Merge branch '61201-pass-identities-to-external-authorization' into 'master'

Add identity information to external authorization requests

See merge request gitlab-org/gitlab-ce!29461

4 files changed, 41 insertions, 4 deletions

diff --git a/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml
new file mode 100644
index 00000000000..82eea653de6
--- /dev/null
+++ b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml
@@ -0,0 +1,5 @@
+---
+title: Add identity information to external authorization requests
+merge_request: 29461
+author:
+type: changed
diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md
index 11c0867da17..c1aa04f7bc2 100644
--- a/doc/user/admin_area/settings/external_authorization.md
+++ b/doc/user/admin_area/settings/external_authorization.md
@@ -76,13 +76,19 @@ service with this body:
 {
   "user_identifier": "jane@acme.org",
   "project_classification_label": "project-label",
-  "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme"
+  "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme",
+  "identities": [
+    { "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" },
+    { "provider": "bitbucket", "extern_uid": "2435223452345" }
+  ]
 }
 ```
 
 The `user_ldap_dn` is optional and is only sent when the user is logged in
 through LDAP.
 
+`identities` will contain the details of all the identities associated with the user. This will be an empty array if there are no identities associated with the user.
+
 When the external authorization service responds with a status code 200, the
 user is granted access. When the external service responds with a status code
 401 or 403, the user is denied access. In any case, the request is cached for 6 hours.
diff --git a/lib/gitlab/external_authorization/client.rb b/lib/gitlab/external_authorization/client.rb
index 60aab2e7044..7985e6dcf7b 100644
--- a/lib/gitlab/external_authorization/client.rb
+++ b/lib/gitlab/external_authorization/client.rb
@@ -48,7 +48,8 @@ module Gitlab
         @body ||= begin
                     body = {
                       user_identifier: @user.email,
-                      project_classification_label: @label
+                      project_classification_label: @label,
+                      identities: @user.identities.map { |identity| { provider: identity.provider, extern_uid: identity.extern_uid } }
                     }
 
                     if @user.ldap_identity
diff --git a/spec/lib/gitlab/external_authorization/client_spec.rb b/spec/lib/gitlab/external_authorization/client_spec.rb
index fa18c1e56e8..a87f50b4586 100644
--- a/spec/lib/gitlab/external_authorization/client_spec.rb
+++ b/spec/lib/gitlab/external_authorization/client_spec.rb
@@ -19,7 +19,8 @@ describe Gitlab::ExternalAuthorization::Client do
     it 'adds the correct params for the user to the body of the request' do
       expected_body = {
         user_identifier: 'dummy_user@example.com',
-        project_classification_label: 'dummy_label'
+        project_classification_label: 'dummy_label',
+        identities: []
       }.to_json
       expect(Excon).to receive(:post)
                          .with(dummy_url, hash_including(body: expected_body))
@@ -81,10 +82,11 @@ describe Gitlab::ExternalAuthorization::Client do
                provider: 'ldapprovider')
       end
 
-      it 'includes the ldap dn for ldap users' do
+      it 'includes the ldap dn and identities for ldap users' do
         expected_body = {
           user_identifier: 'dummy_user@example.com',
           project_classification_label: 'dummy_label',
+          identities: [{ provider: 'ldapprovider', extern_uid: 'external id' }],
           user_ldap_dn: 'external id'
         }.to_json
         expect(Excon).to receive(:post)
@@ -93,5 +95,28 @@ describe Gitlab::ExternalAuthorization::Client do
         client.request_access
       end
     end
+
+    describe 'for non-ldap users with identities' do
+      before do
+        %w(twitter facebook).each do |provider|
+          create(:identity, provider: provider, extern_uid: "#{provider}_external_id", user: user)
+        end
+      end
+
+      it 'includes all the identities' do
+        expected_body = {
+          user_identifier: 'dummy_user@example.com',
+          project_classification_label: 'dummy_label',
+          identities: [
+            { provider: 'twitter', extern_uid: 'twitter_external_id' },
+            { provider: 'facebook', extern_uid: 'facebook_external_id' }
+          ]
+        }.to_json
+        expect(Excon).to receive(:post)
+                           .with(dummy_url, hash_including(body: expected_body))
+
+        client.request_access
+      end
+    end
   end
 end