oauth/gitlab: Be sure to load all groups

Signed-off-by: Mathieu Le Marec - Pasquet <[email protected]>

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -24,6 +24,22 @@ def google_oauth2
   # Callback for Bitbucket.
   alias bitbucket google_oauth2
 
+  protected
+
+  def github_next(resp)
+    # -> gitlab: x-next-page is in headers, and not empty
+    resp.headers.key?("x-next-page") && \
+      resp.headers["x-next-page"].present?
+  end
+
+  def gitlab_next(resp)
+    # -> github: Link is in headers
+    #            and if we are not on last page, we have a last link
+    resp.headers.key?("Link") && \
+      resp.headers["Link"].include?('rel="last"') && \
+      !resp.headers.key?("x-next-page")
+  end
+
   private
 
   # If user does not exist then ask for username and display_name.
@@ -70,9 +86,8 @@ def check_membership
     when "gitlab"
       if conf["group"].present?
         # Get user's groups.
-        server = conf.fetch("server", "")
-        server = server.presence || "https://gitlab.com"
-        is_member = member_of("#{server}/api/v4/groups") do |g|
+        server = conf.fetch("server", "").presence || "https://gitlab.com"
+        is_member = member_of("#{server}/api/v4/groups", per_page: 100) do |g|
           g["name"] == conf["group"]
         end
         "The Gitlab account isn't in allowed group." unless is_member
@@ -99,11 +114,21 @@ def github_member?(conf)
   end
 
   # Get user's teams and check if one match to restriction.
-  def member_of(url)
+  # This method uses pagination, and the caller can specify
+  # the number of teams per page in the `per_page` parameter.
+  def member_of(url, per_page: nil)
     # Get user's groups.
     token = request.env["omniauth.auth"].credentials["token"]
-    resp = Faraday.get url, access_token: token
-    teams = JSON.parse resp.body
+    teams = []
+    np = 0
+    loop do
+      np += 1
+      resp = Faraday.get url, { page: np, per_page: per_page,
+                                access_token: token }.compact
+      teams.concat JSON.parse resp.body
+      # if no last/next page, we stop iteration
+      break unless gitlab_next(resp) || github_next(resp)
+    end
 
     # Check if the user is member of allowed group.
     !teams.find_all { |t| yield(t) }.empty?

spec/controllers/auth/omniauth_callbacks_controller_spec.rb

@@ -154,6 +154,46 @@
     end
   end
 
+  describe "GET custom #gitlab" do
+    before do
+      APP_CONFIG["oauth"] = { "gitlab" => { "server": "https://gitlab.com",
+                                            "domain" => "", "group" => "" } }
+      OmniAuth.config.add_mock(:gitlab,
+                               provider:    "gitlab",
+                               uid:         "12345",
+                               credentials: { token: "1234567890" },
+                               info:        { email: "[email protected]" })
+      request.env["omniauth.auth"] = OmniAuth.config.mock_auth[:gitlab]
+      create :user, email: "[email protected]"
+    end
+
+    context "CUSTOMGITLAB: with group is setted," do
+      it "when group matches, sign in and redirect to /" do
+        APP_CONFIG["oauth"]["gitlab"]["group"] = "group"
+        VCR.use_cassette "api_gitlab_groups" do
+          get :gitlab
+        end
+        expect(response).to redirect_to authenticated_root_url
+        expect(subject.current_user).not_to eql nil
+      end
+
+      it "when group not match, redirect to /users/sign_in" do
+        APP_CONFIG["oauth"]["gitlab"]["group"] = "wrong_group"
+        VCR.use_cassette "api_gitlab_groups" do
+          get :gitlab
+        end
+        expect(response).to redirect_to new_user_session_url
+        expect(subject.current_user).to be nil
+      end
+    end
+
+    it "when group isn't setted, sign in and redirect to /" do
+      get :gitlab
+      expect(response).to redirect_to authenticated_root_url
+      expect(subject.current_user).not_to eql nil
+    end
+  end
+
   describe "GET #gitlab" do
     before do
       APP_CONFIG["oauth"] = { "gitlab" => { "domain" => "", "group" => "" } }