Merge branch 'master' into 7-0-stable

Conflicts: CHANGELOG Gemfile Gemfile.lock VERSION app/views/projects/edit.html.haml config.ru config/gitlab.yml.example lib/gitlab/backend/grack_auth.rb lib/gitlab/upgrader.rb

Merge branch 'master' into 7-0-stable
Conflicts: CHANGELOG Gemfile Gemfile.lock VERSION app/views/projects/edit.html.haml config.ru config/gitlab.yml.example lib/gitlab/backend/grack_auth.rb lib/gitlab/upgrader.rb
root
2 parents de9bf7da c50a9990
Showing 10 changed files with 55 additions and 15 deletions Show diff stats
Gemfile
Gemfile.lock
app/controllers/omniauth_callbacks_controller.rb
app/helpers/oauth_helper.rb
app/views/devise/sessions/_new_env.html.haml
app/views/devise/sessions/new.html.haml
config/gitlab.yml.example
config/initializers/1_settings.rb
config/initializers/devise.rb
lib/gitlab/backend/grack_auth.rb
@@ -149,6 +149,7 @@ gem &quot;underscore-rails&quot;, &quot;~&gt; 1.4.4&quot;
  
 # Sanitize user input
 gem "sanitize", '~> 2.0'
+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
  
 # Protect against bruteforcing
 gem "rack-attack"
+GIT
+  remote: https://github.com/colab-community/omniauth-env.git
+  revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7
+  specs:
+    omniauth-env (0.0.1)
+      gitlab_omniauth-ldap (~> 1.0.3)
+      omniauth (~> 1.0)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -631,6 +639,7 @@ DEPENDENCIES
   mysql2
   nprogress-rails
   omniauth (~> 1.1.3)
+  omniauth-env!
   omniauth-github
   omniauth-google-oauth2
   omniauth-twitter
@@ -31,6 +31,10 @@ class OmniauthCallbacksController &lt; Devise::OmniauthCallbacksController
     end
   end
  
+  def env
+    handle_omniauth
+  end
+
   private
  
   def handle_omniauth
@@ -11,6 +11,10 @@ module OauthHelper
     Devise.omniauth_providers
   end
  
+  def env_enabled?
+     Devise.omniauth_providers.include?(:env)
+  end
+
   def enabled_social_providers
     enabled_oauth_providers.select do |name|
       [:twitter, :github, :google_oauth2].include?(name.to_sym)
@@ -0,0 +1,2 @@
+%script
+    window.location.href = '/gitlab/users/auth/env'
+= render 'devise/sessions/new_env' if env_enabled?
+
 .login-box
   %h3.page-title Sign in
   - if ldap_enabled? && gitlab_config.signin_enabled
@@ -147,27 +147,29 @@ production: &amp;base
     #
     #   Ex. ou=People,dc=gitlab,dc=example
     #
-    base: ''
+    base: ' '
  
     # Filter LDAP users
     #
     #   Format: RFC 4515
     #   Ex. (employeeType=developer)
     #
-    user_filter: ''
+    user_filter: ' '
  
+  env:
+    enabled: true
  
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers
-    enabled: false
+    enabled: true
  
     # CAUTION!
     # This allows users to login without having a user account first (default: false).
     # User accounts will be created automatically when authentication was successful.
-    allow_single_sign_on: false
+    allow_single_sign_on: true
     # Locks down those users until they have been cleared by the admin (default: true).
-    block_auto_created_users: true
+    block_auto_created_users: false
  
     ## Auth providers
     # Uncomment the following lines and fill in the data of the auth provider you want to use
@@ -63,6 +63,9 @@ Settings[&#39;omniauth&#39;] ||= Settingslogic.new({})
 Settings.omniauth['enabled']      = false if Settings.omniauth['enabled'].nil?
 Settings.omniauth['providers']  ||= []
  
+Settings['env'] ||= Settingslogic.new({})
+Settings.env['enabled'] = false if Settings.env['enabled'].nil?
+
 Settings['issues_tracker']  ||= {}
  
 #
@@ -208,22 +208,25 @@ Devise.setup do |config|
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
  
+  ldap_configs = {
+     host:     Gitlab.config.ldap['host'],
+     base:     Gitlab.config.ldap['base'],
+     uid:      Gitlab.config.ldap['uid'],
+     port:     Gitlab.config.ldap['port'],
+     method:   Gitlab.config.ldap['method'],
+     bind_dn:  Gitlab.config.ldap['bind_dn'],
+     password: Gitlab.config.ldap['password']
+  }
+
   if Gitlab.config.ldap.enabled
     if Gitlab.config.ldap.allow_username_or_email_login
       email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
     else
       email_stripping_proc = ->(name) {name}
     end
-
-    config.omniauth :ldap,
-      host:     Gitlab.config.ldap['host'],
-      base:     Gitlab.config.ldap['base'],
-      uid:      Gitlab.config.ldap['uid'],
-      port:     Gitlab.config.ldap['port'],
-      method:   Gitlab.config.ldap['method'],
-      bind_dn:  Gitlab.config.ldap['bind_dn'],
-      password: Gitlab.config.ldap['password'],
-      name_proc: email_stripping_proc
+    
+    ldap_configs[:name_proc] = email_stripping_proc
+    config.omniauth :ldap, ldap_configs
   end
  
   Gitlab.config.omniauth.providers.each do |provider|
@@ -244,4 +247,5 @@ Devise.setup do |config|
  
     config.omniauth provider['name'].to_sym, *provider_arguments
   end
+  config.omniauth :env, ldap_configs if Gitlab.config.env.enabled
 end
@@ -50,6 +50,15 @@ module Grack
           Gitlab::ShellEnv.set_env(@user)
           @env['REMOTE_USER'] = @auth.username
         end
+      elsif Gitlab.config.env.enabled
+        return unauthorized unless @env['HTTP_REMOTE_USER']
+        @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER'])
+        return unauthorized unless @user
+        Gitlab::ShellEnv.set_env(@user)
+        @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER']
+
+      else
+        return unauthorized unless project.public?
       end
  
       if authorized_request?
...	...	@@ -149,6 +149,7 @@ gem "underscore-rails", "~> 1.4.4"
149	149
150	150	# Sanitize user input
151	151	gem "sanitize", '~> 2.0'
	152	+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
152	153
153	154	# Protect against bruteforcing
154	155	gem "rack-attack"
...	...
	1	+GIT
	2	+ remote: https://github.com/colab-community/omniauth-env.git
	3	+ revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7
	4	+ specs:
	5	+ omniauth-env (0.0.1)
	6	+ gitlab_omniauth-ldap (~> 1.0.3)
	7	+ omniauth (~> 1.0)
	8	+
1	9	GEM
2	10	remote: https://rubygems.org/
3	11	specs:
...	...	@@ -631,6 +639,7 @@ DEPENDENCIES
631	639	mysql2
632	640	nprogress-rails
633	641	omniauth (~> 1.1.3)
	642	+ omniauth-env!
634	643	omniauth-github
635	644	omniauth-google-oauth2
636	645	omniauth-twitter
...	...
...	...	@@ -31,6 +31,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
31	31	end
32	32	end
33	33
	34	+ def env
	35	+ handle_omniauth
	36	+ end
	37	+
34	38	private
35	39
36	40	def handle_omniauth
...	...
...	...	@@ -11,6 +11,10 @@ module OauthHelper
11	11	Devise.omniauth_providers
12	12	end
13	13
	14	+ def env_enabled?
	15	+ Devise.omniauth_providers.include?(:env)
	16	+ end
	17	+
14	18	def enabled_social_providers
15	19	enabled_oauth_providers.select do \|name\|
16	20	[:twitter, :github, :google_oauth2].include?(name.to_sym)
...	...
...	...	@@ -0,0 +1,2 @@
	1	+%script
	2	+ window.location.href = '/gitlab/users/auth/env'
...	...
	1	+= render 'devise/sessions/new_env' if env_enabled?
	2	+
1	3	.login-box
2	4	%h3.page-title Sign in
3	5	- if ldap_enabled? && gitlab_config.signin_enabled
...	...
...	...	@@ -147,27 +147,29 @@ production: &base
147	147	#
148	148	# Ex. ou=People,dc=gitlab,dc=example
149	149	#
150		- base: ''
	150	+ base: ' '
151	151
152	152	# Filter LDAP users
153	153	#
154	154	# Format: RFC 4515
155	155	# Ex. (employeeType=developer)
156	156	#
157		- user_filter: ''
	157	+ user_filter: ' '
158	158
	159	+ env:
	160	+ enabled: true
159	161
160	162	## OmniAuth settings
161	163	omniauth:
162	164	# Allow login via Twitter, Google, etc. using OmniAuth providers
163		- enabled: false
	165	+ enabled: true
164	166
165	167	# CAUTION!
166	168	# This allows users to login without having a user account first (default: false).
167	169	# User accounts will be created automatically when authentication was successful.
168		- allow_single_sign_on: false
	170	+ allow_single_sign_on: true
169	171	# Locks down those users until they have been cleared by the admin (default: true).
170		- block_auto_created_users: true
	172	+ block_auto_created_users: false
171	173
172	174	## Auth providers
173	175	# Uncomment the following lines and fill in the data of the auth provider you want to use
...	...
...	...	@@ -63,6 +63,9 @@ Settings['omniauth'] \|\|= Settingslogic.new({})
63	63	Settings.omniauth['enabled'] = false if Settings.omniauth['enabled'].nil?
64	64	Settings.omniauth['providers'] \|\|= []
65	65
	66	+Settings['env'] \|\|= Settingslogic.new({})
	67	+Settings.env['enabled'] = false if Settings.env['enabled'].nil?
	68	+
66	69	Settings['issues_tracker'] \|\|= {}
67	70
68	71	#
...	...
...	...	@@ -208,22 +208,25 @@ Devise.setup do \|config\|
208	208	# manager.default_strategies(scope: :user).unshift :some_external_strategy
209	209	# end
210	210
	211	+ ldap_configs = {
	212	+ host: Gitlab.config.ldap['host'],
	213	+ base: Gitlab.config.ldap['base'],
	214	+ uid: Gitlab.config.ldap['uid'],
	215	+ port: Gitlab.config.ldap['port'],
	216	+ method: Gitlab.config.ldap['method'],
	217	+ bind_dn: Gitlab.config.ldap['bind_dn'],
	218	+ password: Gitlab.config.ldap['password']
	219	+ }
	220	+
211	221	if Gitlab.config.ldap.enabled
212	222	if Gitlab.config.ldap.allow_username_or_email_login
213	223	email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
214	224	else
215	225	email_stripping_proc = ->(name) {name}
216	226	end
217		-
218		- config.omniauth :ldap,
219		- host: Gitlab.config.ldap['host'],
220		- base: Gitlab.config.ldap['base'],
221		- uid: Gitlab.config.ldap['uid'],
222		- port: Gitlab.config.ldap['port'],
223		- method: Gitlab.config.ldap['method'],
224		- bind_dn: Gitlab.config.ldap['bind_dn'],
225		- password: Gitlab.config.ldap['password'],
226		- name_proc: email_stripping_proc
	227	+
	228	+ ldap_configs[:name_proc] = email_stripping_proc
	229	+ config.omniauth :ldap, ldap_configs
227	230	end
228	231
229	232	Gitlab.config.omniauth.providers.each do \|provider\|
...	...	@@ -244,4 +247,5 @@ Devise.setup do \|config\|
244	247
245	248	config.omniauth provider['name'].to_sym, *provider_arguments
246	249	end
	250	+ config.omniauth :env, ldap_configs if Gitlab.config.env.enabled
247	251	end
...	...
...	...	@@ -50,6 +50,15 @@ module Grack
50	50	Gitlab::ShellEnv.set_env(@user)
51	51	@env['REMOTE_USER'] = @auth.username
52	52	end
	53	+ elsif Gitlab.config.env.enabled
	54	+ return unauthorized unless @env['HTTP_REMOTE_USER']
	55	+ @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER'])
	56	+ return unauthorized unless @user
	57	+ Gitlab::ShellEnv.set_env(@user)
	58	+ @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER']
	59	+
	60	+ else
	61	+ return unauthorized unless project.public?
53	62	end
54	63
55	64	if authorized_request?
...	...