Merge branch '9153-jit-provisioning-for-new-users' into 'master'

Resolve "JIT provisioning for new users" Closes #9153 See merge request gitlab-org/gitlab-ee!13552

Merge branch '9153-jit-provisioning-for-new-users' into 'master'
Resolve "JIT provisioning for new users" Closes #9153 See merge request gitlab-org/gitlab-ee!13552
8367f031 · Douglas Barbosa Alexandre · cd4cf8cc · 95759f18 · 8367f031 · 8367f031
Commit 8367f031 authored May 30, 2019 by Douglas Barbosa Alexandre
3 changed files
--- a/ee/app/controllers/groups/sso_controller.rb
+++ b/ee/app/controllers/groups/sso_controller.rb
@@ -49,26 +49,33 @@ class Groups::SsoController < Groups::ApplicationController
  private

  def new_user
-    @new_user ||= User.new(new_user_params.merge(idp_user_data))
+    @new_user ||= User.new(new_user_params)
  end
  # Devise compatible name
  alias_method :resource, :new_user
  helper_method :resource

  def new_user_params
-    params.fetch(:new_user, {}).permit(:username, :name)
+    new_user_params = params.fetch(:new_user, {}).permit(:username, :name).merge(email: oauth_data.email, name: oauth_data.name)
+    new_user_params[:username] = generate_unique_username unless new_user_params[:username]
+    new_user_params
  end

-  def idp_user_data
-    return {} unless session['oauth_data'] && session['oauth_group_id'] == unauthenticated_group.id
-
-    data = Gitlab::Auth::OAuth::AuthHash.new(session['oauth_data'])
-
-    { email: data.email, name: data.name }
+  def generate_unique_username
+    username = ::Namespace.clean_path(oauth_data.username)
+    Uniquify.new.string(username) { |s| !NamespacePathValidator.valid_path?(s) }
  end

  def check_oauth_data
-    route_not_found unless unauthenticated_group.saml_provider.enforced_group_managed_accounts? && idp_user_data.present?
+    route_not_found unless unauthenticated_group.saml_provider.enforced_group_managed_accounts? && oauth_data.present?
+  end
+
+  def oauth_data
+    @oauth_data ||= begin
+      if session['oauth_data'] && session['oauth_group_id'] == unauthenticated_group.id
+        Gitlab::Auth::OAuth::AuthHash.new(session['oauth_data'])
+      end
+    end
  end

  def render_sign_up_form

--- a/ee/changelogs/unreleased/9153-jit-provisioning-for-new-users.yml
+++ b/ee/changelogs/unreleased/9153-jit-provisioning-for-new-users.yml
+---
+title: JIT users provisioning for group SAML
+merge_request: 13552
+author:
+type: added
--- a/ee/spec/controllers/groups/sso_controller_spec.rb
+++ b/ee/spec/controllers/groups/sso_controller_spec.rb
@@ -135,12 +135,20 @@ describe Groups::SsoController do

      context 'and group managed accounts enforced' do
        context 'and oauth data available' do
-          let(:oauth_data) { { "info" => { "name" => 'Test', "email" => 'email@email.com' } } }
+          let(:oauth_data) { { "info" => { name: 'Test', email: 'testuser@email.com' } } }

          it 'has status 200' do
            expect(subject).to have_gitlab_http_status(200)
          end

+          it 'suggests first available username automatically' do
+            create(:user, username: 'testuser')
+
+            subject
+
+            expect(controller.helpers.resource.username).to eq 'testuser1'
+          end
+
          context 'and belongs to different group' do
            let(:oauth_group_id) { group.id + 1 }

@@ -175,7 +183,7 @@ describe Groups::SsoController do
    end

    let(:new_user_data) { { username: "myusername" } }
-    let(:oauth_data) { { "info" => { "name" => 'Test', "email" => 'email@email.com' } } }
+    let(:oauth_data) { { "info" => { name: 'Test', email: 'testuser@email.com' } } }

    let!(:saml_provider) { create(:saml_provider, :enforced_group_managed_accounts, group: group) }