Merge branch 'scim-allowed-domain-problem' into 'master'

Show proper error in SCIM create user endpoint Closes #13997 See merge request gitlab-org/gitlab-ee!15756

Merge branch 'scim-allowed-domain-problem' into 'master'
Show proper error in SCIM create user endpoint Closes #13997 See merge request gitlab-org/gitlab-ee!15756
b1557db4 · Grzegorz Bizon · 75c32935 · 9db49dc9 · b1557db4 · b1557db4
Commit b1557db4 authored Sep 04, 2019 by Grzegorz Bizon
3 changed files
--- a/ee/changelogs/unreleased/scim-allowed-domain-problem.yml
+++ b/ee/changelogs/unreleased/scim-allowed-domain-problem.yml
+---
+title: Show proper error in SCIM create user endpoint
+merge_request: 15756
+author:
+type: fixed
--- a/ee/lib/ee/gitlab/scim/provisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/provisioning_service.rb
@@ -87,7 +87,9 @@ module EE
        end

        def member
-          @member ||= @group.add_user(user, DEFAULT_ACCESS)
+          strong_memoize(:member) do
+            @group.add_user(user, DEFAULT_ACCESS) if user.valid?
+          end
        end

        def existing_member?

--- a/ee/spec/requests/api/scim_spec.rb
+++ b/ee/spec/requests/api/scim_spec.rb
@@ -8,7 +8,7 @@ describe API::Scim do
  let(:scim_token) { create(:scim_oauth_access_token, group: group) }

  before do
-    stub_licensed_features(group_saml: true)
+    stub_licensed_features(group_allowed_email_domains: true, group_saml: true)

    group.add_owner(user)
  end
@@ -119,6 +119,60 @@ describe API::Scim do
        end
      end

+      context 'with allowed domain setting switched on' do
+        let(:new_user) { User.find_by_email('work@example.com') }
+        let(:member) { GroupMember.find_by(user: new_user, group: group) }
+
+        context 'with different domains' do
+          before do
+            create(:allowed_email_domain, group: group)
+            post scim_api("scim/v2/groups/#{group.full_path}/Users?params=#{post_params}")
+          end
+
+          it 'created the user' do
+            expect(new_user).not_to be_nil
+          end
+
+          it 'did not create member' do
+            expect(member).to be_nil
+          end
+
+          context 'with invalid user params' do
+            let(:post_params) do
+              {
+                externalId: 'test_uid',
+                active: nil,
+                userName: 'username',
+                emails: [
+                  { primary: nil, type: 'work', value: '' }
+                ],
+                name: { formatted: 'Test Name', familyName: 'Name', givenName: 'Test' }
+              }.to_query
+            end
+
+            it 'returns user error' do
+              expect(response).to have_gitlab_http_status(412)
+              expect(json_response.fetch('detail')).to include("Email can't be blank")
+            end
+          end
+        end
+
+        context 'with matching domains' do
+          before do
+            create(:allowed_email_domain, group: group, domain: 'example.com')
+            post scim_api("scim/v2/groups/#{group.full_path}/Users?params=#{post_params}")
+          end
+
+          it 'created the user' do
+            expect(new_user).not_to be_nil
+          end
+
+          it 'created the right member' do
+            expect(member.access_level).to eq(::Gitlab::Access::GUEST)
+          end
+        end
+      end
+
      context 'existing user' do
        before do
          old_user = create(:user, email: 'work@example.com')