make failed signup attempts flash alerts

3ff6cd84 · Balazs Nagy · 15a86e9d · 3ff6cd84 · 3ff6cd84 · 3ff6cd84
Commit 3ff6cd84 authored Jan 03, 2020 by Balazs Nagy
4 changed files
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -177,7 +177,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
      message << _("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label }
    end

-    flash[:notice] = message.join(' ')
+    flash[:alert] = message.join(' ')
    redirect_to new_user_session_path
  end


--- a/changelogs/unreleased/omniauth-redirect-loop.yml
+++ b/changelogs/unreleased/omniauth-redirect-loop.yml
+---
+title: "Prevent omniauth signup redirect loop"
+merge_request: 22432
+author: Balazs Nagy
+type: fixed
--- a/ee/lib/ee/gitlab/auth/saml/user.rb
+++ b/ee/lib/ee/gitlab/auth/saml/user.rb
@@ -12,8 +12,8 @@ module EE
            user = super

            if user_in_required_group?
-              unblock_user(user, "in required group") if user.persisted? && user.ldap_blocked?
-            elsif user.persisted?
+              unblock_user(user, "in required group") if user&.persisted? && user&.ldap_blocked?
+            elsif user&.persisted?
              block_user(user, "not in required group") unless user.blocked?
            else
              user = nil

--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -287,6 +287,34 @@ describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode:
      request.env['omniauth.auth'] = Rails.application.env_config['omniauth.auth']
    end

+    context 'sign up' do
+      before do
+        user.destroy
+      end
+
+      it 'denies login if sign up is enabled, but block_auto_created_users is set' do
+        post :saml, params: { SAMLResponse: mock_saml_response }
+
+        expect(flash[:alert]).to start_with 'Your account has been blocked.'
+      end
+
+      it 'accepts login if sign up is enabled' do
+        stub_omniauth_setting(block_auto_created_users: false)
+
+        post :saml, params: { SAMLResponse: mock_saml_response }
+
+        expect(request.env['warden']).to be_authenticated
+      end
+
+      it 'denies login if sign up is not enabled' do
+        stub_omniauth_setting(allow_single_sign_on: false, block_auto_created_users: false)
+
+        post :saml, params: { SAMLResponse: mock_saml_response }
+
+        expect(flash[:alert]).to start_with 'Signing in using your saml account without a pre-existing GitLab account is not allowed.'
+      end
+    end
+
    context 'with GitLab initiated request' do
      before do
        post :saml, params: { SAMLResponse: mock_saml_response }