Merge branch '66443-unrecoverable-configuration-loop-in-external-auth-control' into 'master'

Resolve "Unrecoverable configuration loop in external auth control" Closes #66443 See merge request gitlab-org/gitlab-ce!32102

Merge branch '66443-unrecoverable-configuration-loop-in-external-auth-control' into 'master'
Resolve "Unrecoverable configuration loop in external auth control" Closes #66443 See merge request gitlab-org/gitlab-ce!32102
74904116 · Nick Thomas · f5fa604c · f56c2191 · 74904116 · 74904116
Commit 74904116 authored Aug 26, 2019 by Nick Thomas
3 changed files
--- a/app/services/application_settings/update_service.rb
+++ b/app/services/application_settings/update_service.rb
@@ -7,7 +7,7 @@ module ApplicationSettings
    attr_reader :params, :application_setting
    def execute
-      validate_classification_label(application_setting, :external_authorization_service_default_label)
+      validate_classification_label(application_setting, :external_authorization_service_default_label) unless bypass_external_auth?
      if application_setting.errors.any?
        return false
@@ -59,5 +59,9 @@ module ApplicationSettings
      Group.find_by_full_path(group_full_path)&.id if group_full_path.present?
    end
+    def bypass_external_auth?
+      params.key?(:external_authorization_service_enabled) && !Gitlab::Utils.to_boolean(params[:external_authorization_service_enabled])
+    end
  end
 end
--- a/changelogs/unreleased/66443-unrecoverable-configuration-loop-in-external-auth-control.yml
+++ b/changelogs/unreleased/66443-unrecoverable-configuration-loop-in-external-auth-control.yml
+---
+title: Don't check external authorization when disabling the service
+merge_request: 32102
+author: Robert Schilling
+type: fixed
--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -201,6 +201,24 @@ describe ApplicationSettings::UpdateService do
      enable_external_authorization_service_check
    end
+    it 'does not validate labels if external authorization gets disabled' do
+      expect_any_instance_of(described_class).not_to receive(:validate_classification_label)
+      described_class.new(application_settings, admin, { external_authorization_service_enabled: false }).execute
+    end
+    it 'does validate labels if external authorization gets enabled ' do
+      expect_any_instance_of(described_class).to receive(:validate_classification_label)
+      described_class.new(application_settings, admin, { external_authorization_service_enabled: true }).execute
+    end
+    it 'does validate labels if external authorization is left unchanged' do
+      expect_any_instance_of(described_class).to receive(:validate_classification_label)
+      described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
+    end
    it 'does not save the settings with an error if the service denies access' do
      expect(::Gitlab::ExternalAuthorization)
        .to receive(:access_allowed?).with(admin, 'new-label') { false }