summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-06-30 15:42:15 +0000
committerDouwe Maan <douwe@gitlab.com>2016-06-30 15:42:15 +0000
commit5e6342b7ac08b4b37b233cad54f4aeaf0144b977 (patch)
tree846fda82cc1a09464c3099012176038ac2ba7c24
parent293cf09056250c975c2b221f348b629b6d424b71 (diff)
parent10444f61f85219eb6b2c10586996717d3b0afa8b (diff)
downloadgitlab-ce-5e6342b7ac08b4b37b233cad54f4aeaf0144b977.tar.gz
Merge branch '19312-confidential-issue' into 'master'
Fix privilege escalation issue with OAuth external users Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312 This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list. /cc @douwe See merge request !1975
-rw-r--r--doc/integration/omniauth.md12
-rw-r--r--lib/gitlab/o_auth/user.rb2
-rw-r--r--spec/lib/gitlab/o_auth/user_spec.rb17
3 files changed, 24 insertions, 7 deletions
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 820f40f81a9..46b260e7033 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -127,9 +127,15 @@ The chosen OmniAuth provider is now active and can be used to sign in to GitLab
This setting was introduced with version 8.7 of GitLab
You can define which OmniAuth providers you want to be `external` so that all users
-creating accounts via these providers will not be able to have access to internal
-projects. You will need to use the full name of the provider, like `google_oauth2`
-for Google. Refer to the examples for the full names of the supported providers.
+**creating accounts, or logging in via these providers** will not be able to have
+access to internal projects. You will need to use the full name of the provider,
+like `google_oauth2` for Google. Refer to the examples for the full names of the
+supported providers.
+
+>**Note:**
+If you decide to remove an OmniAuth provider from the external providers list
+you will need to manually update the users that use this method to login, if you
+want their accounts to be upgraded to full internal accounts.
**For Omnibus installations**
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index 7af75a9cc4c..0a91d3918d5 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -56,8 +56,6 @@ module Gitlab
if external_provider? && @user
@user.external = true
- elsif @user
- @user.external = false
end
@user
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 6727a83e58a..fbb5895c2ef 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
end
context 'provider was external, now has been removed' do
- it 'should mark existing user internal' do
+ it 'should not mark external user as internal' do
create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
oauth_user.save
expect(gl_user).to be_valid
- expect(gl_user.external).to be_falsey
+ expect(gl_user.external).to be_truthy
+ end
+ end
+
+ context 'provider is not external' do
+ context 'when adding a new OAuth identity' do
+ it 'should not promote an external user to internal' do
+ user = create(:user, email: 'john@mail.com', external: true)
+ user.identities.create(provider: provider, extern_uid: uid)
+
+ oauth_user.save
+ expect(gl_user).to be_valid
+ expect(gl_user.external).to be_truthy
+ end
end
end