authorManoj MJ <mmj@gitlab.com>2019-06-19 06:04:33 +0000
committerJan Provaznik <jprovaznik@gitlab.com>2019-06-19 06:04:33 +0000
commit83163fab43ba6d8262f6adbc8359acbeadf80f46 (patch)
tree375bd038132381db47baa206e9a0cd8843934d45
parent51267258d1c39835c995eaaf29b7df678334ded1 (diff)
downloadgitlab-ce-83163fab43ba6d8262f6adbc8359acbeadf80f46.tar.gz
Adds identity information while making external authorization requests
Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/61201#
-rw-r--r--changelogs/unreleased/61201-pass-identities-to-external-authorization.yml5
-rw-r--r--doc/user/admin_area/settings/external_authorization.md8
-rw-r--r--lib/gitlab/external_authorization/client.rb3
-rw-r--r--spec/lib/gitlab/external_authorization/client_spec.rb29
4 files changed, 41 insertions, 4 deletions
diff --git a/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml
new file mode 100644
index 00000000000..82eea653de6
--- /dev/null
+++ b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml
@@ -0,0 +1,5 @@
+---
+title: Add identity information to external authorization requests
+merge_request: 29461
+author:
+type: changed
diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md
index 11c0867da17..c1aa04f7bc2 100644
--- a/doc/user/admin_area/settings/external_authorization.md
+++ b/doc/user/admin_area/settings/external_authorization.md
@@ -76,13 +76,19 @@ service with this body:
{
"user_identifier": "jane@acme.org",
"project_classification_label": "project-label",
- "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme"
+ "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme",
+ "identities": [
+ { "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" },
+ { "provider": "bitbucket", "extern_uid": "2435223452345" }
+ ]
}
```
The `user_ldap_dn` is optional and is only sent when the user is logged in
through LDAP.
+`identities` will contain the details of all the identities associated with the user. This will be an empty array if there are no identities associated with the user.
+
When the external authorization service responds with a status code 200, the
user is granted access. When the external service responds with a status code
401 or 403, the user is denied access. In any case, the request is cached for 6 hours.
diff --git a/lib/gitlab/external_authorization/client.rb b/lib/gitlab/external_authorization/client.rb
index 60aab2e7044..7985e6dcf7b 100644
--- a/lib/gitlab/external_authorization/client.rb
+++ b/lib/gitlab/external_authorization/client.rb
@@ -48,7 +48,8 @@ module Gitlab
@body ||= begin
body = {
user_identifier: @user.email,
- project_classification_label: @label
+ project_classification_label: @label,
+ identities: @user.identities.map { |identity| { provider: identity.provider, extern_uid: identity.extern_uid } }
}
if @user.ldap_identity
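Review bot: The added `identities:` entry sends every provider and `extern_uid` linked to the account to the external authorization service on each request, and no filter or admin setting is visible in this hunk. Identifiers from providers that play no part in the authorization decision (the documentation example in this commit shows a bitbucket uid) therefore leave the instance. Consider restricting the list to the providers the service needs, or stating the disclosure where the feature is configured. If the behaviour stays as is, a comment above the line would help the next reader, e.g. `# Discloses every linked identity to the external service, not only LDAP`. The enclosing method starts and ends outside the hunk.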
diff --git a/spec/lib/gitlab/external_authorization/client_spec.rb b/spec/lib/gitlab/external_authorization/client_spec.rb
index fa18c1e56e8..a87f50b4586 100644
--- a/spec/lib/gitlab/external_authorization/client_spec.rb
+++ b/spec/lib/gitlab/external_authorization/client_spec.rb
@@ -19,7 +19,8 @@ describe Gitlab::ExternalAuthorization::Client do
it 'adds the correct params for the user to the body of the request' do
expected_body = {
user_identifier: 'dummy_user@example.com',
- project_classification_label: 'dummy_label'
+ project_classification_label: 'dummy_label',
+ identities: []
}.to_json
expect(Excon).to receive(:post)
.with(dummy_url, hash_including(body: expected_body))
@@ -81,10 +82,11 @@ describe Gitlab::ExternalAuthorization::Client do
provider: 'ldapprovider')
end
- it 'includes the ldap dn for ldap users' do
+ it 'includes the ldap dn and identities for ldap users' do
expected_body = {
user_identifier: 'dummy_user@example.com',
project_classification_label: 'dummy_label',
+ identities: [{ provider: 'ldapprovider', extern_uid: 'external id' }],
user_ldap_dn: 'external id'
}.to_json
expect(Excon).to receive(:post)
@@ -93,5 +95,28 @@ describe Gitlab::ExternalAuthorization::Client do
client.request_access
end
end
+
+ describe 'for non-ldap users with identities' do
+ before do
+ %w(twitter facebook).each do |provider|
+ create(:identity, provider: provider, extern_uid: "#{provider}_external_id", user: user)
+ end
+ end
+
+ it 'includes all the identities' do
+ expected_body = {
+ user_identifier: 'dummy_user@example.com',
+ project_classification_label: 'dummy_label',
+ identities: [
+ { provider: 'twitter', extern_uid: 'twitter_external_id' },
+ { provider: 'facebook', extern_uid: 'facebook_external_id' }
+ ]
+ }.to_json
+ expect(Excon).to receive(:post)
+ .with(dummy_url, hash_including(body: expected_body))
+
+ client.request_access
+ end
+ end
end
end
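Review bot: The expectation in 'includes all the identities' compares a serialized JSON string, so it passes only when the identities come back in creation order (twitter, then facebook). The client change in this commit maps `@user.identities` without an explicit order, so the result order depends on the database unless the association defines one elsewhere. Either give the association a defined order in the client or make the assertion order-independent, for example by parsing the posted body and using `match_array` on the `identities` value.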