diff options
| -rw-r--r-- | CHANGELOG | 3 | ||||
| -rw-r--r-- | app/controllers/omniauth_callbacks_controller.rb | 54 | ||||
| -rw-r--r-- | app/views/dashboard/projects/_zero_authorized_projects.html.haml | 4 | ||||
| -rw-r--r-- | config/gitlab.yml.example | 11 | ||||
| -rw-r--r-- | config/initializers/2_app.rb | 4 | ||||
| -rw-r--r-- | config/initializers/sentry.rb | 1 | ||||
| -rw-r--r-- | config/sidekiq.yml.example | 2 | ||||
| -rw-r--r-- | doc/update/8.3-to-8.4.md | 21 | ||||
| -rw-r--r-- | lib/gitlab/ldap/user.rb | 4 | ||||
| -rw-r--r-- | lib/gitlab/o_auth/user.rb | 9 | ||||
| -rw-r--r-- | lib/gitlab/saml/user.rb | 47 | ||||
| -rw-r--r-- | spec/lib/gitlab/o_auth/user_spec.rb | 6 | ||||
| -rw-r--r-- | spec/lib/gitlab/saml/user_spec.rb | 271 |
13 files changed, 33 insertions, 404 deletions
diff --git a/CHANGELOG b/CHANGELOG index a889ce744ed..b0d08d97226 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -64,9 +64,6 @@ v 8.5.0 (unreleased) - Fix broken link to project in build notification emails - Ability to see and sort on vote count from Issues and MR lists - Fix builds scheduler when first build in stage was allowed to fail - - Allow SAML users to login with no previous account without having to allow - all Omniauth providers to do so. - - Allow existing users to auto link their SAML credentials by logging in via SAML v 8.4.4 - Update omniauth-saml gem to 1.4.2 diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb index 21135f7d607..9cf76521a0d 100644 --- a/app/controllers/omniauth_callbacks_controller.rb +++ b/app/controllers/omniauth_callbacks_controller.rb @@ -42,26 +42,6 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController end end - def saml - if current_user - log_audit_event(current_user, with: :saml) - # Update SAML identity if data has changed. - identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml) - if identity.nil? - current_user.identities.create(extern_uid: oauth['uid'], provider: :saml) - redirect_to profile_account_path, notice: 'Authentication method updated' - else - redirect_to after_sign_in_path_for(current_user) - end - else - saml_user = Gitlab::Saml::User.new(oauth) - saml_user.save - @user = saml_user.gl_user - - continue_login_process - end - end - def omniauth_error @provider = params[:provider] @error = params[:error] @@ -85,11 +65,25 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController log_audit_event(current_user, with: oauth['provider']) redirect_to profile_account_path, notice: 'Authentication method updated' else - oauth_user = Gitlab::OAuth::User.new(oauth) - oauth_user.save - @user = oauth_user.gl_user + @user = Gitlab::OAuth::User.new(oauth) + @user.save - continue_login_process + # Only allow properly saved users to login. + if @user.persisted? && @user.valid? + log_audit_event(@user.gl_user, with: oauth['provider']) + sign_in_and_redirect(@user.gl_user) + else + error_message = + if @user.gl_user.errors.any? + @user.gl_user.errors.map do |attribute, message| + "#{attribute} #{message}" + end.join(", ") + else + '' + end + + redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return + end end rescue Gitlab::OAuth::SignupDisabledError label = Gitlab::OAuth::Provider.label_for(oauth['provider']) @@ -110,18 +104,6 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController session[:service_tickets][provider] = ticket end - def continue_login_process - # Only allow properly saved users to login. - if @user.persisted? && @user.valid? - log_audit_event(@user, with: oauth['provider']) - sign_in_and_redirect(@user) - else - error_message = @user.errors.full_messages.to_sentence - - redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return - end - end - def oauth @oauth ||= request.env['omniauth.auth'] end diff --git a/app/views/dashboard/projects/_zero_authorized_projects.html.haml b/app/views/dashboard/projects/_zero_authorized_projects.html.haml index 4e7d6639727..c3efa7727b1 100644 --- a/app/views/dashboard/projects/_zero_authorized_projects.html.haml +++ b/app/views/dashboard/projects/_zero_authorized_projects.html.haml @@ -11,7 +11,7 @@ %br - if current_user.can_create_project? You can create up to - %strong= pluralize(current_user.projects_limit, "project") + "." + %strong= pluralize(number_with_delimiter(current_user.projects_limit), "project") + "." - else If you are added to a project, it will be displayed here. @@ -44,7 +44,7 @@ .dashboard-intro-text %p.slead There are - %strong= publicish_project_count + %strong= number_with_delimiter(publicish_project_count) public projects on this server. %br Public projects are an easy way to allow everyone to have read-only access. diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index b6954b3152b..faf05ecd466 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -288,22 +288,15 @@ production: &base # auto_sign_in_with_provider: saml # CAUTION! - # This allows users to login without having a user account first. Define the allowed - # providers using an array, e.g. ["saml", "twitter"] + # This allows users to login without having a user account first (default: false). # User accounts will be created automatically when authentication was successful. - allow_single_sign_on: ["saml"] - + allow_single_sign_on: false # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: true # Look up new users in LDAP servers. If a match is found (same uid), automatically # link the omniauth identity with the LDAP account. (default: false) auto_link_ldap_user: false - # Allow users with existing accounts to login and auto link their account via SAML - # login, without having to do a manual login first and manually add SAML - # (default: false) - auto_link_saml_user: false - ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: diff --git a/config/initializers/2_app.rb b/config/initializers/2_app.rb index 35b150c9929..bd74f90e7d2 100644 --- a/config/initializers/2_app.rb +++ b/config/initializers/2_app.rb @@ -3,6 +3,6 @@ module Gitlab Settings end - VERSION = File.read(Rails.root.join("VERSION")).strip - REVISION = Gitlab::Popen.popen(%W(#{config.git.bin_path} log --pretty=format:%h -n 1)).first.chomp + VERSION = File.read(Rails.root.join("VERSION")).strip.freeze + REVISION = Gitlab::Popen.popen(%W(#{config.git.bin_path} log --pretty=format:%h -n 1)).first.chomp.freeze end diff --git a/config/initializers/sentry.rb b/config/initializers/sentry.rb index d0630b9fa07..e87899b2d5c 100644 --- a/config/initializers/sentry.rb +++ b/config/initializers/sentry.rb @@ -14,6 +14,7 @@ if Rails.env.production? if sentry_enabled Raven.configure do |config| config.dsn = current_application_settings.sentry_dsn + config.release = Gitlab::REVISION end end end diff --git a/config/sidekiq.yml.example b/config/sidekiq.yml.example index c691db67c6c..714bc06cb24 100644 --- a/config/sidekiq.yml.example +++ b/config/sidekiq.yml.example @@ -1,2 +1,2 @@ --- +--- :concurrency: 5
\ No newline at end of file diff --git a/doc/update/8.3-to-8.4.md b/doc/update/8.3-to-8.4.md index 616b1f58b65..269deec7a9c 100644 --- a/doc/update/8.3-to-8.4.md +++ b/doc/update/8.3-to-8.4.md @@ -81,27 +81,6 @@ There are new configuration options available for [`gitlab.yml`](config/gitlab.y git diff origin/8-3-stable:config/gitlab.yml.example origin/8-4-stable:config/gitlab.yml.example ``` -#### Nginx configuration - -GitLab 8.3 introduced major changes in the NGINX configuration. Ensure you're -still up-to-date with the latest changes: - -```sh -# For HTTPS configurations -git diff origin/8-3-stable:lib/support/nginx/gitlab-ssl origin/8-4-stable:lib/support/nginx/gitlab-ssl - -# For HTTP configurations -git diff origin/8-3-stable:lib/support/nginx/gitlab origin/8-4-stable:lib/support/nginx/gitlab -``` - -If you are using Apache instead of NGINX please see the updated [Apache templates]. -Also note that because Apache does not support upstreams behind Unix sockets you -will need to let gitlab-workhorse listen on a TCP port. You can do this -via [/etc/default/gitlab]. - -[Apache templates]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache -[/etc/default/gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/blob/8-4-stable/lib/support/init.d/gitlab.default.example#L34 - #### Init script We updated the init script for GitLab in order to set a specific PATH for gitlab-workhorse. diff --git a/lib/gitlab/ldap/user.rb b/lib/gitlab/ldap/user.rb index b84c81f1a6c..e044f0ecc6d 100644 --- a/lib/gitlab/ldap/user.rb +++ b/lib/gitlab/ldap/user.rb @@ -24,10 +24,6 @@ module Gitlab update_user_attributes end - def save - super('LDAP') - end - # instance methods def gl_user @gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb index 675ded92a89..d87a72f7ba3 100644 --- a/lib/gitlab/o_auth/user.rb +++ b/lib/gitlab/o_auth/user.rb @@ -26,7 +26,7 @@ module Gitlab gl_user.try(:valid?) end - def save(provider = 'OAuth') + def save unauthorized_to_create unless gl_user if needs_blocking? @@ -36,10 +36,10 @@ module Gitlab gl_user.save! end - log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}" + log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}" gl_user rescue ActiveRecord::RecordInvalid => e - log.info "(#{provider}) Error saving user: #{gl_user.errors.full_messages}" + log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}" return self, e.record.errors end @@ -105,8 +105,7 @@ module Gitlab end def signup_enabled? - providers = Gitlab.config.omniauth.allow_single_sign_on - providers.include?(auth_hash.provider) + Gitlab.config.omniauth.allow_single_sign_on end def block_after_signup? diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb deleted file mode 100644 index b1e30110ef5..00000000000 --- a/lib/gitlab/saml/user.rb +++ /dev/null @@ -1,47 +0,0 @@ -# SAML extension for User model -# -# * Find GitLab user based on SAML uid and provider -# * Create new user from SAML data -# -module Gitlab - module Saml - class User < Gitlab::OAuth::User - - def save - super('SAML') - end - - def gl_user - @user ||= find_by_uid_and_provider - - if auto_link_ldap_user? - @user ||= find_or_create_ldap_user - end - - if auto_link_saml_enabled? - @user ||= find_by_email - end - - if signup_enabled? - @user ||= build_new_user - end - - @user - end - - def find_by_email - if auth_hash.has_email? - user = ::User.find_by(email: auth_hash.email.downcase) - user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user - user - end - end - - protected - - def auto_link_saml_enabled? - Gitlab.config.omniauth.auto_link_saml_user - end - end - end -end diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb index 76b1360f208..925bc442a90 100644 --- a/spec/lib/gitlab/o_auth/user_spec.rb +++ b/spec/lib/gitlab/o_auth/user_spec.rb @@ -42,7 +42,7 @@ describe Gitlab::OAuth::User, lib: true do describe 'signup' do shared_examples "to verify compliance with allow_single_sign_on" do context "with allow_single_sign_on enabled" do - before { stub_omniauth_config(allow_single_sign_on: ['twitter']) } + before { stub_omniauth_config(allow_single_sign_on: true) } it "creates a user from Omniauth" do oauth_user.save @@ -55,7 +55,7 @@ describe Gitlab::OAuth::User, lib: true do end context "with allow_single_sign_on disabled (Default)" do - before { stub_omniauth_config(allow_single_sign_on: []) } + before { stub_omniauth_config(allow_single_sign_on: false) } it "throws an error" do expect{ oauth_user.save }.to raise_error StandardError end @@ -135,7 +135,7 @@ describe Gitlab::OAuth::User, lib: true do describe 'blocking' do let(:provider) { 'twitter' } - before { stub_omniauth_config(allow_single_sign_on: ['twitter']) } + before { stub_omniauth_config(allow_single_sign_on: true) } context 'signup with omniauth only' do context 'dont block on create' do diff --git a/spec/lib/gitlab/saml/user_spec.rb b/spec/lib/gitlab/saml/user_spec.rb deleted file mode 100644 index 480ca1aee4b..00000000000 --- a/spec/lib/gitlab/saml/user_spec.rb +++ /dev/null @@ -1,271 +0,0 @@ -require 'spec_helper' - -describe Gitlab::Saml::User, lib: true do - let(:saml_user) { described_class.new(auth_hash) } - let(:gl_user) { saml_user.gl_user } - let(:uid) { 'my-uid' } - let(:provider) { 'saml' } - let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) } - let(:info_hash) do - { - name: 'John', - email: 'john@mail.com' - } - end - let(:ldap_user) { Gitlab::LDAP::Person.new(Net::LDAP::Entry.new, 'ldapmain') } - - describe '#save' do - def stub_omniauth_config(messages) - allow(Gitlab.config.omniauth).to receive_messages(messages) - end - - def stub_ldap_config(messages) - allow(Gitlab::LDAP::Config).to receive_messages(messages) - end - - describe 'account exists on server' do - before { stub_omniauth_config({ allow_single_sign_on: ['saml'], auto_link_saml_user: true }) } - context 'and should bind with SAML' do - let!(:existing_user) { create(:user, email: 'john@mail.com', username: 'john') } - it 'adds the SAML identity to the existing user' do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).to eq existing_user - identity = gl_user.identities.first - expect(identity.extern_uid).to eql uid - expect(identity.provider).to eql 'saml' - end - end - end - - describe 'no account exists on server' do - shared_examples 'to verify compliance with allow_single_sign_on' do - context 'with allow_single_sign_on enabled' do - before { stub_omniauth_config(allow_single_sign_on: ['saml']) } - - it 'creates a user from SAML' do - saml_user.save - - expect(gl_user).to be_valid - identity = gl_user.identities.first - expect(identity.extern_uid).to eql uid - expect(identity.provider).to eql 'saml' - end - end - - context 'with allow_single_sign_on default (["saml"])' do - before { stub_omniauth_config(allow_single_sign_on: ['saml']) } - it 'should not throw an error' do - expect{ saml_user.save }.not_to raise_error - end - end - - context 'with allow_single_sign_on disabled' do - before { stub_omniauth_config(allow_single_sign_on: []) } - it 'should throw an error' do - expect{ saml_user.save }.to raise_error StandardError - end - end - end - - context 'with auto_link_ldap_user disabled (default)' do - before { stub_omniauth_config({ auto_link_ldap_user: false, auto_link_saml_user: false, allow_single_sign_on: ['saml'] }) } - include_examples 'to verify compliance with allow_single_sign_on' - end - - context 'with auto_link_ldap_user enabled' do - before { stub_omniauth_config({ auto_link_ldap_user: true, auto_link_saml_user: false }) } - - context 'and no LDAP provider defined' do - before { stub_ldap_config(providers: []) } - - include_examples 'to verify compliance with allow_single_sign_on' - end - - context 'and at least one LDAP provider is defined' do - before { stub_ldap_config(providers: %w(ldapmain)) } - - context 'and a corresponding LDAP person' do - before do - allow(ldap_user).to receive(:uid) { uid } - allow(ldap_user).to receive(:username) { uid } - allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] } - allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } - allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(ldap_user) - end - - context 'and no account for the LDAP user' do - - it 'creates a user with dual LDAP and SAML identities' do - saml_user.save - - expect(gl_user).to be_valid - expect(gl_user.username).to eql uid - expect(gl_user.email).to eql 'johndoe@example.com' - expect(gl_user.identities.length).to eql 2 - identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } - expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, - { provider: 'saml', extern_uid: uid } - ]) - end - end - - context 'and LDAP user has an account already' do - let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } - it "adds the omniauth identity to the LDAP account" do - saml_user.save - - expect(gl_user).to be_valid - expect(gl_user.username).to eql 'john' - expect(gl_user.email).to eql 'john@example.com' - expect(gl_user.identities.length).to eql 2 - identities_as_hash = gl_user.identities.map { |id| { provider: id.provider, extern_uid: id.extern_uid } } - expect(identities_as_hash).to match_array([ { provider: 'ldapmain', extern_uid: 'uid=user1,ou=People,dc=example' }, - { provider: 'saml', extern_uid: uid } - ]) - end - end - end - - context 'and no corresponding LDAP person' do - before { allow(Gitlab::LDAP::Person).to receive(:find_by_uid).and_return(nil) } - - include_examples 'to verify compliance with allow_single_sign_on' - end - end - end - - end - - describe 'blocking' do - before { stub_omniauth_config({ allow_saml_sign_up: true, auto_link_saml_user: true }) } - - context 'signup with SAML only' do - context 'dont block on create' do - before { stub_omniauth_config(block_auto_created_users: false) } - - it 'should not block the user' do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'block on create' do - before { stub_omniauth_config(block_auto_created_users: true) } - - it 'should block user' do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).to be_blocked - end - end - end - - context 'signup with linked omniauth and LDAP account' do - before do - stub_omniauth_config(auto_link_ldap_user: true) - allow(ldap_user).to receive(:uid) { uid } - allow(ldap_user).to receive(:username) { uid } - allow(ldap_user).to receive(:email) { ['johndoe@example.com','john2@example.com'] } - allow(ldap_user).to receive(:dn) { 'uid=user1,ou=People,dc=example' } - allow(saml_user).to receive(:ldap_person).and_return(ldap_user) - end - - context "and no account for the LDAP user" do - context 'dont block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).to be_blocked - end - end - end - - context 'and LDAP user has an account already' do - let!(:existing_user) { create(:omniauth_user, email: 'john@example.com', extern_uid: 'uid=user1,ou=People,dc=example', provider: 'ldapmain', username: 'john') } - - context 'dont block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - end - end - - - context 'sign-in' do - before do - saml_user.save - saml_user.gl_user.activate - end - - context 'dont block on create' do - before { stub_omniauth_config(block_auto_created_users: false) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'block on create' do - before { stub_omniauth_config(block_auto_created_users: true) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'dont block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: false) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - - context 'block on create (LDAP)' do - before { allow_any_instance_of(Gitlab::LDAP::Config).to receive_messages(block_auto_created_users: true) } - - it do - saml_user.save - expect(gl_user).to be_valid - expect(gl_user).not_to be_blocked - end - end - end - end - end -end |