Merge branch 'search_ldap_by_email' into 'master'

Lookup for users in LDAP based on their e-mail by their e-mail-address instead of only uid. See merge request gitlab-org/gitlab!33767

Merge branch 'search_ldap_by_email' into 'master'
Lookup for users in LDAP based on their e-mail by their e-mail-address instead of only uid. See merge request gitlab-org/gitlab!33767
23d49064 · Michael Kozono · 8affa7b0 · 54594ab9 · 23d49064 · 23d49064
Commit 23d49064 authored Aug 19, 2020 by Michael Kozono
3 changed files
--- a/changelogs/unreleased/33767-search-users-in-LDAP-by-their-e-mail-address.yml
+++ b/changelogs/unreleased/33767-search-users-in-LDAP-by-their-e-mail-address.yml
+---
+title: "Allow OAuth to auto link LDAP users via email address"
+merge_request: 33767
+author: Niko Wenselowski
+type: changed
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -150,6 +150,7 @@ module Gitlab
        def find_ldap_person(auth_hash, adapter)
          Gitlab::Auth::Ldap::Person.find_by_uid(auth_hash.uid, adapter) ||
            Gitlab::Auth::Ldap::Person.find_by_email(auth_hash.uid, adapter) ||
+            Gitlab::Auth::Ldap::Person.find_by_email(auth_hash.email, adapter) ||
            Gitlab::Auth::Ldap::Person.find_by_dn(auth_hash.uid, adapter)
        rescue Gitlab::Auth::Ldap::LdapConnectionError
          nil

--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -230,39 +230,56 @@ RSpec.describe Gitlab::Auth::OAuth::User do
            end

            context "and no account for the LDAP user" do
-              before do
-                allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
+              context 'when the LDAP user is found by UID' do
+                before do
+                  allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)

-                oauth_user.save
-              end
+                  oauth_user.save
+                end

-              it "creates a user with dual LDAP and omniauth identities" do
-                expect(gl_user).to be_valid
-                expect(gl_user.username).to eql uid
-                expect(gl_user.name).to eql 'John Doe'
-                expect(gl_user.email).to eql 'johndoe@example.com'
-                expect(gl_user.identities.length).to be 2
-                identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
-                expect(identities_as_hash).to match_array(
-                  [
-                    { provider: 'ldapmain', extern_uid: dn },
-                    { provider: 'twitter', extern_uid: uid }
-                  ]
-                )
-              end
+                it "creates a user with dual LDAP and omniauth identities" do
+                  expect(gl_user).to be_valid
+                  expect(gl_user.username).to eql uid
+                  expect(gl_user.name).to eql 'John Doe'
+                  expect(gl_user.email).to eql 'johndoe@example.com'
+                  expect(gl_user.identities.length).to be 2
+                  identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+                  expect(identities_as_hash).to match_array(
+                    [
+                      { provider: 'ldapmain', extern_uid: dn },
+                      { provider: 'twitter', extern_uid: uid }
+                    ]
+                  )
+                end

-              it "has name and email set as synced" do
-                expect(gl_user.user_synced_attributes_metadata.name_synced).to be_truthy
-                expect(gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
-              end
+                it "has name and email set as synced" do
+                  expect(gl_user.user_synced_attributes_metadata.name_synced).to be_truthy
+                  expect(gl_user.user_synced_attributes_metadata.email_synced).to be_truthy
+                end
+
+                it "has name and email set as read-only" do
+                  expect(gl_user.read_only_attribute?(:name)).to be_truthy
+                  expect(gl_user.read_only_attribute?(:email)).to be_truthy
+                end

-              it "has name and email set as read-only" do
-                expect(gl_user.read_only_attribute?(:name)).to be_truthy
-                expect(gl_user.read_only_attribute?(:email)).to be_truthy
+                it "has synced attributes provider set to ldapmain" do
+                  expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
+                end
              end

-              it "has synced attributes provider set to ldapmain" do
-                expect(gl_user.user_synced_attributes_metadata.provider).to eql 'ldapmain'
+              context 'when the LDAP user is found by email address' do
+                before do
+                  allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(nil)
+                  allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_email).with(uid, any_args).and_return(nil)
+                  allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_email).with(info_hash[:email], any_args).and_return(ldap_user)
+
+                  oauth_user.save
+                end
+
+                it 'creates the LDAP identity' do
+                  identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+                  expect(identities_as_hash).to include({ provider: 'ldapmain', extern_uid: dn })
+                end
              end
            end

@@ -791,7 +808,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do
    end
  end

-  describe '.find_by_uid_and_provider' do
+  describe '._uid_and_provider' do
    let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }

    it 'normalizes extern_uid' do