
Fix user cap evaluation for OAuth and LDAP login

Etienne Baqué requested to merge 338980-oauth-and-user-cap into master

What does this MR do and why?

Related to #353534 (closed)

This MR fixes OAuth sign-up so that a new user is blocked when the related block_auto_created_users config attribute is set to true, regardless of the sign-up user cap.

The key part of the fix is that we were not reading the block_auto_created_users config that matches the login protocol. The two settings we should be reading are:

  • ::Gitlab.config.omniauth.block_auto_created_users which is related to all Omniauth-related connections (see related docs)
  • ::Gitlab::Auth::Ldap::Config.new(provider).block_auto_created_users which is related to connections to a specific LDAP directory (see related docs)

This fix addresses a regression, as mentioned here, that appeared when this fix was released.

Screenshots or screen recordings

Scenario 1 - high user cap, "block_auto_created_users: true" and SAML login -> User is blocked.

::Gitlab.config.omniauth.block_auto_created_users returns true.

video_output-2022-02-23_17.16.02.mkv

Scenario 2 - high user cap, "block_auto_created_users: true" and OAuth Gitlab login -> User is blocked.

::Gitlab.config.omniauth.block_auto_created_users returns true.

video_output-2022-02-23_17.14.30.mkv

Scenario 3 - User cap has been reached, "block_auto_created_users: false" and SAML login -> User is blocked.

::Gitlab.config.omniauth.block_auto_created_users returns false.

video_output-2022-02-23_17.44.36.mkv

Scenario 4 - high user cap, "block_auto_created_users: true" for LDAP, "false" for Omniauth. SAML login -> User is active.

::Gitlab::Auth::Ldap::Config.new(provider).block_auto_created_users returns true while ::Gitlab.config.omniauth.block_auto_created_users returns false.

video_output-2022-03-10_15.05.26.mkv

Scenario 5 - high user cap, "block_auto_created_users: false" for LDAP, "true" for Omniauth. LDAP login -> User is active.

This scenario corresponds specifically to the one described in the issue.

::Gitlab::Auth::Ldap::Config.new(provider).block_auto_created_users returns false while ::Gitlab.config.omniauth.block_auto_created_users returns true.

video_output-2022-02-24_16.03.32.mkv

Scenario 6 - high user cap, "block_auto_created_users: true" for LDAP, "true" for Omniauth. LDAP login -> User is active.

::Gitlab::Auth::Ldap::Config.new(provider).block_auto_created_users and ::Gitlab.config.omniauth.block_auto_created_users both return true.

video_output-2022-03-10_15.10.16.mkv
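The decision described above, as an added example in plain Ruby that is not the MR's own code: a constructed Settings struct stands in for ::Gitlab.config.omniauth and ::Gitlab::Auth::Ldap::Config.new(provider), the user cap numbers are made up, and it assumes LDAP provider names are "ldap" plus the server key (e.g. "ldapmain") while any other name is an Omniauth provider. It reproduces scenarios 1 to 5.

```ruby
# Added example (not GitLab's code): minimal model of the per-protocol
# block_auto_created_users lookup that this MR fixes.
# Assumption: Settings stands in for ::Gitlab.config.omniauth and
# ::Gitlab::Auth::Ldap::Config.new(provider); cap numbers are constructed.
Settings = Struct.new(:omniauth_block, :ldap_block_by_server, :user_cap, :active_users,
                      keyword_init: true)

# Assumption: LDAP providers are named "ldap" + server key, e.g. "ldapmain".
def ldap_provider?(provider)
  provider.to_s.start_with?('ldap')
end

# The fix: read block_auto_created_users from the config matching the protocol,
# never from the other protocol's config.
def block_auto_created_users?(provider, settings)
  if ldap_provider?(provider)
    server = provider.to_s.delete_prefix('ldap') # "ldapmain" -> "main"
    settings.ldap_block_by_server.fetch(server)
  else
    settings.omniauth_block
  end
end

# A nil cap means no cap is configured.
def user_cap_reached?(settings)
  !settings.user_cap.nil? && settings.active_users >= settings.user_cap
end

# State of a freshly auto-created user: blocked when the cap is reached
# or the protocol-specific flag is true, otherwise active.
def new_user_state(provider, settings)
  (user_cap_reached?(settings) || block_auto_created_users?(provider, settings)) ? :blocked : :active
end

# Scenarios 1-5 from the MR description (constructed cap numbers).
def scenarios
  high_cap = { user_cap: 1000, active_users: 3 }
  {
    1 => new_user_state('saml',     Settings.new(omniauth_block: true,  ldap_block_by_server: { 'main' => true },  **high_cap)),
    2 => new_user_state('gitlab',   Settings.new(omniauth_block: true,  ldap_block_by_server: { 'main' => true },  **high_cap)),
    3 => new_user_state('saml',     Settings.new(omniauth_block: false, ldap_block_by_server: { 'main' => false }, user_cap: 3, active_users: 3)),
    4 => new_user_state('saml',     Settings.new(omniauth_block: false, ldap_block_by_server: { 'main' => true },  **high_cap)),
    5 => new_user_state('ldapmain', Settings.new(omniauth_block: true,  ldap_block_by_server: { 'main' => false }, **high_cap))
  }
end
```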

Local setup for testing

Snippet in my local config/gitlab.yml:

development:
  <<: *base
  ldap:
    enabled: true
    servers:
      main:
        label: 'LDAP'
        host: 'gitlab.local'
        port: 10389
        uid: 'uid'
        encryption: 'plain'
        base: 'dc=planetexpress,dc=com'
        block_auto_created_users: true # or false, depending on the scenario.
  omniauth:
    enabled: true
    providers:
    - { name: 'gitlab',
        app_id: '<redacted>',
        app_secret: '<redacted>',
        args: { scope: 'api' } }
    - { name: 'saml',
        label: 'SAML',
        args: {
          assertion_consumer_service_url: 'https://gitlab.local:3443/users/auth/saml/callback',
          idp_cert_fingerprint: '<redacted>',
          idp_sso_target_url: 'http://gitlab.local:8080/simplesaml/saml2/idp/SSOService.php',
          issuer: 'https://gitlab.local:3443',
          name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
        }
      }
    allow_single_sign_on: ['gitlab', 'saml']
    auto_link_saml_user: true
    block_auto_created_users: true # or false depending on the scenario

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #338980 (closed)

Edited by Etienne Baqué
