Merge branch 'saml-decoupling' into 'master'

Decouple SAML authentication from the default Omniauth logic Fixes gitlab-org/gitlab-ee#178 With this merge request SAML gets its own login logic and its own `User` class under `lib/gitlab/saml/` This is needed to give SAML more versatility over how the authorization process works and to pave the way for the development of a SAML group sync as outlined here: gitlab-org/gitlab-ee#118 See merge request !2782

Merge branch 'saml-decoupling' into 'master'
Decouple SAML authentication from the default Omniauth logic Fixes gitlab-org/gitlab-ee#178 With this merge request SAML gets its own login logic and its own `User` class under `lib/gitlab/saml/` This is needed to give SAML more versatility over how the authorization process works and to pave the way for the development of a SAML group sync as outlined here: gitlab-org/gitlab-ee#118 See merge request !2782
c04e22fb · Robert Speicher · 0feab326 · f014127e · c04e22fb · c04e22fb
Commit c04e22fb authored Feb 18, 2016 by Robert Speicher
8 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -64,6 +64,9 @@ v 8.5.0 (unreleased)
  - Fix broken link to project in build notification emails
  - Ability to see and sort on vote count from Issues and MR lists
  - Fix builds scheduler when first build in stage was allowed to fail
+  - Allow SAML users to login with no previous account without having to allow
+    all Omniauth providers to do so.
+  - Allow existing users to auto link their SAML credentials by logging in via SAML
 v 8.4.4
  - Update omniauth-saml gem to 1.4.2

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -42,6 +42,26 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    end
  end
+  def saml
+    if current_user
+      log_audit_event(current_user, with: :saml)
+      # Update SAML identity if data has changed.
+      identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml)
+      if identity.nil?
+        current_user.identities.create(extern_uid: oauth['uid'], provider: :saml)
+        redirect_to profile_account_path, notice: 'Authentication method updated'
+      else
+        redirect_to after_sign_in_path_for(current_user)
+      end
+    else
+      saml_user = Gitlab::Saml::User.new(oauth)
+      saml_user.save
+      @user = saml_user.gl_user
+      continue_login_process
+    end
+  end
  def omniauth_error
    @provider = params[:provider]
    @error = params[:error]
@@ -65,25 +85,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
      log_audit_event(current_user, with: oauth['provider'])
      redirect_to profile_account_path, notice: 'Authentication method updated'
    else
-      @user = Gitlab::OAuth::User.new(oauth)
+      oauth_user = Gitlab::OAuth::User.new(oauth)
-      @user.save
+      oauth_user.save
+      @user = oauth_user.gl_user
-      # Only allow properly saved users to login.
-      if @user.persisted? && @user.valid?
-        log_audit_event(@user.gl_user, with: oauth['provider'])
-        sign_in_and_redirect(@user.gl_user)
-      else
-        error_message =
-          if @user.gl_user.errors.any?
-            @user.gl_user.errors.map do |attribute, message|
-              "#{attribute} #{message}"
-            end.join(", ")
-          else
-            ''
-          end
-        redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
+      continue_login_process
-      end
    end
  rescue Gitlab::OAuth::SignupDisabledError
    label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
@@ -104,6 +110,18 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    session[:service_tickets][provider] = ticket
  end
+  def continue_login_process
+    # Only allow properly saved users to login.
+    if @user.persisted? && @user.valid?
+      log_audit_event(@user, with: oauth['provider'])
+      sign_in_and_redirect(@user)
+    else
+      error_message = @user.errors.full_messages.to_sentence
+      redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
+    end
+  end
  def oauth
    @oauth ||= request.env['omniauth.auth']
  end

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -288,15 +288,22 @@ production: &base
    # auto_sign_in_with_provider: saml
    # CAUTION!
-    # This allows users to login without having a user account first (default: false).
+    # This allows users to login without having a user account first. Define the allowed
+    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication was successful.
-    allow_single_sign_on: false
+    allow_single_sign_on: ["saml"]
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
+    # Allow users with existing accounts to login and auto link their account via SAML
+    # login, without having to do a manual login first and manually add SAML
+    # (default: false)
+    auto_link_saml_user: false
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -24,6 +24,10 @@ module Gitlab
        update_user_attributes
      end
+      def save
+        super('LDAP')
+      end
      # instance methods
      def gl_user
        @gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user

--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -26,7 +26,7 @@ module Gitlab
        gl_user.try(:valid?)
      end
-      def save
+      def save(provider = 'OAuth')
        unauthorized_to_create unless gl_user
        if needs_blocking?
@@ -36,10 +36,10 @@ module Gitlab
          gl_user.save!
        end
-        log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
+        log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
        gl_user
      rescue ActiveRecord::RecordInvalid => e
-        log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}"
+        log.info "(#{provider}) Error saving user: #{gl_user.errors.full_messages}"
        return self, e.record.errors
      end
@@ -105,7 +105,8 @@ module Gitlab
      end
      def signup_enabled?
-        Gitlab.config.omniauth.allow_single_sign_on
+        providers = Gitlab.config.omniauth.allow_single_sign_on
+        providers.include?(auth_hash.provider)
      end
      def block_after_signup?

--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
+# SAML extension for User model
+#
+# * Find GitLab user based on SAML uid and provider
+# * Create new user from SAML data
+#
+module Gitlab
+  module Saml
+    class User < Gitlab::OAuth::User
+      def save
+        super('SAML')
+      end
+      def gl_user
+        @user ||= find_by_uid_and_provider
+        if auto_link_ldap_user?
+          @user ||= find_or_create_ldap_user
+        end
+        if auto_link_saml_enabled?
+          @user ||= find_by_email
+        end
+        if signup_enabled?
+          @user ||= build_new_user
+        end
+        @user
+      end
+      def find_by_email
+        if auth_hash.has_email?
+          user = ::User.find_by(email: auth_hash.email.downcase)
+          user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user
+          user
+        end
+      end
+      protected
+      def auto_link_saml_enabled?
+        Gitlab.config.omniauth.auto_link_saml_user
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -42,7 +42,7 @@ describe Gitlab::OAuth::User, lib: true do
    describe 'signup' do
      shared_examples "to verify compliance with allow_single_sign_on" do
        context "with allow_single_sign_on enabled" do
-          before { stub_omniauth_config(allow_single_sign_on: true) }
+          before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
          it "creates a user from Omniauth" do
            oauth_user.save
@@ -55,7 +55,7 @@ describe Gitlab::OAuth::User, lib: true do
        end
        context "with allow_single_sign_on disabled (Default)" do
-          before { stub_omniauth_config(allow_single_sign_on: false) }
+          before { stub_omniauth_config(allow_single_sign_on: []) }
          it "throws an error" do
            expect{ oauth_user.save }.to raise_error StandardError
          end
@@ -135,7 +135,7 @@ describe Gitlab::OAuth::User, lib: true do
    describe 'blocking' do
      let(:provider) { 'twitter' }
-      before { stub_omniauth_config(allow_single_sign_on: true) }
+      before { stub_omniauth_config(allow_single_sign_on: ['twitter']) }
      context 'signup with omniauth only' do
        context 'dont block on create' do

--- a/spec/lib/gitlab/saml/user_spec.rb
+++ b/spec/lib/gitlab/saml/user_spec.rb