summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2015-06-02 08:50:54 +0000
committerDouwe Maan <douwe@gitlab.com>2015-06-02 08:50:54 +0000
commitd99637bf69bde4fb5717c80a896302c6dda104a8 (patch)
tree3d58a793c1677e21a5f5cf30caa881368c58ce8c
parent76ae871908b83c9de9fb05f6cf491153209a79d4 (diff)
parent5491f6fbdeeff35589ef5b6f0aa3264a77e9aa36 (diff)
downloadgitlab-ce-d99637bf69bde4fb5717c80a896302c6dda104a8.tar.gz
Merge branch 'feature/sso_integration' into 'master'
Add an option to automatically sign-in with an Omniauth provider Split of !669 as requested This is useful when integrating with existing SSO environments and we want to use a single Omniauth provider for all user authentication. See merge request !723
-rw-r--r--CHANGELOG1
-rw-r--r--app/controllers/sessions_controller.rb16
-rw-r--r--config/gitlab.yml.example4
-rw-r--r--config/initializers/1_settings.rb2
-rw-r--r--config/initializers/7_omniauth.rb2
5 files changed, 25 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 61e9084a39e..699824e9af4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -37,6 +37,7 @@ v 7.12.0 (unreleased)
- User has ability to leave project
- Add SAML support as an omniauth provider
- Allow to configure a URL to show after sign out
+ - Add an option to automatically sign-in with an Omniauth provider
v 7.11.4
- Fix missing bullets when creating lists
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b89b4c27350..4d976fe6630 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -2,6 +2,7 @@ class SessionsController < Devise::SessionsController
include AuthenticatesWithTwoFactor
prepend_before_action :authenticate_with_two_factor, only: [:create]
+ before_action :auto_sign_in_with_provider, only: [:new]
def new
redirect_path =
@@ -75,6 +76,21 @@ class SessionsController < Devise::SessionsController
end
end
+ def auto_sign_in_with_provider
+ provider = Gitlab.config.omniauth.auto_sign_in_with_provider
+ return unless provider.present?
+
+ # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
+ # registered or no alert at all. In case of another alert (such as a blocked user), it is safer
+ # to do nothing to prevent redirection loops with certain Omniauth providers.
+ return unless flash[:alert].blank? || flash[:alert] == I18n.t('devise.failure.unauthenticated')
+
+ # Prevent alert from popping up on the first page shown after authentication.
+ flash[:alert] = nil
+
+ redirect_to omniauth_authorize_path(:user, provider.to_sym)
+ end
+
def valid_otp_attempt?(user)
user.valid_otp?(user_params[:otp_attempt]) ||
user.invalidate_otp_backup_code!(user_params[:otp_attempt])
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 5acfe548502..c7f22b9388b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -182,6 +182,10 @@ production: &base
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
+ # Uncomment this to automatically sign in with a specific omniauth provider's without
+ # showing GitLab's sign-in page (default: show the GitLab sign-in page)
+ # auto_sign_in_with_provider: saml
+
# CAUTION!
# This allows users to login without having a user account first (default: false).
# User accounts will be created automatically when authentication was successful.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 2351ef7b0ce..c234bd69e9a 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -87,6 +87,8 @@ end
Settings['omniauth'] ||= Settingslogic.new({})
Settings.omniauth['enabled'] = false if Settings.omniauth['enabled'].nil?
+Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil?
+
Settings.omniauth['providers'] ||= []
Settings['issues_tracker'] ||= {}
diff --git a/config/initializers/7_omniauth.rb b/config/initializers/7_omniauth.rb
index 103aa06ca32..6f1f267bf97 100644
--- a/config/initializers/7_omniauth.rb
+++ b/config/initializers/7_omniauth.rb
@@ -12,6 +12,8 @@ if Gitlab::LDAP::Config.enabled?
end
OmniAuth.config.allowed_request_methods = [:post]
+#In case of auto sign-in, the GET method is used (users don't get to click on a button)
+OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
OmniAuth.config.before_request_phase do |env|
OmniAuth::RequestForgeryProtection.new(env).call
end