Merge branch 'refactor/oauth' of /home/git/repositories/gitlab/gitlabhq

Dmitriy Zaporozhets
2 parents 38cebe03 8e238f42
Showing 13 changed files with 372 additions and 322 deletions Show diff stats
app/controllers/omniauth_callbacks_controller.rb
app/controllers/registrations_controller.rb
app/helpers/profile_helper.rb
app/models/user.rb
app/views/profiles/account.html.haml
lib/gitlab/auth.rb
lib/gitlab/backend/grack_auth.rb
lib/gitlab/backend/grack_ldap.rb
lib/gitlab/ldap/user.rb
lib/gitlab/oauth/user.rb
spec/features/profile_spec.rb
spec/lib/auth_spec.rb
spec/lib/oauth_spec.rb
@@ -16,35 +16,41 @@ class OmniauthCallbacksController &lt; Devise::OmniauthCallbacksController
   end
  
   def ldap
-    # We only find ourselves here if the authentication to LDAP was successful.
-    @user = User.find_for_ldap_auth(request.env["omniauth.auth"], current_user)
-    if @user.persisted?
-      @user.remember_me = true
-    end
-    sign_in_and_redirect @user
+    # We only find ourselves here
+    # if the authentication to LDAP was successful.
+    @user = Gitlab::LDAP::User.find_or_create(oauth)
+    @user.remember_me = true if @user.persisted?
+    sign_in_and_redirect(@user)
   end
  
   private
  
   def handle_omniauth
-    oauth = request.env['omniauth.auth']
-    provider, uid = oauth['provider'], oauth['uid']
-
     if current_user
       # Change a logged-in user's authentication method:
-      current_user.extern_uid = uid
-      current_user.provider = provider
+      current_user.extern_uid = oauth['uid']
+      current_user.provider = oauth['provider']
       current_user.save
       redirect_to profile_path
     else
-      @user = User.find_or_new_for_omniauth(oauth)
+      @user = Gitlab::OAuth::User.find(oauth)
+
+      # Create user if does not exist
+      # and allow_single_sign_on is true
+      if Gitlab.config.omniauth['allow_single_sign_on']
+        @user ||= Gitlab::OAuth::User.create(oauth)
+      end
  
       if @user
-        sign_in_and_redirect @user
+        sign_in_and_redirect(@user)
       else
         flash[:notice] = "There's no such user!"
         redirect_to new_user_session_path
       end
     end
   end
+
+  def oauth
+    @oauth ||= request.env['omniauth.auth']
+  end
 end
@@ -2,9 +2,6 @@ class RegistrationsController &lt; Devise::RegistrationsController
   before_filter :signup_enabled?
  
   def destroy
-    if current_user.owned_projects.count > 0
-      redirect_to account_profile_path, alert: "Remove projects and groups before removing account." and return
-    end
     current_user.destroy
  
     respond_to do |format|
@@ -4,4 +4,16 @@ module ProfileHelper
       'active'
     end
   end
+
+  def show_profile_username_tab?
+    current_user.can_change_username?
+  end
+
+  def show_profile_social_tab?
+    Gitlab.config.omniauth.enabled && !current_user.ldap_user?
+  end
+
+  def show_profile_remove_tab?
+    Gitlab.config.gitlab.signup_enabled && !current_user.ldap_user?
+  end
 end
@@ -159,6 +159,7 @@ class User &lt; ActiveRecord::Base
   scope :not_in_team, ->(team){ where('users.id NOT IN (:ids)', ids: team.member_ids) }
   scope :not_in_project, ->(project) { project.users.present? ? where("id not in (:ids)", ids: project.users.map(&:id) ) : scoped }
   scope :without_projects, -> { where('id NOT IN (SELECT DISTINCT(user_id) FROM users_projects)') }
+  scope :ldap, -> { where(provider:  'ldap') }
  
   scope :potential_team_members, ->(team) { team.members.any? ? active.not_in_team(team) : active  }
  
@@ -186,22 +187,6 @@ class User &lt; ActiveRecord::Base
       end
     end
  
-    def create_from_omniauth(auth, ldap = false)
-      gitlab_auth.create_from_omniauth(auth, ldap)
-    end
-
-    def find_or_new_for_omniauth(auth)
-      gitlab_auth.find_or_new_for_omniauth(auth)
-    end
-
-    def find_for_ldap_auth(auth, signed_in_resource = nil)
-      gitlab_auth.find_for_ldap_auth(auth, signed_in_resource)
-    end
-
-    def gitlab_auth
-      Gitlab::Auth.new
-    end
-
     def search query
       where("name LIKE :query OR email LIKE :query OR username LIKE :query", query: "%#{query}%")
     end
@@ -5,91 +5,128 @@
   - if current_user.ldap_user?
     Some options are unavailable for LDAP accounts
 %hr
-- unless current_user.ldap_user?
-  - if Gitlab.config.omniauth.enabled
-    %fieldset
-      %legend Social Accounts
-      .oauth_select_holder
-        %p.hint Tip: Click on icon to activate signin with one of the following services
-        - enabled_social_providers.each do |provider|
-          %span{class: oauth_active_class(provider) }
-            = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
  
  
-  %fieldset.update-password
-    %legend Password
-    = form_for @user, url: update_password_profile_path, method: :put do |f|
-      .padded
-        %p.slead After a successful password update you will be redirected to login page where you should login with your new password
-        -if @user.errors.any?
-          .alert.alert-error
-            %ul
-              - @user.errors.full_messages.each do |msg|
-                %li= msg
+.row
+  .span2
+    %ul.nav.nav-pills.nav-stacked.nav-stacked-menu
+      %li.active
+        = link_to '#tab-token', 'data-toggle' => 'tab' do
+          Private Token
+      %li
+        = link_to '#tab-password', 'data-toggle' => 'tab' do
+          Password
  
-        .control-group
-          = f.label :password
-          .controls= f.password_field :password, required: true
-        .control-group
-          = f.label :password_confirmation
-          .controls
-            = f.password_field :password_confirmation, required: true
-        .control-group
-          .controls
-            = f.submit 'Save password', class: "btn btn-save"
+      - if show_profile_social_tab?
+        %li
+          = link_to '#tab-social', 'data-toggle' => 'tab' do
+            Social Accounts
  
+      - if show_profile_username_tab?
+        %li
+          = link_to '#tab-username', 'data-toggle' => 'tab' do
+            Change Username
  
+      - if show_profile_remove_tab?
+        %li
+          = link_to '#tab-remove', 'data-toggle' => 'tab' do
+            Remove Account
+  .span10
+    .tab-content
+      .tab-pane.active#tab-token
+        %fieldset.update-token
+          %legend
+            Private token
+            %span.cred.pull-right
+              keep it secret!
+          %div
+            = form_for @user, url: reset_private_token_profile_path, method: :put do |f|
+              .data
+                %p.slead
+                  Your private token is used to access application resources without authentication.
+                  %br
+                  It can be used for atom feeds or the API.
+                %p.cgray
+                  - if current_user.private_token
+                    = text_field_tag "token", current_user.private_token, class: "input-xxlarge large_text input-xpadding"
+                    = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
+                  - else
+                    %span You don`t have one yet. Click generate to fix it.
+                    = f.submit 'Generate', class: "btn success btn-build-token"
  
-%fieldset.update-token
-  %legend
-    Private token
-    %span.cred.pull-right
-      keep it secret!
-  .padded
-    = form_for @user, url: reset_private_token_profile_path, method: :put do |f|
-      .data
-        %p.slead
-          Your private token is used to access application resources without authentication.
-          %br
-          It can be used for atom feeds or the API.
-        %p.cgray
-          - if current_user.private_token
-            = text_field_tag "token", current_user.private_token, class: "input-xxlarge large_text input-xpadding"
-            = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
-          - else
-            %span You don`t have one yet. Click generate to fix it.
-            = f.submit 'Generate', class: "btn success btn-build-token"
+      .tab-pane#tab-password
+        %fieldset.update-password
+          %legend Password
+          = form_for @user, url: update_password_profile_path, method: :put do |f|
+            %div
+              %p.slead After a successful password update you will be redirected to login page where you should login with your new password
+              -if @user.errors.any?
+                .alert.alert-error
+                  %ul
+                    - @user.errors.full_messages.each do |msg|
+                      %li= msg
+              .control-group
+                = f.label :password
+                .controls= f.password_field :password, required: true
+              .control-group
+                = f.label :password_confirmation
+                .controls
+                  = f.password_field :password_confirmation, required: true
+              .control-group
+                .controls
+                  = f.submit 'Save password', class: "btn btn-save"
  
+      - if show_profile_social_tab?
+        .tab-pane#tab-social
+          %fieldset
+            %legend Social Accounts
+            .oauth_select_holder
+              %p.hint Tip: Click on icon to activate signin with one of the following services
+              - enabled_social_providers.each do |provider|
+                %span{class: oauth_active_class(provider) }
+                  = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
  
-- if current_user.can_change_username?
-  %fieldset.update-username
-    %legend
-      Username
-      %small.cred.pull-right
-        Changing your username can have unintended side effects!
-    = form_for @user, url: update_username_profile_path,  method: :put, remote: true do |f|
-      .padded
-        = f.label :username
-        .controls
-          = f.text_field :username, required: true
-          &nbsp;
-          %span.loading-gif.hide= image_tag "ajax_loader.gif"
-          %span.update-success.cgreen.hide
-            %i.icon-ok
-            Saved
-          %span.update-failed.cred.hide
-            %i.icon-remove
-            Failed
-          %ul.cred
-            %li This will change the web URL for personal projects.
-            %li This will change the git path to repositories for personal projects.
-        .controls
-          = f.submit 'Save username', class: "btn btn-save"
+      - if show_profile_username_tab?
+        .tab-pane#tab-username
+          %fieldset.update-username
+            %legend
+              Username
+              %small.cred.pull-right
+                Changing your username can have unintended side effects!
+            = form_for @user, url: update_username_profile_path,  method: :put, remote: true do |f|
+              %div
+              .control-group
+                = f.label :username
+                .controls
+                  = f.text_field :username, required: true
+                  &nbsp;
+                  %span.loading-gif.hide= image_tag "ajax_loader.gif"
+                  %span.update-success.cgreen.hide
+                    %i.icon-ok
+                    Saved
+                  %span.update-failed.cred.hide
+                    %i.icon-remove
+                    Failed
+                  %ul.cred
+                    %li This will change the web URL for personal projects.
+                    %li This will change the git path to repositories for personal projects.
+                .controls
+                  = f.submit 'Save username', class: "btn btn-save"
  
-- if gitlab_config.signup_enabled
-  %fieldset.remove-account
-    %legend
-      Remove account
-      %small.cred.pull-right
-        Before removing the account you must remove all projects!
-    = link_to 'Delete account', user_registration_path, confirm: "REMOVE #{current_user.name}? Are you sure?", method: :delete, class: "btn btn-remove delete-key btn-small pull-right"
+      - if show_profile_remove_tab?
+        .tab-pane#tab-remove
+          %fieldset.remove-account
+            %legend
+              Remove account
+            %div
+              %p Deleting an account has the following effects:
+              %ul
+                %li All user content like authored issues, snippets, comments will be removed
+                - rp = current_user.personal_projects.count
+                - unless rp.zero?
+                  %li #{pluralize rp, 'personal project'} will be removed and cannot be restored
+                - if current_user.solo_owned_groups.present?
+                  %li
+                    Next groups will be abandoned. You should transfer or remove them:
+                    %strong #{current_user.solo_owned_groups.map(&:name).join(', ')}
+              = link_to 'Delete account', user_registration_path, confirm: "REMOVE #{current_user.name}? Are you sure?", method: :delete, class: "btn btn-remove"
@@ -7,97 +7,16 @@ module Gitlab
         # Second chance - try LDAP authentication
         return nil unless ldap_conf.enabled
  
-        ldap_auth(login, password)
+        Gitlab::LDAP::User.authenticate(login, password)
       else
         user if user.valid_password?(password)
       end
     end
  
-    def find_for_ldap_auth(auth, signed_in_resource = nil)
-      uid = auth.info.uid
-      provider = auth.provider
-      email = auth.info.email.downcase unless auth.info.email.nil?
-      raise OmniAuth::Error, "LDAP accounts must provide an uid and email address" if uid.nil? or email.nil?
-
-      if @user = User.find_by_extern_uid_and_provider(uid, provider)
-        @user
-      elsif @user = User.find_by_email(email)
-        log.info "Updating legacy LDAP user #{email} with extern_uid => #{uid}"
-        @user.update_attributes(extern_uid: uid, provider: provider)
-        @user
-      else
-        create_from_omniauth(auth, true)
-      end
-    end
-
-    def create_from_omniauth(auth, ldap = false)
-      provider = auth.provider
-      uid = auth.info.uid || auth.uid
-      uid = uid.to_s.force_encoding("utf-8")
-      name = auth.info.name.to_s.force_encoding("utf-8")
-      email = auth.info.email.to_s.downcase unless auth.info.email.nil?
-
-      ldap_prefix = ldap ? '(LDAP) ' : ''
-      raise OmniAuth::Error, "#{ldap_prefix}#{provider} does not provide an email"\
-        " address" if auth.info.email.blank?
-
-      log.info "#{ldap_prefix}Creating user from #{provider} login"\
-        " {uid => #{uid}, name => #{name}, email => #{email}}"
-      password = Devise.friendly_token[0, 8].downcase
-      @user = User.new({
-        extern_uid: uid,
-        provider: provider,
-        name: name,
-        username: email.match(/^[^@]*/)[0],
-        email: email,
-        password: password,
-        password_confirmation: password,
-      }, as: :admin).with_defaults
-      @user.save!
-
-      if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
-        @user.block
-      end
-
-      @user
-    end
-
-    def find_or_new_for_omniauth(auth)
-      provider, uid = auth.provider, auth.uid
-      email = auth.info.email.downcase unless auth.info.email.nil?
-
-      if @user = User.find_by_provider_and_extern_uid(provider, uid)
-        @user
-      elsif @user = User.find_by_email(email)
-        @user.update_attributes(extern_uid: uid, provider: provider)
-        @user
-      else
-        if Gitlab.config.omniauth['allow_single_sign_on']
-          @user = create_from_omniauth(auth)
-          @user
-        end
-      end
-    end
-
     def log
       Gitlab::AppLogger
     end
  
-    def ldap_auth(login, password)
-      # Check user against LDAP backend if user is not authenticated
-      # Only check with valid login and password to prevent anonymous bind results
-      return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
-
-      ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-      ldap_user = ldap.bind_as(
-        filter: Net::LDAP::Filter.eq(ldap.uid, login),
-        size: 1,
-        password: password
-      )
-
-      User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
-    end
-
     def ldap_conf
       @ldap_conf ||= Gitlab.config.ldap
     end
 require_relative 'shell_env'
-require_relative 'grack_ldap'
 require_relative 'grack_helpers'
  
 module Grack
   class Auth < Rack::Auth::Basic
-    include LDAP
     include Helpers
  
     attr_accessor :user, :project, :ref, :env
@@ -1,24 +0,0 @@
-require 'omniauth-ldap'
-
-module Grack
-  module LDAP
-    def ldap_auth(login, password)
-      # Check user against LDAP backend if user is not authenticated
-      # Only check with valid login and password to prevent anonymous bind results
-      return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
-
-      ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-      ldap_user = ldap.bind_as(
-        filter: Net::LDAP::Filter.eq(ldap.uid, login),
-        size: 1,
-        password: password
-      )
-
-      User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
-    end
-
-    def ldap_conf
-      @ldap_conf ||= Gitlab.config.ldap
-    end
-  end
-end
@@ -0,0 +1,81 @@
+require 'gitlab/oauth/user'
+
+# LDAP extension for User model
+#
+# * Find or create user from omniauth.auth data
+# * Links LDAP account with existing user
+# * Auth LDAP user with login and password
+#
+module Gitlab
+  module LDAP
+    class User < Gitlab::OAuth::User
+      class << self
+        def find_or_create(auth)
+          @auth = auth
+
+          if uid.blank? || email.blank?
+            raise_error("Account must provide an uid and email address")
+          end
+
+          user = find(auth)
+
+          unless user
+            # Look for user with same emails
+            #
+            # Possible cases:
+            # * When user already has account and need to link his LDAP account.
+            # * LDAP uid changed for user with same email and we need to update his uid
+            #
+            user = model.find_by_email(email)
+
+            if user
+              user.update_attributes(extern_uid: uid, provider: provider)
+              log.info("(LDAP) Updating legacy LDAP user #{email} with extern_uid => #{uid}")
+            else
+              # Create a new user inside GitLab database
+              # based on LDAP credentials
+              #
+              #
+              user = create(auth)
+            end
+          end
+
+          user
+        end
+
+        def authenticate(login, password)
+          # Check user against LDAP backend if user is not authenticated
+          # Only check with valid login and password to prevent anonymous bind results
+          return nil unless ldap_conf.enabled && login.present? && password.present?
+
+          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          ldap_user = ldap.bind_as(
+            filter: Net::LDAP::Filter.eq(ldap.uid, login),
+            size: 1,
+            password: password
+          )
+
+          find_by_uid(ldap_user.dn) if ldap_user
+        end
+
+        private
+
+        def find_by_uid(uid)
+          model.where(provider: provider, extern_uid: uid).last
+        end
+
+        def provider
+          'ldap'
+        end
+
+        def raise_error(message)
+          raise OmniAuth::Error, "(LDAP) " + message
+        end
+
+        def ldap_conf
+          Gitlab.config.ldap
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,85 @@
+# OAuth extension for User model
+#
+# * Find GitLab user based on omniauth uid and provider
+# * Create new user from omniauth data
+#
+module Gitlab
+  module OAuth
+    class User
+      class << self
+        attr_reader :auth
+
+        def find(auth)
+          @auth = auth
+          find_by_uid_and_provider
+        end
+
+        def create(auth)
+          @auth = auth
+          password = Devise.friendly_token[0, 8].downcase
+          opts = {
+            extern_uid: uid,
+            provider: provider,
+            name: name,
+            username: username,
+            email: email,
+            password: password,
+            password_confirmation: password,
+          }
+
+          user = model.new(opts, as: :admin).with_defaults
+          user.save!
+          log.info "(OAuth) Creating user #{email} from login with extern_uid => #{uid}"
+
+          if Gitlab.config.omniauth['block_auto_created_users'] && !ldap?
+            user.block
+          end
+
+          user
+        end
+
+        private
+
+        def find_by_uid_and_provider
+          model.where(provider: provider, extern_uid: uid).last
+        end
+
+        def uid
+          auth.info.uid || auth.uid
+        end
+
+        def email
+          auth.info.email.downcase unless auth.info.email.nil?
+        end
+
+        def name
+          auth.info.name.to_s.force_encoding("utf-8")
+        end
+
+        def username
+          email.match(/^[^@]*/)[0]
+        end
+
+        def provider
+          auth.provider
+        end
+
+        def log
+          Gitlab::AppLogger
+        end
+
+        def model
+          ::User
+        end
+
+        def raise_error(message)
+          raise OmniAuth::Error, "(OAuth) " + message
+        end
+
+        def ldap?
+          provider == 'ldap'
+        end
+      end
+    end
+  end
+end
@@ -17,26 +17,12 @@ describe &quot;Profile account page&quot; do
  
     it { page.should have_content("Remove account") }
  
-    it "should delete the account", js: true do
+    it "should delete the account" do
       expect { click_link "Delete account" }.to change {User.count}.by(-1)
       current_path.should == new_user_session_path
     end
   end
  
-  describe "when signup is enabled and user has a project" do
-    before do
-      Gitlab.config.gitlab.stub(:signup_enabled).and_return(true)
-      @project = create(:project, namespace: @user.namespace)
-      @project.team << [@user, :master]
-      visit account_profile_path
-    end
-    it { page.should have_content("Remove account") }
-
-    it "should not allow user to delete the account" do
-      expect { click_link "Delete account" }.not_to change {User.count}.by(-1)
-    end
-  end
-
   describe "when signup is disabled" do
     before do
       Gitlab.config.gitlab.stub(:signup_enabled).and_return(false)
@@ -3,102 +3,26 @@ require &#39;spec_helper&#39;
 describe Gitlab::Auth do
   let(:gl_auth) { Gitlab::Auth.new }
  
-  before do
-    Gitlab.config.stub(omniauth: {})
-
-    @info = mock(
-      uid: '12djsak321',
-      name: 'John',
-      email: 'john@mail.com'
-    )
-  end
-
-  describe :find_for_ldap_auth do
+  describe :find do
     before do
-      @auth = mock(
-        uid: '12djsak321',
-        info: @info,
-        provider: 'ldap'
+      @user = create(
+        :user,
+        username: 'john',
+        password: '888777',
+        password_confirmation: '888777'
       )
     end
  
-    it "should find by uid & provider" do
-      User.should_receive :find_by_extern_uid_and_provider
-      gl_auth.find_for_ldap_auth(@auth)
-    end
-
-    it "should update credentials by email if missing uid" do
-      user = double('User')
-      User.stub find_by_extern_uid_and_provider: nil
-      User.stub find_by_email: user
-      user.should_receive :update_attributes
-      gl_auth.find_for_ldap_auth(@auth)
-    end
-
-
-    it "should create from auth if user does not exist"do
-      User.stub find_by_extern_uid_and_provider: nil
-      User.stub find_by_email: nil
-      gl_auth.should_receive :create_from_omniauth
-      gl_auth.find_for_ldap_auth(@auth)
-    end
-  end
-
-  describe :find_or_new_for_omniauth do
-    before do
-      @auth = mock(
-        info: @info,
-        provider: 'twitter',
-        uid: '12djsak321',
-      )
+    it "should find user by valid login/password" do
+      gl_auth.find('john', '888777').should == @user
     end
  
-    it "should find user"do
-      User.should_receive :find_by_provider_and_extern_uid
-      gl_auth.should_not_receive :create_from_omniauth
-      gl_auth.find_or_new_for_omniauth(@auth)
+    it "should not find user with invalid password" do
+      gl_auth.find('john', 'invalid').should_not == @user
     end
  
-    it "should not create user"do
-      User.stub find_by_provider_and_extern_uid: nil
-      gl_auth.should_not_receive :create_from_omniauth
-      gl_auth.find_or_new_for_omniauth(@auth)
-    end
-
-    it "should create user if single_sing_on"do
-      Gitlab.config.omniauth['allow_single_sign_on'] = true
-      User.stub find_by_provider_and_extern_uid: nil
-      gl_auth.should_receive :create_from_omniauth
-      gl_auth.find_or_new_for_omniauth(@auth)
-    end
-  end
-
-  describe :create_from_omniauth do
-    it "should create user from LDAP" do
-      @auth = mock(info: @info, provider: 'ldap')
-      user = gl_auth.create_from_omniauth(@auth, true)
-
-      user.should be_valid
-      user.extern_uid.should == @info.uid
-      user.provider.should == 'ldap'
-    end
-
-    it "should create user from Omniauth" do
-      @auth = mock(info: @info, provider: 'twitter')
-      user = gl_auth.create_from_omniauth(@auth, false)
-
-      user.should be_valid
-      user.extern_uid.should == @info.uid
-      user.provider.should == 'twitter'
-    end
-
-    it "should apply defaults to user" do
-      @auth = mock(info: @info, provider: 'ldap')
-      user = gl_auth.create_from_omniauth(@auth, true)
-
-      user.should be_valid
-      user.projects_limit.should == Gitlab.config.gitlab.default_projects_limit
-      user.can_create_group.should == Gitlab.config.gitlab.default_can_create_group
+    it "should not find user with invalid login and password" do
+      gl_auth.find('jon', 'invalid').should_not == @user
     end
   end
 end
@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe Gitlab::OAuth::User do
+  let(:gl_auth) { Gitlab::OAuth::User }
+
+  before do
+    Gitlab.config.stub(omniauth: {})
+
+    @info = mock(
+      uid: '12djsak321',
+      name: 'John',
+      email: 'john@mail.com'
+    )
+  end
+
+  describe :create do
+    it "should create user from LDAP" do
+      @auth = mock(info: @info, provider: 'ldap')
+      user = gl_auth.create(@auth)
+
+      user.should be_valid
+      user.extern_uid.should == @info.uid
+      user.provider.should == 'ldap'
+    end
+
+    it "should create user from Omniauth" do
+      @auth = mock(info: @info, provider: 'twitter')
+      user = gl_auth.create(@auth)
+
+      user.should be_valid
+      user.extern_uid.should == @info.uid
+      user.provider.should == 'twitter'
+    end
+
+    it "should apply defaults to user" do
+      @auth = mock(info: @info, provider: 'ldap')
+      user = gl_auth.create(@auth)
+
+      user.should be_valid
+      user.projects_limit.should == Gitlab.config.gitlab.default_projects_limit
+      user.can_create_group.should == Gitlab.config.gitlab.default_can_create_group
+    end
+  end
+end
...	...	@@ -16,35 +16,41 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
16	16	end
17	17
18	18	def ldap
19		- # We only find ourselves here if the authentication to LDAP was successful.
20		- @user = User.find_for_ldap_auth(request.env["omniauth.auth"], current_user)
21		- if @user.persisted?
22		- @user.remember_me = true
23		- end
24		- sign_in_and_redirect @user
	19	+ # We only find ourselves here
	20	+ # if the authentication to LDAP was successful.
	21	+ @user = Gitlab::LDAP::User.find_or_create(oauth)
	22	+ @user.remember_me = true if @user.persisted?
	23	+ sign_in_and_redirect(@user)
25	24	end
26	25
27	26	private
28	27
29	28	def handle_omniauth
30		- oauth = request.env['omniauth.auth']
31		- provider, uid = oauth['provider'], oauth['uid']
32		-
33	29	if current_user
34	30	# Change a logged-in user's authentication method:
35		- current_user.extern_uid = uid
36		- current_user.provider = provider
	31	+ current_user.extern_uid = oauth['uid']
	32	+ current_user.provider = oauth['provider']
37	33	current_user.save
38	34	redirect_to profile_path
39	35	else
40		- @user = User.find_or_new_for_omniauth(oauth)
	36	+ @user = Gitlab::OAuth::User.find(oauth)
	37	+
	38	+ # Create user if does not exist
	39	+ # and allow_single_sign_on is true
	40	+ if Gitlab.config.omniauth['allow_single_sign_on']
	41	+ @user \|\|= Gitlab::OAuth::User.create(oauth)
	42	+ end
41	43
42	44	if @user
43		- sign_in_and_redirect @user
	45	+ sign_in_and_redirect(@user)
44	46	else
45	47	flash[:notice] = "There's no such user!"
46	48	redirect_to new_user_session_path
47	49	end
48	50	end
49	51	end
	52	+
	53	+ def oauth
	54	+ @oauth \|\|= request.env['omniauth.auth']
	55	+ end
50	56	end
...	...
...	...	@@ -2,9 +2,6 @@ class RegistrationsController < Devise::RegistrationsController
2	2	before_filter :signup_enabled?
3	3
4	4	def destroy
5		- if current_user.owned_projects.count > 0
6		- redirect_to account_profile_path, alert: "Remove projects and groups before removing account." and return
7		- end
8	5	current_user.destroy
9	6
10	7	respond_to do \|format\|
...	...
...	...	@@ -4,4 +4,16 @@ module ProfileHelper
4	4	'active'
5	5	end
6	6	end
	7	+
	8	+ def show_profile_username_tab?
	9	+ current_user.can_change_username?
	10	+ end
	11	+
	12	+ def show_profile_social_tab?
	13	+ Gitlab.config.omniauth.enabled && !current_user.ldap_user?
	14	+ end
	15	+
	16	+ def show_profile_remove_tab?
	17	+ Gitlab.config.gitlab.signup_enabled && !current_user.ldap_user?
	18	+ end
7	19	end
...	...
...	...	@@ -159,6 +159,7 @@ class User < ActiveRecord::Base
159	159	scope :not_in_team, ->(team){ where('users.id NOT IN (:ids)', ids: team.member_ids) }
160	160	scope :not_in_project, ->(project) { project.users.present? ? where("id not in (:ids)", ids: project.users.map(&:id) ) : scoped }
161	161	scope :without_projects, -> { where('id NOT IN (SELECT DISTINCT(user_id) FROM users_projects)') }
	162	+ scope :ldap, -> { where(provider: 'ldap') }
162	163
163	164	scope :potential_team_members, ->(team) { team.members.any? ? active.not_in_team(team) : active }
164	165
...	...	@@ -186,22 +187,6 @@ class User < ActiveRecord::Base
186	187	end
187	188	end
188	189
189		- def create_from_omniauth(auth, ldap = false)
190		- gitlab_auth.create_from_omniauth(auth, ldap)
191		- end
192		-
193		- def find_or_new_for_omniauth(auth)
194		- gitlab_auth.find_or_new_for_omniauth(auth)
195		- end
196		-
197		- def find_for_ldap_auth(auth, signed_in_resource = nil)
198		- gitlab_auth.find_for_ldap_auth(auth, signed_in_resource)
199		- end
200		-
201		- def gitlab_auth
202		- Gitlab::Auth.new
203		- end
204		-
205	190	def search query
206	191	where("name LIKE :query OR email LIKE :query OR username LIKE :query", query: "%#{query}%")
207	192	end
...	...
...	...	@@ -5,91 +5,128 @@
5	5	- if current_user.ldap_user?
6	6	Some options are unavailable for LDAP accounts
7	7	%hr
8		-- unless current_user.ldap_user?
9		- - if Gitlab.config.omniauth.enabled
10		- %fieldset
11		- %legend Social Accounts
12		- .oauth_select_holder
13		- %p.hint Tip: Click on icon to activate signin with one of the following services
14		- - enabled_social_providers.each do \|provider\|
15		- %span{class: oauth_active_class(provider) }
16		- = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
17	8
18	9
19		- %fieldset.update-password
20		- %legend Password
21		- = form_for @user, url: update_password_profile_path, method: :put do \|f\|
22		- .padded
23		- %p.slead After a successful password update you will be redirected to login page where you should login with your new password
24		- -if @user.errors.any?
25		- .alert.alert-error
26		- %ul
27		- - @user.errors.full_messages.each do \|msg\|
28		- %li= msg
	10	+.row
	11	+ .span2
	12	+ %ul.nav.nav-pills.nav-stacked.nav-stacked-menu
	13	+ %li.active
	14	+ = link_to '#tab-token', 'data-toggle' => 'tab' do
	15	+ Private Token
	16	+ %li
	17	+ = link_to '#tab-password', 'data-toggle' => 'tab' do
	18	+ Password
29	19
30		- .control-group
31		- = f.label :password
32		- .controls= f.password_field :password, required: true
33		- .control-group
34		- = f.label :password_confirmation
35		- .controls
36		- = f.password_field :password_confirmation, required: true
37		- .control-group
38		- .controls
39		- = f.submit 'Save password', class: "btn btn-save"
	20	+ - if show_profile_social_tab?
	21	+ %li
	22	+ = link_to '#tab-social', 'data-toggle' => 'tab' do
	23	+ Social Accounts
40	24
	25	+ - if show_profile_username_tab?
	26	+ %li
	27	+ = link_to '#tab-username', 'data-toggle' => 'tab' do
	28	+ Change Username
41	29
	30	+ - if show_profile_remove_tab?
	31	+ %li
	32	+ = link_to '#tab-remove', 'data-toggle' => 'tab' do
	33	+ Remove Account
	34	+ .span10
	35	+ .tab-content
	36	+ .tab-pane.active#tab-token
	37	+ %fieldset.update-token
	38	+ %legend
	39	+ Private token
	40	+ %span.cred.pull-right
	41	+ keep it secret!
	42	+ %div
	43	+ = form_for @user, url: reset_private_token_profile_path, method: :put do \|f\|
	44	+ .data
	45	+ %p.slead
	46	+ Your private token is used to access application resources without authentication.
	47	+ %br
	48	+ It can be used for atom feeds or the API.
	49	+ %p.cgray
	50	+ - if current_user.private_token
	51	+ = text_field_tag "token", current_user.private_token, class: "input-xxlarge large_text input-xpadding"
	52	+ = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
	53	+ - else
	54	+ %span You don`t have one yet. Click generate to fix it.
	55	+ = f.submit 'Generate', class: "btn success btn-build-token"
42	56
43		-%fieldset.update-token
44		- %legend
45		- Private token
46		- %span.cred.pull-right
47		- keep it secret!
48		- .padded
49		- = form_for @user, url: reset_private_token_profile_path, method: :put do \|f\|
50		- .data
51		- %p.slead
52		- Your private token is used to access application resources without authentication.
53		- %br
54		- It can be used for atom feeds or the API.
55		- %p.cgray
56		- - if current_user.private_token
57		- = text_field_tag "token", current_user.private_token, class: "input-xxlarge large_text input-xpadding"
58		- = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
59		- - else
60		- %span You don`t have one yet. Click generate to fix it.
61		- = f.submit 'Generate', class: "btn success btn-build-token"
	57	+ .tab-pane#tab-password
	58	+ %fieldset.update-password
	59	+ %legend Password
	60	+ = form_for @user, url: update_password_profile_path, method: :put do \|f\|
	61	+ %div
	62	+ %p.slead After a successful password update you will be redirected to login page where you should login with your new password
	63	+ -if @user.errors.any?
	64	+ .alert.alert-error
	65	+ %ul
	66	+ - @user.errors.full_messages.each do \|msg\|
	67	+ %li= msg
	68	+ .control-group
	69	+ = f.label :password
	70	+ .controls= f.password_field :password, required: true
	71	+ .control-group
	72	+ = f.label :password_confirmation
	73	+ .controls
	74	+ = f.password_field :password_confirmation, required: true
	75	+ .control-group
	76	+ .controls
	77	+ = f.submit 'Save password', class: "btn btn-save"
62	78
	79	+ - if show_profile_social_tab?
	80	+ .tab-pane#tab-social
	81	+ %fieldset
	82	+ %legend Social Accounts
	83	+ .oauth_select_holder
	84	+ %p.hint Tip: Click on icon to activate signin with one of the following services
	85	+ - enabled_social_providers.each do \|provider\|
	86	+ %span{class: oauth_active_class(provider) }
	87	+ = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
63	88
64		-- if current_user.can_change_username?
65		- %fieldset.update-username
66		- %legend
67		- Username
68		- %small.cred.pull-right
69		- Changing your username can have unintended side effects!
70		- = form_for @user, url: update_username_profile_path, method: :put, remote: true do \|f\|
71		- .padded
72		- = f.label :username
73		- .controls
74		- = f.text_field :username, required: true
75		-
76		- %span.loading-gif.hide= image_tag "ajax_loader.gif"
77		- %span.update-success.cgreen.hide
78		- %i.icon-ok
79		- Saved
80		- %span.update-failed.cred.hide
81		- %i.icon-remove
82		- Failed
83		- %ul.cred
84		- %li This will change the web URL for personal projects.
85		- %li This will change the git path to repositories for personal projects.
86		- .controls
87		- = f.submit 'Save username', class: "btn btn-save"
	89	+ - if show_profile_username_tab?
	90	+ .tab-pane#tab-username
	91	+ %fieldset.update-username
	92	+ %legend
	93	+ Username
	94	+ %small.cred.pull-right
	95	+ Changing your username can have unintended side effects!
	96	+ = form_for @user, url: update_username_profile_path, method: :put, remote: true do \|f\|
	97	+ %div
	98	+ .control-group
	99	+ = f.label :username
	100	+ .controls
	101	+ = f.text_field :username, required: true
	102	+
	103	+ %span.loading-gif.hide= image_tag "ajax_loader.gif"
	104	+ %span.update-success.cgreen.hide
	105	+ %i.icon-ok
	106	+ Saved
	107	+ %span.update-failed.cred.hide
	108	+ %i.icon-remove
	109	+ Failed
	110	+ %ul.cred
	111	+ %li This will change the web URL for personal projects.
	112	+ %li This will change the git path to repositories for personal projects.
	113	+ .controls
	114	+ = f.submit 'Save username', class: "btn btn-save"
88	115
89		-- if gitlab_config.signup_enabled
90		- %fieldset.remove-account
91		- %legend
92		- Remove account
93		- %small.cred.pull-right
94		- Before removing the account you must remove all projects!
95		- = link_to 'Delete account', user_registration_path, confirm: "REMOVE #{current_user.name}? Are you sure?", method: :delete, class: "btn btn-remove delete-key btn-small pull-right"
	116	+ - if show_profile_remove_tab?
	117	+ .tab-pane#tab-remove
	118	+ %fieldset.remove-account
	119	+ %legend
	120	+ Remove account
	121	+ %div
	122	+ %p Deleting an account has the following effects:
	123	+ %ul
	124	+ %li All user content like authored issues, snippets, comments will be removed
	125	+ - rp = current_user.personal_projects.count
	126	+ - unless rp.zero?
	127	+ %li #{pluralize rp, 'personal project'} will be removed and cannot be restored
	128	+ - if current_user.solo_owned_groups.present?
	129	+ %li
	130	+ Next groups will be abandoned. You should transfer or remove them:
	131	+ %strong #{current_user.solo_owned_groups.map(&:name).join(', ')}
	132	+ = link_to 'Delete account', user_registration_path, confirm: "REMOVE #{current_user.name}? Are you sure?", method: :delete, class: "btn btn-remove"
...	...
...	...	@@ -7,97 +7,16 @@ module Gitlab
7	7	# Second chance - try LDAP authentication
8	8	return nil unless ldap_conf.enabled
9	9
10		- ldap_auth(login, password)
	10	+ Gitlab::LDAP::User.authenticate(login, password)
11	11	else
12	12	user if user.valid_password?(password)
13	13	end
14	14	end
15	15
16		- def find_for_ldap_auth(auth, signed_in_resource = nil)
17		- uid = auth.info.uid
18		- provider = auth.provider
19		- email = auth.info.email.downcase unless auth.info.email.nil?
20		- raise OmniAuth::Error, "LDAP accounts must provide an uid and email address" if uid.nil? or email.nil?
21		-
22		- if @user = User.find_by_extern_uid_and_provider(uid, provider)
23		- @user
24		- elsif @user = User.find_by_email(email)
25		- log.info "Updating legacy LDAP user #{email} with extern_uid => #{uid}"
26		- @user.update_attributes(extern_uid: uid, provider: provider)
27		- @user
28		- else
29		- create_from_omniauth(auth, true)
30		- end
31		- end
32		-
33		- def create_from_omniauth(auth, ldap = false)
34		- provider = auth.provider
35		- uid = auth.info.uid \|\| auth.uid
36		- uid = uid.to_s.force_encoding("utf-8")
37		- name = auth.info.name.to_s.force_encoding("utf-8")
38		- email = auth.info.email.to_s.downcase unless auth.info.email.nil?
39		-
40		- ldap_prefix = ldap ? '(LDAP) ' : ''
41		- raise OmniAuth::Error, "#{ldap_prefix}#{provider} does not provide an email"\
42		- " address" if auth.info.email.blank?
43		-
44		- log.info "#{ldap_prefix}Creating user from #{provider} login"\
45		- " {uid => #{uid}, name => #{name}, email => #{email}}"
46		- password = Devise.friendly_token[0, 8].downcase
47		- @user = User.new({
48		- extern_uid: uid,
49		- provider: provider,
50		- name: name,
51		- username: email.match(/^[^@]*/)[0],
52		- email: email,
53		- password: password,
54		- password_confirmation: password,
55		- }, as: :admin).with_defaults
56		- @user.save!
57		-
58		- if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
59		- @user.block
60		- end
61		-
62		- @user
63		- end
64		-
65		- def find_or_new_for_omniauth(auth)
66		- provider, uid = auth.provider, auth.uid
67		- email = auth.info.email.downcase unless auth.info.email.nil?
68		-
69		- if @user = User.find_by_provider_and_extern_uid(provider, uid)
70		- @user
71		- elsif @user = User.find_by_email(email)
72		- @user.update_attributes(extern_uid: uid, provider: provider)
73		- @user
74		- else
75		- if Gitlab.config.omniauth['allow_single_sign_on']
76		- @user = create_from_omniauth(auth)
77		- @user
78		- end
79		- end
80		- end
81		-
82	16	def log
83	17	Gitlab::AppLogger
84	18	end
85	19
86		- def ldap_auth(login, password)
87		- # Check user against LDAP backend if user is not authenticated
88		- # Only check with valid login and password to prevent anonymous bind results
89		- return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
90		-
91		- ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
92		- ldap_user = ldap.bind_as(
93		- filter: Net::LDAP::Filter.eq(ldap.uid, login),
94		- size: 1,
95		- password: password
96		- )
97		-
98		- User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
99		- end
100		-
101	20	def ldap_conf
102	21	@ldap_conf \|\|= Gitlab.config.ldap
103	22	end
...	...
1	1	require_relative 'shell_env'
2		-require_relative 'grack_ldap'
3	2	require_relative 'grack_helpers'
4	3
5	4	module Grack
6	5	class Auth < Rack::Auth::Basic
7		- include LDAP
8	6	include Helpers
9	7
10	8	attr_accessor :user, :project, :ref, :env
...	...
...	...	@@ -1,24 +0,0 @@
1		-require 'omniauth-ldap'
2		-
3		-module Grack
4		- module LDAP
5		- def ldap_auth(login, password)
6		- # Check user against LDAP backend if user is not authenticated
7		- # Only check with valid login and password to prevent anonymous bind results
8		- return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
9		-
10		- ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
11		- ldap_user = ldap.bind_as(
12		- filter: Net::LDAP::Filter.eq(ldap.uid, login),
13		- size: 1,
14		- password: password
15		- )
16		-
17		- User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
18		- end
19		-
20		- def ldap_conf
21		- @ldap_conf \|\|= Gitlab.config.ldap
22		- end
23		- end
24		-end
...	...	@@ -0,0 +1,81 @@
	1	+require 'gitlab/oauth/user'
	2	+
	3	+# LDAP extension for User model
	4	+#
	5	+# * Find or create user from omniauth.auth data
	6	+# * Links LDAP account with existing user
	7	+# * Auth LDAP user with login and password
	8	+#
	9	+module Gitlab
	10	+ module LDAP
	11	+ class User < Gitlab::OAuth::User
	12	+ class << self
	13	+ def find_or_create(auth)
	14	+ @auth = auth
	15	+
	16	+ if uid.blank? \|\| email.blank?
	17	+ raise_error("Account must provide an uid and email address")
	18	+ end
	19	+
	20	+ user = find(auth)
	21	+
	22	+ unless user
	23	+ # Look for user with same emails
	24	+ #
	25	+ # Possible cases:
	26	+ # * When user already has account and need to link his LDAP account.
	27	+ # * LDAP uid changed for user with same email and we need to update his uid
	28	+ #
	29	+ user = model.find_by_email(email)
	30	+
	31	+ if user
	32	+ user.update_attributes(extern_uid: uid, provider: provider)
	33	+ log.info("(LDAP) Updating legacy LDAP user #{email} with extern_uid => #{uid}")
	34	+ else
	35	+ # Create a new user inside GitLab database
	36	+ # based on LDAP credentials
	37	+ #
	38	+ #
	39	+ user = create(auth)
	40	+ end
	41	+ end
	42	+
	43	+ user
	44	+ end
	45	+
	46	+ def authenticate(login, password)
	47	+ # Check user against LDAP backend if user is not authenticated
	48	+ # Only check with valid login and password to prevent anonymous bind results
	49	+ return nil unless ldap_conf.enabled && login.present? && password.present?
	50	+
	51	+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
	52	+ ldap_user = ldap.bind_as(
	53	+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
	54	+ size: 1,
	55	+ password: password
	56	+ )
	57	+
	58	+ find_by_uid(ldap_user.dn) if ldap_user
	59	+ end
	60	+
	61	+ private
	62	+
	63	+ def find_by_uid(uid)
	64	+ model.where(provider: provider, extern_uid: uid).last
	65	+ end
	66	+
	67	+ def provider
	68	+ 'ldap'
	69	+ end
	70	+
	71	+ def raise_error(message)
	72	+ raise OmniAuth::Error, "(LDAP) " + message
	73	+ end
	74	+
	75	+ def ldap_conf
	76	+ Gitlab.config.ldap
	77	+ end
	78	+ end
	79	+ end
	80	+ end
	81	+end
...	...
...	...	@@ -0,0 +1,85 @@
	1	+# OAuth extension for User model
	2	+#
	3	+# * Find GitLab user based on omniauth uid and provider
	4	+# * Create new user from omniauth data
	5	+#
	6	+module Gitlab
	7	+ module OAuth
	8	+ class User
	9	+ class << self
	10	+ attr_reader :auth
	11	+
	12	+ def find(auth)
	13	+ @auth = auth
	14	+ find_by_uid_and_provider
	15	+ end
	16	+
	17	+ def create(auth)
	18	+ @auth = auth
	19	+ password = Devise.friendly_token[0, 8].downcase
	20	+ opts = {
	21	+ extern_uid: uid,
	22	+ provider: provider,
	23	+ name: name,
	24	+ username: username,
	25	+ email: email,
	26	+ password: password,
	27	+ password_confirmation: password,
	28	+ }
	29	+
	30	+ user = model.new(opts, as: :admin).with_defaults
	31	+ user.save!
	32	+ log.info "(OAuth) Creating user #{email} from login with extern_uid => #{uid}"
	33	+
	34	+ if Gitlab.config.omniauth['block_auto_created_users'] && !ldap?
	35	+ user.block
	36	+ end
	37	+
	38	+ user
	39	+ end
	40	+
	41	+ private
	42	+
	43	+ def find_by_uid_and_provider
	44	+ model.where(provider: provider, extern_uid: uid).last
	45	+ end
	46	+
	47	+ def uid
	48	+ auth.info.uid \|\| auth.uid
	49	+ end
	50	+
	51	+ def email
	52	+ auth.info.email.downcase unless auth.info.email.nil?
	53	+ end
	54	+
	55	+ def name
	56	+ auth.info.name.to_s.force_encoding("utf-8")
	57	+ end
	58	+
	59	+ def username
	60	+ email.match(/^[^@]*/)[0]
	61	+ end
	62	+
	63	+ def provider
	64	+ auth.provider
	65	+ end
	66	+
	67	+ def log
	68	+ Gitlab::AppLogger
	69	+ end
	70	+
	71	+ def model
	72	+ ::User
	73	+ end
	74	+
	75	+ def raise_error(message)
	76	+ raise OmniAuth::Error, "(OAuth) " + message
	77	+ end
	78	+
	79	+ def ldap?
	80	+ provider == 'ldap'
	81	+ end
	82	+ end
	83	+ end
	84	+ end
	85	+end
...	...