Fixed user cap evaluation for all OAuth login

Moved some logic away from SAML related code to a controller related to Omniauth sign-in. Changelog: fixed EE: true

Fixed user cap evaluation for all OAuth login
Moved some logic away from SAML related code to a controller related to Omniauth sign-in. Changelog: fixed EE: true
0938f9f1 · Etienne Baqué · 571badda · 0938f9f1 · 0938f9f1 · 0938f9f1
Commit 0938f9f1 authored Feb 23, 2022 by Etienne Baqué
5 changed files
--- a/ee/lib/ee/gitlab/auth/ldap/user.rb
+++ b/ee/lib/ee/gitlab/auth/ldap/user.rb
@@ -9,26 +9,12 @@ module EE
    module Auth
      module Ldap
        module User
-          extend ::Gitlab::Utils::Override
-
          def initialize(auth_hash)
            super

            set_external_with_external_groups
          end

-          override :find_user
-          def find_user
-            user = super
-
-            if activate_user_based_on_user_cap?(user)
-              user.activate
-              log_user_changes(user, 'LDAP', "user cap not reached yet, unblocking")
-            end
-
-            user
-          end
-
          private

          # Intended to be called during #initialize, and #save should be called

--- a/ee/lib/ee/gitlab/auth/o_auth/user.rb
+++ b/ee/lib/ee/gitlab/auth/o_auth/user.rb
@@ -5,6 +5,13 @@ module EE
    module Auth
      module OAuth
        module User
+          def activate_user_if_user_cap_not_reached
+            if activate_user_based_on_user_cap?(gl_user)
+              gl_user.activate
+              log_user_changes(gl_user, protocol_name, "user cap not reached yet, unblocking")
+            end
+          end
+
          protected

          def find_ldap_person(auth_hash, adapter)

--- a/ee/lib/ee/gitlab/auth/saml/user.rb
+++ b/ee/lib/ee/gitlab/auth/saml/user.rb
@@ -13,7 +13,6 @@ module EE

            if user_in_required_group?
              unblock_user(user, "in required group") if user&.persisted? && user&.ldap_blocked?
-              unblock_user(user, "user cap not reached yet") if activate_user_based_on_user_cap?(user)
            elsif user&.persisted?
              block_user(user, "not in required group") unless user.blocked?
            else

--- a/ee/spec/support/shared_examples/auth/access_protocol_examples.rb
+++ b/ee/spec/support/shared_examples/auth/access_protocol_examples.rb
@@ -39,13 +39,13 @@ RSpec.shared_examples 'finding user when user cap is set' do
          it 'does not activate the user' do
            allow(::User).to receive(:user_cap_reached?).and_raise(ActiveRecord::QueryAborted)

-            o_auth_user.save # rubocop:disable Rails/SaveBang
-
            expect(::Gitlab::ErrorTracking).to receive(:track_exception).with(
              instance_of(ActiveRecord::QueryAborted),
              user_email: o_auth_user.gl_user.email
            )
            expect(o_auth_user.find_user).to be_blocked
+
+            o_auth_user.save # rubocop:disable Rails/SaveBang
          end
        end
      end

--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -55,6 +55,7 @@ module Gitlab
          Users::UpdateService.new(gl_user, user: gl_user).execute!

          gl_user.block_pending_approval if block_after_save
+          activate_user_if_user_cap_not_reached

          log.info "(#{provider}) saving user #{auth_hash.email} from login with admin => #{gl_user.admin}, extern_uid => #{auth_hash.uid}"
          gl_user
@@ -100,6 +101,10 @@ module Gitlab
          'OAuth'
        end

+        def activate_user_if_user_cap_not_reached
+          nil
+        end
+
        protected

        def should_save?