diff options
author | Manoj MJ <mmj@gitlab.com> | 2019-06-19 06:04:33 +0000 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2019-06-19 06:04:33 +0000 |
commit | 83163fab43ba6d8262f6adbc8359acbeadf80f46 (patch) | |
tree | 375bd038132381db47baa206e9a0cd8843934d45 | |
parent | 51267258d1c39835c995eaaf29b7df678334ded1 (diff) | |
download | gitlab-ce-83163fab43ba6d8262f6adbc8359acbeadf80f46.tar.gz |
Adds identity information while making external authorization requests
Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/61201#
4 files changed, 41 insertions, 4 deletions
diff --git a/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml new file mode 100644 index 00000000000..82eea653de6 --- /dev/null +++ b/changelogs/unreleased/61201-pass-identities-to-external-authorization.yml @@ -0,0 +1,5 @@ +--- +title: Add identity information to external authorization requests +merge_request: 29461 +author: +type: changed diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md index 11c0867da17..c1aa04f7bc2 100644 --- a/doc/user/admin_area/settings/external_authorization.md +++ b/doc/user/admin_area/settings/external_authorization.md @@ -76,13 +76,19 @@ service with this body: { "user_identifier": "jane@acme.org", "project_classification_label": "project-label", - "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme" + "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme", + "identities": [ + { "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" }, + { "provider": "bitbucket", "extern_uid": "2435223452345" } + ] } ``` The `user_ldap_dn` is optional and is only sent when the user is logged in through LDAP. +`identities` will contain the details of all the identities associated with the user. This will be an empty array if there are no identities associated with the user. + When the external authorization service responds with a status code 200, the user is granted access. When the external service responds with a status code 401 or 403, the user is denied access. In any case, the request is cached for 6 hours. diff --git a/lib/gitlab/external_authorization/client.rb b/lib/gitlab/external_authorization/client.rb index 60aab2e7044..7985e6dcf7b 100644 --- a/lib/gitlab/external_authorization/client.rb +++ b/lib/gitlab/external_authorization/client.rb @@ -48,7 +48,8 @@ module Gitlab @body ||= begin body = { user_identifier: @user.email, - project_classification_label: @label + project_classification_label: @label, + identities: @user.identities.map { |identity| { provider: identity.provider, extern_uid: identity.extern_uid } } } if @user.ldap_identity diff --git a/spec/lib/gitlab/external_authorization/client_spec.rb b/spec/lib/gitlab/external_authorization/client_spec.rb index fa18c1e56e8..a87f50b4586 100644 --- a/spec/lib/gitlab/external_authorization/client_spec.rb +++ b/spec/lib/gitlab/external_authorization/client_spec.rb @@ -19,7 +19,8 @@ describe Gitlab::ExternalAuthorization::Client do it 'adds the correct params for the user to the body of the request' do expected_body = { user_identifier: 'dummy_user@example.com', - project_classification_label: 'dummy_label' + project_classification_label: 'dummy_label', + identities: [] }.to_json expect(Excon).to receive(:post) .with(dummy_url, hash_including(body: expected_body)) @@ -81,10 +82,11 @@ describe Gitlab::ExternalAuthorization::Client do provider: 'ldapprovider') end - it 'includes the ldap dn for ldap users' do + it 'includes the ldap dn and identities for ldap users' do expected_body = { user_identifier: 'dummy_user@example.com', project_classification_label: 'dummy_label', + identities: [{ provider: 'ldapprovider', extern_uid: 'external id' }], user_ldap_dn: 'external id' }.to_json expect(Excon).to receive(:post) @@ -93,5 +95,28 @@ describe Gitlab::ExternalAuthorization::Client do client.request_access end end + + describe 'for non-ldap users with identities' do + before do + %w(twitter facebook).each do |provider| + create(:identity, provider: provider, extern_uid: "#{provider}_external_id", user: user) + end + end + + it 'includes all the identities' do + expected_body = { + user_identifier: 'dummy_user@example.com', + project_classification_label: 'dummy_label', + identities: [ + { provider: 'twitter', extern_uid: 'twitter_external_id' }, + { provider: 'facebook', extern_uid: 'facebook_external_id' } + ] + }.to_json + expect(Excon).to receive(:post) + .with(dummy_url, hash_including(body: expected_body)) + + client.request_access + end + end end end |