Commit 4cc86e3c authored by Gabriel Mazetto's avatar Gabriel Mazetto

Merge branch 'dblessing-remove-scim-identities-feature-flag' into 'master'

Remove `scim_identities` feature flag

See merge request gitlab-org/gitlab!43458
parents 966edcc7 ab9cb62c
...@@ -21,22 +21,12 @@ class ScimFinder ...@@ -21,22 +21,12 @@ class ScimFinder
private private
def scim_identities_enabled?
strong_memoize(:scim_identities_enabled) do
::EE::Gitlab::Scim::Feature.scim_identities_enabled?(group)
end
end
def null_identity def null_identity
return ScimIdentity.none if scim_identities_enabled? ScimIdentity.none
Identity.none
end end
def all_identities def all_identities
return group.scim_identities if scim_identities_enabled? group.scim_identities
saml_provider.identities
end end
def unfiltered?(params) def unfiltered?(params)
...@@ -63,9 +53,7 @@ class ScimFinder ...@@ -63,9 +53,7 @@ class ScimFinder
end end
def by_extern_uid(extern_uid) def by_extern_uid(extern_uid)
return group.scim_identities.with_extern_uid(extern_uid) if scim_identities_enabled? group.scim_identities.with_extern_uid(extern_uid)
Identity.where_group_saml_uid(saml_provider, extern_uid)
end end
def eq_filter_on_username?(parser) def eq_filter_on_username?(parser)
...@@ -79,9 +67,7 @@ class ScimFinder ...@@ -79,9 +67,7 @@ class ScimFinder
user ||= User.find_by_any_email(username) || User.find_by_username(email_local_part(username)) user ||= User.find_by_any_email(username) || User.find_by_username(email_local_part(username))
end end
return group.scim_identities.for_user(user) if scim_identities_enabled? group.scim_identities.for_user(user)
saml_provider.identities.for_user(user)
end end
def email?(email) def email?(email)
......
---
name: scim_identities
introduced_by_url:
rollout_issue_url:
group:
type: development
default_enabled: true
...@@ -97,23 +97,12 @@ module API ...@@ -97,23 +97,12 @@ module API
def find_user_identity(group, extern_uid) def find_user_identity(group, extern_uid)
return unless group.saml_provider return unless group.saml_provider
return group.scim_identities.with_extern_uid(extern_uid).first if scim_identities_enabled?
GroupSamlIdentityFinder.find_by_group_and_uid(group: group, uid: extern_uid) group.scim_identities.with_extern_uid(extern_uid).first
end
def scim_identities_enabled?
strong_memoize(:scim_identities_enabled) do
::EE::Gitlab::Scim::Feature.scim_identities_enabled?(@group)
end
end end
def deprovision(identity) def deprovision(identity)
if scim_identities_enabled? ::EE::Gitlab::Scim::DeprovisionService.new(identity).execute
::EE::Gitlab::Scim::DeprovisionService.new(identity).execute
else
GroupSaml::Identity::DestroyService.new(identity).execute(transactional: true)
end
true true
rescue => e rescue => e
......
# frozen_string_literal: true
module EE
module Gitlab
module Scim
class Feature
def self.scim_identities_enabled?(group)
::Feature.enabled?(:scim_identities, group, default_enabled: true)
end
end
end
end
end
...@@ -50,24 +50,8 @@ module EE ...@@ -50,24 +50,8 @@ module EE
error_response(objects: [user, identity, member]) error_response(objects: [user, identity, member])
end end
def scim_identities_enabled?
strong_memoize(:scim_identities_enabled) do
::EE::Gitlab::Scim::Feature.scim_identities_enabled?(@group)
end
end
def identity_provider
strong_memoize(:identity_provider) do
next ::Users::BuildService::GROUP_SCIM_PROVIDER if scim_identities_enabled?
::Users::BuildService::GROUP_SAML_PROVIDER
end
end
def identity def identity
strong_memoize(:identity) do strong_memoize(:identity) do
next saml_identity unless scim_identities_enabled?
identity = @group.scim_identities.with_extern_uid(@parsed_hash[:extern_uid]).first identity = @group.scim_identities.with_extern_uid(@parsed_hash[:extern_uid]).first
next identity if identity next identity if identity
...@@ -75,14 +59,8 @@ module EE ...@@ -75,14 +59,8 @@ module EE
end end
end end
def saml_identity
::Identity.with_extern_uid(identity_provider, @parsed_hash[:extern_uid]).first
end
def user def user
strong_memoize(:user) do strong_memoize(:user) do
next build_user unless scim_identities_enabled?
user = ::User.find_by_any_email(@parsed_hash[:email]) user = ::User.find_by_any_email(@parsed_hash[:email])
next user if user next user if user
...@@ -127,7 +105,7 @@ module EE ...@@ -127,7 +105,7 @@ module EE
hash[:skip_confirmation] = SKIP_EMAIL_CONFIRMATION hash[:skip_confirmation] = SKIP_EMAIL_CONFIRMATION
hash[:saml_provider_id] = @group.saml_provider.id hash[:saml_provider_id] = @group.saml_provider.id
hash[:group_id] = @group.id hash[:group_id] = @group.id
hash[:provider] = identity_provider hash[:provider] = ::Users::BuildService::GROUP_SCIM_PROVIDER
hash[:username] = valid_username hash[:username] = valid_username
hash[:password] = hash[:password_confirmation] = random_password hash[:password] = hash[:password_confirmation] = random_password
hash[:password_automatically_set] = PASSWORD_AUTOMATICALLY_SET hash[:password_automatically_set] = PASSWORD_AUTOMATICALLY_SET
...@@ -161,7 +139,7 @@ module EE ...@@ -161,7 +139,7 @@ module EE
end end
def create_identity_only? def create_identity_only?
scim_identities_enabled? && existing_user? && existing_member?(user) existing_user? && existing_member?(user)
end end
def existing_identity_and_member? def existing_identity_and_member?
......
...@@ -10,15 +10,7 @@ RSpec.describe ScimFinder do ...@@ -10,15 +10,7 @@ RSpec.describe ScimFinder do
describe '#search' do describe '#search' do
context 'without a SAML provider' do context 'without a SAML provider' do
it 'returns an empty identity relation when scim_identities is disabled' do it 'returns an empty scim identity relation' do
stub_feature_flags(scim_identities: false)
expect(finder.search(unused_params)).to eq Identity.none
end
it 'returns an empty scim identity relation when scim_identities is enabled' do
stub_feature_flags(scim_identities: true)
expect(finder.search(unused_params)).to eq ScimIdentity.none expect(finder.search(unused_params)).to eq ScimIdentity.none
end end
end end
...@@ -28,15 +20,7 @@ RSpec.describe ScimFinder do ...@@ -28,15 +20,7 @@ RSpec.describe ScimFinder do
create(:saml_provider, group: group, enabled: false) create(:saml_provider, group: group, enabled: false)
end end
it 'returns an empty identity relation when scim_identities is disabled' do it 'returns an empty scim identity relation' do
stub_feature_flags(scim_identities: false)
expect(finder.search(unused_params)).to eq Identity.none
end
it 'returns an empty scim identity relation when scim_identities is enabled' do
stub_feature_flags(scim_identities: true)
expect(finder.search(unused_params)).to eq ScimIdentity.none expect(finder.search(unused_params)).to eq ScimIdentity.none
end end
end end
...@@ -45,67 +29,41 @@ RSpec.describe ScimFinder do ...@@ -45,67 +29,41 @@ RSpec.describe ScimFinder do
let_it_be(:saml_provider) { create(:saml_provider, group: group) } let_it_be(:saml_provider) { create(:saml_provider, group: group) }
context 'with an eq filter' do context 'with an eq filter' do
shared_examples 'valid lookups' do let_it_be(:user) { create(:user, username: 'foo', email: 'bar@example.com') }
it 'allows identity lookup by id/externalId' do let_it_be(:id) { create(:scim_identity, group: group, user: user) }
expect(finder.search(filter: "id eq #{id.extern_uid}")).to be_a ActiveRecord::Relation
expect(finder.search(filter: "id eq #{id.extern_uid}").first).to eq id
expect(finder.search(filter: "externalId eq #{id.extern_uid}").first).to eq id
end
it 'allows lookup by userName' do
expect(finder.search(filter: "userName eq \"#{id.user.username}\"").first).to eq id
end
context 'allows lookup by userName' do it 'allows identity lookup by id/externalId' do
it 'finds user by an email address' do expect(finder.search(filter: "id eq #{id.extern_uid}")).to be_a ActiveRecord::Relation
expect(finder.search(filter: "userName eq #{id.user.email}").first).to eq id expect(finder.search(filter: "id eq #{id.extern_uid}").first).to eq id
end expect(finder.search(filter: "externalId eq #{id.extern_uid}").first).to eq id
end
it 'finds user by using local part of email address as username' do
email = "#{id.user.username}@example.com"
expect(finder.search(filter: "userName eq #{email}").first).to eq id
end
it 'finds user by username' do
expect(finder.search(filter: "userName eq \"#{id.user.username}\"").first).to eq id
end
it 'finds user by extern_uid' do it 'allows lookup by userName' do
expect(finder.search(filter: "userName eq \"#{id.extern_uid}\"").first).to eq id expect(finder.search(filter: "userName eq \"#{id.user.username}\"").first).to eq id
end
end
end end
context 'when scim_identities is disabled' do context 'allows lookup by userName' do
before do it 'finds user by an email address' do
stub_feature_flags(scim_identities: false) expect(finder.search(filter: "userName eq #{id.user.email}").first).to eq id
end end
let_it_be(:id) { create(:group_saml_identity, saml_provider: saml_provider) }
it_behaves_like 'valid lookups' it 'finds user by using local part of email address as username' do
end email = "#{id.user.username}@example.com"
expect(finder.search(filter: "userName eq #{email}").first).to eq id
end
context 'when scim_identities is enabled' do it 'finds user by username' do
before do expect(finder.search(filter: "userName eq \"#{id.user.username}\"").first).to eq id
stub_feature_flags(scim_identities: true)
end end
let_it_be(:user) { create(:user, username: 'foo', email: 'bar@example.com') }
let_it_be(:id) { create(:scim_identity, group: group, user: user) }
it_behaves_like 'valid lookups' it 'finds user by extern_uid' do
expect(finder.search(filter: "userName eq \"#{id.extern_uid}\"").first).to eq id
end
end end
end end
context 'with no filter' do context 'with no filter' do
it 'returns all related identities when scim_identities is disabled' do it 'returns all related scim_identities' do
stub_feature_flags(scim_identities: false)
create_list(:group_saml_identity, 2, saml_provider: saml_provider)
expect(finder.search({}).count).to eq 2
end
it 'returns all related identities when scim_identities is enabled' do
stub_feature_flags(scim_identities: true)
create_list(:scim_identity, 4, group: group) create_list(:scim_identity, 4, group: group)
expect(finder.search({}).count).to eq 4 expect(finder.search({}).count).to eq 4
......
...@@ -27,89 +27,7 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do ...@@ -27,89 +27,7 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
end end
end end
shared_examples 'scim provisioning' do shared_examples 'existing user' do
context 'valid params' do
let_it_be(:service_params) do
{
email: 'work@example.com',
name: 'Test Name',
extern_uid: 'test_uid',
username: 'username'
}
end
def user
User.find_by(email: service_params[:email])
end
it_behaves_like 'success response'
it 'creates the user' do
expect { service.execute }.to change { User.count }.by(1)
end
it 'creates the group member' do
expect { service.execute }.to change { GroupMember.count }.by(1)
end
it 'creates the correct user attributes' do
service.execute
expect(user).to be_a(User)
end
context 'access level of created group member' do
let!(:saml_provider) do
create(:saml_provider, group: group, default_membership_role: Gitlab::Access::DEVELOPER)
end
it 'sets the access level of the member as specified in saml_provider' do
service.execute
access_level = group.group_member(user).access_level
expect(access_level).to eq(Gitlab::Access::DEVELOPER)
end
end
it 'user record requires confirmation' do
service.execute
expect(user).to be_present
expect(user).not_to be_confirmed
end
context 'when the current minimum password length is different from the default minimum password length' do
before do
stub_application_setting minimum_password_length: 21
end
it 'creates the user' do
expect { service.execute }.to change { User.count }.by(1)
end
end
end
context 'invalid params' do
let_it_be(:service_params) do
{
email: 'work@example.com',
name: 'Test Name',
extern_uid: 'test_uid'
}
end
it 'fails with error' do
expect(service.execute.status).to eq(:error)
end
it 'fails with missing params' do
expect(service.execute.message).to eq("Missing params: [:username]")
end
end
end
shared_examples 'existing user when scim identities are enabled' do
it 'does not create a new user' do it 'does not create a new user' do
expect { service.execute }.not_to change { User.count } expect { service.execute }.not_to change { User.count }
end end
...@@ -125,13 +43,7 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do ...@@ -125,13 +43,7 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
end end
end end
context 'when scim_identities is disabled' do context 'valid params' do
before do
stub_feature_flags(scim_identities: false)
end
it_behaves_like 'scim provisioning'
let_it_be(:service_params) do let_it_be(:service_params) do
{ {
email: 'work@example.com', email: 'work@example.com',
...@@ -141,93 +53,132 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do ...@@ -141,93 +53,132 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
} }
end end
it 'creates the SAML identity' do def user
expect { service.execute }.to change { Identity.count }.by(1) User.find_by(email: service_params[:email])
end end
it 'does not create the SCIM identity' do it_behaves_like 'success response'
expect { service.execute }.not_to change { ScimIdentity.count }
it 'creates the user' do
expect { service.execute }.to change { User.count }.by(1)
end end
context 'existing user' do it 'creates the group member' do
before do expect { service.execute }.to change { GroupMember.count }.by(1)
create(:user, email: 'work@example.com') end
end
it 'does not create a new user' do it 'creates the correct user attributes' do
expect { service.execute }.not_to change { User.count } service.execute
expect(user).to be_a(User)
end
context 'access level of created group member' do
let!(:saml_provider) do
create(:saml_provider, group: group, default_membership_role: Gitlab::Access::DEVELOPER)
end end
it 'fails with conflict' do it 'sets the access level of the member as specified in saml_provider' do
expect(service.execute.status).to eq(:conflict) service.execute
access_level = group.group_member(user).access_level
expect(access_level).to eq(Gitlab::Access::DEVELOPER)
end end
end end
end
context 'when scim_identities is enabled' do it 'user record requires confirmation' do
before do service.execute
stub_feature_flags(scim_identities: true)
expect(user).to be_present
expect(user).not_to be_confirmed
end end
it_behaves_like 'scim provisioning' context 'when the current minimum password length is different from the default minimum password length' do
before do
stub_application_setting minimum_password_length: 21
end
it 'creates the user' do
expect { service.execute }.to change { User.count }.by(1)
end
end
end
context 'invalid params' do
let_it_be(:service_params) do let_it_be(:service_params) do
{ {
email: 'work@example.com', email: 'work@example.com',
name: 'Test Name', name: 'Test Name',
extern_uid: 'test_uid', extern_uid: 'test_uid'
username: 'username'
} }
end end
it 'creates the SCIM identity' do it 'fails with error' do
expect { service.execute }.to change { ScimIdentity.count }.by(1) expect(service.execute.status).to eq(:error)
end end
it 'creates the SAML identity' do it 'fails with missing params' do
expect { service.execute }.to change { Identity.count }.by(1) expect(service.execute.message).to eq("Missing params: [:username]")
end end
end
context 'existing user' do let_it_be(:service_params) do
before do {
create(:email, user: user, email: 'work@example.com') email: 'work@example.com',
end name: 'Test Name',
let(:user) { create(:user) } extern_uid: 'test_uid',
username: 'username'
context 'when user is not an existing group member' do }
it_behaves_like 'existing user when scim identities are enabled' end
it 'creates the group member' do it 'creates the SCIM identity' do
expect { service.execute }.to change { GroupMember.count }.by(1) expect { service.execute }.to change { ScimIdentity.count }.by(1)
end end
context 'with enforced SSO' do it 'creates the SAML identity' do
let(:enforced_sso) { true } expect { service.execute }.to change { Identity.count }.by(1)
end
it 'does not create the group member' do context 'for an existing user' do
expect { service.execute }.not_to change { GroupMember.count } before do
end create(:email, user: user, email: 'work@example.com')
end
let(:user) { create(:user) }
it 'does not create the SAML identity' do context 'when user is not a group member' do
expect { service.execute }.not_to change { Identity.count } it_behaves_like 'existing user'
end
it 'does not create the SCIM identity' do it 'creates the group member' do
expect { service.execute }.not_to change { ScimIdentity.count } expect { service.execute }.to change { GroupMember.count }.by(1)
end
end
end end
context 'when user is an existing group member' do context 'with enforced SSO' do
before do let(:enforced_sso) { true }
group.add_guest(user)
end
it_behaves_like 'existing user when scim identities are enabled'
it 'does not create the group member' do it 'does not create the group member' do
expect { service.execute }.not_to change { GroupMember.count } expect { service.execute }.not_to change { GroupMember.count }
end end
it 'does not create the SAML identity' do
expect { service.execute }.not_to change { Identity.count }
end
it 'does not create the SCIM identity' do
expect { service.execute }.not_to change { ScimIdentity.count }
end
end
end
context 'when user is an existing group member' do
before do
group.add_guest(user)
end
it_behaves_like 'existing user'
it 'does not create the group member' do
expect { service.execute }.not_to change { GroupMember.count }
end end
end end
end end
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment