1 files changed, 117 insertions, 2 deletions

diff --git a/spec/lib/gitlab/omniauth_initializer_spec.rb b/spec/lib/gitlab/omniauth_initializer_spec.rb
index 1c665ec6e18..e12c0f4e78b 100644
--- a/spec/lib/gitlab/omniauth_initializer_spec.rb
+++ b/spec/lib/gitlab/omniauth_initializer_spec.rb
@@ -2,7 +2,9 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::OmniauthInitializer do
+RSpec.describe Gitlab::OmniauthInitializer, feature_category: :system_access do
+  include LoginHelpers
+
   let(:devise_config) { class_double(Devise) }
 
   subject(:initializer) { described_class.new(devise_config) }
@@ -171,7 +173,7 @@ RSpec.describe Gitlab::OmniauthInitializer do
     end
 
     it 'allows "args" array for app_id and app_secret' do
-      legacy_config = { 'name' => 'legacy', 'args' => %w(123 abc) }
+      legacy_config = { 'name' => 'legacy', 'args' => %w[123 abc] }
 
       expect(devise_config).to receive(:omniauth).with(:legacy, '123', 'abc')
 
@@ -224,6 +226,119 @@ RSpec.describe Gitlab::OmniauthInitializer do
       subject.execute([shibboleth_config])
     end
 
+    context 'when SAML providers are configured' do
+      it 'configures default args for a single SAML provider' do
+        stub_omniauth_config(providers: [{ name: 'saml', args: { idp_sso_service_url: 'https://saml.example.com' } }])
+
+        expect(devise_config).to receive(:omniauth).with(
+          :saml,
+          {
+            idp_sso_service_url: 'https://saml.example.com',
+            attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+          }
+        )
+
+        initializer.execute(Gitlab.config.omniauth.providers)
+      end
+
+      context 'when configuration provides matching keys' do
+        before do
+          stub_omniauth_config(
+            providers: [
+              {
+                name: 'saml',
+                args: { idp_sso_service_url: 'https://saml.example.com', attribute_statements: { email: ['custom_attr'] } }
+              }
+            ]
+          )
+        end
+
+        it 'merges arguments with user configuration preference' do
+          expect(devise_config).to receive(:omniauth).with(
+            :saml,
+            {
+              idp_sso_service_url: 'https://saml.example.com',
+              attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+                                                                .merge({ email: ['custom_attr'] })
+            }
+          )
+
+          initializer.execute(Gitlab.config.omniauth.providers)
+        end
+
+        it 'merges arguments with defaults preference when invert_omniauth_args_merging is not enabled' do
+          stub_feature_flags(invert_omniauth_args_merging: false)
+
+          expect(devise_config).to receive(:omniauth).with(
+            :saml,
+            {
+              idp_sso_service_url: 'https://saml.example.com',
+              attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+            }
+          )
+
+          initializer.execute(Gitlab.config.omniauth.providers)
+        end
+      end
+
+      it 'configures defaults args for multiple SAML providers' do
+        stub_omniauth_config(
+          providers: [
+            { name: 'saml', args: { idp_sso_service_url: 'https://saml.example.com' } },
+            {
+              name: 'saml2',
+              args: { strategy_class: 'OmniAuth::Strategies::SAML', idp_sso_service_url: 'https://saml2.example.com' }
+            }
+          ]
+        )
+
+        expect(devise_config).to receive(:omniauth).with(
+          :saml,
+          {
+            idp_sso_service_url: 'https://saml.example.com',
+            attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+          }
+        )
+        expect(devise_config).to receive(:omniauth).with(
+          :saml2,
+          {
+            idp_sso_service_url: 'https://saml2.example.com',
+            strategy_class: OmniAuth::Strategies::SAML,
+            attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+          }
+        )
+
+        initializer.execute(Gitlab.config.omniauth.providers)
+      end
+
+      it 'merges arguments with user configuration preference for custom SAML provider' do
+        stub_omniauth_config(
+          providers: [
+            {
+              name: 'custom_saml',
+              args: {
+                strategy_class: 'OmniAuth::Strategies::SAML',
+                idp_sso_service_url: 'https://saml2.example.com',
+                attribute_statements: { email: ['custom_attr'] }
+              }
+            }
+          ]
+        )
+
+        expect(devise_config).to receive(:omniauth).with(
+          :custom_saml,
+          {
+            idp_sso_service_url: 'https://saml2.example.com',
+            strategy_class: OmniAuth::Strategies::SAML,
+            attribute_statements: ::Gitlab::Auth::Saml::Config.default_attribute_statements
+                                                              .merge({ email: ['custom_attr'] })
+          }
+        )
+
+        initializer.execute(Gitlab.config.omniauth.providers)
+      end
+    end
+
     it 'configures defaults for google_oauth2' do
       google_config = {
         'name' => 'google_oauth2',