Merge branch 'ce-security-jej/group-saml-link-origin-verification' into 'master'

Ensure request to link GroupSAML acount was GitLab initiated See merge request gitlab/gitlabhq!2976

Merge branch 'ce-security-jej/group-saml-link-origin-verification' into 'master'
Ensure request to link GroupSAML acount was GitLab initiated See merge request gitlab/gitlabhq!2976
040e6e72 · Yorick Peterse · 4c887a19 · 104c8b89 · 040e6e72 · 040e6e72
Commit 040e6e72 authored Mar 04, 2019 by Yorick Peterse
3 changed files
--- a/lib/gitlab/auth/omniauth_identity_linker_base.rb
+++ b/lib/gitlab/auth/omniauth_identity_linker_base.rb
@@ -12,7 +12,7 @@ module Gitlab
      end
      def link
-        save if identity.new_record?
+        save if unlinked?
      end
      def changed?
@@ -35,6 +35,10 @@ module Gitlab
        @changed = identity.save
      end
+      def unlinked?
+        identity.new_record?
+      end
      # rubocop: disable CodeReuse/ActiveRecord
      def identity
        @identity ||= current_user.identities

--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -193,7 +193,7 @@ describe OmniauthCallbacksController, type: :controller do
    before do
      stub_omniauth_saml_config({ enabled: true, auto_link_saml_user: true, allow_single_sign_on: ['saml'],
                                  providers: [saml_config] })
-      mock_auth_hash('saml', 'my-uid', user.email, mock_saml_response)
+      mock_auth_hash_with_saml_xml('saml', 'my-uid', user.email, mock_saml_response)
      request.env["devise.mapping"] = Devise.mappings[:user]
      request.env['omniauth.auth'] = Rails.application.env_config['omniauth.auth']
      post :saml, params: { SAMLResponse: mock_saml_response }

--- a/spec/support/helpers/login_helpers.rb
+++ b/spec/support/helpers/login_helpers.rb
@@ -47,7 +47,7 @@ module LoginHelpers
  end
  def gitlab_sign_in_via(provider, user, uid, saml_response = nil)
-    mock_auth_hash(provider, uid, user.email, saml_response)
+    mock_auth_hash_with_saml_xml(provider, uid, user.email, saml_response)
    visit new_user_session_path
    click_link provider
  end
@@ -87,7 +87,12 @@ module LoginHelpers
    click_link "oauth-login-#{provider}"
  end
-  def mock_auth_hash(provider, uid, email, saml_response = nil)
+  def mock_auth_hash_with_saml_xml(provider, uid, email, saml_response)
+    response_object = { document: saml_xml(saml_response) }
+    mock_auth_hash(provider, uid, email, response_object: response_object)
+  end
+  def mock_auth_hash(provider, uid, email, response_object: nil)
    # The mock_auth configuration allows you to set per-provider (or default)
    # authentication hashes to return during integration testing.
    OmniAuth.config.mock_auth[provider.to_sym] = OmniAuth::AuthHash.new({
@@ -110,9 +115,7 @@ module LoginHelpers
            image: 'mock_user_thumbnail_url'
          }
        },
-        response_object: {
+        response_object: response_object
-          document: saml_xml(saml_response)
-        }
      }
    })
    Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider.to_sym]