Fix sign-in when user has multiple group saml identities

If a GitLab.com user has multiple group saml identities, a problem can occur when looking up the identity. Depending on the order the database returns the records the wrong identity may be chosen. This can lead to attempted creation of a duplicate record, and ultimate error signing in. Changelog: fixed

Fix sign-in when user has multiple group saml identities
If a GitLab.com user has multiple group saml identities, a problem can occur when looking up the identity. Depending on the order the database returns the records the wrong identity may be chosen. This can lead to attempted creation of a duplicate record, and ultimate error signing in. Changelog: fixed
08bf68ea · Drew Blessing · Drew Blessing · 2393b1eb · 08bf68ea · 08bf68ea
Commit 08bf68ea authored May 13, 2021 by Drew Blessing Committed by Drew Blessing May 13, 2021
3 changed files
--- a/ee/changelogs/unreleased/dblessing_fix_multiple_group_saml_identities.yml
+++ b/ee/changelogs/unreleased/dblessing_fix_multiple_group_saml_identities.yml
+---
+title: Fix sign-in when user has multiple group saml identities
+merge_request: 61717
+author:
+type: fixed
--- a/ee/lib/gitlab/auth/group_saml/user.rb
+++ b/ee/lib/gitlab/auth/group_saml/user.rb
@@ -83,9 +83,16 @@ module Gitlab

        override :add_or_update_user_identities
        def add_or_update_user_identities
-          super.tap do |identity|
-            identity.saml_provider_id = @saml_provider.id
-          end
+          return unless gl_user
+
+          identity = self.identity
+          # find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
+          identity ||= gl_user.identities.find { |identity| identity.provider == auth_hash.provider && identity.saml_provider_id == @saml_provider.id }
+          identity ||= gl_user.identities.build(provider: auth_hash.provider, saml_provider: @saml_provider)
+
+          identity.extern_uid = auth_hash.uid
+
+          identity
        end

        def update_group_membership

--- a/ee/spec/lib/gitlab/auth/group_saml/user_spec.rb
+++ b/ee/spec/lib/gitlab/auth/group_saml/user_spec.rb
@@ -57,6 +57,18 @@ RSpec.describe Gitlab::Auth::GroupSaml::User do
      it 'does not mark the user as provisioned' do
        expect(find_and_update.provisioned_by_group).to be_nil
      end
+
+      context 'when the user has multiple group saml identities' do
+        let(:saml_provider2) { create(:saml_provider) }
+
+        before do
+          create(:group_saml_identity, extern_uid: uid, saml_provider: saml_provider2, user: identity.user)
+        end
+
+        it 'returns the user' do
+          expect(find_and_update).to eq identity.user
+        end
+      end
    end

    context 'with no matching user identity' do