Skip to content

Activate user upon SAML sign in

Etienne Baqué requested to merge 338980-saml-blocked-on-sign-in into master

What does this MR do and why?

This MR updates the find_user method in EE::Gitlab::Auth::Saml::User so that we can activate potentially blocked SAML users if the sign up user cap has not been reached yet.

This activation is already initially done in this worker following the creation a User. However, as outlined by the related issue, this async process led to a race condition which created some confusion around the real state of the user, after SAML sign up (see analysis here)

Because of this confusion, there's value in doing this activation synchronously. In that regards, this MR mainly does two things:

  • it extracts logic from the worker into EE::User.
  • it leverages that logic in the related EE SAML module.

If the new user is activated as part of this find_user method in the SAML module, then the perform_async of this worker is skipped.

Screenshots or screen recordings

video_capture-2021-11-09_16.17.03.mkv

How to set up and validate locally

  1. Setup
  2. Go to the login page, you should see a button for authentication via SAML. Click on it.
  3. If you're using test-saml-idp as mentioned above, user is user1, password is user1pass.
  4. Upon submission, you should be logged in right away.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #338980 (closed)

Edited by Etienne Baqué

Merge request reports

Loading