Commit 718e5b08 authored by Tiago Botelho's avatar Tiago Botelho

Attempt to link saml users to ldap by email

parent 4d88f649
---
title: Link SAML users to LDAP by email.
merge_request: 14216
author:
type: changed
......@@ -17,6 +17,10 @@ module Gitlab
adapter.user('dn', dn)
end
def self.find_by_email(email, adapter)
Array(adapter.config.attributes['email']).find { |attr| adapter.user(attr, email) }
end
def self.disabled_via_active_directory?(dn, adapter)
adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
end
......
......@@ -108,9 +108,12 @@ module Gitlab
end
def find_ldap_person(auth_hash, adapter)
by_uid = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
# The `uid` might actually be a DN. Try it next.
by_uid || Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
# The `uid` might actually be a Email. Try it next.
person || Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter)
end
def ldap_config
......
......@@ -11,16 +11,16 @@ module Gitlab
end
def gl_user
if auto_link_ldap_user?
if auto_link_saml_user?
@user ||= find_by_email
end
if auto_link_ldap_user? && !@user&.ldap_user?
@user ||= find_or_create_ldap_user
end
@user ||= find_by_uid_and_provider
if auto_link_saml_user?
@user ||= find_by_email
end
if signup_enabled?
@user ||= build_new_user
end
......@@ -42,7 +42,11 @@ module Gitlab
def find_by_email
if auth_hash.has_attribute?(:email)
user = ::User.find_by(email: auth_hash.email.downcase)
user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user
if user&.identities&.empty?
user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
end
user
end
end
......
......@@ -170,6 +170,7 @@ describe Gitlab::Saml::User do
allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)
allow(Gitlab::LDAP::Person).to receive(:find_by_email).and_return(ldap_user)
end
context 'and no account for the LDAP user' do
......@@ -195,6 +196,82 @@ describe Gitlab::Saml::User do
username: 'john')
end
shared_examples 'find ldap person' do |uid_type, uid|
before do
allow(Gitlab::LDAP::Person).to receive(:"find_by_#{uid_type}").and_return(ldap_user)
end
it 'adds the omniauth identity to the LDAP account' do
identities = [
{ provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
{ provider: 'saml', extern_uid: extern_uid }
]
identities_as_hash = gl_user.identities.map do |id|
{ provider: id.provider, extern_uid: id.extern_uid }
end
saml_user.save
expect(gl_user).to be_valid
expect(gl_user.username).to eql 'john'
expect(gl_user.email).to eql 'john@mail.com'
expect(gl_user.identities.length).to be 2
expect(identities_as_hash).to match_array(identities)
end
end
context 'when uid is an uid' do
it_behaves_like 'find ldap person', 'uid' do
let(:extern_uid) { uid }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end
end
context 'when uid is a dn' do
it_behaves_like 'find ldap person', 'email' do
let(:extern_uid) { 'uid=user1,ou=People,dc=example' }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: extern_uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end
end
context 'when uid is an email' do
it_behaves_like 'find ldap person', 'email' do
let(:extern_uid) { 'john@mail.com' }
let(:auth_hash) do
OmniAuth::AuthHash.new(
uid: extern_uid,
provider: provider,
info: info_hash,
extra: {
raw_info: OneLogin::RubySaml::Attributes.new(
{ 'groups' => %w(Developers Freelancers Designers) }
)
})
end
end
end
it 'adds the omniauth identity to the LDAP account' do
saml_user.save
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment