Commit 3fbad121 authored by James Edwards-Jones's avatar James Edwards-Jones

Can view SAML SSO page using token

Adds Auth::GroupSaml::TokenActor for use in SamlProviderPolicy
parent 8cce6308
...@@ -60,7 +60,12 @@ class Groups::SsoController < Groups::ApplicationController ...@@ -60,7 +60,12 @@ class Groups::SsoController < Groups::ApplicationController
end end
def check_user_can_sign_in_with_provider def check_user_can_sign_in_with_provider
route_not_found unless can?(current_user, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider) actor = saml_discovery_token_actor || current_user
route_not_found unless can?(actor, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider)
end
def saml_discovery_token_actor
Gitlab::Auth::GroupSaml::TokenActor.new(params[:token]) if params[:token]
end end
def redirect_if_group_moved def redirect_if_group_moved
......
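Review bot: The precedence in `actor = saml_discovery_token_actor || current_user` means any request carrying a `token` parameter is authorized as a TokenActor even when a user is signed in, so a stale or mistyped token denies a private group to a user the policy would otherwise allow (its `signed_in` condition only holds for a `::User`). If that is not intended, `actor = current_user || saml_discovery_token_actor` keeps the signed-in path unchanged and uses the token only for anonymous visitors; if it is intended, a one-line comment stating that the token deliberately overrides the session would save the next reader the same question. `saml_discovery_token_actor` also wraps whatever shape `params[:token]` arrives in (a nested param yields a Hash or Array), which the actor's comparison currently tolerates only by accident. The enclosing controller class continues outside the hunk.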
# frozen_string_literal: true # frozen_string_literal: true
class SamlProviderPolicy < BasePolicy class SamlProviderPolicy < BasePolicy
rule { ~anonymous }.enable :sign_in_with_saml_provider delegate { @subject.group }
def actor
@user
end
condition(:public_group, scope: :subject) { @subject.group.public? }
condition(:signed_in, scope: :user) { actor.is_a?(::User) }
condition(:token_grants_private_access) do
actor.is_a?(Gitlab::Auth::GroupSaml::TokenActor) && actor.valid_for?(@subject.group)
end
condition(:can_discover_group?) do
public_group? || token_grants_private_access? || signed_in?
end
rule { can_discover_group? }.enable :sign_in_with_saml_provider
end end
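Review bot: The condition name `:can_discover_group?` carries a trailing `?` while the sibling conditions (`public_group`, `signed_in`, `token_grants_private_access`) do not; DeclarativePolicy appends its own `?` to the predicate it defines, so this looks like it would generate a `can_discover_group??` method — confirm, but either way `condition(:can_discover_group) do ... end` with `rule { can_discover_group? }` is consistent with the rest of the file. The policy now accepts three actor kinds through `@user` (nil, a `::User`, or a `Gitlab::Auth::GroupSaml::TokenActor`) and `delegate { @subject.group }` hands that same actor to the group policy; a short comment above `def actor` stating this, and a check that the delegated group policy copes with a non-User actor, would make the change safer to maintain. `# @user may be nil (anonymous), a ::User, or a GroupSaml::TokenActor; TokenActor only grants :sign_in_with_saml_provider when its token matches the group's discovery token.`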
# frozen_string_literal: true
module Gitlab
module Auth
module GroupSaml
class TokenActor
def initialize(token)
@token = token
end
def valid_for?(group)
group.saml_discovery_token.present? && group.saml_discovery_token == @token
end
end
end
end
end
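Review bot: `group.saml_discovery_token == @token` compares a secret with a plain string equality, which short-circuits on the first differing byte; for a bearer-style token a constant-time comparison is the usual choice, and the comparison should also reject non-String input since `@token` is taken straight from request params. A replacement body that keeps the interface is `expected = group.saml_discovery_token` / `return false unless expected.present? && @token.is_a?(String)` / `ActiveSupport::SecurityUtils.secure_compare(expected, @token)`. The class also has no documentation; a header such as `# Stands in for the policy's user when a visitor presents a SAML discovery token; valid_for?(group) is true only when the token equals the group's saml_discovery_token` explains why a non-User object is passed where a User normally goes.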
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::Auth::GroupSaml::TokenActor do
let(:saml_provider) { create(:saml_provider) }
let(:group) { saml_provider.group }
subject { described_class.new(token) }
context 'valid token' do
let(:token) { group.saml_discovery_token }
it 'is valid for the group' do
expect(subject).to be_valid_for(group)
end
end
context 'invalid token' do
let(:token) { 'abcdef' }
it 'is invalid for the group' do
expect(subject).not_to be_valid_for(group)
end
end
context 'missing token' do
let(:token) { nil }
it 'is invalid for the group' do
expect(subject).not_to be_valid_for(group)
end
end
context 'when geo prevents saml_provider from having a token' do
let(:token) { nil }
let(:group) { double(:group, saml_discovery_token: nil) }
it 'prevents nil token from allowing access' do
expect(subject).not_to be_valid_for(group)
end
end
end
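Review bot: The 'missing token' and geo contexts both exercise only `nil`, so nothing pins the behaviour for a token that is present but not a String, which is what `params[:token]` delivers for a nested query parameter. One more context, e.g. `let(:token) { { 'a' => 'b' } }` with `expect(subject).not_to be_valid_for(group)`, would assert that such input is rejected rather than raised on, and would keep doing so if the comparison is later hardened to a constant-time helper that requires Strings.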
# frozen_string_literal: true
require 'spec_helper'
describe SamlProviderPolicy do
let(:group_visibility) { :public }
let(:group) { create(:group, group_visibility) }
let(:saml_provider) { create(:saml_provider, group: group) }
context 'with a user' do
let(:user) { create(:user) }
subject { described_class.new(user, saml_provider) }
it 'allows access to public groups' do
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
it 'allows access to private groups' do
group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
end
context 'with a token actor' do
subject { described_class.new(token_actor, saml_provider) }
context 'valid token' do
let(:token_actor) { Gitlab::Auth::GroupSaml::TokenActor.new(group.saml_discovery_token) }
it 'allows access to public groups' do
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
it 'allows access to private groups' do
group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
end
context 'invalid or missing token' do
let(:token_actor) { Gitlab::Auth::GroupSaml::TokenActor.new("xyz") }
it 'allows anonymous access to public groups' do
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
it 'prevents access to private groups' do
group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
is_expected.not_to be_allowed(:sign_in_with_saml_provider)
end
end
end
context 'without a user or actor' do
subject { described_class.new(nil, saml_provider) }
it 'allows access to public groups' do
is_expected.to be_allowed(:sign_in_with_saml_provider)
end
it 'prevents access to private groups' do
group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
is_expected.not_to be_allowed(:sign_in_with_saml_provider)
end
end
end
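Review bot: The context titled 'invalid or missing token' only ever constructs `Gitlab::Auth::GroupSaml::TokenActor.new("xyz")`, so the "missing" half of the title is not exercised at the policy level. Either add a second `let(:token_actor)` example with `TokenActor.new(nil)` (mirroring the actor spec) or rename the context to 'invalid token'. Nothing here covers a signed-in user who also sends an invalid token; as far as this page shows that combination is decided in the controller, so a controller example for `check_user_can_sign_in_with_provider` with `params[:token]` set would be worth adding if it is not in a part of the commit not shown.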