Diffstat (limited to 'app/controllers/omniauth_callbacks_controller.rb')
-rw-r--r--app/controllers/omniauth_callbacks_controller.rb56
1 files changed, 29 insertions, 27 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 3ed6a69c2d8..bb9d65c9ed6 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -15,15 +15,17 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
error.to_s.humanize if error
end
+ # We only find ourselves here
+ # if the authentication to LDAP was successful.
def ldap
- # We only find ourselves here
- # if the authentication to LDAP was successful.
- @user = Gitlab::LDAP::User.find_or_create(oauth)
- @user.remember_me = true if @user.persisted?
+ @user = Gitlab::LDAP::User.new(oauth)
+ @user.save if @user.changed? # will also save new users
+ gl_user = @user.gl_user
+ gl_user.remember_me = true if @user.persisted?
# Do additional LDAP checks for the user filter and EE features
- if Gitlab::LDAP::Access.allowed?(@user)
- sign_in_and_redirect(@user)
+ if @user.allowed?
+ sign_in_and_redirect(gl_user)
else
flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
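Review bot: The result of `@user.save` in `ldap` is discarded, so a new LDAP user whose record fails validation still reaches `@user.allowed?` and, if that returns true, `sign_in_and_redirect(gl_user)` is called with an unsaved `gl_user`. `handle_omniauth` in this same commit only signs in when `@user.persisted? && @user.valid?`; the LDAP branch should use the same gate, e.g. `if @user.persisted? && @user.allowed?`. Whether `allowed?` already rejects unsaved users is not visible here, so confirm it against `Gitlab::LDAP::User`. The body of `ldap` continues past the end of this hunk.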
@@ -40,32 +42,32 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
def handle_omniauth
if current_user
- # Change a logged-in user's authentication method:
- current_user.extern_uid = oauth['uid']
- current_user.provider = oauth['provider']
- current_user.save
- redirect_to profile_path
+ # Add new authentication method
+ current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])
+ redirect_to profile_account_path, notice: 'Authentication method updated'
else
- @user = Gitlab::OAuth::User.find(oauth)
+ @user = Gitlab::OAuth::User.new(oauth)
+ @user.save
- # Create user if does not exist
- # and allow_single_sign_on is true
- if Gitlab.config.omniauth['allow_single_sign_on'] && !@user
- @user, errors = Gitlab::OAuth::User.create(oauth)
- end
-
- if @user && !errors
- sign_in_and_redirect(@user)
+ # Only allow properly saved users to login.
+ if @user.persisted? && @user.valid?
+ sign_in_and_redirect(@user.gl_user)
else
- if errors
- error_message = errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ")
- redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
- else
- flash[:notice] = "There's no such user!"
- end
- redirect_to new_user_session_path
+ error_message =
+ if @user.gl_user.errors.any?
+ @user.gl_user.errors.map do |attribute, message|
+ "#{attribute} #{message}"
+ end.join(", ")
+ else
+ ''
+ end
+
+ redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
end
end
+ rescue Gitlab::OAuth::ForbiddenAction => e
+ flash[:notice] = e.message
+ redirect_to new_user_session_path
end
def oauth
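Review bot: In the `current_user` branch of `handle_omniauth`, the return value of `current_user.identities.find_or_create_by(...)` is ignored, and the lookup only covers the current user's own identities. If the same `provider`/`extern_uid` pair is already linked to another account, this call either links it a second time or fails validation without any signal (the identity model is not shown), and the user sees 'Authentication method updated' either way. Keep the record, `identity = current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])`, and show the notice only when `identity.persisted?`, with an alert otherwise. A uniqueness constraint on provider plus extern_uid across all users would cover the cross-account case, so that one external login can never resolve to two accounts.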