Group SAML identity cleaned up when leaving group

Helps when users accidentally link the wrong GitLab account, are removed by a group administrator, and then try to log in with a different GitLab account.

Group SAML identity cleaned up when leaving group
Helps when users accidentally link the wrong GitLab account, are removed by a group administrator, and then try to log in with a different GitLab account.
9df25fcf · James Edwards-Jones · Mayra Cabrera · 76c81b73 · 9df25fcf · 9df25fcf
Commit 9df25fcf authored May 29, 2019 by James Edwards-Jones Committed by Mayra Cabrera May 29, 2019
3 changed files
--- a/ee/app/services/ee/members/destroy_service.rb
+++ b/ee/app/services/ee/members/destroy_service.rb
@@ -7,6 +7,8 @@ module EE
        super

        log_audit_event(member: member)
+
+        cleanup_group_identity(member)
      end

      private
@@ -18,6 +20,14 @@ module EE
          action: :destroy
        ).for_member(member).security_event
      end
+
+      def cleanup_group_identity(member)
+        saml_provider = member.source.try(:saml_provider)
+
+        return unless saml_provider
+
+        saml_provider.identities.for_user(member.user).delete_all
+      end
    end
  end
 end
--- a/ee/changelogs/unreleased/jej-group-saml-cleans-up-identity.yml
+++ b/ee/changelogs/unreleased/jej-group-saml-cleans-up-identity.yml
+---
+title: Group SAML identities cleaned up when leaving a group
+merge_request: 5817
+author:
+type: fixed
--- a/ee/spec/services/ee/members/destroy_service_spec.rb
+++ b/ee/spec/services/ee/members/destroy_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Members::DestroyService do
+  let(:current_user) { create(:user) }
+  let(:member_user) { create(:user) }
+  let(:group) { create(:group) }
+  let(:member) { group.members.find_by(user_id: member_user.id) }
+
+  subject { described_class.new(current_user) }
+
+  before do
+    group.add_owner(current_user)
+    group.add_developer(member_user)
+  end
+
+  context 'with group membership via Group SAML' do
+    let!(:saml_provider) { create(:saml_provider, group: group) }
+
+    context 'with a SAML identity' do
+      before do
+        create(:group_saml_identity, user: member_user, saml_provider: saml_provider)
+      end
+
+      it 'cleans up linked SAML identity' do
+        expect { subject.execute(member, {}) }.to change { member_user.reload.identities.count }.by(-1)
+      end
+    end
+
+    context 'without a SAML identity' do
+      it 'does not attempt to destroy unrelated identities' do
+        create(:identity, user: member_user)
+
+        expect { subject.execute(member, {}) }.not_to change(Identity, :count)
+      end
+    end
+  end
+end