BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
8110e753
Commit
8110e753
authored
Apr 06, 2016
by
Patricio Cano
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Implemented suggested fixes
parent
eb0f1de3
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
21 additions
and
33 deletions
+21
-33
saml.md
doc/integration/saml.md
+1
-2
auth_hash.rb
lib/gitlab/saml/auth_hash.rb
+1
-1
config.rb
lib/gitlab/saml/config.rb
+0
-1
user.rb
lib/gitlab/saml/user.rb
+3
-4
user_spec.rb
spec/lib/gitlab/saml/user_spec.rb
+16
-25
No files found.
doc/integration/saml.md
View file @
8110e753
...
...
@@ -159,8 +159,7 @@ with the regular SAML response. Here is an example:
The name of the attribute can be anything you like, but it must contain the groups
to which a user belongs. In order to tell GitLab where to find these groups, you need
to add a `groups_attribute:` element to your SAML settings. You will also need to
tell GitLab which groups are external, for that you need the `external_groups:`
element:
tell GitLab which groups are external via the `external_groups:` element:
```
yaml
{ name: 'saml',
...
...
lib/gitlab/saml/auth_hash.rb
View file @
8110e753
...
...
@@ -9,7 +9,7 @@ module Gitlab
private
def
get_raw
(
key
)
# Needs to call `all` because of https://git
hub.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/attributes.rb#L78
# Needs to call `all` because of https://git
.io/vVo4u
# otherwise just the first value is returned
auth_hash
.
extra
[
:raw_info
].
all
[
key
]
end
...
...
lib/gitlab/saml/config.rb
View file @
8110e753
# Load a specific server configuration
module
Gitlab
module
Saml
class
Config
...
...
lib/gitlab/saml/user.rb
View file @
8110e753
...
...
@@ -28,12 +28,11 @@ module Gitlab
if
external_users_enabled?
# Check if there is overlap between the user's groups and the external groups
# setting
and
set user as external or internal.
# setting
then
set user as external or internal.
if
(
auth_hash
.
groups
&
Gitlab
::
Saml
::
Config
.
external_groups
).
empty?
# Avoid an unnecessary change of values and the subsequent save
@user
.
external
=
false
if
@user
.
external
@user
.
external
=
false
else
@user
.
external
=
true
unless
@user
.
external
@user
.
external
=
true
end
end
...
...
spec/lib/gitlab/saml/user_spec.rb
View file @
8110e753
...
...
@@ -23,11 +23,15 @@ describe Gitlab::Saml::User, lib: true do
allow
(
Gitlab
::
LDAP
::
Config
).
to
receive_messages
(
messages
)
end
def
stub_
saml_config
(
messages
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
messages
)
def
stub_
basic_saml_config
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
(
{
options:
{
name:
'saml'
,
args:
{}
}
}
)
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
args:
{}
}
})
}
def
stub_saml_group_config
(
groups
)
allow
(
Gitlab
::
Saml
::
Config
).
to
receive_messages
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
groups
,
args:
{}
}
})
end
before
{
stub_basic_saml_config
}
describe
'account exists on server'
do
before
{
stub_omniauth_config
({
allow_single_sign_on:
[
'saml'
],
auto_link_saml_user:
true
})
}
...
...
@@ -45,15 +49,15 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
end
end
before
{
stub_saml_
config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
}
)
}
before
{
stub_saml_
group_config
(
%w(Interns)
)
}
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
saml_user
.
save
...
...
@@ -105,17 +109,17 @@ describe Gitlab::Saml::User, lib: true do
context
'external groups'
do
context
'are defined'
do
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Freelancers)
,
args:
{}
}
})
}
it
'marks the user as external'
do
stub_saml_group_config
(
%w(Freelancers)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_truthy
end
end
before
{
stub_saml_config
({
options:
{
name:
'saml'
,
groups_attribute:
'groups'
,
external_groups:
%w(Interns)
,
args:
{}
}
})
}
context
'are defined but the user does not belong there'
do
it
'does not mark the user as external'
do
stub_saml_group_config
(
%w(Interns)
)
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
external
).
to
be_falsey
...
...
@@ -131,12 +135,6 @@ describe Gitlab::Saml::User, lib: true do
context
'with auto_link_ldap_user enabled'
do
before
{
stub_omniauth_config
({
auto_link_ldap_user:
true
,
auto_link_saml_user:
false
})
}
context
'and no LDAP provider defined'
do
before
{
stub_ldap_config
(
providers:
[])
}
include_examples
'to verify compliance with allow_single_sign_on'
end
context
'and at least one LDAP provider is defined'
do
before
{
stub_ldap_config
(
providers:
%w(ldapmain)
)
}
...
...
@@ -144,19 +142,18 @@ describe Gitlab::Saml::User, lib: true do
before
do
allow
(
ldap_user
).
to
receive
(
:uid
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:username
)
{
uid
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
[
'johndoe@example.com'
,
'john2@example.com'
]
}
allow
(
ldap_user
).
to
receive
(
:email
)
{
%w(john@mail.com john2@example.com)
}
allow
(
ldap_user
).
to
receive
(
:dn
)
{
'uid=user1,ou=People,dc=example'
}
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
ldap_user
)
end
context
'and no account for the LDAP user'
do
it
'creates a user with dual LDAP and SAML identities'
do
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
uid
expect
(
gl_user
.
email
).
to
eql
'john
doe@example
.com'
expect
(
gl_user
.
email
).
to
eql
'john
@mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
...
@@ -166,13 +163,13 @@ describe Gitlab::Saml::User, lib: true do
end
context
'and LDAP user has an account already'
do
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
example
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
it
"adds the omniauth identity to the LDAP account"
do
let!
(
:existing_user
)
{
create
(
:omniauth_user
,
email:
'john@
mail
.com'
,
extern_uid:
'uid=user1,ou=People,dc=example'
,
provider:
'ldapmain'
,
username:
'john'
)
}
it
'adds the omniauth identity to the LDAP account'
do
saml_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
.
username
).
to
eql
'john'
expect
(
gl_user
.
email
).
to
eql
'john@
example
.com'
expect
(
gl_user
.
email
).
to
eql
'john@
mail
.com'
expect
(
gl_user
.
identities
.
length
).
to
eql
2
identities_as_hash
=
gl_user
.
identities
.
map
{
|
id
|
{
provider:
id
.
provider
,
extern_uid:
id
.
extern_uid
}
}
expect
(
identities_as_hash
).
to
match_array
([
{
provider:
'ldapmain'
,
extern_uid:
'uid=user1,ou=People,dc=example'
},
...
...
@@ -181,12 +178,6 @@ describe Gitlab::Saml::User, lib: true do
end
end
end
context
'and no corresponding LDAP person'
do
before
{
allow
(
Gitlab
::
LDAP
::
Person
).
to
receive
(
:find_by_uid
).
and_return
(
nil
)
}
include_examples
'to verify compliance with allow_single_sign_on'
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment