Commit 69e95808a49524033e561a3092e5bd6cf7b077b1

Authored by root
2 parents de9bf7da c50a9990

Merge branch 'master' into 7-0-stable

Conflicts:
	CHANGELOG
	Gemfile
	Gemfile.lock
	VERSION
	app/views/projects/edit.html.haml
	config.ru
	config/gitlab.yml.example
	lib/gitlab/backend/grack_auth.rb
	lib/gitlab/upgrader.rb
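--- a/Gemfile
+++ b/Gemfile
@@ -149,6 +149,7 @@ gem "underscore-rails", "~> 1.4.4"
 
 # Sanitize user input
 gem "sanitize", '~> 2.0'
+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
 
 # Protect against bruteforcing
 gem "rack-attack"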
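Review bot: The added `omniauth-env` line pulls a gem that sits in the login path straight from a git URL with no `ref:` or `tag:`, so the only pin is the revision recorded in Gemfile.lock and a later `bundle update` will follow whatever the remote's default branch holds. Pin it in the Gemfile itself, e.g. `gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git", ref: "d8d33681dd33c22e7156ab77b34ef7cf3b731fa7"`. The line also lands under the `# Sanitize user input` comment, which does not describe it; give it its own comment such as `# Env-based OmniAuth provider`.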
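--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,3 +1,11 @@
+GIT
+ remote: https://github.com/colab-community/omniauth-env.git
+ revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7
+ specs:
+ omniauth-env (0.0.1)
+ gitlab_omniauth-ldap (~> 1.0.3)
+ omniauth (~> 1.0)
+
 GEM
 remote: https://rubygems.org/
 specs:
@@ -631,6 +639,7 @@ DEPENDENCIES
 mysql2
 nprogress-rails
 omniauth (~> 1.1.3)
+ omniauth-env!
 omniauth-github
 omniauth-google-oauth2
 omniauth-twitter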
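--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -31,6 +31,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 end
 end
 
+ def env
+ handle_omniauth
+ end
+
 private
 
 def handle_omniauth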
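Review bot: The new public action is named `env`, which in the Rails releases of this period is, as far as I know, also the controller's accessor for the Rack environment, so defining it here probably shadows that accessor for this controller and its Devise parent. Any inherited code that reads `env[...]` would then call `handle_omniauth` instead; please confirm against the Rails and Devise versions in Gemfile.lock. If the name has to match the provider, add a comment saying so, e.g. `# Callback for the :env OmniAuth provider; shadows the controller's env accessor`. The class body and `handle_omniauth` lie outside the hunk.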
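--- a/app/helpers/oauth_helper.rb
+++ b/app/helpers/oauth_helper.rb
@@ -11,6 +11,10 @@ module OauthHelper
 Devise.omniauth_providers
 end
 
+ def env_enabled?
+ Devise.omniauth_providers.include?(:env)
+ end
+
 def enabled_social_providers
 enabled_oauth_providers.select do |name|
 [:twitter, :github, :google_oauth2].include?(name.to_sym)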
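--- a/app/views/devise/sessions/_new_env.html.haml
+++ b/app/views/devise/sessions/_new_env.html.haml
@@ -0,0 +1,2 @@
+%script
+ window.location.href = '/gitlab/users/auth/env'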
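Review bot: The redirect target `'/gitlab/users/auth/env'` is hard-coded, so it only works when the instance is mounted under `/gitlab`; build it from the route helper instead, e.g. `window.location.href = '#{user_omniauth_authorize_path(:env)}'` (assuming the Devise helper is available in this view). Because new.html.haml renders this partial whenever the provider is enabled, every browser with JavaScript leaves the page before the sign-in form can be used. That leaves no way for a local admin account to log in if the env provider is misconfigured. A visible link or an explicit bypass parameter would be safer than an unconditional redirect.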
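--- a/app/views/devise/sessions/new.html.haml
+++ b/app/views/devise/sessions/new.html.haml
@@ -1,3 +1,5 @@
+= render 'devise/sessions/new_env' if env_enabled?
+
 .login-box
 %h3.page-title Sign in
 - if ldap_enabled? && gitlab_config.signin_enabled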
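--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -147,27 +147,29 @@ production: &base
 #
 # Ex. ou=People,dc=gitlab,dc=example
 #
- base: ''
+ base: ' '
 
 # Filter LDAP users
 #
 # Format: RFC 4515
 # Ex. (employeeType=developer)
 #
- user_filter: ''
+ user_filter: ' '
 
+ env:
+ enabled: true
 
 ## OmniAuth settings
 omniauth:
 # Allow login via Twitter, Google, etc. using OmniAuth providers
- enabled: false
+ enabled: true
 
 # CAUTION!
 # This allows users to login without having a user account first (default: false).
 # User accounts will be created automatically when authentication was successful.
- allow_single_sign_on: false
+ allow_single_sign_on: true
 # Locks down those users until they have been cleared by the admin (default: true).
- block_auto_created_users: true
+ block_auto_created_users: false
 
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use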
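Review bot: The example config now ships with `omniauth.enabled: true`, `allow_single_sign_on: true`, `block_auto_created_users: false` and `env.enabled: true`, which reads like one site's local settings merged into the template rather than intended defaults. Anyone copying this file gets automatically created, unblocked accounts for every successful external login, while the comments beside the values still say `(default: false)` and `(default: true)`. Keep the template at the previous values, set `env:` to `enabled: false`, and add a comment above `env:` stating that the provider relies on a user name supplied by the fronting web server and must only be enabled behind one. The `base: ' '` and `user_filter: ' '` values also differ from the empty strings they replace; if the space is real rather than a rendering artefact, revert it.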
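--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -63,6 +63,9 @@ Settings['omniauth'] ||= Settingslogic.new({})
 Settings.omniauth['enabled'] = false if Settings.omniauth['enabled'].nil?
 Settings.omniauth['providers'] ||= []
 
+Settings['env'] ||= Settingslogic.new({})
+Settings.env['enabled'] = false if Settings.env['enabled'].nil?
+
 Settings['issues_tracker'] ||= {}
 
 #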
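--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -208,22 +208,25 @@ Devise.setup do |config|
 # manager.default_strategies(scope: :user).unshift :some_external_strategy
 # end
 
+ ldap_configs = {
+ host: Gitlab.config.ldap['host'],
+ base: Gitlab.config.ldap['base'],
+ uid: Gitlab.config.ldap['uid'],
+ port: Gitlab.config.ldap['port'],
+ method: Gitlab.config.ldap['method'],
+ bind_dn: Gitlab.config.ldap['bind_dn'],
+ password: Gitlab.config.ldap['password']
+ }
+
 if Gitlab.config.ldap.enabled
 if Gitlab.config.ldap.allow_username_or_email_login
 email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
 else
 email_stripping_proc = ->(name) {name}
 end
-
- config.omniauth :ldap,
- host: Gitlab.config.ldap['host'],
- base: Gitlab.config.ldap['base'],
- uid: Gitlab.config.ldap['uid'],
- port: Gitlab.config.ldap['port'],
- method: Gitlab.config.ldap['method'],
- bind_dn: Gitlab.config.ldap['bind_dn'],
- password: Gitlab.config.ldap['password'],
- name_proc: email_stripping_proc
+
+ ldap_configs[:name_proc] = email_stripping_proc
+ config.omniauth :ldap, ldap_configs
 end
 
 Gitlab.config.omniauth.providers.each do |provider|
@@ -244,4 +247,5 @@ Devise.setup do |config|
 
 config.omniauth provider['name'].to_sym, *provider_arguments
 end
+ config.omniauth :env, ldap_configs if Gitlab.config.env.enabled
 end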
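Review bot: `ldap_configs` is now built outside the `if Gitlab.config.ldap.enabled` guard, and the same hash, including `bind_dn` and `password`, is handed to the `:env` provider in the second hunk. The LDAP settings are therefore read even when LDAP is disabled, and because the hash is mutated in place, `:env` receives `name_proc` only when LDAP happens to be enabled. Pass a copy to the LDAP provider, `config.omniauth :ldap, ldap_configs.merge(name_proc: email_stripping_proc)`, and add a comment on the `:env` line explaining why that provider needs the LDAP bind credentials. The `Devise.setup` block starts outside the hunk.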
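--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -50,6 +50,15 @@ module Grack
 Gitlab::ShellEnv.set_env(@user)
 @env['REMOTE_USER'] = @auth.username
 end
+ elsif Gitlab.config.env.enabled
+ return unauthorized unless @env['HTTP_REMOTE_USER']
+ @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER'])
+ return unauthorized unless @user
+ Gitlab::ShellEnv.set_env(@user)
+ @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER']
+
+ else
+ return unauthorized unless project.public?
 end
 
 if authorized_request?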
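Review bot: The new `elsif` branch authenticates Git-over-HTTP requests from `@env['HTTP_REMOTE_USER']`, which in Rack is the request's `Remote-User` header rather than the server-set `REMOTE_USER` variable, and no password or token is checked on this path. The identity is only as trustworthy as the proxy in front of the application: the proxy has to overwrite or strip any client-supplied `Remote-User` header, and the application must not be reachable except through it. Neither condition is enforced or documented here, so at minimum add a comment above the branch, `# Trusts Remote-User from the fronting proxy; the proxy MUST overwrite this header and be the only route to the app`, and consider rejecting requests that do not arrive from a configured proxy address. The enclosing `if` and method begin outside the hunk and the page has lost indentation, so which condition this `elsif` pairs with cannot be confirmed from here.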