Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
1b61a419
Commit
1b61a419
authored
Apr 23, 2018
by
James Edwards-Jones
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Group SAML Omniauth Callback flow
parent
47083508
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
176 additions
and
1 deletion
+176
-1
config/routes/group.rb
config/routes/group.rb
+2
-0
ee/app/controllers/groups/omniauth_callbacks_controller.rb
ee/app/controllers/groups/omniauth_callbacks_controller.rb
+47
-0
ee/changelogs/unreleased/jej-group-saml-callback-flow.yml
ee/changelogs/unreleased/jej-group-saml-callback-flow.yml
+5
-0
ee/lib/gitlab/auth/group_saml/user.rb
ee/lib/gitlab/auth/group_saml/user.rb
+11
-0
ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
.../controllers/groups/omniauth_callbacks_controller_spec.rb
+108
-0
spec/factories/users.rb
spec/factories/users.rb
+3
-1
No files found.
config/routes/group.rb
View file @
1b61a419
...
@@ -68,7 +68,9 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
...
@@ -68,7 +68,9 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
resources
:ldap_group_links
,
only:
[
:index
,
:create
,
:destroy
]
resources
:ldap_group_links
,
only:
[
:index
,
:create
,
:destroy
]
## EE-specific
resource
:saml_providers
,
path:
'saml'
,
only:
[
:show
,
:create
,
:update
]
do
resource
:saml_providers
,
path:
'saml'
,
only:
[
:show
,
:create
,
:update
]
do
post
:callback
,
to:
'omniauth_callbacks#group_saml'
get
:sso
,
to:
'sso#saml'
get
:sso
,
to:
'sso#saml'
end
end
...
...
ee/app/controllers/groups/omniauth_callbacks_controller.rb
0 → 100644
View file @
1b61a419
class
Groups::OmniauthCallbacksController
<
OmniauthCallbacksController
extend
::
Gitlab
::
Utils
::
Override
def
group_saml
@unauthenticated_group
=
Group
.
find_by_full_path
(
params
[
:group_id
])
saml_provider
=
@unauthenticated_group
.
saml_provider
identity_linker
=
Gitlab
::
Auth
::
GroupSaml
::
IdentityLinker
.
new
(
current_user
,
oauth
,
saml_provider
)
omniauth_flow
(
Gitlab
::
Auth
::
GroupSaml
,
identity_linker:
identity_linker
)
end
private
override
:redirect_identity_linked
def
redirect_identity_linked
flash
[
:notice
]
=
"SAML for
#{
@unauthenticated_group
.
name
}
was added to your connected accounts"
redirect_to
after_sign_in_path_for
(
current_user
)
end
override
:redirect_identity_exists
def
redirect_identity_exists
flash
[
:notice
]
=
"Signed in with SAML for
#{
@unauthenticated_group
.
name
}
"
redirect_to
after_sign_in_path_for
(
current_user
)
end
override
:after_sign_in_path_for
def
after_sign_in_path_for
(
resource
)
saml_redirect_path
||
super
end
override
:sign_in_user_flow
def
sign_in_user_flow
(
auth_user_class
)
# User has successfully authenticated with the SAML provider for the group
# but is not signed in to the GitLab instance.
flash
[
:notice
]
=
"You must be signed in to use SAML with this group"
redirect_to
new_user_session_path
end
def
saml_redirect_path
params
[
'RelayState'
].
presence
if
current_user
end
end
ee/changelogs/unreleased/jej-group-saml-callback-flow.yml
0 → 100644
View file @
1b61a419
---
title
:
Adds authentication flow for GitLab.com per group SAML beta
merge_request
:
5575
author
:
type
:
changed
ee/lib/gitlab/auth/group_saml/user.rb
0 → 100644
View file @
1b61a419
module
Gitlab
module
Auth
module
GroupSaml
class
User
def
initialize
(
auth_hash
)
raise
NotImplementedError
end
end
end
end
end
ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
0 → 100644
View file @
1b61a419
require
'spec_helper'
describe
Groups
::
OmniauthCallbacksController
do
include
LoginHelpers
let
(
:uid
)
{
'my-uid'
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:provider
)
{
:group_saml
}
let
(
:group
)
{
create
(
:group
,
:private
)
}
let!
(
:saml_provider
)
{
create
(
:saml_provider
,
group:
group
)
}
before
do
stub_licensed_features
(
group_saml:
true
)
end
def
linked_accounts
Identity
.
where
(
user:
user
,
extern_uid:
uid
,
provider:
provider
)
end
context
"when request hasn't been validated by omniauth middleware"
do
it
"prevents authentication"
do
sign_in
(
user
)
expect
do
post
provider
,
group_id:
group
end
.
to
raise_error
(
AbstractController
::
ActionNotFound
)
end
end
context
"valid credentials"
do
before
do
mock_auth_hash
(
provider
,
uid
,
user
.
email
)
stub_omniauth_provider
(
provider
,
context:
request
)
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"and identity already linked"
do
let
(
:user
)
{
create
(
:omniauth_user
,
extern_uid:
uid
,
provider:
provider
,
saml_provider:
saml_provider
)
}
it
"redirects to RelayState"
do
post
provider
,
group_id:
group
,
RelayState
:
'/explore'
expect
(
response
).
to
redirect_to
(
'/explore'
)
end
it
"displays a flash message verifying group sign in"
do
post
provider
,
group_id:
group
expect
(
flash
[
:notice
]).
to
start_with
"Signed in with SAML"
end
it
'uses existing linked identity'
do
expect
{
post
provider
,
group_id:
group
}.
not_to
change
(
linked_accounts
,
:count
)
end
end
context
'oauth already linked to another account'
do
before
do
create
(
:omniauth_user
,
extern_uid:
uid
,
provider:
provider
,
saml_provider:
saml_provider
)
end
it
'displays warning to user'
do
post
provider
,
group_id:
group
expect
(
flash
[
:notice
]).
to
match
(
/has already been taken*/
)
end
end
context
"and identity hasn't been linked"
do
it
"links the identity"
do
post
provider
,
group_id:
group
expect
(
group
).
to
be_member
(
user
)
end
it
"redirects to RelayState"
do
post
provider
,
group_id:
group
,
RelayState
:
'/explore'
expect
(
response
).
to
redirect_to
(
'/explore'
)
end
it
"displays a flash indicating the account has been linked"
do
post
provider
,
group_id:
group
expect
(
flash
[
:notice
]).
to
match
(
/SAML for .* was added/
)
end
end
end
context
"when not signed in"
do
it
"redirects to sign in page"
do
post
provider
,
group_id:
group
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
it
"informs users that they need to sign in to the GitLab instance first"
do
post
provider
,
group_id:
group
expect
(
flash
[
:notice
]).
to
start_with
(
"You must be signed in"
)
end
end
end
end
spec/factories/users.rb
View file @
1b61a419
...
@@ -70,13 +70,15 @@ FactoryBot.define do
...
@@ -70,13 +70,15 @@ FactoryBot.define do
transient
do
transient
do
extern_uid
'123456'
extern_uid
'123456'
provider
'ldapmain'
provider
'ldapmain'
saml_provider
nil
end
end
after
(
:create
)
do
|
user
,
evaluator
|
after
(
:create
)
do
|
user
,
evaluator
|
user
.
identities
<<
create
(
user
.
identities
<<
create
(
:identity
,
:identity
,
provider:
evaluator
.
provider
,
provider:
evaluator
.
provider
,
extern_uid:
evaluator
.
extern_uid
extern_uid:
evaluator
.
extern_uid
,
saml_provider:
evaluator
.
saml_provider
)
)
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment