Commit 011c168b authored by Tiago Botelho's avatar Tiago Botelho

Refactors SAML identity creation in gl_user.

parent cd85a558
...@@ -690,8 +690,12 @@ class User < ActiveRecord::Base ...@@ -690,8 +690,12 @@ class User < ActiveRecord::Base
end end
def ldap_user? def ldap_user?
if identities.loaded?
identities.find { |identity| identity.provider.start_with?('ldap') && !identity.extern_uid.nil? }
else
identities.exists?(["provider LIKE ? AND extern_uid IS NOT NULL", "ldap%"]) identities.exists?(["provider LIKE ? AND extern_uid IS NOT NULL", "ldap%"])
end end
end
def ldap_identity def ldap_identity
@ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"]) @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
......
...@@ -22,8 +22,8 @@ module Gitlab ...@@ -22,8 +22,8 @@ module Gitlab
Gitlab::LDAP::Config.new(provider) Gitlab::LDAP::Config.new(provider)
end end
def users(field, value, limit = nil) def users(fields, value, limit = nil)
options = user_options(field, value, limit) options = user_options(Array(fields), value, limit)
entries = ldap_search(options).select do |entry| entries = ldap_search(options).select do |entry|
entry.respond_to? config.uid entry.respond_to? config.uid
...@@ -72,8 +72,7 @@ module Gitlab ...@@ -72,8 +72,7 @@ module Gitlab
private private
def user_options(field, value, limit) def user_options(fields, value, limit)
filter = nil
options = { options = {
attributes: Gitlab::LDAP::Person.ldap_attributes(config).compact.uniq, attributes: Gitlab::LDAP::Person.ldap_attributes(config).compact.uniq,
base: config.base base: config.base
...@@ -81,16 +80,13 @@ module Gitlab ...@@ -81,16 +80,13 @@ module Gitlab
options[:size] = limit if limit options[:size] = limit if limit
case field.to_sym if fields.include?('dn')
when :dn raise ArgumentError, 'It is not currently possible to search the DN and other fields at the same time.' if fields.size > 1
options[:base] = value options[:base] = value
options[:scope] = Net::LDAP::SearchScope_BaseObject options[:scope] = Net::LDAP::SearchScope_BaseObject
when :email
filter = config.attributes['email'].map do |field|
Net::LDAP::Filter.eq(field, value)
end.inject(:|)
else else
filter = Net::LDAP::Filter.eq(field, value) filter = fields.map { |field| Net::LDAP::Filter.eq(field, value) }.inject(:|)
end end
options.merge(filter: user_filter(filter)) options.merge(filter: user_filter(filter))
......
...@@ -18,7 +18,9 @@ module Gitlab ...@@ -18,7 +18,9 @@ module Gitlab
end end
def self.find_by_email(email, adapter) def self.find_by_email(email, adapter)
adapter.user('email', email) email_fields = adapter.config.attributes['email']
adapter.user(email_fields, email)
end end
def self.disabled_via_active_directory?(dn, adapter) def self.disabled_via_active_directory?(dn, adapter)
......
...@@ -17,41 +17,19 @@ module Gitlab ...@@ -17,41 +17,19 @@ module Gitlab
end end
end end
def initialize(auth_hash)
super
update_user_attributes
end
def save def save
super('LDAP') super('LDAP')
end end
# instance methods # instance methods
def gl_user def find_user
@gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user find_by_uid_and_provider || find_by_email || build_new_user
end end
def find_by_uid_and_provider def find_by_uid_and_provider
self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider) self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider)
end end
def find_by_email
::User.find_by(email: auth_hash.email.downcase) if auth_hash.has_attribute?(:email)
end
def update_user_attributes
if persisted?
# find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
identity = gl_user.identities.find { |identity| identity.provider == auth_hash.provider }
identity ||= gl_user.identities.build(provider: auth_hash.provider)
# For a new identity set extern_uid to the LDAP DN
# For an existing identity with matching email but changed DN, update the DN.
# For an existing identity with no change in DN, this line changes nothing.
identity.extern_uid = auth_hash.uid
end
end
def changed? def changed?
gl_user.changed? || gl_user.identities.any?(&:changed?) gl_user.changed? || gl_user.identities.any?(&:changed?)
end end
......
...@@ -13,6 +13,7 @@ module Gitlab ...@@ -13,6 +13,7 @@ module Gitlab
def initialize(auth_hash) def initialize(auth_hash)
self.auth_hash = auth_hash self.auth_hash = auth_hash
update_profile if sync_profile_from_provider? update_profile if sync_profile_from_provider?
add_or_update_user_identities
end end
def persisted? def persisted?
...@@ -44,47 +45,54 @@ module Gitlab ...@@ -44,47 +45,54 @@ module Gitlab
end end
def gl_user def gl_user
@user ||= find_by_uid_and_provider return @gl_user if defined?(@gl_user)
if auto_link_ldap_user? @gl_user = find_user
@user ||= find_or_create_ldap_user
end end
if signup_enabled? def find_user
@user ||= build_new_user user = find_by_uid_and_provider
end
if external_provider? && @user user ||= find_or_build_ldap_user if auto_link_ldap_user?
@user.external = true user ||= build_new_user if signup_enabled?
end
@user user.external = true if external_provider? && user
user
end end
protected protected
def find_or_create_ldap_user def add_or_update_user_identities
# find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
identity = gl_user.identities.find { |identity| identity.provider == auth_hash.provider }
identity ||= gl_user.identities.build(provider: auth_hash.provider)
identity.extern_uid = auth_hash.uid
if auto_link_ldap_user? && !gl_user.ldap_user? && ldap_person
log.info "Correct LDAP account has been found. identity to user: #{gl_user.username}."
gl_user.identities.build(provider: ldap_person.provider, extern_uid: ldap_person.dn)
end
end
def find_or_build_ldap_user
return unless ldap_person return unless ldap_person
# If a corresponding person exists with same uid in a LDAP server,
# check if the user already has a GitLab account.
user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider) user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
if user if user
# Case when a LDAP user already exists in Gitlab. Add the OAuth identity to existing account.
log.info "LDAP account found for user #{user.username}. Building new #{auth_hash.provider} identity." log.info "LDAP account found for user #{user.username}. Building new #{auth_hash.provider} identity."
user.identities.find_or_initialize_by(extern_uid: auth_hash.uid, provider: auth_hash.provider) return user
else
log.info "No existing LDAP account was found in GitLab. Checking for #{auth_hash.provider} account."
user = find_by_uid_and_provider
if user.nil?
log.info "No user found using #{auth_hash.provider} provider. Creating a new one."
user = build_new_user
end end
log.info "Correct account has been found. Adding LDAP identity to user: #{user.username}."
user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn) log.info "No user found using #{auth_hash.provider} provider. Creating a new one."
build_new_user
end end
user def find_by_email
return unless auth_hash.has_attribute?(:email)
::User.find_by(email: auth_hash.email.downcase)
end end
def auto_link_ldap_user? def auto_link_ldap_user?
...@@ -108,12 +116,9 @@ module Gitlab ...@@ -108,12 +116,9 @@ module Gitlab
end end
def find_ldap_person(auth_hash, adapter) def find_ldap_person(auth_hash, adapter)
person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter) Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter) ||
# The `uid` might actually be a DN. Try it next. Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter) ||
person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter) Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
# The `uid` might actually be a Email. Try it next.
person || Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter)
end end
def ldap_config def ldap_config
...@@ -155,7 +160,7 @@ module Gitlab ...@@ -155,7 +160,7 @@ module Gitlab
end end
def build_new_user def build_new_user
user_params = user_attributes.merge(extern_uid: auth_hash.uid, provider: auth_hash.provider, skip_confirmation: true) user_params = user_attributes.merge(skip_confirmation: true)
Users::BuildService.new(nil, user_params).execute(skip_authorization: true) Users::BuildService.new(nil, user_params).execute(skip_authorization: true)
end end
......
...@@ -10,46 +10,21 @@ module Gitlab ...@@ -10,46 +10,21 @@ module Gitlab
super('SAML') super('SAML')
end end
def gl_user def find_user
if auto_link_saml_user? user = find_by_uid_and_provider
@user ||= find_by_email
end
if auto_link_ldap_user? && !@user&.ldap_user?
@user ||= find_or_create_ldap_user
end
@user ||= find_by_uid_and_provider user ||= find_by_email if auto_link_saml_user?
user ||= find_or_build_ldap_user if auto_link_ldap_user?
user ||= build_new_user if signup_enabled?
if signup_enabled? if external_users_enabled? && user
@user ||= build_new_user
end
if external_users_enabled? && @user
# Check if there is overlap between the user's groups and the external groups # Check if there is overlap between the user's groups and the external groups
# setting then set user as external or internal. # setting then set user as external or internal.
@user.external = user.external = !(auth_hash.groups & Gitlab::Saml::Config.external_groups).empty?
if (auth_hash.groups & Gitlab::Saml::Config.external_groups).empty?
false
else
true
end
end
@user
end
def find_by_email
if auth_hash.has_attribute?(:email)
user = ::User.find_by(email: auth_hash.email.downcase)
if user&.identities&.empty?
user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
end end
user user
end end
end
def changed? def changed?
return true unless gl_user return true unless gl_user
......
...@@ -4,6 +4,7 @@ describe Gitlab::OAuth::User do ...@@ -4,6 +4,7 @@ describe Gitlab::OAuth::User do
let(:oauth_user) { described_class.new(auth_hash) } let(:oauth_user) { described_class.new(auth_hash) }
let(:gl_user) { oauth_user.gl_user } let(:gl_user) { oauth_user.gl_user }
let(:uid) { 'my-uid' } let(:uid) { 'my-uid' }
let(:dn) { 'uid=user1,ou=People,dc=example' }
let(:provider) { 'my-provider' } let(:provider) { 'my-provider' }
let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) } let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) }
let(:info_hash) do let(:info_hash) do
...@@ -197,7 +198,7 @@ describe Gitlab::OAuth::User do ...@@ -197,7 +198,7 @@ describe Gitlab::OAuth::User do
allow(ldap_user).to receive(:uid) { uid } allow(ldap_user).to receive(:uid) { uid }
allow(ldap_user).to receive(:username) { uid } allow(ldap_user).to receive(:username) { uid }
allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] } allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } allow(ldap_user).to receive(:dn) { dn }
end end
context "and no account for the LDAP user" do context "and no account for the LDAP user" do
...@@ -213,7 +214,7 @@ describe Gitlab::OAuth::User do ...@@ -213,7 +214,7 @@ describe Gitlab::OAuth::User do
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array( expect(identities_as_hash).to match_array(
[ [
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, { provider: 'ldapmain', extern_uid: dn },
{ provider: 'twitter', extern_uid: uid } { provider: 'twitter', extern_uid: uid }
] ]
) )
...@@ -221,7 +222,7 @@ describe Gitlab::OAuth::User do ...@@ -221,7 +222,7 @@ describe Gitlab::OAuth::User do
end end
context "and LDAP user has an account already" do context "and LDAP user has an account already" do
let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: dn, provider: 'ldapmain', username: 'john') }
it "adds the omniauth identity to the LDAP account" do it "adds the omniauth identity to the LDAP account" do
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user) allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
...@@ -234,7 +235,7 @@ describe Gitlab::OAuth::User do ...@@ -234,7 +235,7 @@ describe Gitlab::OAuth::User do
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array( expect(identities_as_hash).to match_array(
[ [
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, { provider: 'ldapmain', extern_uid: dn },
{ provider: 'twitter', extern_uid: uid } { provider: 'twitter', extern_uid: uid }
] ]
) )
...@@ -252,7 +253,7 @@ describe Gitlab::OAuth::User do ...@@ -252,7 +253,7 @@ describe Gitlab::OAuth::User do
expect(identities_as_hash) expect(identities_as_hash)
.to match_array( .to match_array(
[ [
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, { provider: 'ldapmain', extern_uid: dn },
{ provider: 'twitter', extern_uid: uid } { provider: 'twitter', extern_uid: uid }
] ]
) )
...@@ -310,8 +311,8 @@ describe Gitlab::OAuth::User do ...@@ -310,8 +311,8 @@ describe Gitlab::OAuth::User do
allow(ldap_user).to receive(:uid) { uid } allow(ldap_user).to receive(:uid) { uid }
allow(ldap_user).to receive(:username) { uid } allow(ldap_user).to receive(:username) { uid }
allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] } allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } allow(ldap_user).to receive(:dn) { dn }
allow(oauth_user).to receive(:ldap_person).and_return(ldap_user) allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
end end
context "and no account for the LDAP user" do context "and no account for the LDAP user" do
...@@ -341,7 +342,7 @@ describe Gitlab::OAuth::User do ...@@ -341,7 +342,7 @@ describe Gitlab::OAuth::User do
end end
context 'and LDAP user has an account already' do context 'and LDAP user has an account already' do
let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: dn, provider: 'ldapmain', username: 'john') }
context 'dont block on create (LDAP)' do context 'dont block on create (LDAP)' do
before do before do
......
require 'spec_helper' require 'spec_helper'
describe Gitlab::Saml::User do describe Gitlab::Saml::User do
include LdapHelpers
let(:saml_user) { described_class.new(auth_hash) } let(:saml_user) { described_class.new(auth_hash) }
let(:gl_user) { saml_user.gl_user } let(:gl_user) { saml_user.gl_user }
let(:uid) { 'my-uid' } let(:uid) { 'my-uid' }
let(:dn) { 'uid=user1,ou=People,dc=example' }
let(:provider) { 'saml' } let(:provider) { 'saml' }
let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash, extra: { raw_info: OneLogin::RubySaml::Attributes.new({ 'groups' => %w(Developers Freelancers Designers) }) }) } let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash, extra: { raw_info: OneLogin::RubySaml::Attributes.new({ 'groups' => %w(Developers Freelancers Designers) }) }) }
let(:info_hash) do let(:info_hash) do
...@@ -163,14 +166,17 @@ describe Gitlab::Saml::User do ...@@ -163,14 +166,17 @@ describe Gitlab::Saml::User do
end end
context 'and a corresponding LDAP person' do context 'and a corresponding LDAP person' do
let(:adapter) { ldap_adapter('ldapmain') }
before do before do
allow(ldap_user).to receive(:uid) { uid } allow(ldap_user).to receive(:uid) { uid }
allow(ldap_user).to receive(:username) { uid } allow(ldap_user).to receive(:username) { uid }
allow(ldap_user).to receive(:email) { %w(john@mail.com john2@example.com) } allow(ldap_user).to receive(:email) { %w(john@mail.com john2@example.com) }
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } allow(ldap_user).to receive(:dn) { dn }
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user) allow(Gitlab::LDAP::Adapter).to receive(:new).and_return(adapter)
allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user) allow(Gitlab::LDAP::Person).to receive(:find_by_uid).with(uid, adapter).and_return(ldap_user)
allow(Gitlab::LDAP::Person).to receive(:find_by_email).and_return(ldap_user) allow(Gitlab::LDAP::Person).to receive(:find_by_dn).with(dn, adapter).and_return(ldap_user)
allow(Gitlab::LDAP::Person).to receive(:find_by_email).with('john@mail.com', adapter).and_return(ldap_user)
end end
context 'and no account for the LDAP user' do context 'and no account for the LDAP user' do
...@@ -182,28 +188,51 @@ describe Gitlab::Saml::User do ...@@ -182,28 +188,51 @@ describe Gitlab::Saml::User do
expect(gl_user.email).to eql 'john@mail.com' expect(gl_user.email).to eql 'john@mail.com'
expect(gl_user.identities.length).to be 2 expect(gl_user.identities.length).to be 2
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: dn },
{ provider: 'saml', extern_uid: uid }]) { provider: 'saml', extern_uid: uid }])
end end
end end
context 'and LDAP user has an account already' do context 'and LDAP user has an account already' do
let(:auth_hash_base_attributes) do
{
uid: uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
}
}
end
let(:auth_hash) { OmniAuth::AuthHash.new(auth_hash_base_attributes) }
let(:uid_types) { %w(uid dn email) }
before do before do
create(:omniauth_user, create(:omniauth_user,
email: 'john@mail.com', email: 'john@mail.com',
extern_uid: 'uid=user1,ou=People,dc=example', extern_uid: dn,
provider: 'ldapmain', provider: 'ldapmain',
username: 'john') username: 'john')
end end
shared_examples 'find ldap person' do |uid_type, uid| shared_examples 'find LDAP person' do |uid_type, uid|
let(:auth_hash) { OmniAuth::AuthHash.new(auth_hash_base_attributes.merge(uid: extern_uid)) }
before do before do
nil_types = uid_types - [uid_type]
nil_types.each do |type|
allow(Gitlab::LDAP::Person).to receive(:"find_by_#{type}").and_return(nil)
end
allow(Gitlab::LDAP::Person).to receive(:"find_by_#{uid_type}").and_return(ldap_user) allow(Gitlab::LDAP::Person).to receive(:"find_by_#{uid_type}").and_return(ldap_user)
end end
it 'adds the omniauth identity to the LDAP account' do it 'adds the omniauth identity to the LDAP account' do
identities = [ identities = [
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, { provider: 'ldapmain', extern_uid: dn },
{ provider: 'saml', extern_uid: extern_uid } { provider: 'saml', extern_uid: extern_uid }
] ]
...@@ -222,53 +251,20 @@ describe Gitlab::Saml::User do ...@@ -222,53 +251,20 @@ describe Gitlab::Saml::User do
end end
context 'when uid is an uid' do context 'when uid is an uid' do
it_behaves_like 'find ldap person', 'uid' do it_behaves_like 'find LDAP person', 'uid' do
let(:extern_uid) { uid } let(:extern_uid) { uid }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end end
end end
context 'when uid is a dn' do context 'when uid is a dn' do
it_behaves_like 'find ldap person', 'email' do it_behaves_like 'find LDAP person', 'dn' do
let(:extern_uid) { 'uid=user1,ou=People,dc=example' } let(:extern_uid) { dn }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: extern_uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end end
end end
context 'when uid is an email' do context 'when uid is an email' do
it_behaves_like 'find ldap person', 'email' do it_behaves_like 'find LDAP person', 'email' do
let(:extern_uid) { 'john@mail.com' } let(:extern_uid) { 'john@mail.com' }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: extern_uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end end
end end
...@@ -280,7 +276,7 @@ describe Gitlab::Saml::User do ...@@ -280,7 +276,7 @@ describe Gitlab::Saml::User do
expect(gl_user.email).to eql 'john@mail.com' expect(gl_user.email).to eql 'john@mail.com'
expect(gl_user.identities.length).to be 2 expect(gl_user.identities.length).to be 2
identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: dn },
{ provider: 'saml', extern_uid: uid }]) { provider: 'saml', extern_uid: uid }])
end end
...@@ -296,17 +292,21 @@ describe Gitlab::Saml::User do ...@@ -296,17 +292,21 @@ describe Gitlab::Saml::User do
context 'user has SAML user, and wants to add their LDAP identity' do context 'user has SAML user, and wants to add their LDAP identity' do
it 'adds the LDAP identity to the existing SAML user' do it 'adds the LDAP identity to the existing SAML user' do
create(:omniauth_user, email: 'john@mail.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'saml', username: 'john') create(:omniauth_user, email: 'john@mail.com', extern_uid: dn, provider: 'saml', username: 'john')
local_hash = OmniAuth::AuthHash.new(uid: 'uid=user1,ou=People,dc=example', provider: provider, info: info_hash)
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).with(dn, adapter).and_return(ldap_user)
local_hash = OmniAuth::AuthHash.new(uid: dn, provider: provider, info: info_hash)
local_saml_user = described_class.new(local_hash) local_saml_user = described_class.new(local_hash)
local_saml_user.save local_saml_user.save
local_gl_user = local_saml_user.gl_user local_gl_user = local_saml_user.gl_user
expect(local_gl_user).to be_valid expect(local_gl_user).to be_valid
expect(local_gl_user.identities.length).to be 2 expect(local_gl_user.identities.length).to be 2
identities_as_hash = local_gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } identities_as_hash = local_gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, expect(identities_as_hash).to match_array([{ provider: 'ldapmain', extern_uid: dn },
{ provider: 'saml', extern_uid: 'uid=user1,ou=People,dc=example' }]) { provider: 'saml', extern_uid: dn }])
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment