Commit 74c69709 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'otzy007/gitlab-ce-disable_oauth_sign_in_sources'

parents f2303f9d d66833bc
...@@ -46,6 +46,7 @@ v 8.8.0 (unreleased) ...@@ -46,6 +46,7 @@ v 8.8.0 (unreleased)
- Fix adding a todo for private group members (Ahmad Sherif) - Fix adding a todo for private group members (Ahmad Sherif)
- Bump ace-rails-ap gem version from 2.0.1 to 4.0.2 which upgrades Ace Editor from 1.1.2 to 1.2.3 - Bump ace-rails-ap gem version from 2.0.1 to 4.0.2 which upgrades Ace Editor from 1.1.2 to 1.2.3
- Total method execution timings are no longer tracked - Total method execution timings are no longer tracked
- Allow Admins to remove the Login with buttons for OAuth services and still be able to import !4034. (Andrei Gliga)
v 8.7.5 v 8.7.5
- Fix relative links in wiki pages. !4050 - Fix relative links in wiki pages. !4050
......
...@@ -53,6 +53,12 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController ...@@ -53,6 +53,12 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
end end
end end
enabled_oauth_sign_in_sources = params[:application_setting].delete(:enabled_oauth_sign_in_sources)
params[:application_setting][:disabled_oauth_sign_in_sources] =
AuthHelper.button_based_providers.map(&:to_s) -
Array(enabled_oauth_sign_in_sources)
params.require(:application_setting).permit( params.require(:application_setting).permit(
:default_projects_limit, :default_projects_limit,
:default_branch_protection, :default_branch_protection,
...@@ -95,7 +101,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController ...@@ -95,7 +101,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
:repository_checks_enabled, :repository_checks_enabled,
:metrics_packet_size, :metrics_packet_size,
restricted_visibility_levels: [], restricted_visibility_levels: [],
import_sources: [] import_sources: [],
disabled_oauth_sign_in_sources: []
) )
end end
end end
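Review bot: `params[:application_setting].delete(:enabled_oauth_sign_in_sources)` on the first added line runs before `params.require(:application_setting)`, so a request without that key now raises NoMethodError on nil instead of the ParameterMissing that `require` turns into a 400; take the hash from `require` instead, `enabled_oauth_sign_in_sources = params.require(:application_setting).delete(:enabled_oauth_sign_in_sources)`, which returns the same object the next line assigns into. Deriving the disabled list as `button_based_providers - submitted` means only server-known provider names can ever reach `disabled_oauth_sign_in_sources`, but it also means a submit with no checkbox group at all (every provider unchecked, or the group not rendered) disables every provider; a one-line comment stating that intent would save the next reader a trip to the view. `AuthHelper.button_based_providers` called on the module presumably relies on `extend self` or `module_function` in AuthHelper, since only instance-style `def`s are visible in this commit; confirm. The enclosing method starts and ends outside the hunk.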
...@@ -60,4 +60,18 @@ module ApplicationSettingsHelper ...@@ -60,4 +60,18 @@ module ApplicationSettingsHelper
end end
end end
end end
def oauth_providers_checkboxes
button_based_providers.map do |source|
disabled = current_application_settings.disabled_oauth_sign_in_sources.include?(source.to_s)
css_class = 'btn'
css_class << ' active' unless disabled
checkbox_name = 'application_setting[enabled_oauth_sign_in_sources][]'
label_tag(checkbox_name, class: css_class) do
check_box_tag(checkbox_name, source, !disabled,
autocomplete: 'off') + Gitlab::OAuth::Provider.label_for(source)
end
end
end
end end
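Review bot: `current_application_settings.disabled_oauth_sign_in_sources.include?(source.to_s)` in `oauth_providers_checkboxes` raises NoMethodError when the attribute is nil, which is what the new text column holds on settings rows that existed before the migration (it adds no default, and `serialize` without a class returns nil for NULL), so the admin settings page would fail on existing installs until the setting is saved once; the sibling `enabled_button_based_providers` in AuthHelper guards this with `|| []`, so do the same here: `disabled = Array(current_application_settings.disabled_oauth_sign_in_sources).include?(source.to_s)`. `css_class << ' active'` mutates a string literal and would raise under `# frozen_string_literal: true`; `css_class = disabled ? 'btn' : 'btn active'` avoids both the mutation and the two-step build. A short comment on the method, saying it returns one label-wrapped checkbox per button-based provider, checked unless the provider is listed in `disabled_oauth_sign_in_sources`, would help readers of the view that iterates it.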
...@@ -38,6 +38,16 @@ module AuthHelper ...@@ -38,6 +38,16 @@ module AuthHelper
auth_providers.reject { |provider| form_based_provider?(provider) } auth_providers.reject { |provider| form_based_provider?(provider) }
end end
def enabled_button_based_providers
disabled_providers = current_application_settings.disabled_oauth_sign_in_sources || []
button_based_providers.map(&:to_s) - disabled_providers
end
def button_based_providers_enabled?
enabled_button_based_providers.any?
end
def provider_image_tag(provider, size = 64) def provider_image_tag(provider, size = 64)
label = label_for_provider(provider) label = label_for_provider(provider)
......
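Review bot: `enabled_button_based_providers` returns provider names as strings (`map(&:to_s)`) whereas `button_based_providers` returns whatever `auth_providers` yields, symbols in the spec, and `devise/shared/_omniauth_box` now feeds the string form to `provider_has_icon?` and `provider_image_tag`, which are outside this hunk; confirm those helpers accept strings, since a symbol-keyed lookup would silently stop matching rather than fail. Document the type change on the method so callers do not assume symbols: `# Button-based providers minus those disabled in application settings, as strings.`.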
...@@ -6,6 +6,7 @@ class ApplicationSetting < ActiveRecord::Base ...@@ -6,6 +6,7 @@ class ApplicationSetting < ActiveRecord::Base
serialize :restricted_visibility_levels serialize :restricted_visibility_levels
serialize :import_sources serialize :import_sources
serialize :disabled_oauth_sign_in_sources
serialize :restricted_signup_domains, Array serialize :restricted_signup_domains, Array
attr_accessor :restricted_signup_domains_raw attr_accessor :restricted_signup_domains_raw
...@@ -69,6 +70,16 @@ class ApplicationSetting < ActiveRecord::Base ...@@ -69,6 +70,16 @@ class ApplicationSetting < ActiveRecord::Base
end end
end end
validates_each :disabled_oauth_sign_in_sources do |record, attr, value|
unless value.nil?
value.each do |source|
unless Devise.omniauth_providers.include?(source.to_sym)
record.errors.add(attr, "'#{source}' is not an OAuth sign-in source")
end
end
end
end
before_save :ensure_runners_registration_token before_save :ensure_runners_registration_token
after_commit do after_commit do
...@@ -107,6 +118,7 @@ class ApplicationSetting < ActiveRecord::Base ...@@ -107,6 +118,7 @@ class ApplicationSetting < ActiveRecord::Base
recaptcha_enabled: false, recaptcha_enabled: false,
akismet_enabled: false, akismet_enabled: false,
repository_checks_enabled: true, repository_checks_enabled: true,
disabled_oauth_sign_in_sources: []
) )
end end
......
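Review bot: `serialize :disabled_oauth_sign_in_sources` in the first hunk takes no class, unlike the neighbouring `serialize :restricted_signup_domains, Array`, so rows that predate the migration (which adds the text column with no default) read back nil and every consumer has to guard for it; `serialize :disabled_oauth_sign_in_sources, Array` would make NULL read as `[]` and reject non-array assignments up front, which the `validates_each` block in the second hunk otherwise only discovers when `value.each` is called on whatever was stored. In that validator, `source.to_sym` interns admin-supplied strings; comparing on the string side avoids creating symbols from request data: `unless Devise.omniauth_providers.map(&:to_s).include?(source.to_s)`. With the Array serializer the `unless value.nil?` wrapper also becomes unnecessary.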
...@@ -109,6 +109,13 @@ ...@@ -109,6 +109,13 @@
= f.label :signin_enabled do = f.label :signin_enabled do
= f.check_box :signin_enabled = f.check_box :signin_enabled
Sign-in enabled Sign-in enabled
- if omniauth_enabled? && button_based_providers.any?
.form-group
= f.label :enabled_oauth_sign_in_sources, 'Enabled OAuth Sign-In sources', class: 'control-label col-sm-2'
.col-sm-10
.btn-group{ data: { toggle: 'buttons' } }
- oauth_providers_checkboxes.each do |source|
= source
.form-group .form-group
= f.label :two_factor_authentication, 'Two-factor authentication', class: 'control-label col-sm-2' = f.label :two_factor_authentication, 'Two-factor authentication', class: 'control-label col-sm-2'
.col-sm-10 .col-sm-10
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
= render 'devise/shared/signin_box' = render 'devise/shared/signin_box'
-# Omniauth fits between signin/ldap signin and signup and does not have a surrounding box -# Omniauth fits between signin/ldap signin and signup and does not have a surrounding box
- if omniauth_enabled? && devise_mapping.omniauthable? - if omniauth_enabled? && devise_mapping.omniauthable? && button_based_providers_enabled?
.clearfix.prepend-top-20 .clearfix.prepend-top-20
= render 'devise/shared/omniauth_box' = render 'devise/shared/omniauth_box'
......
%p %p
%span.light %span.light
Sign in with &nbsp; Sign in with &nbsp;
- providers = button_based_providers - providers = enabled_button_based_providers
- providers.each do |provider| - providers.each do |provider|
%span.light %span.light
- has_icon = provider_has_icon?(provider) - has_icon = provider_has_icon?(provider)
......
class AddDisabledOauthSignInSourcesToApplicationSettings < ActiveRecord::Migration
def change
add_column :application_settings, :disabled_oauth_sign_in_sources, :text
end
end
...@@ -80,6 +80,7 @@ ActiveRecord::Schema.define(version: 20160508194200) do ...@@ -80,6 +80,7 @@ ActiveRecord::Schema.define(version: 20160508194200) do
t.boolean "repository_checks_enabled", default: false t.boolean "repository_checks_enabled", default: false
t.text "shared_runners_text" t.text "shared_runners_text"
t.integer "metrics_packet_size", default: 1 t.integer "metrics_packet_size", default: 1
t.text "disabled_oauth_sign_in_sources"
end end
create_table "audit_events", force: :cascade do |t| create_table "audit_events", force: :cascade do |t|
......
...@@ -11,6 +11,7 @@ of the configured mechanisms. ...@@ -11,6 +11,7 @@ of the configured mechanisms.
- [Supported Providers](#supported-providers) - [Supported Providers](#supported-providers)
- [Enable OmniAuth for an Existing User](#enable-omniauth-for-an-existing-user) - [Enable OmniAuth for an Existing User](#enable-omniauth-for-an-existing-user)
- [OmniAuth configuration sample when using Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master#omniauth-google-twitter-github-login) - [OmniAuth configuration sample when using Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master#omniauth-google-twitter-github-login)
- [Enable or disable Sign In with an OmniAuth provider without disabling import sources](#enable-or-disable-sign-in-with-an-omniauth-provider-without-disabling-import-sources)
## Supported Providers ## Supported Providers
...@@ -191,3 +192,17 @@ experience [in the public Wiki](https://github.com/gitlabhq/gitlab-public-wiki/w ...@@ -191,3 +192,17 @@ experience [in the public Wiki](https://github.com/gitlabhq/gitlab-public-wiki/w
While we can't officially support every possible authentication mechanism out there, While we can't officially support every possible authentication mechanism out there,
we'd like to at least help those with specific needs. we'd like to at least help those with specific needs.
## Enable or disable Sign In with an OmniAuth provider without disabling import sources
>**Note:**
This setting was introduced with version 8.8 of GitLab.
Administrators are able to enable or disable Sign In via some OmniAuth providers.
>**Note:**
By default Sign In is enabled via all the OAuth Providers that have been configured in `config/gitlab.yml`.
In order to enable/disable an OmniAuth provider, go to Admin Area -> Settings -> Sign-in Restrictions section -> Enabled OAuth Sign-In sources and select the providers you want to enable or disable.
![Enabled OAuth Sign-In sources](img/enabled-oauth-sign-in-sources.png)
...@@ -2,7 +2,7 @@ require "spec_helper" ...@@ -2,7 +2,7 @@ require "spec_helper"
describe AuthHelper do describe AuthHelper do
describe "button_based_providers" do describe "button_based_providers" do
it 'returns all enabled providers' do it 'returns all enabled providers from devise' do
allow(helper).to receive(:auth_providers) { [:twitter, :github] } allow(helper).to receive(:auth_providers) { [:twitter, :github] }
expect(helper.button_based_providers).to include(*[:twitter, :github]) expect(helper.button_based_providers).to include(*[:twitter, :github])
end end
...@@ -17,4 +17,49 @@ describe AuthHelper do ...@@ -17,4 +17,49 @@ describe AuthHelper do
expect(helper.button_based_providers).to eq([]) expect(helper.button_based_providers).to eq([])
end end
end end
describe 'enabled_button_based_providers' do
before do
allow(helper).to receive(:auth_providers) { [:twitter, :github] }
end
context 'all providers are enabled to sign in' do
it 'returns all the enabled providers from settings' do
expect(helper.enabled_button_based_providers).to include('twitter', 'github')
end
end
context 'GitHub OAuth sign in is disabled from application setting' do
it "doesn't return github as provider" do
stub_application_setting(
disabled_oauth_sign_in_sources: ['github']
)
expect(helper.enabled_button_based_providers).to include('twitter')
expect(helper.enabled_button_based_providers).to_not include('github')
end
end
end
describe 'button_based_providers_enabled?' do
before do
allow(helper).to receive(:auth_providers) { [:twitter, :github] }
end
context 'button based providers enabled' do
it 'returns true' do
expect(helper.button_based_providers_enabled?).to be true
end
end
context 'all the button based providers are disabled via application_setting' do
it 'returns false' do
stub_application_setting(
disabled_oauth_sign_in_sources: ['github', 'twitter']
)
expect(helper.button_based_providers_enabled?).to be false
end
end
end
end end
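Review bot: The new `enabled_button_based_providers` examples never exercise the nil branch that the helper's `|| []` guard exists for, which is the state of `disabled_oauth_sign_in_sources` on settings rows created before this commit's migration; add a context with `stub_application_setting(disabled_oauth_sign_in_sources: nil)` expecting both providers back. `to_not include('github')` differs from the `not_to` form used in the ApplicationSetting spec in this same commit; `expect(helper.enabled_button_based_providers).not_to include('github')` keeps the two consistent.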
...@@ -20,6 +20,15 @@ describe ApplicationSetting, models: true do ...@@ -20,6 +20,15 @@ describe ApplicationSetting, models: true do
it { is_expected.to allow_value(https).for(:after_sign_out_path) } it { is_expected.to allow_value(https).for(:after_sign_out_path) }
it { is_expected.not_to allow_value(ftp).for(:after_sign_out_path) } it { is_expected.not_to allow_value(ftp).for(:after_sign_out_path) }
describe 'disabled_oauth_sign_in_sources validations' do
before do
allow(Devise).to receive(:omniauth_providers).and_return([:github])
end
it { is_expected.to allow_value(['github']).for(:disabled_oauth_sign_in_sources) }
it { is_expected.not_to allow_value(['test']).for(:disabled_oauth_sign_in_sources) }
end
it { is_expected.to validate_presence_of(:max_attachment_size) } it { is_expected.to validate_presence_of(:max_attachment_size) }
it do it do
......