Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
8110e753
Commit
8110e753
authored
Apr 06, 2016
by
Patricio Cano
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Implemented suggested fixes
parent
eb0f1de3
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
21 additions
and
33 deletions
+21
-33
doc/integration/saml.md
doc/integration/saml.md
+1
-2
lib/gitlab/saml/auth_hash.rb
lib/gitlab/saml/auth_hash.rb
+1
-1
lib/gitlab/saml/config.rb
lib/gitlab/saml/config.rb
+0
-1
lib/gitlab/saml/user.rb
lib/gitlab/saml/user.rb
+3
-4
spec/lib/gitlab/saml/user_spec.rb
spec/lib/gitlab/saml/user_spec.rb
+16
-25
No files found.
doc/integration/saml.md
View file @
8110e753
...
@@ -159,8 +159,7 @@ with the regular SAML response. Here is an example:
...
@@ -159,8 +159,7 @@ with the regular SAML response. Here is an example:
The name of the attribute can be anything you like, but it must contain the groups
The name of the attribute can be anything you like, but it must contain the groups
to which a user belongs. In order to tell GitLab where to find these groups, you need
to which a user belongs. In order to tell GitLab where to find these groups, you need
to add a
`groups_attribute:`
element to your SAML settings. You will also need to
to add a
`groups_attribute:`
element to your SAML settings. You will also need to
tell GitLab which groups are external, for that you need the
`external_groups:`
tell GitLab which groups are external via the
`external_groups:`
element:
element:
```
yaml
```
yaml
{
name
:
'
saml'
,
{
name
:
'
saml'
,
...
...
lib/gitlab/saml/auth_hash.rb
View file @
8110e753
...
@@ -9,7 +9,7 @@ module Gitlab
...
@@ -9,7 +9,7 @@ module Gitlab
private
private
def
get_raw
(
key
)
def
get_raw
(
key
)
# Needs to call `all` because of https://git
hub.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/attributes.rb#L78
# Needs to call `all` because of https://git
.io/vVo4u
# otherwise just the first value is returned
# otherwise just the first value is returned
auth_hash
.
extra
[
:raw_info
].
all
[
key
]
auth_hash
.
extra
[
:raw_info
].
all
[
key
]
end
end
...
...
lib/gitlab/saml/config.rb
View file @
8110e753
# Load a specific server configuration
module
Gitlab
module
Gitlab
module
Saml
module
Saml
class
Config
class
Config
...
...
lib/gitlab/saml/user.rb
View file @
8110e753
...
@@ -28,12 +28,11 @@ module Gitlab
...
@@ -28,12 +28,11 @@ module Gitlab
if
external_users_enabled?
if
external_users_enabled?
# Check if there is overlap between the user's groups and the external groups
# Check if there is overlap between the user's groups and the external groups
# setting
and
set user as external or internal.
# setting
then
set user as external or internal.
if
(
auth_hash
.
groups
&
Gitlab
::
Saml
::
Config
.
external_groups
).
empty?
if
(
auth_hash
.
groups
&
Gitlab
::
Saml
::
Config
.
external_groups
).
empty?
# Avoid an unnecessary change of values and the subsequent save
@user
.
external
=
false
@user
.
external
=
false
if
@user
.
external
else
else
@user
.
external
=
true
unless
@user
.
external
@user
.
external
=
true
end
end
end
end
...
...
spec/lib/gitlab/saml/user_spec.rb
View file @
8110e753
...
@@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do
allow
(
Gitlab
::
LDAP
::
Config
).
to
receive_messages
(
messages
)
allow
(
Gitlab
::
LDAP
::
Config
).
to
receive_messages
(
messages
)
end
end
def
stub_
saml_config
(
messages
)
def
stub_
basic_saml_config
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
messages
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
{
options:
{
name:
'saml'
,
args:
{}
}
}
)
end
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
args:
{}
}
})
}
def
stub_saml_group_config
(
groups
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
groups
,
args:
{}
}
})
end
before
{
stub_basic_saml_config
}
describe
'account exists on server'
do
describe
'account exists on server'
do
before
{
stub_omniauth_config
({
allow_single_sign_on:
[
'saml'
],
auto_link_saml_user:
true
})
}
before
{
stub_omniauth_config
({
allow_single_sign_on:
[
'saml'
],
auto_link_saml_user:
true
})
}
...
@@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'external groups'
do
context
'are defined'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
expect
(
gl_user
.
external
).
to
be_truthy
end
end
end
end
before
{
stub_saml_
config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
}
)
}
before
{
stub_saml_
group_config
(
%w(Interns)
)
}
context
'are defined but the user does not belong there'
do
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
it
'does not mark the user as external'
do
saml_user
.
save
saml_user
.
save
...
@@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'external groups'
do
context
'are defined'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
expect
(
gl_user
.
external
).
to
be_truthy
end
end
end
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
})
}
context
'are defined but the user does not belong there'
do
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
it
'does not mark the user as external'
do
stub_saml_group_config
(
%w(Interns)
)
saml_user
.
save
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_falsey
expect
(
gl_user
.
external
).
to
be_falsey
...
@@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do
context
'with auto_link_ldap_user enabled'
do
context
'with auto_link_ldap_user enabled'
do
before
{
stub_omniauth_config
({
auto_link_ldap_user:
true
,
auto_link_saml_user:
false
})
}
before
{
stub_omniauth_config
({
auto_link_ldap_user:
true
,
auto_link_saml_user:
false
})
}
context
'and no LDAP provider defined'
do
before
{
stub_ldap_config
(
providers:
[])
}
include_examples
'to verify compliance with allow_single_sign_on'
end
context
'and at least one LDAP provider is defined'
do
context
'and at least one LDAP provider is defined'
do
before
{
stub_ldap_config
(
providers:
%w(ldapmain)
)
}
before
{
stub_ldap_config
(
providers:
%w(ldapmain)
)
}
...
@@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do
before
do
before
do
allow
(
ldap_user
).
to
receive
(
:uid
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:uid
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:username
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:username
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
[
'johndoe@example.com'
,
'john2@example.com'
]
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
%w(john@mail.com john2@example.com)
}
allow
(
ldap_user
).
to
receive
(
:dn
)
{
'uid=user1,ou=People,dc=example'
}
allow
(
ldap_user
).
to
receive
(
:dn
)
{
'uid=user1,ou=People,dc=example'
}
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
ldap_user
)
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
ldap_user
)
end
end
context
'and no account for the LDAP user'
do
context
'and no account for the LDAP user'
do
it
'creates a user with dual LDAP and SAML identities'
do
it
'creates a user with dual LDAP and SAML identities'
do
saml_user
.
save
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
uid
expect
(
gl_user
.
username
).
to
eql
uid
expect
(
gl_user
.
email
).
to
eql
'john
doe@example
.com'
expect
(
gl_user
.
email
).
to
eql
'john
@mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
@@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do
end
end
context
'and LDAP user has an account already'
do
context
'and LDAP user has an account already'
do
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
example
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
mail
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
it
"adds the omniauth identity to the LDAP account"
do
it
'adds the omniauth identity to the LDAP account'
do
saml_user
.
save
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
'john'
expect
(
gl_user
.
username
).
to
eql
'john'
expect
(
gl_user
.
email
).
to
eql
'john@
example
.com'
expect
(
gl_user
.
email
).
to
eql
'john@
mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
@@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do
...
@@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do
end
end
end
end
end
end
context
'and no corresponding LDAP person'
do
before
{
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
nil
)
}
include_examples
'to verify compliance with allow_single_sign_on'
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment