Adjust the SAML control flow to allow LDAP identities to be added to an existing SAML user.

author: Patricio Cano <suprnova32@gmail.com> 2016-06-06 18:47:49 -0500
committer: Patricio Cano <suprnova32@gmail.com> 2016-06-06 18:47:49 -0500
commit: 7038440e342a521807b1e5ffb6d47d4c0b13048d (patch)
tree: b22cdf0ac390d0ccec2ddee46ad351d62175a993
parent: 740a6ecba07a056fca481622b4fa89939c225987 (diff)
download: gitlab-ce-7038440e342a521807b1e5ffb6d47d4c0b13048d.tar.gz
3 files changed, 46 insertions, 3 deletions
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index 356e96fcbab..268ee115028 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -96,7 +96,7 @@ module Gitlab
         # Look for a corresponding person with same uid in any of the configured LDAP providers
         Gitlab::LDAP::Config.providers.each do |provider|
           adapter = Gitlab::LDAP::Adapter.new(provider)
-          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
+          @ldap_person = Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
           break if @ldap_person
         end
         @ldap_person
diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb
index dba4bbfc899..6f7d4825ae5 100644
--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
@@ -12,12 +12,12 @@ module Gitlab
       end
 
       def gl_user
-        @user ||= find_by_uid_and_provider
-
         if auto_link_ldap_user?
           @user ||= find_or_create_ldap_user
         end
 
+        @user ||= find_by_uid_and_provider
+
         if auto_link_saml_user?
           @user ||= find_by_email
         end
@@ -62,6 +62,30 @@ module Gitlab
         !Gitlab::Saml::Config.external_groups.nil?
       end
 
+      def find_or_create_ldap_user
+        return unless ldap_person
+
+        # If a corresponding person exists with same uid in a LDAP server,
+        # check if the user already has a GitLab account
+        user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
+        if user
+          # Case when a LDAP user already exists in Gitlab. Add the SAML identity to existing account.
+          user.identities.build(extern_uid: auth_hash.uid, provider: auth_hash.provider)
+        else
+          # No account found using LDAP in Gitlab yet: check if there is a SAML account with
+          # the passed uid and provider
+          user = find_by_uid_and_provider
+          if user.nil?
+            # No SAML account found, build a new user.
+            user = build_new_user
+          end
+          # Correct account is present, add the LDAP Identity to the user.
+          user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)
+        end
+
+        user
+      end
+
       def auth_hash=(auth_hash)
         @auth_hash = Gitlab::Saml::AuthHash.new(auth_hash)
       end
diff --git a/spec/lib/gitlab/saml/user_spec.rb b/spec/lib/gitlab/saml/user_spec.rb
index c2a51d9249c..f0a17244ff6 100644
--- a/spec/lib/gitlab/saml/user_spec.rb
+++ b/spec/lib/gitlab/saml/user_spec.rb
@@ -145,6 +145,7 @@ describe Gitlab::Saml::User, lib: true do
               allow(ldap_user).to receive(:email) { %w(john@mail.com john2@example.com) }
               allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' }
               allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user)
+              allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(ldap_user)
             end
 
             context 'and no account for the LDAP user' do
@@ -177,6 +178,24 @@ describe Gitlab::Saml::User, lib: true do
                                                           ])
               end
             end
+
+            context 'user has SAML user, and wants to add their LDAP identity' do
+              it 'adds the LDAP identity to the existing SAML user' do
+                create(:omniauth_user, email: 'john@mail.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'saml', username: 'john')
+                local_hash = OmniAuth::AuthHash.new(uid: 'uid=user1,ou=People,dc=example', provider: provider, info: info_hash, extra: { raw_info: OneLogin::RubySaml::Attributes.new({ 'groups' => %w(Developers Freelancers Designers) }) })
+                local_saml_user = described_class.new(local_hash)
+
+                local_saml_user.save
+                local_gl_user = local_saml_user.gl_user
+                expect(local_gl_user).to be_valid
+                expect(local_gl_user.identities.length).to eql 2
+                identities_as_hash = local_gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } }
+                expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' },
+                                                            { provider: 'saml', extern_uid: 'uid=user1,ou=People,dc=example' }
+                                                          ])
+              end
+
+            end
           end
         end
       end
author	Patricio Cano <suprnova32@gmail.com>	2016-06-06 18:47:49 -0500
committer	Patricio Cano <suprnova32@gmail.com>	2016-06-06 18:47:49 -0500
commit	7038440e342a521807b1e5ffb6d47d4c0b13048d (patch)
tree	b22cdf0ac390d0ccec2ddee46ad351d62175a993
parent	740a6ecba07a056fca481622b4fa89939c225987 (diff)
download	gitlab-ce-7038440e342a521807b1e5ffb6d47d4c0b13048d.tar.gz