authorMaxime Besson <maxime.besson@smile.fr>2017-03-23 14:49:59 +0100
committerRémy Coutable <remy@rymai.me>2017-06-02 20:00:11 +0200
commit9326d896238dd82bf5b8b1a3bc7913b8f03b5c98 (patch)
treec47c4711e1944ebe5f0477e004dd8d8c5c8103b9
parent1e8dbd46758d5c9772baf233ebcff889dc742d3d (diff)
Allow manual bypass of auto_sign_in_with_providermabes/gitlab-ce-bypass-auto-login
This commit lets a user bypass the automatic sign-in on the login form, in order to log in with a technical (admin, etc.) account Closes #3786 Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--app/controllers/sessions_controller.rb6
-rw-r--r--changelogs/unreleased/mabes-gitlab-ce-bypass-auto-login.yml4
-rw-r--r--doc/integration/saml.md3
-rw-r--r--spec/controllers/sessions_controller_spec.rb31
-rw-r--r--spec/services/projects/import_service_spec.rb2
-rw-r--r--spec/support/import_spec_helper.rb2
-rw-r--r--spec/support/stub_configuration.rb4
7 files changed, 49 insertions, 3 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 8c6ba4915cd..10806895764 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -90,7 +90,7 @@ class SessionsController < Devise::SessionsController
# Prevent a 'you are already signed in' message directly after signing:
# we should never redirect to '/users/sign_in' after signing in successfully.
- unless redirect_path == new_user_session_path
+ unless URI(redirect_path).path == new_user_session_path
store_location_for(:redirect, redirect_path)
end
end
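Review bot: `URI(redirect_path)` on the new line can raise `URI::InvalidURIError` for a value that is not a well-formed URI, something the previous whole-string comparison could not do; the hunk does not show where redirect_path is assigned, but if it can carry a stored or user-influenced location, a malformed value now surfaces as an exception on the successful sign-in path instead of simply being stored or skipped. Guarding the parse and falling back to the old comparison keeps the intended behaviour (a `/users/sign_in?…` target is still recognised by its path) without the new failure mode. The enclosing method starts before this hunk.
```ruby
# … unchanged: comment explaining why /users/sign_in is never stored …
begin
  target_path = URI(redirect_path).path
rescue URI::InvalidURIError
  target_path = redirect_path # not parseable: compare the raw value as before
end
unless target_path == new_user_session_path
  store_location_for(:redirect, redirect_path)
end
```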
@@ -103,6 +103,10 @@ class SessionsController < Devise::SessionsController
provider = Gitlab.config.omniauth.auto_sign_in_with_provider
return unless provider.present?
+ # If a "auto_sign_in" query parameter is set to a falsy value, don't auto sign-in.
+ # Otherwise, the default is to auto sign-in.
+ return if Gitlab::Utils.to_boolean(params[:auto_sign_in]) == false
+
# Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
# registered or no alert at all. In case of another alert (such as a blocked user), it is safer
# to do nothing to prevent redirection loops with certain Omniauth providers.
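Review bot: The `== false` on the new `return if` line is load-bearing — it presumably lets `nil` (parameter absent, or a value `to_boolean` does not recognise) fall through to the default auto sign-in — yet the comment above it speaks of a "falsy value", which in Ruby also covers nil, so a reader applying the usual "never compare to false" rule could rewrite it as `return unless Gitlab::Utils.to_boolean(params[:auto_sign_in])` and silently invert the default. Suggest making the tri-state explicit: `# Only an explicit false (to_boolean => false) bypasses auto sign-in; nil, i.e. a missing or unrecognised value, keeps the default.` Since this bypass is reachable by anyone who knows the query parameter, which the docs hunk presents as intended, the saml.md sentence two lines above the new doc text ("you will not be able to sign in using local credentials") is no longer accurate and could be softened in the same change. The enclosing method starts before this hunk.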
diff --git a/changelogs/unreleased/mabes-gitlab-ce-bypass-auto-login.yml b/changelogs/unreleased/mabes-gitlab-ce-bypass-auto-login.yml
new file mode 100644
index 00000000000..a321ed9d7d8
--- /dev/null
+++ b/changelogs/unreleased/mabes-gitlab-ce-bypass-auto-login.yml
@@ -0,0 +1,4 @@
+---
+title: Allow manual bypass of auto_sign_in_with_provider with a new param
+merge_request: 10187
+author: Maxime Besson
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index 2277aa827b7..b5b245c626f 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -201,6 +201,9 @@ Please keep in mind that every sign in attempt will be redirected to the SAML se
so you will not be able to sign in using local credentials. Make sure that at least one
of the SAML users has admin permissions.
+You may also bypass the auto signin feature by browsing to
+https://gitlab.example.com/users/sign_in?auto_sign_in=false.
+
### `attribute_statements`
>**Note:**
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 038132cffe0..e87e24a33a1 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -1,6 +1,37 @@
require 'spec_helper'
describe SessionsController do
+ describe '#new' do
+ before do
+ @request.env['devise.mapping'] = Devise.mappings[:user]
+ end
+
+ context 'when auto sign-in is enabled' do
+ before do
+ stub_omniauth_setting(auto_sign_in_with_provider: :saml)
+ allow(controller).to receive(:omniauth_authorize_path).with(:user, :saml).
+ and_return('/saml')
+ end
+
+ context 'and no auto_sign_in param is passed' do
+ it 'redirects to :omniauth_authorize_path' do
+ get(:new)
+
+ expect(response).to have_http_status(302)
+ expect(response).to redirect_to('/saml')
+ end
+ end
+
+ context 'and auto_sign_in=false param is passed' do
+ it 'responds with 200' do
+ get(:new, auto_sign_in: 'false')
+
+ expect(response).to have_http_status(200)
+ end
+ end
+ end
+ end
+
describe '#create' do
before do
@request.env['devise.mapping'] = Devise.mappings[:user]
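Review bot: The new `#new` examples cover only the two ends of the controller's tri-state check — no parameter, and `auto_sign_in: 'false'` — so a regression that replaced the `== false` comparison with a plain truthiness test would still pass: the absent-param case redirects either way, and no example sends a value `to_boolean` does not recognise. One more context, e.g. `context 'and an unrecognised auto_sign_in value is passed'` calling `get(:new, auto_sign_in: 'maybe')` and expecting `redirect_to('/saml')`, would pin that anything other than an explicit false keeps the default. The `describe SessionsController` block continues past this hunk.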
diff --git a/spec/services/projects/import_service_spec.rb b/spec/services/projects/import_service_spec.rb
index 852a4ac852f..44db299812f 100644
--- a/spec/services/projects/import_service_spec.rb
+++ b/spec/services/projects/import_service_spec.rb
@@ -186,7 +186,7 @@ describe Projects::ImportService, services: true do
}
)
- allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider])
+ stub_omniauth_setting(providers: [provider])
end
end
end
diff --git a/spec/support/import_spec_helper.rb b/spec/support/import_spec_helper.rb
index 6710962f082..d4eced724fa 100644
--- a/spec/support/import_spec_helper.rb
+++ b/spec/support/import_spec_helper.rb
@@ -28,6 +28,6 @@ module ImportSpecHelper
app_id: 'asd123',
app_secret: 'asd123'
)
- allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider])
+ stub_omniauth_setting(providers: [provider])
end
end
diff --git a/spec/support/stub_configuration.rb b/spec/support/stub_configuration.rb
index 444adcc1906..b39a23bd18a 100644
--- a/spec/support/stub_configuration.rb
+++ b/spec/support/stub_configuration.rb
@@ -25,6 +25,10 @@ module StubConfiguration
allow(Gitlab.config.mattermost).to receive_messages(messages)
end
+ def stub_omniauth_setting(messages)
+ allow(Gitlab.config.omniauth).to receive_messages(messages)
+ end
+
private
# Modifies stubbed messages to also stub possible predicate versions