Commit 74904116 authored by Nick Thomas's avatar Nick Thomas

Merge branch '66443-unrecoverable-configuration-loop-in-external-auth-control' into 'master'

Resolve "Unrecoverable configuration loop in external auth control"

Closes #66443

See merge request gitlab-org/gitlab-ce!32102
parents f5fa604c f56c2191
......@@ -7,7 +7,7 @@ module ApplicationSettings
attr_reader :params, :application_setting
def execute
validate_classification_label(application_setting, :external_authorization_service_default_label)
validate_classification_label(application_setting, :external_authorization_service_default_label) unless bypass_external_auth?
if application_setting.errors.any?
return false
......@@ -59,5 +59,9 @@ module ApplicationSettings
Group.find_by_full_path(group_full_path)&.id if group_full_path.present?
end
def bypass_external_auth?
params.key?(:external_authorization_service_enabled) && !Gitlab::Utils.to_boolean(params[:external_authorization_service_enabled])
end
end
end
---
title: Don't check external authorization when disabling the service
merge_request: 32102
author: Robert Schilling
type: fixed
......@@ -201,6 +201,24 @@ describe ApplicationSettings::UpdateService do
enable_external_authorization_service_check
end
it 'does not validate labels if external authorization gets disabled' do
expect_any_instance_of(described_class).not_to receive(:validate_classification_label)
described_class.new(application_settings, admin, { external_authorization_service_enabled: false }).execute
end
it 'does validate labels if external authorization gets enabled ' do
expect_any_instance_of(described_class).to receive(:validate_classification_label)
described_class.new(application_settings, admin, { external_authorization_service_enabled: true }).execute
end
it 'does validate labels if external authorization is left unchanged' do
expect_any_instance_of(described_class).to receive(:validate_classification_label)
described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
end
it 'does not save the settings with an error if the service denies access' do
expect(::Gitlab::ExternalAuthorization)
.to receive(:access_allowed?).with(admin, 'new-label') { false }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment