diff options
| author | Nick Thomas <nick@gitlab.com> | 2019-08-26 10:22:34 +0000 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2019-08-26 10:22:34 +0000 |
| commit | 74904116d81903ec854f81421720d9edd6fe9926 (patch) | |
| tree | 4432faeabb2666850f64721323335443d8f7099a | |
| parent | f5fa604c3e6ae3fd6915480b96a3c956cdcfcb8f (diff) | |
| parent | f56c2191a10667783d488eb3415ac2ba2b3f06a3 (diff) | |
| download | gitlab-ce-74904116d81903ec854f81421720d9edd6fe9926.tar.gz | |
Merge branch '66443-unrecoverable-configuration-loop-in-external-auth-control' into 'master'
Resolve "Unrecoverable configuration loop in external auth control"
Closes #66443
See merge request gitlab-org/gitlab-ce!32102
3 files changed, 28 insertions, 1 deletions
diff --git a/app/services/application_settings/update_service.rb b/app/services/application_settings/update_service.rb index 471df6e2d0c..8115585b7a8 100644 --- a/app/services/application_settings/update_service.rb +++ b/app/services/application_settings/update_service.rb @@ -7,7 +7,7 @@ module ApplicationSettings attr_reader :params, :application_setting def execute - validate_classification_label(application_setting, :external_authorization_service_default_label) + validate_classification_label(application_setting, :external_authorization_service_default_label) unless bypass_external_auth? if application_setting.errors.any? return false @@ -59,5 +59,9 @@ module ApplicationSettings Group.find_by_full_path(group_full_path)&.id if group_full_path.present? end + + def bypass_external_auth? + params.key?(:external_authorization_service_enabled) && !Gitlab::Utils.to_boolean(params[:external_authorization_service_enabled]) + end end end diff --git a/changelogs/unreleased/66443-unrecoverable-configuration-loop-in-external-auth-control.yml b/changelogs/unreleased/66443-unrecoverable-configuration-loop-in-external-auth-control.yml new file mode 100644 index 00000000000..ab52e3e5a2c --- /dev/null +++ b/changelogs/unreleased/66443-unrecoverable-configuration-loop-in-external-auth-control.yml @@ -0,0 +1,5 @@ +--- +title: Don't check external authorization when disabling the service +merge_request: 32102 +author: Robert Schilling +type: fixed diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb index adb5219d691..ab06c1a1209 100644 --- a/spec/services/application_settings/update_service_spec.rb +++ b/spec/services/application_settings/update_service_spec.rb @@ -201,6 +201,24 @@ describe ApplicationSettings::UpdateService do enable_external_authorization_service_check end + it 'does not validate labels if external authorization gets disabled' do + expect_any_instance_of(described_class).not_to receive(:validate_classification_label) + + described_class.new(application_settings, admin, { external_authorization_service_enabled: false }).execute + end + + it 'does validate labels if external authorization gets enabled ' do + expect_any_instance_of(described_class).to receive(:validate_classification_label) + + described_class.new(application_settings, admin, { external_authorization_service_enabled: true }).execute + end + + it 'does validate labels if external authorization is left unchanged' do + expect_any_instance_of(described_class).to receive(:validate_classification_label) + + described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute + end + it 'does not save the settings with an error if the service denies access' do expect(::Gitlab::ExternalAuthorization) .to receive(:access_allowed?).with(admin, 'new-label') { false } |