Omniauth auto link LDAP user falls back to find by DN when user cannot be found by uid

3cff3a2e · Drew Blessing · f3231d0f · 3cff3a2e · 3cff3a2e · 3cff3a2e
Commit 3cff3a2e authored Oct 19, 2016 by Drew Blessing
3 changed files
--- a/changelogs/unreleased/fix_saml_ldap_link.yml
+++ b/changelogs/unreleased/fix_saml_ldap_link.yml
+---
+title: Omniauth auto link LDAP user falls back to find by DN when user cannot be found
+  by UID
+merge_request: 7002
+author: 
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -102,6 +102,8 @@ module Gitlab
        Gitlab::LDAP::Config.providers.each do |provider|
          adapter = Gitlab::LDAP::Adapter.new(provider)
          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
+          # The `uid` might actually be a DN. Try it next.
+          @ldap_person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
          break if @ldap_person
        end
        @ldap_person

--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -137,11 +137,12 @@ describe Gitlab::OAuth::User, lib: true do
              allow(ldap_user).to receive(:username) { uid }
              allow(ldap_user).to receive(:email) { ['johndoe@example.com', 'john2@example.com'] }
              allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
-              allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
            end

            context "and no account for the LDAP user" do
              it "creates a user with dual LDAP and omniauth identities" do
+                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
+
                oauth_user.save

                expect(gl_user).to be_valid
@@ -159,6 +160,8 @@ describe Gitlab::OAuth::User, lib: true do
            context "and LDAP user has an account already" do
              let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') }
              it "adds the omniauth identity to the LDAP account" do
+                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
+
                oauth_user.save

                expect(gl_user).to be_valid
@@ -172,6 +175,24 @@ describe Gitlab::OAuth::User, lib: true do
                  ])
              end
            end
+
+            context 'when an LDAP person is not found by uid' do
+              it 'tries to find an LDAP person by DN and adds the omniauth identity to the user' do
+                allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil)
+                allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)
+
+                oauth_user.save
+
+                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+                expect(identities_as_hash)
+                  .to match_array(
+                    [
+                      { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
+                      { provider: 'twitter', extern_uid: uid }
+                    ]
+                  )
+              end
+            end
          end

          context "and no corresponding LDAP person" do