authorRobert Speicher <robert@gitlab.com>2016-04-07 00:35:08 +0000
committerRobert Speicher <robert@gitlab.com>2016-04-07 00:35:08 +0000
commit936be025cde7fad6857410ef2cd842f2b1fc2a67 (patch)
treee2dd3aa5623b8a6f112cecaab683e655e2967303 /lib
parent730625f022b1c3b9394cf944f04968a29ac8dc36 (diff)
parent8110e7530902de8744ff985f08938306e2c38367 (diff)
Merge branch 'saml-external-groups' into 'master'
Allow SAML to identify external users and set them as such. Related to #4009. Fixes #14577. This allows SAML to retrieve group information from the `SAML Response` and match that to a setting that will flag all matching users as external. See merge request !3530
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/saml/auth_hash.rb19
-rw-r--r--lib/gitlab/saml/config.rb21
-rw-r--r--lib/gitlab/saml/user.rb26
3 files changed, 64 insertions, 2 deletions
diff --git a/lib/gitlab/saml/auth_hash.rb b/lib/gitlab/saml/auth_hash.rb
new file mode 100644
index 00000000000..32c1c9ec5bb
--- /dev/null
+++ b/lib/gitlab/saml/auth_hash.rb
@@ -0,0 +1,19 @@
+module Gitlab
+ module Saml
+ class AuthHash < Gitlab::OAuth::AuthHash
+
+ def groups
+ get_raw(Gitlab::Saml::Config.groups)
+ end
+
+ private
+
+ def get_raw(key)
+ # Needs to call `all` because of https://git.io/vVo4u
+ # otherwise just the first value is returned
+ auth_hash.extra[:raw_info].all[key]
+ end
+
+ end
+ end
+end
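Review bot: `groups` returns whatever `all[key]` yields, so it is presumably nil when the SAML response carries no attribute under the configured name, or when `groups_attribute` is not set at all. The caller added in lib/gitlab/saml/user.rb intersects this value with the external groups list and then calls `.empty?`, which would raise during sign-in instead of producing a decision. Returning an empty list is safer: `Array(get_raw(Gitlab::Saml::Config.groups))`. A short comment on `groups` stating that it returns the raw attribute values from the response as a list of strings would also help the next reader.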
diff --git a/lib/gitlab/saml/config.rb b/lib/gitlab/saml/config.rb
new file mode 100644
index 00000000000..0f40c00f547
--- /dev/null
+++ b/lib/gitlab/saml/config.rb
@@ -0,0 +1,21 @@
+module Gitlab
+ module Saml
+ class Config
+
+ class << self
+ def options
+ Gitlab.config.omniauth.providers.find { |provider| provider.name == 'saml' }
+ end
+
+ def groups
+ options[:groups_attribute]
+ end
+
+ def external_groups
+ options[:external_groups]
+ end
+ end
+
+ end
+ end
+end
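Review bot: `options` relies on `find`, which returns nil when no provider named 'saml' is configured, and both `groups` and `external_groups` index into that result without a check. `external_groups` is also passed through exactly as configured, while the `&` in lib/gitlab/saml/user.rb needs an Array, so a single string in the settings file would break the comparison. Documenting the contract on the method would make this explicit, for example `# Array of group names; nil disables the external-user check`.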
diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb
index b1e30110ef5..c1072452abe 100644
--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
@@ -18,7 +18,7 @@ module Gitlab
@user ||= find_or_create_ldap_user
end
- if auto_link_saml_enabled?
+ if auto_link_saml_user?
@user ||= find_by_email
end
@@ -26,6 +26,16 @@ module Gitlab
@user ||= build_new_user
end
+ if external_users_enabled?
+ # Check if there is overlap between the user's groups and the external groups
+ # setting then set user as external or internal.
+ if (auth_hash.groups & Gitlab::Saml::Config.external_groups).empty?
+ @user.external = false
+ else
+ @user.external = true
+ end
+ end
+
@user
end
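Review bot: The `@user.external = false` branch runs on every SAML sign-in once `external_groups` is configured, so a user an administrator marked external by hand is switched back to internal whenever the response shows no overlapping group. If `groups` ends up empty because the response omits the attribute, that same branch applies, which is a fail-open default for a flag that restricts access. Consider only raising the flag here, `@user.external = true if (auth_hash.groups & Gitlab::Saml::Config.external_groups).any?`, or state in the comment that SAML is authoritative for this field. The match is exact string equality, so case or whitespace differences between the IdP's group names and the setting would silently leave users internal. The enclosing method begins outside this hunk.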
@@ -37,11 +47,23 @@ module Gitlab
end
end
+ def changed?
+ gl_user.changed? || gl_user.identities.any?(&:changed?)
+ end
+
protected
- def auto_link_saml_enabled?
+ def auto_link_saml_user?
Gitlab.config.omniauth.auto_link_saml_user
end
+
+ def external_users_enabled?
+ !Gitlab::Saml::Config.external_groups.nil?
+ end
+
+ def auth_hash=(auth_hash)
+ @auth_hash = Gitlab::Saml::AuthHash.new(auth_hash)
+ end
end
end
end
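Review bot: `external_users_enabled?` tests only for nil, so a setting of `external_groups: []` counts as enabled, and the external-groups block added earlier in this file then clears the external flag on every SAML sign-in. If an empty list is meant to switch the feature off, test for a non-empty value instead, e.g. `Gitlab::Saml::Config.external_groups.present?` (assuming ActiveSupport is loaded here, as it is elsewhere in a Rails app). `changed?` and `auth_hash=` would each benefit from a one-line comment saying why they are needed; the class body starts outside this hunk.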