Merge branch...

Merge branch '243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider' into 'master' Resolve "Make the auto_link_user OmniAuth setting configurable by provider" Closes #243787 See merge request gitlab-org/gitlab!41133

Merge branch...
Merge branch '243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider' into 'master' Resolve "Make the auto_link_user OmniAuth setting configurable by provider" Closes #243787 See merge request gitlab-org/gitlab!41133
ef14a099 · Stan Hu · 5f5d3f1d · f3cefb32 · ef14a099 · ef14a099
Commit ef14a099 authored Sep 10, 2020 by Stan Hu
5 changed files
--- a/changelogs/unreleased/243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider.yml
+++ b/changelogs/unreleased/243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider.yml
+---
+title: Make the auto_link_user OmniAuth setting configurable by provider
+merge_request: 41133
+author:
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -890,8 +890,10 @@ production: &base
    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
+    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
+    # allow all providers or none.
    # (default: false)
-    auto_link_user: false
+    auto_link_user: ["saml", "twitter"]
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You

--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -144,19 +144,20 @@ The chosen OmniAuth provider is now active and can be used to sign in to GitLab
 > [Introduced in GitLab 13.4.](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/36664)
-You can automatically link OmniAuth users with existing GitLab users if their email addresses match by adding the following setting:
+You can automatically link OmniAuth users with existing GitLab users if their email addresses match.
+For example, the following setting is used to enable the auto link feature for both a SAML provider and the Twitter OAuth provider:
 **For Omnibus installations**
 ```ruby
-gitlab_rails['omniauth_auto_link_user'] = true
+gitlab_rails['omniauth_auto_link_user'] = ["saml", "twitter"]
 ```
 **For installations from source**
 ```yaml
 omniauth:
-  auto_link_user: true
+  auto_link_user: ["saml", "twitter"]
 ```
 ## Configure OmniAuth Providers as External

--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -273,7 +273,11 @@ module Gitlab
        end
        def auto_link_user?
-          Gitlab.config.omniauth.auto_link_user
+          auto_link = Gitlab.config.omniauth.auto_link_user
+          return auto_link if [true, false].include?(auto_link)
+          auto_link = Array(auto_link)
+          auto_link.include?(auth_hash.provider)
        end
      end
    end

--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -202,7 +202,56 @@ RSpec.describe Gitlab::Auth::OAuth::User do
        include_examples "to verify compliance with allow_single_sign_on"
      end
-      context "with auto_link_user enabled" do
+      context "with auto_link_user enabled for a different provider" do
+        before do
+          stub_omniauth_config(auto_link_user: ['saml'])
+        end
+        context "and a current GitLab user with a matching email" do
+          let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }
+          it "adds the OmniAuth identity to the GitLab user account" do
+            oauth_user.save
+            expect(gl_user).not_to be_valid
+          end
+        end
+        context "and no current GitLab user with a matching email" do
+          include_examples "to verify compliance with allow_single_sign_on"
+        end
+      end
+      context "with auto_link_user enabled for the correct provider" do
+        before do
+          stub_omniauth_config(auto_link_user: ['twitter'])
+        end
+        context "and a current GitLab user with a matching email" do
+          let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') }
+          it "adds the OmniAuth identity to the GitLab user account" do
+            oauth_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.username).to eql 'john'
+            expect(gl_user.email).to eql 'john@mail.com'
+            expect(gl_user.identities.length).to be 1
+            identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+            expect(identities_as_hash).to match_array(
+              [
+                { provider: 'twitter', extern_uid: uid }
+              ]
+            )
+          end
+        end
+        context "and no current GitLab user with a matching email" do
+          include_examples "to verify compliance with allow_single_sign_on"
+        end
+      end
+      context "with auto_link_user enabled for all providers" do
        before do
          stub_omniauth_config(auto_link_user: true)
        end
@@ -421,7 +470,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do
      context "with both auto_link_user and auto_link_ldap_user enabled" do
        before do
-          stub_omniauth_config(auto_link_user: true, auto_link_ldap_user: true)
+          stub_omniauth_config(auto_link_user: ['twitter'], auto_link_ldap_user: true)
        end
        context "and at least one LDAP provider is defined" do