Merge branch 'if-233137-scim_provisioning_avoid_identity_creation_without_membership' into 'master'

SCIM provisioning to avoid creating SCIM identity without membership See merge request gitlab-org/gitlab!39259

Merge branch 'if-233137-scim_provisioning_avoid_identity_creation_without_membership' into 'master'
SCIM provisioning to avoid creating SCIM identity without membership See merge request gitlab-org/gitlab!39259
5c2f4073 · James Fargher · 6aaddc4a · 730e5853 · 5c2f4073 · 5c2f4073
Commit 5c2f4073 authored Aug 12, 2020 by James Fargher
3 changed files
--- a/ee/changelogs/unreleased/233137-scim_provisioning_avoid_identity_creation_without_membership.yml
+++ b/ee/changelogs/unreleased/233137-scim_provisioning_avoid_identity_creation_without_membership.yml
+---
+title: SCIM provisioning to avoid creating SCIM identity without membership
+merge_request: 39259
+author:
+type: fixed
--- a/ee/lib/ee/gitlab/scim/provisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/provisioning_service.rb
@@ -39,7 +39,7 @@ module EE
        end

        def create_identity_and_member
-          return success_response if identity.save && member.errors.empty?
+          return success_response if member.valid? && identity.save

          error_response(objects: [identity, member])
        end

--- a/ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb
@@ -6,7 +6,12 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
  describe '#execute' do
    let(:group) { create(:group) }
    let(:service) { described_class.new(group, service_params) }
-    let!(:saml_provider) { create(:saml_provider, group: group, default_membership_role: Gitlab::Access::DEVELOPER) }
+    let(:enforced_sso) { false }
+    let!(:saml_provider) do
+      create(:saml_provider, group: group,
+                             enforced_sso: enforced_sso,
+                             default_membership_role: Gitlab::Access::DEVELOPER)
+    end

    before do
      stub_licensed_features(group_saml: true)
@@ -195,6 +200,22 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
          it 'creates the group member' do
            expect { service.execute }.to change { GroupMember.count }.by(1)
          end
+
+          context 'with enforced SSO' do
+            let(:enforced_sso) { true }
+
+            it 'does not create the group member' do
+              expect { service.execute }.not_to change { GroupMember.count }
+            end
+
+            it 'does not create the SAML identity' do
+              expect { service.execute }.not_to change { Identity.count }
+            end
+
+            it 'does not create the SCIM identity' do
+              expect { service.execute }.not_to change { ScimIdentity.count }
+            end
+          end
        end

        context 'when user is an existing group member' do