Merge branch 'patope-saml-attribute-statements'

README.md

@@ -916,6 +916,12 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_SAML_ISSUER**: The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`.
 - **OAUTH_SAML_LABEL**: The "Sign in with" button label. Defaults to "Our SAML Provider".
 - **OAUTH_SAML_NAME_IDENTIFIER_FORMAT**: Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
+- **OAUTH_SAML_GROUPS_ATTRIBUTE**: Map groups attribute in a SAMLResponse to external groups. No defaults.
+- **OAUTH_SAML_EXTERNAL_GROUPS**: List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. 
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL**: Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME**: Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME**: Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME**: Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
 - **OAUTH_CROWD_SERVER_URL**: Crowd server url. No defaults.
 - **OAUTH_CROWD_APP_NAME**: Crowd server application name. No defaults.
 - **OAUTH_CROWD_APP_PASSWORD**: Crowd server application password. No defaults.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -373,13 +373,18 @@ production: &base
           app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }
       - { name: 'saml',
           label: '{{OAUTH_SAML_LABEL}}',
-          groups_attribute: 'Groups',
-          external_groups: ['Contractors', 'Freelancers'],
+          groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}',
+          external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}],
           args: {
                   assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
                   idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
                   idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
                   issuer: '{{OAUTH_SAML_ISSUER}}',
+                  attribute_statements: { 
+                    first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],
+                    last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],
+                    name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],
+                    email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] },
                   name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }
       - { name: 'crowd',
           args: {

assets/runtime/env-defaults

@@ -273,6 +273,12 @@ OAUTH_SAML_LABEL=${OAUTH_SAML_LABEL:-'Our SAML Provider'}
 OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}
 OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}
 OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}
+OAUTH_SAML_GROUPS_ATTRIBUTE=${OAUTH_SAML_GROUPS_ATTRIBUTE:-}
+OAUTH_SAML_EXTERNAL_GROUPS=${OAUTH_SAML_EXTERNAL_GROUPS:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:-}
 
 ### CAS3
 OAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3}

assets/runtime/functions

@@ -514,6 +514,23 @@ gitlab_configure_oauth_bitbucket() {
   fi
 }
 
+gitlab_configure_oauth_saml_attribute_statements() {
+  if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} && \
+        -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME} ]]; then
+    echo "Configuring gitlab::oauth::saml::attribute_statements..."
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
+      OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
+      OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
+      OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
+    # Remove undefined optional attributes
+    exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
+    exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
+  else
+    exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth_saml() {
   if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
         -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
@@ -528,7 +545,12 @@ gitlab_configure_oauth_saml() {
       OAUTH_SAML_IDP_CERT_FINGERPRINT \
       OAUTH_SAML_IDP_SSO_TARGET_URL \
       OAUTH_SAML_ISSUER \
-      OAUTH_SAML_NAME_IDENTIFIER_FORMAT
+      OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
+      OAUTH_SAML_GROUPS_ATTRIBUTE \
+      OAUTH_SAML_EXTERNAL_GROUPS
+    exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
+    exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
+    gitlab_configure_oauth_saml_attribute_statements
   else
     exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
   fi