Empty required_groups results in blocked users getting unblocked.

Summary

Empty required_groups in the SAML OmniAuth provider config results in blocked users getting unblocked.

Steps to reproduce

With a working SAML setup:

  1. Set a user to blocked
  2. Login with that user through SAML
  3. User will be unblocked and logged in

Example Project

N/A

What is the current bug behavior?

When required_groups is not set in the SAML OmniAuth provider config, blocked users are unblocked when they authenticate with a SAML provider.

What is the expected correct behavior?

When required_groups is not set, users are created as documented. "When required_groups is not set or it is empty, anyone with proper authentication will be able to use the service" (https://docs.gitlab.com/ee/integration/saml.html#required-groups). But users are not unblocked automatically.

Relevant logs and/or screenshots

December 14, 2018 13:41: SAML(saml) account "xxxxxxx=" in required group, unblocking GitLab user "User Name" (username@example.com)

Output of checks

Results of GitLab environment info

System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.4.5p335
Gem Version:    2.7.6
Bundler Version:1.16.6
Rake Version:   12.3.1
Redis Version:  3.2.12
Git Version:    2.18.1
Sidekiq Version:5.2.1
Go Version:     unknown

GitLab information
Version:        11.5.1-ee
Revision:       cab68f5
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
DB Version:     9.6.8
URL:            https://gitlab.umich.edu
HTTP Clone URL: https://gitlab.umich.edu/some-group/some-project.git
SSH Clone URL:  git@gitlab.umich.edu:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version:        8.4.1
Repository storage paths:
  • default:    /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 323
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)

Checking GitLab ... Finished

Possible fixes

ee/lib/ee/gitlab/auth/saml/user.rb:13 seems to be responsible.

Edited by Kris Steinhoff
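
The fail-open pattern this report describes, as an added example that is not GitLab's code and not part of the original report: a stand-alone Ruby model in which one membership check drives both "may sign in" and "unblock", next to a variant that only touches block state when required_groups is configured. `User`, `in_required_group?`, `sign_in_reported` and `sign_in_expected` are hypothetical names, and the model assumes that unblocking on a group match is intended when required_groups is set, as the log line in the report suggests.

```ruby
# Simplified stand-alone model of the behaviour described in this report.
# Not GitLab's code: User, in_required_group? and both sign_in_* methods are
# hypothetical names invented for this illustration.
User = Struct.new(:name, :state) do
  def blocked?
    state == :blocked
  end
end

# Membership test that is vacuously true when no groups are required,
# matching the documented "anyone with proper authentication" rule.
def in_required_group?(saml_groups, required_groups)
  required = Array(required_groups)
  required.empty? || !(Array(saml_groups) & required).empty?
end

# Reported behaviour: the membership result also drives block/unblock, so an
# empty required_groups list re-activates any blocked account.
def sign_in_reported(user, saml_groups, required_groups)
  if in_required_group?(saml_groups, required_groups)
    user.state = :active if user.blocked?
  else
    user.state = :blocked
  end
  !user.blocked? # true means the sign-in proceeds
end

# Expected behaviour: block state is only synchronised when required_groups is
# actually configured (assumption: unblocking on a match is intended then);
# with no required groups, a blocked account stays blocked.
def sign_in_expected(user, saml_groups, required_groups)
  unless Array(required_groups).empty?
    if in_required_group?(saml_groups, required_groups)
      user.state = :active if user.blocked?
    else
      user.state = :blocked
    end
  end
  !user.blocked?
end
```
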