Commit 69e95808a49524033e561a3092e5bd6cf7b077b1
Merge branch 'master' into 7-0-stable
Conflicts: CHANGELOG Gemfile Gemfile.lock VERSION app/views/projects/edit.html.haml config.ru config/gitlab.yml.example lib/gitlab/backend/grack_auth.rb lib/gitlab/upgrader.rb
Showing
10 changed files
with
55 additions
and
15 deletions
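--- a/Gemfile
+++ b/Gemfile
@@ -149,6 +149,7 @@ gem "underscore-rails", "~> 1.4.4"
 
 # Sanitize user input
 gem "sanitize", '~> 2.0'
+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
 
 # Protect against bruteforcing
 gem "rack-attack"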
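Review bot: The new `omniauth-env` dependency is pulled from a third-party GitHub repository with no `ref:`, `tag:` or `branch:`, so the Gemfile itself tracks that repository's default branch and only the lockfile's recorded SHA pins what is installed; any `bundle update` re-resolves to whatever that branch holds at the time. Because this gem sits directly in the authentication path (it is registered as a Devise/OmniAuth strategy elsewhere in this commit), pin it to the reviewed revision, e.g. `gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git", ref: "d8d33681dd33c22e7156ab77b34ef7cf3b731fa7"`, or vendor it, and treat upgrades as code review rather than a lockfile refresh.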
Gemfile.lock
1 | +GIT | |
2 | + remote: https://github.com/colab-community/omniauth-env.git | |
3 | + revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7 | |
4 | + specs: | |
5 | + omniauth-env (0.0.1) | |
6 | + gitlab_omniauth-ldap (~> 1.0.3) | |
7 | + omniauth (~> 1.0) | |
8 | + | |
1 | 9 | GEM |
2 | 10 | remote: https://rubygems.org/ |
3 | 11 | specs: |
... | ... | @@ -631,6 +639,7 @@ DEPENDENCIES |
631 | 639 | mysql2 |
632 | 640 | nprogress-rails |
633 | 641 | omniauth (~> 1.1.3) |
642 | + omniauth-env! | |
634 | 643 | omniauth-github |
635 | 644 | omniauth-google-oauth2 |
636 | 645 | omniauth-twitter | ... | ... |
app/controllers/omniauth_callbacks_controller.rb
app/helpers/oauth_helper.rb
... | ... | @@ -11,6 +11,10 @@ module OauthHelper |
11 | 11 | Devise.omniauth_providers |
12 | 12 | end |
13 | 13 | |
14 | + def env_enabled? | |
15 | + Devise.omniauth_providers.include?(:env) | |
16 | + end | |
17 | + | |
14 | 18 | def enabled_social_providers |
15 | 19 | enabled_oauth_providers.select do |name| |
16 | 20 | [:twitter, :github, :google_oauth2].include?(name.to_sym) | ... | ... |
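Review bot: `env_enabled?` answers from `Devise.omniauth_providers.include?(:env)`, while the other new code in this commit (`grack_auth.rb`, `devise.rb`) keys off `Gitlab.config.env.enabled`; the two only agree because devise.rb registers `:env` when that config flag is set, so a reader has to cross-check two files to learn they are the same switch. A one-line comment would make the dependency explicit: `# true once devise.rb has registered the :env provider, i.e. Gitlab.config.env.enabled`. The enclosing `OauthHelper` module begins and ends outside this hunk.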
app/views/devise/sessions/new.html.haml
config/gitlab.yml.example
... | ... | @@ -147,27 +147,29 @@ production: &base |
147 | 147 | # |
148 | 148 | # Ex. ou=People,dc=gitlab,dc=example |
149 | 149 | # |
150 | - base: '' | |
150 | + base: ' ' | |
151 | 151 | |
152 | 152 | # Filter LDAP users |
153 | 153 | # |
154 | 154 | # Format: RFC 4515 |
155 | 155 | # Ex. (employeeType=developer) |
156 | 156 | # |
157 | - user_filter: '' | |
157 | + user_filter: ' ' | |
158 | 158 | |
159 | + env: | |
160 | + enabled: true | |
159 | 161 | |
160 | 162 | ## OmniAuth settings |
161 | 163 | omniauth: |
162 | 164 | # Allow login via Twitter, Google, etc. using OmniAuth providers |
163 | - enabled: false | |
165 | + enabled: true | |
164 | 166 | |
165 | 167 | # CAUTION! |
166 | 168 | # This allows users to login without having a user account first (default: false). |
167 | 169 | # User accounts will be created automatically when authentication was successful. |
168 | - allow_single_sign_on: false | |
170 | + allow_single_sign_on: true | |
169 | 171 | # Locks down those users until they have been cleared by the admin (default: true). |
170 | - block_auto_created_users: true | |
172 | + block_auto_created_users: false | |
171 | 173 | |
172 | 174 | ## Auth providers |
173 | 175 | # Uncomment the following lines and fill in the data of the auth provider you want to use | ... | ... |
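Review bot: The example configuration now ships with `omniauth.enabled: true`, `allow_single_sign_on: true`, `block_auto_created_users: false` and `env.enabled: true`, so anyone who copies the template gets an install that auto-creates and immediately unblocks an account for whatever identity the env provider reports, while the comments on the same lines still state the defaults are false and true respectively. The template should keep the safe values and present the env provider as opt-in: `enabled: false` under `env`, and the original `allow_single_sign_on: false` / `block_auto_created_users: true` under `omniauth`, with a comment that env auth must only be enabled behind a proxy that sets the identity header. Separately, `base` and `user_filter` changed from `''` to `' '`; a single space is not empty to code that tests `.empty?` rather than `.blank?` and is not a valid base DN or filter, so unless something downstream requires a non-empty string this looks accidental and is worth confirming.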
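--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -63,6 +63,9 @@ Settings['omniauth'] ||= Settingslogic.new({})
 Settings.omniauth['enabled'] = false if Settings.omniauth['enabled'].nil?
 Settings.omniauth['providers'] ||= []
 
+Settings['env'] ||= Settingslogic.new({})
+Settings.env['enabled'] = false if Settings.env['enabled'].nil?
+
 Settings['issues_tracker'] ||= {}
 
 #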
config/initializers/devise.rb
... | ... | @@ -208,22 +208,25 @@ Devise.setup do |config| |
208 | 208 | # manager.default_strategies(scope: :user).unshift :some_external_strategy |
209 | 209 | # end |
210 | 210 | |
211 | + ldap_configs = { | |
212 | + host: Gitlab.config.ldap['host'], | |
213 | + base: Gitlab.config.ldap['base'], | |
214 | + uid: Gitlab.config.ldap['uid'], | |
215 | + port: Gitlab.config.ldap['port'], | |
216 | + method: Gitlab.config.ldap['method'], | |
217 | + bind_dn: Gitlab.config.ldap['bind_dn'], | |
218 | + password: Gitlab.config.ldap['password'] | |
219 | + } | |
220 | + | |
211 | 221 | if Gitlab.config.ldap.enabled |
212 | 222 | if Gitlab.config.ldap.allow_username_or_email_login |
213 | 223 | email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')} |
214 | 224 | else |
215 | 225 | email_stripping_proc = ->(name) {name} |
216 | 226 | end |
217 | - | |
218 | - config.omniauth :ldap, | |
219 | - host: Gitlab.config.ldap['host'], | |
220 | - base: Gitlab.config.ldap['base'], | |
221 | - uid: Gitlab.config.ldap['uid'], | |
222 | - port: Gitlab.config.ldap['port'], | |
223 | - method: Gitlab.config.ldap['method'], | |
224 | - bind_dn: Gitlab.config.ldap['bind_dn'], | |
225 | - password: Gitlab.config.ldap['password'], | |
226 | - name_proc: email_stripping_proc | |
227 | + | |
228 | + ldap_configs[:name_proc] = email_stripping_proc | |
229 | + config.omniauth :ldap, ldap_configs | |
227 | 230 | end |
228 | 231 | |
229 | 232 | Gitlab.config.omniauth.providers.each do |provider| |
... | ... | @@ -244,4 +247,5 @@ Devise.setup do |config| |
244 | 247 | |
245 | 248 | config.omniauth provider['name'].to_sym, *provider_arguments |
246 | 249 | end |
250 | + config.omniauth :env, ldap_configs if Gitlab.config.env.enabled | |
247 | 251 | end | ... | ... |
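Review bot: `config.omniauth :env, ldap_configs` at the end of the block registers the env strategy whenever `Gitlab.config.env.enabled` is set, but `ldap_configs` is now built unconditionally from `Gitlab.config.ldap[...]`, so with LDAP disabled the strategy receives a hash of nils for host, base, bind_dn and password and never gets a `name_proc`; the lockfile shows the gem depends on gitlab_omniauth-ldap, which suggests it needs a working LDAP connection to resolve the user. Tie the two flags together so a misconfiguration fails at boot rather than at first login: `config.omniauth :env, ldap_configs if Gitlab.config.env.enabled && Gitlab.config.ldap.enabled`, or `raise "env auth requires ldap.enabled" if Gitlab.config.env.enabled && !Gitlab.config.ldap.enabled`. Handing the LDAP bind password to a second strategy also widens where that secret is held, so it is worth confirming the env strategy actually performs a bind with it. The `Devise.setup` block and the providers loop begin before this hunk.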
lib/gitlab/backend/grack_auth.rb
... | ... | @@ -50,6 +50,15 @@ module Grack |
50 | 50 | Gitlab::ShellEnv.set_env(@user) |
51 | 51 | @env['REMOTE_USER'] = @auth.username |
52 | 52 | end |
53 | + elsif Gitlab.config.env.enabled | |
54 | + return unauthorized unless @env['HTTP_REMOTE_USER'] | |
55 | + @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER']) | |
56 | + return unauthorized unless @user | |
57 | + Gitlab::ShellEnv.set_env(@user) | |
58 | + @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER'] | |
59 | + | |
60 | + else | |
61 | + return unauthorized unless project.public? | |
53 | 62 | end |
54 | 63 | |
55 | 64 | if authorized_request? | ... | ... |
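Review bot: The new `elsif Gitlab.config.env.enabled` branch authenticates git-over-HTTP from `@env['HTTP_REMOTE_USER']`, which is the client-supplied `Remote-User` request header rather than a server-set `REMOTE_USER` variable, so unless a fronting proxy is guaranteed to strip or overwrite that header on every request, any client can impersonate any user whose `extern_uid` for the `env` provider it can guess. Because the branch precedes the `project.public?` fallback, an install with env enabled also rejects anonymous clones of public projects when the header is absent, and an empty header value is truthy in Ruby so it passes the `unless` guard and reaches the lookup. At minimum the header should only be trusted when the request arrives from a configured proxy address and otherwise fall through to the existing unauthorized/public check; the sketch below assumes a setting such as `Gitlab.config.env['trusted_proxies']`, which this commit does not define. The enclosing method starts and ends outside the hunk, and the `if` this `elsif` hangs off is not visible, so whether requests carrying basic-auth credentials bypass this branch cannot be confirmed here.
```ruby
        # … unchanged: basic-auth branch above …
        elsif Gitlab.config.env.enabled &&
              Array(Gitlab.config.env['trusted_proxies']).include?(@env['REMOTE_ADDR'])
          # Only honour Remote-User when a proxy we operate set it.
          remote_user = @env['HTTP_REMOTE_USER']
          return unauthorized if remote_user.blank?
          @user = User.find_by_provider_and_extern_uid('env', remote_user)
          return unauthorized unless @user
          Gitlab::ShellEnv.set_env(@user)
          @env['REMOTE_USER'] = remote_user
        else
          return unauthorized unless project.public?
        end
```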