab_config.signup_enabled
  end
 end
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
+class Identity < ActiveRecord::Base
+  belongs_to :user
+
+  validates :extern_uid, allow_blank: true, uniqueness: {scope: :provider}
+end
\ No newline at end of file
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -79,6 +79,7 @@ class User < ActiveRecord::Base
  # Profile
  has_many :keys, dependent: :destroy
  has_many :emails, dependent: :destroy
+  has_many :identities, dependent: :destroy

  # Groups
  has_many :members, dependent: :destroy
@@ -113,7 +114,6 @@ class User < ActiveRecord::Base
  validates :name, presence: true
  validates :email, presence: true, email: {strict_mode: true}, uniqueness: true
  validates :bio, length: { maximum: 255 }, allow_blank: true
-  validates :extern_uid, allow_blank: true, uniqueness: {scope: :provider}
  validates :projects_limit, presence: true, numericality: {greater_than_or_equal_to: 0}
  validates :username, presence: true, uniqueness: { case_sensitive: false },
            exclusion: { in: Gitlab::Blacklist.path },
@@ -178,7 +178,6 @@ class User < ActiveRecord::Base
  scope :not_in_team, ->(team){ where('users.id NOT IN (:ids)', ids: team.member_ids) }
  scope :not_in_project, ->(project) { project.users.present? ? where("id not in (:ids)", ids: project.users.map(&:id) ) : all }
  scope :without_projects, -> { where('id NOT IN (SELECT DISTINCT(user_id) FROM members)') }
-  scope :ldap, -> { where('provider LIKE ?', 'ldap%') }
  scope :potential_team_members, ->(team) { team.members.any? ? active.not_in_team(team) : active  }

  #
@@ -407,7 +406,11 @@ class User < ActiveRecord::Base
  end

  def ldap_user?
-    extern_uid && provider.start_with?('ldap')
+    identities.exists?(["provider LIKE ? AND extern_uid IS NOT NULL", "ldap%"])
+  end
+
+  def ldap_identity
+    @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
  end

  def accessible_deploy_keys

--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -107,7 +107,7 @@ class NotificationService
  # Notify new user with email after creation
  def new_user(user, token = nil)
    # Don't email omniauth created users
-    mailer.new_user_email(user.id, token) unless user.extern_uid?
+    mailer.new_user_email(user.id, token) unless user.identities.any?
  end

  # Notify users on new note in system

--- a/app/views/admin/users/show.html.haml
+++ b/app/views/admin/users/show.html.haml
@@ -95,7 +95,7 @@
              %li
                %span.light LDAP uid:
                %strong
-                  = @user.extern_uid
+                  = @user.ldap_identity.extern_uid

            - if @user.created_by
              %li

--- a/app/views/devise/sessions/_oauth_providers.html.haml
+++ b/app/views/devise/sessions/_oauth_providers.html.haml
- providers = (enabled_oauth_providers - [:ldap])
+- providers = additional_providers
 - if providers.present?
  .bs-callout.bs-callout-info{:'data-no-turbolink' => 'data-no-turbolink'}
    %span Sign in with: &nbsp;

--- a/db/migrate/20141121161704_add_identity_table.rb
+++ b/db/migrate/20141121161704_add_identity_table.rb
+class AddIdentityTable < ActiveRecord::Migration
+  def up
+    create_table :identities do |t|
+      t.string :extern_uid
+      t.string :provider
+      t.references :user
+    end
+
+    add_index :identities, :user_id
+
+    User.where("provider IS NOT NULL").find_each do |user|
+      execute "INSERT INTO identities(provider, extern_uid, user_id) VALUES('#{user.provider}', '#{user.extern_uid}', '#{user.id}')"
+    end
+
+    remove_column :users, :extern_uid
+    remove_column :users, :provider
+  end
+
+  def down
+    add_column :users, :extern_uid, :string
+    add_column :users, :provider, :string
+
+    User.where("id IN(SELECT user_id FROM identities)").find_each do |user|
+      identity = user.identities.last
+      user.extern_uid = identity.extern_uid
+      user.provider = identity.provider
+      user.save
+    end
+
+    drop_table :identities
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20141121133009) do
+ActiveRecord::Schema.define(version: 20141121161704) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -74,6 +74,14 @@ ActiveRecord::Schema.define(version: 20141121133009) do

  add_index "forked_project_links", ["forked_to_project_id"], name: "index_forked_project_links_on_forked_to_project_id", unique: true, using: :btree

+  create_table "identities", force: true do |t|
+    t.string  "extern_uid"
+    t.string  "provider"
+    t.integer "user_id"
+  end
+
+  add_index "identities", ["user_id"], name: "index_identities_on_user_id", using: :btree
+
  create_table "issues", force: true do |t|
    t.string   "title"
    t.integer  "assignee_id"
@@ -350,8 +358,6 @@ ActiveRecord::Schema.define(version: 20141121133009) do
    t.string   "bio"
    t.integer  "failed_attempts",          default: 0
    t.datetime "locked_at"
-    t.string   "extern_uid"
-    t.string   "provider"
    t.string   "username"
    t.boolean  "can_create_group",         default: true,  null: false
    t.boolean  "can_create_team",          default: true,  null: false
@@ -360,6 +366,7 @@ ActiveRecord::Schema.define(version: 20141121133009) do
    t.integer  "notification_level",       default: 1,     null: false
    t.datetime "password_expires_at"
    t.integer  "created_by_id"
+    t.datetime "last_credential_check_at"
    t.string   "avatar"
    t.string   "confirmation_token"
    t.datetime "confirmed_at"
@@ -367,7 +374,6 @@ ActiveRecord::Schema.define(version: 20141121133009) do
    t.string   "unconfirmed_email"
    t.boolean  "hide_no_ssh_key",          default: false
    t.string   "website_url",              default: "",    null: false
-    t.datetime "last_credential_check_at"
  end

  add_index "users", ["admin"], name: "index_users_on_admin", using: :btree
@@ -375,7 +381,6 @@ ActiveRecord::Schema.define(version: 20141121133009) do
  add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree
  add_index "users", ["current_sign_in_at"], name: "index_users_on_current_sign_in_at", using: :btree
  add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
-  add_index "users", ["extern_uid", "provider"], name: "index_users_on_extern_uid_and_provider", unique: true, using: :btree
  add_index "users", ["name"], name: "index_users_on_name", using: :btree
  add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree
  add_index "users", ["username"], name: "index_users_on_username", using: :btree

--- a/features/steps/profile/profile.rb
+++ b/features/steps/profile/profile.rb
@@ -170,7 +170,7 @@ class Spinach::Features::Profile < Spinach::FeatureSteps
  end

  step "I am not an ldap user" do
-    current_user.update_attributes(extern_uid: nil,  provider: '')
+    current_user.identities.delete
    current_user.ldap_user?.should be_false
  end


--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -14,10 +14,14 @@ module API
      expose :bio, :skype, :linkedin, :twitter, :website_url
    end

+    class Identity < Grape::Entity
+      expose :provider, :extern_uid
+    end
+
    class UserFull < User
      expose :email
-      expose :theme_id, :color_scheme_id, :extern_uid, :provider, \
-             :projects_limit
+      expose :theme_id, :color_scheme_id, :projects_limit
+      expose :identities, using: Entities::Identity
      expose :can_create_group?, as: :can_create_group
      expose :can_create_project?, as: :can_create_project
    end

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -59,10 +59,16 @@ module API
      post do
        authenticated_as_admin!
        required_attributes! [:email, :password, :name, :username]
-        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
+        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :bio, :can_create_group, :admin]
        user = User.build_user(attrs)
        admin = attrs.delete(:admin)
        user.admin = admin unless admin.nil?
+
+        identity_attrs = attributes_for_keys [:provider, :extern_uid]
+        if identity_attrs.any?
+          user.identities.build(identity_attrs)
+        end
+
        if user.save
          present user, with: Entities::UserFull
        else
@@ -89,8 +95,6 @@ module API
      #   twitter                           - Twitter account
      #   website_url                       - Website url
      #   projects_limit                    - Limit projects each user can create
-      #   extern_uid                        - External authentication provider UID
-      #   provider                          - External provider
      #   bio                               - Bio
      #   admin                             - User is admin - true or false (default)
      #   can_create_group                  - User can create groups - true or false
@@ -99,7 +103,7 @@ module API
      put ":id" do
        authenticated_as_admin!

-        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :website_url, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
+        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :website_url, :projects_limit, :username, :bio, :can_create_group, :admin]
        user = User.find(params[:id])
        not_found!('User') unless user


--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -8,7 +8,7 @@ module Gitlab
      attr_reader :adapter, :provider, :user

      def self.open(user, &block)
-        Gitlab::LDAP::Adapter.open(user.provider) do |adapter|
+        Gitlab::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
          block.call(self.new(user, adapter))
        end
      end
@@ -28,13 +28,13 @@ module Gitlab
      def initialize(user, adapter=nil)
        @adapter = adapter
        @user = user
-        @provider = user.provider
+        @provider = user.ldap_identity.provider
      end

      def allowed?
-        if Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
+        if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
          return true unless ldap_config.active_directory
-          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.extern_uid, adapter)
+          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
        else
          false
        end

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -12,9 +12,10 @@ module Gitlab
      class << self
        def find_by_uid_and_provider(uid, provider)
          # LDAP distinguished name is case-insensitive
-          ::User.
+          identity = ::Identity.
            where(provider: [provider, :ldap]).
            where('lower(extern_uid) = ?', uid.downcase).last
+          identity && identity.user
        end
      end

@@ -34,15 +35,13 @@ module Gitlab
      end

      def find_by_email
-        model.find_by(email: auth_hash.email)
+        ::User.find_by(email: auth_hash.email)
      end

      def update_user_attributes
-        gl_user.attributes = {
-          extern_uid: auth_hash.uid,
-          provider: auth_hash.provider,
-          email: auth_hash.email
-        }
+        gl_user.email = auth_hash.email
+        gl_user.identities.build(provider: auth_hash.provider, extern_uid: auth_hash.uid)
+        gl_user
      end

      def changed?

--- a/lib/gitlab/oauth/user.rb
+++ b/lib/gitlab/oauth/user.rb
@@ -5,6 +5,8 @@
 #
 module Gitlab
  module OAuth
+    class ForbiddenAction < StandardError; end
+
    class User
      attr_accessor :auth_hash, :gl_user

@@ -70,24 +72,24 @@ module Gitlab
      end

      def find_by_uid_and_provider
-        model.where(provider: auth_hash.provider, extern_uid: auth_hash.uid).last
+        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
+        identity && identity.user
      end

      def build_new_user
-        model.new(user_attributes).tap do |user|
-          user.skip_confirmation!
-        end
+        user = ::User.new(user_attributes)
+        user.skip_confirmation!
+        user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
+        user
      end

      def user_attributes
        {
-          extern_uid: auth_hash.uid,
-          provider: auth_hash.provider,
          name: auth_hash.name,
          username: auth_hash.username,
          email: auth_hash.email,
          password: auth_hash.password,
-          password_confirmation: auth_hash.password,
+          password_confirmation: auth_hash.password
        }
      end

@@ -95,12 +97,8 @@ module Gitlab
        Gitlab::AppLogger
      end

-      def model
-        ::User
-      end
-
-      def raise_unauthorized_to_create
-        raise StandardError.new("Unauthorized to create user, signup disabled for #{auth_hash.provider}")
+      def unauthorized_to_create
+        raise ForbiddenAction.new("Unauthorized to create user, signup disabled for #{auth_hash.provider}")
      end
    end
  end

--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -18,15 +18,24 @@ FactoryGirl.define do
    password "12345678"
    password_confirmation { password }
    confirmed_at { Time.now }
-    confirmation_token { nil }
+    confirmation_token { nil }    

    trait :admin do
      admin true
    end

-    trait :ldap do
-      provider 'ldapmain'
-      extern_uid 'my-ldap-id'
+    factory :omniauth_user do
+      ignore do
+        extern_uid '123456'
+        provider 'ldapmain'
+      end
+
+      after(:create) do |user, evaluator|
+        user.identities << create(:identity,
+          provider: evaluator.provider,
+          extern_uid: evaluator.extern_uid
+        )
+      end
    end

    factory :admin, traits: [:admin]
@@ -182,4 +191,9 @@ FactoryGirl.define do
    deploy_key
    project
  end
+
+  factory :identity do
+    provider 'ldapmain'
+    extern_uid 'my-ldap-id'
+  end
 end
--- a/spec/helpers/oauth_helper_spec.rb
+++ b/spec/helpers/oauth_helper_spec.rb
+require "spec_helper"
+
+describe OauthHelper do
+  describe "additional_providers" do
+    it 'returns all enabled providers' do
+      allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :github] }
+      helper.additional_providers.should include(*[:twitter, :github])
+    end
+
+    it 'does not return ldap provider' do
+      allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :ldapmain] }
+      helper.additional_providers.should include(:twitter)
+    end
+
+    it 'returns empty array' do
+      allow(helper).to receive(:enabled_oauth_providers) { [] }
+      helper.additional_providers.should == []
+    end
+  end
+end
\ No newline at end of file
--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'

 describe Gitlab::LDAP::Access do
  let(:access) { Gitlab::LDAP::Access.new user }
-  let(:user) { create(:user, :ldap) }
+  let(:user) { create(:omniauth_user) }

  describe :allowed? do
    subject { access.allowed? }

--- a/spec/lib/gitlab/ldap/authentication_spec.rb
+++ b/spec/lib/gitlab/ldap/authentication_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'

 describe Gitlab::LDAP::Authentication do
  let(:klass) { Gitlab::LDAP::Authentication }
-  let(:user) { create(:user, :ldap, extern_uid: dn) }
+  let(:user) { create(:omniauth_user, extern_uid: dn) }
  let(:dn) { 'uid=john,ou=people,dc=example,dc=com' }
  let(:login) { 'john' }
  let(:password) { 'password' }

--- a/spec/lib/gitlab/ldap/user_spec.rb
+++ b/spec/lib/gitlab/ldap/user_spec.rb
@@ -15,18 +15,18 @@ describe Gitlab::LDAP::User do

  describe :find_or_create do
    it "finds the user if already existing" do
-      existing_user = create(:user, extern_uid: 'my-uid', provider: 'ldapmain')
+      existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')

      expect{ gl_user.save }.to_not change{ User.count }
    end

    it "connects to existing non-ldap user if the email matches" do
-      existing_user = create(:user, email: 'john@example.com')
+      existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
      expect{ gl_user.save }.to_not change{ User.count }

      existing_user.reload
-      expect(existing_user.extern_uid).to eql 'my-uid'
-      expect(existing_user.provider).to eql 'ldapmain'
+      expect(existing_user.ldap_identity.extern_uid).to eql 'my-uid'
+      expect(existing_user.ldap_identity.provider).to eql 'ldapmain'
    end

    it "creates a new user if not found" do

--- a/spec/lib/gitlab/oauth/user_spec.rb
+++ b/spec/lib/gitlab/oauth/user_spec.rb
@@ -15,7 +15,7 @@ describe Gitlab::OAuth::User do
  end

  describe :persisted? do
-    let!(:existing_user) { create(:user, extern_uid: 'my-uid', provider: 'my-provider') }
+    let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }

    it "finds an existing user based on uid and provider (facebook)" do
      auth = double(info: double(name: 'John'), uid: 'my-uid', provider: 'my-provider')
@@ -39,8 +39,9 @@ describe Gitlab::OAuth::User do
          oauth_user.save

          expect(gl_user).to be_valid
-          expect(gl_user.extern_uid).to eql uid
-          expect(gl_user.provider).to eql 'twitter'
+          identity = gl_user.identities.first
+          expect(identity.extern_uid).to eql uid
+          expect(identity.provider).to eql 'twitter'
        end
      end


--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -62,6 +62,7 @@ describe User do
    it { should have_many(:assigned_issues).dependent(:destroy) }
    it { should have_many(:merge_requests).dependent(:destroy) }
    it { should have_many(:assigned_merge_requests).dependent(:destroy) }
+    it { should have_many(:identities).dependent(:destroy) }
  end

  describe "Mass assignment" do
@@ -361,24 +362,29 @@ describe User do
  end

  describe :ldap_user? do
-    let(:user) { build(:user, :ldap) }
-
    it "is true if provider name starts with ldap" do
-      user.provider = 'ldapmain'
+      user = create(:omniauth_user, provider: 'ldapmain')
      expect( user.ldap_user? ).to be_true
    end

    it "is false for other providers" do
-      user.provider = 'other-provider'
+      user = create(:omniauth_user, provider: 'other-provider')
      expect( user.ldap_user? ).to be_false
    end

    it "is false if no extern_uid is provided" do
-      user.extern_uid = nil
+      user = create(:omniauth_user, extern_uid: nil)
      expect( user.ldap_user? ).to be_false
    end
  end

+  describe :ldap_identity do
+    it "returns ldap identity" do
+      user = create :omniauth_user
+      user.ldap_identity.provider.should_not be_empty
+    end
+  end
+
  describe '#full_website_url' do
    let(:user) { create(:user) }


--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -33,7 +33,7 @@ describe API::API, api: true  do
        response.status.should == 200
        json_response.should be_an Array
        json_response.first.keys.should include 'email'
-        json_response.first.keys.should include 'extern_uid'
+        json_response.first.keys.should include 'identities'
        json_response.first.keys.should include 'can_create_project'
      end
    end