BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
583ef945
Unverified
Commit
583ef945
authored
May 30, 2017
by
Hassan Zamani
Committed by
Markus Koller
Feb 08, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add groups to OpenID Connect claims
parent
bfb32b46
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
57 additions
and
7 deletions
+57
-7
user.rb
app/models/user.rb
+6
-1
feature-oidc-groups-claim.yml
changelogs/unreleased/feature-oidc-groups-claim.yml
+4
-0
doorkeeper_openid_connect.rb
config/initializers/doorkeeper_openid_connect.rb
+1
-0
doorkeeper.en.yml
config/locales/doorkeeper.en.yml
+1
-1
openid_connect_provider.md
doc/integration/openid_connect_provider.md
+1
-0
user_spec.rb
spec/models/user_spec.rb
+24
-1
openid_connect_spec.rb
spec/requests/openid_connect_spec.rb
+20
-4
No files found.
app/models/user.rb
View file @
583ef945
...
...
@@ -564,7 +564,7 @@ class User < ActiveRecord::Base
gpg_keys
.
each
(
&
:update_invalid_gpg_signatures
)
end
# Returns the groups a user has access to
# Returns the groups a user has access to
, either through a membership or a project authorization
def
authorized_groups
union
=
Gitlab
::
SQL
::
Union
.
new
([
groups
.
select
(
:id
),
authorized_projects
.
select
(
:namespace_id
)])
...
...
@@ -572,6 +572,11 @@ class User < ActiveRecord::Base
Group
.
where
(
"namespaces.id IN (
#{
union
.
to_sql
}
)"
)
# rubocop:disable GitlabSecurity/SqlInjection
end
# Returns the groups a user is a member of, either directly or through a parent group
def
membership_groups
Gitlab
::
GroupHierarchy
.
new
(
groups
).
base_and_descendants
end
# Returns a relation of groups the user has access to, including their parent
# and child groups (recursively).
def
all_expanded_groups
...
...
changelogs/unreleased/feature-oidc-groups-claim.yml
0 → 100644
View file @
583ef945
---
title
:
Add groups to OpenID Connect claims
merge_request
:
16929
author
:
Hassan Zamani
config/initializers/doorkeeper_openid_connect.rb
View file @
583ef945
...
...
@@ -31,6 +31,7 @@ Doorkeeper::OpenidConnect.configure do
o
.
claim
(
:website
)
{
|
user
|
user
.
full_website_url
if
user
.
website_url?
}
o
.
claim
(
:profile
)
{
|
user
|
Gitlab
::
Routing
.
url_helpers
.
user_url
user
}
o
.
claim
(
:picture
)
{
|
user
|
user
.
avatar_url
(
only_path:
false
)
}
o
.
claim
(
:groups
)
{
|
user
|
user
.
membership_groups
.
map
(
&
:full_path
)
}
end
end
end
config/locales/doorkeeper.en.yml
View file @
583ef945
...
...
@@ -68,7 +68,7 @@ en:
read_user
:
Read-only access to the user's profile information, like username, public email and full name
openid
:
The ability to authenticate using GitLab, and read-only access to the user's profile information
The ability to authenticate using GitLab, and read-only access to the user's profile information
and group memberships
sudo
:
Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
flash
:
...
...
doc/integration/openid_connect_provider.md
View file @
583ef945
...
...
@@ -39,6 +39,7 @@ Currently the following user information is shared with clients:
|
`website`
|
`string`
| URL for the user's website
|
`profile`
|
`string`
| URL for the user's GitLab profile
|
`picture`
|
`string`
| URL for the user's GitLab avatar
|
`groups`
|
`array`
| Names of the groups the user is a member of
[
OpenID Connect
]:
http://openid.net/connect/
"OpenID Connect website"
[
doorkeeper-openid_connect
]:
https://github.com/doorkeeper-gem/doorkeeper-openid_connect
"Doorkeeper::OpenidConnect website"
...
...
spec/models/user_spec.rb
View file @
583ef945
...
...
@@ -1557,14 +1557,37 @@ describe User do
describe
'#authorized_groups'
do
let!
(
:user
)
{
create
(
:user
)
}
let!
(
:private_group
)
{
create
(
:group
)
}
let!
(
:child_group
)
{
create
(
:group
,
parent:
private_group
)
}
let!
(
:project_group
)
{
create
(
:group
)
}
let!
(
:project
)
{
create
(
:project
,
group:
project_group
)
}
before
do
private_group
.
add_user
(
user
,
Gitlab
::
Access
::
MASTER
)
project
.
add_master
(
user
)
end
subject
{
user
.
authorized_groups
}
it
{
is_expected
.
to
eq
([
private_group
])
}
it
{
is_expected
.
to
contain_exactly
private_group
,
project_group
}
end
describe
'#membership_groups'
do
let!
(
:user
)
{
create
(
:user
)
}
let!
(
:parent_group
)
{
create
(
:group
)
}
let!
(
:child_group
)
{
create
(
:group
,
parent:
parent_group
)
}
before
do
parent_group
.
add_user
(
user
,
Gitlab
::
Access
::
MASTER
)
end
subject
{
user
.
membership_groups
}
if
Group
.
supports_nested_groups?
it
{
is_expected
.
to
contain_exactly
parent_group
,
child_group
}
else
it
{
is_expected
.
to
contain_exactly
parent_group
}
end
end
describe
'#authorized_projects'
,
:delete
do
...
...
spec/requests/openid_connect_spec.rb
View file @
583ef945
...
...
@@ -65,10 +65,20 @@ describe 'OpenID Connect requests' do
)
end
let
(
:public_email
)
{
build
:email
,
email:
'public@example.com'
}
let
(
:private_email
)
{
build
:email
,
email:
'private@example.com'
}
let
!
(
:public_email
)
{
build
:email
,
email:
'public@example.com'
}
let
!
(
:private_email
)
{
build
:email
,
email:
'private@example.com'
}
it
'includes all user information'
do
let!
(
:group1
)
{
create
:group
,
path:
'group1'
}
let!
(
:group2
)
{
create
:group
,
path:
'group2'
}
let!
(
:group3
)
{
create
:group
,
path:
'group3'
,
parent:
group2
}
let!
(
:group4
)
{
create
:group
,
path:
'group4'
,
parent:
group3
}
before
do
group1
.
add_user
(
user
,
GroupMember
::
OWNER
)
group3
.
add_user
(
user
,
Gitlab
::
Access
::
DEVELOPER
)
end
it
'includes all user information and group memberships'
do
request_user_info
expect
(
json_response
).
to
eq
({
...
...
@@ -79,7 +89,13 @@ describe 'OpenID Connect requests' do
'email_verified'
=>
true
,
'website'
=>
'https://example.com'
,
'profile'
=>
'http://localhost/alice'
,
'picture'
=>
"http://localhost/uploads/-/system/user/avatar/
#{
user
.
id
}
/dk.png"
'picture'
=>
"http://localhost/uploads/-/system/user/avatar/
#{
user
.
id
}
/dk.png"
,
'groups'
=>
if
Group
.
supports_nested_groups?
[
'group1'
,
'group2/group3'
,
'group2/group3/group4'
]
else
[
'group1'
,
'group2/group3'
]
end
})
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment