Merge branch 'master' into 7-0-stable

Conflicts: CHANGELOG Gemfile Gemfile.lock VERSION app/views/projects/edit.html.haml config.ru config/gitlab.yml.example lib/gitlab/backend/grack_auth.rb lib/gitlab/upgrader.rb

Merge branch 'master' into 7-0-stable
Conflicts: CHANGELOG Gemfile Gemfile.lock VERSION app/views/projects/edit.html.haml config.ru config/gitlab.yml.example lib/gitlab/backend/grack_auth.rb lib/gitlab/upgrader.rb
root
2 parents de9bf7da c50a9990
Showing 10 changed files with 55 additions and 15 deletions Show diff stats
Gemfile
Gemfile.lock
app/controllers/omniauth_callbacks_controller.rb
app/helpers/oauth_helper.rb
app/views/devise/sessions/_new_env.html.haml
app/views/devise/sessions/new.html.haml
config/gitlab.yml.example
config/initializers/1_settings.rb
config/initializers/devise.rb
lib/gitlab/backend/grack_auth.rb
@@ -149,6 +149,7 @@ gem &quot;underscore-rails&quot;, &quot;~&gt; 1.4.4&quot;
 # Sanitize user input
 gem "sanitize", '~> 2.0'
+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
 # Protect against bruteforcing
 gem "rack-attack"
+GIT
+  remote: https://github.com/colab-community/omniauth-env.git
+  revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7
+  specs:
+    omniauth-env (0.0.1)
+      gitlab_omniauth-ldap (~> 1.0.3)
+      omniauth (~> 1.0)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -631,6 +639,7 @@ DEPENDENCIES
   mysql2
   nprogress-rails
   omniauth (~> 1.1.3)
+  omniauth-env!
   omniauth-github
   omniauth-google-oauth2
   omniauth-twitter
@@ -31,6 +31,10 @@ class OmniauthCallbacksController &lt; Devise::OmniauthCallbacksController
     end
   end
+  def env
+    handle_omniauth
+  end
+
   private
   def handle_omniauth
@@ -11,6 +11,10 @@ module OauthHelper
     Devise.omniauth_providers
   end
+  def env_enabled?
+     Devise.omniauth_providers.include?(:env)
+  end
+
   def enabled_social_providers
     enabled_oauth_providers.select do |name|
       [:twitter, :github, :google_oauth2].include?(name.to_sym)
@@ -0,0 +1,2 @@
+%script
+    window.location.href = '/gitlab/users/auth/env'
+= render 'devise/sessions/new_env' if env_enabled?
+
 .login-box
   %h3.page-title Sign in
   - if ldap_enabled? && gitlab_config.signin_enabled
@@ -147,27 +147,29 @@ production: &amp;base
     #
     #   Ex. ou=People,dc=gitlab,dc=example
     #
-    base: ''
+    base: ' '
     # Filter LDAP users
     #
     #   Format: RFC 4515
     #   Ex. (employeeType=developer)
     #
-    user_filter: ''
+    user_filter: ' '
+  env:
+    enabled: true
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers
-    enabled: false
+    enabled: true
     # CAUTION!
     # This allows users to login without having a user account first (default: false).
     # User accounts will be created automatically when authentication was successful.
-    allow_single_sign_on: false
+    allow_single_sign_on: true
     # Locks down those users until they have been cleared by the admin (default: true).
-    block_auto_created_users: true
+    block_auto_created_users: false
     ## Auth providers
     # Uncomment the following lines and fill in the data of the auth provider you want to use
@@ -63,6 +63,9 @@ Settings[&#39;omniauth&#39;] ||= Settingslogic.new({})
 Settings.omniauth['enabled']      = false if Settings.omniauth['enabled'].nil?
 Settings.omniauth['providers']  ||= []
+Settings['env'] ||= Settingslogic.new({})
+Settings.env['enabled'] = false if Settings.env['enabled'].nil?
+
 Settings['issues_tracker']  ||= {}
 #
@@ -208,22 +208,25 @@ Devise.setup do |config|
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
+  ldap_configs = {
+     host:     Gitlab.config.ldap['host'],
+     base:     Gitlab.config.ldap['base'],
+     uid:      Gitlab.config.ldap['uid'],
+     port:     Gitlab.config.ldap['port'],
+     method:   Gitlab.config.ldap['method'],
+     bind_dn:  Gitlab.config.ldap['bind_dn'],
+     password: Gitlab.config.ldap['password']
+  }
+
   if Gitlab.config.ldap.enabled
     if Gitlab.config.ldap.allow_username_or_email_login
       email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
     else
       email_stripping_proc = ->(name) {name}
     end
-
-    config.omniauth :ldap,
-      host:     Gitlab.config.ldap['host'],
-      base:     Gitlab.config.ldap['base'],
-      uid:      Gitlab.config.ldap['uid'],
-      port:     Gitlab.config.ldap['port'],
-      method:   Gitlab.config.ldap['method'],
-      bind_dn:  Gitlab.config.ldap['bind_dn'],
-      password: Gitlab.config.ldap['password'],
-      name_proc: email_stripping_proc
+    
+    ldap_configs[:name_proc] = email_stripping_proc
+    config.omniauth :ldap, ldap_configs
   end
   Gitlab.config.omniauth.providers.each do |provider|
@@ -244,4 +247,5 @@ Devise.setup do |config|
     config.omniauth provider['name'].to_sym, *provider_arguments
   end
+  config.omniauth :env, ldap_configs if Gitlab.config.env.enabled
 end
@@ -50,6 +50,15 @@ module Grack
           Gitlab::ShellEnv.set_env(@user)
           @env['REMOTE_USER'] = @auth.username
         end
+      elsif Gitlab.config.env.enabled
+        return unauthorized unless @env['HTTP_REMOTE_USER']
+        @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER'])
+        return unauthorized unless @user
+        Gitlab::ShellEnv.set_env(@user)
+        @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER']
+
+      else
+        return unauthorized unless project.public?
       end
       if authorized_request?
	@@ -149,6 +149,7 @@ gem "underscore-rails", "~> 1.4.4"		@@ -149,6 +149,7 @@ gem "underscore-rails", "~> 1.4.4"
149		149
150	# Sanitize user input	150	# Sanitize user input
151	gem "sanitize", '~> 2.0'	151	gem "sanitize", '~> 2.0'
		152	+gem "omniauth-env", git: "https://github.com/colab-community/omniauth-env.git"
152		153
153	# Protect against bruteforcing	154	# Protect against bruteforcing
154	gem "rack-attack"	155	gem "rack-attack"
		1	+GIT
		2	+ remote: https://github.com/colab-community/omniauth-env.git
		3	+ revision: d8d33681dd33c22e7156ab77b34ef7cf3b731fa7
		4	+ specs:
		5	+ omniauth-env (0.0.1)
		6	+ gitlab_omniauth-ldap (~> 1.0.3)
		7	+ omniauth (~> 1.0)
		8	+
1	GEM	9	GEM
2	remote: https://rubygems.org/	10	remote: https://rubygems.org/
3	specs:	11	specs:
	@@ -631,6 +639,7 @@ DEPENDENCIES		@@ -631,6 +639,7 @@ DEPENDENCIES
631	mysql2	639	mysql2
632	nprogress-rails	640	nprogress-rails
633	omniauth (~> 1.1.3)	641	omniauth (~> 1.1.3)
		642	+ omniauth-env!
634	omniauth-github	643	omniauth-github
635	omniauth-google-oauth2	644	omniauth-google-oauth2
636	omniauth-twitter	645	omniauth-twitter
@@ -0,0 +1,2 @@		@@ -0,0 +1,2 @@
	1	+%script
	2	+ window.location.href = '/gitlab/users/auth/env'
		1	+= render 'devise/sessions/new_env' if env_enabled?
		2	+
1	.login-box	3	.login-box
2	%h3.page-title Sign in	4	%h3.page-title Sign in
3	- if ldap_enabled? && gitlab_config.signin_enabled	5	- if ldap_enabled? && gitlab_config.signin_enabled
	@@ -50,6 +50,15 @@ module Grack		@@ -50,6 +50,15 @@ module Grack
50	Gitlab::ShellEnv.set_env(@user)	50	Gitlab::ShellEnv.set_env(@user)
51	@env['REMOTE_USER'] = @auth.username	51	@env['REMOTE_USER'] = @auth.username
52	end	52	end
		53	+ elsif Gitlab.config.env.enabled
		54	+ return unauthorized unless @env['HTTP_REMOTE_USER']
		55	+ @user = User.find_by_provider_and_extern_uid('env', @env['HTTP_REMOTE_USER'])
		56	+ return unauthorized unless @user
		57	+ Gitlab::ShellEnv.set_env(@user)
		58	+ @env['REMOTE_USER'] = @env['HTTP_REMOTE_USER']
		59	+
		60	+ else
		61	+ return unauthorized unless project.public?
53	end	62	end
54		63
55	if authorized_request?	64	if authorized_request?