Decouple SAML authentication from the default Omniauth logic

3 files changed, 56 insertions, 4 deletions

diff --git a/lib/gitlab/ldap/user.rb b/lib/gitlab/ldap/user.rb
index e044f0ecc6d..b84c81f1a6c 100644
--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -24,6 +24,10 @@ module Gitlab
         update_user_attributes
       end
 
+      def save
+        super('LDAP')
+      end
+
       # instance methods
       def gl_user
         @gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index d87a72f7ba3..675ded92a89 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -26,7 +26,7 @@ module Gitlab
         gl_user.try(:valid?)
       end
 
-      def save
+      def save(provider = 'OAuth')
         unauthorized_to_create unless gl_user
 
         if needs_blocking?
@@ -36,10 +36,10 @@ module Gitlab
           gl_user.save!
         end
 
-        log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
+        log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
         gl_user
       rescue ActiveRecord::RecordInvalid => e
-        log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}"
+        log.info "(#{provider}) Error saving user: #{gl_user.errors.full_messages}"
         return self, e.record.errors
       end
 
@@ -105,7 +105,8 @@ module Gitlab
       end
 
       def signup_enabled?
-        Gitlab.config.omniauth.allow_single_sign_on
+        providers = Gitlab.config.omniauth.allow_single_sign_on
+        providers.include?(auth_hash.provider)
       end
 
       def block_after_signup?
diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb
new file mode 100644
index 00000000000..b1e30110ef5
--- /dev/null
+++ b/lib/gitlab/saml/user.rb
@@ -0,0 +1,47 @@
+# SAML extension for User model
+#
+# * Find GitLab user based on SAML uid and provider
+# * Create new user from SAML data
+#
+module Gitlab
+  module Saml
+    class User < Gitlab::OAuth::User
+
+      def save
+        super('SAML')
+      end
+
+      def gl_user
+        @user ||= find_by_uid_and_provider
+
+        if auto_link_ldap_user?
+          @user ||= find_or_create_ldap_user
+        end
+
+        if auto_link_saml_enabled?
+          @user ||= find_by_email
+        end
+
+        if signup_enabled?
+          @user ||= build_new_user
+        end
+
+        @user
+      end
+
+      def find_by_email
+        if auth_hash.has_email?
+          user = ::User.find_by(email: auth_hash.email.downcase)
+          user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user
+          user
+        end
+      end
+
+      protected
+
+      def auto_link_saml_enabled?
+        Gitlab.config.omniauth.auto_link_saml_user
+      end
+    end
+  end
+end