Make auto_link_user configurable by provider

- The initial auto_link_user setting supported true/false - This allows users to configure the setting for each provider - Gives users more control over this OmniAuth setting

Make auto_link_user configurable by provider
- The initial auto_link_user setting supported true/false - This allows users to configure the setting for each provider - Gives users more control over this OmniAuth setting
686b1dd9 · Blair Lunceford · 725c66a2 · 686b1dd9 · 686b1dd9 · 686b1dd9
Commit 686b1dd9 authored Sep 02, 2020 by Blair Lunceford
5 changed files
--- a/changelogs/unreleased/243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider.yml
+++ b/changelogs/unreleased/243787-make-the-auto_link_user-omniauth-setting-configurable-by-provider.yml
+---
+title: Make the auto_link_user OmniAuth setting configurable by provider
+merge_request: 41133
+author:
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -890,8 +890,10 @@ production: &base

    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
+    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
+    # allow all providers or none.
    # (default: false)
-    auto_link_user: false
+    auto_link_user: ["saml"]

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You

--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -149,14 +149,14 @@ You can automatically link OmniAuth users with existing GitLab users if their em
 **For Omnibus installations**

 ```ruby
-gitlab_rails['omniauth_auto_link_user'] = true
+gitlab_rails['omniauth_auto_link_user'] = ["saml", "twitter"]
 ```

 **For installations from source**

 ```yaml
 omniauth:
-  auto_link_user: true
+  auto_link_user: ["saml", "twitter"]
 ```

 ## Configure OmniAuth Providers as External

--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -273,7 +273,12 @@ module Gitlab
        end

        def auto_link_user?
-          Gitlab.config.omniauth.auto_link_user
+          providers = Gitlab.config.omniauth.auto_link_user
+          if providers.is_a?(Array)
+            providers.include?(auth_hash.provider)
+          else
+            providers
+          end
        end
      end
    end

--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -202,9 +202,17 @@ RSpec.describe Gitlab::Auth::OAuth::User do
        include_examples "to verify compliance with allow_single_sign_on"
      end

-      context "with auto_link_user enabled" do
+      context "with auto_link_user enabled for a different provider" do
        before do
-          stub_omniauth_config(auto_link_user: true)
+          stub_omniauth_config(auto_link_user: ['saml'])
+        end
+
+        include_examples "to verify compliance with allow_single_sign_on"
+      end
+
+      context "with auto_link_user enabled for the correct provider" do
+        before do
+          stub_omniauth_config(auto_link_user: ['twitter'])
        end

        context "and a current GitLab user with a matching email" do
@@ -421,7 +429,7 @@ RSpec.describe Gitlab::Auth::OAuth::User do

      context "with both auto_link_user and auto_link_ldap_user enabled" do
        before do
-          stub_omniauth_config(auto_link_user: true, auto_link_ldap_user: true)
+          stub_omniauth_config(auto_link_user: ['twitter'], auto_link_ldap_user: true)
        end

        context "and at least one LDAP provider is defined" do