Commit 74c69709 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'otzy007/gitlab-ce-disable_oauth_sign_in_sources'

parents f2303f9d d66833bc
......@@ -46,6 +46,7 @@ v 8.8.0 (unreleased)
- Fix adding a todo for private group members (Ahmad Sherif)
- Bump ace-rails-ap gem version from 2.0.1 to 4.0.2 which upgrades Ace Editor from 1.1.2 to 1.2.3
- Total method execution timings are no longer tracked
- Allow Admins to remove the Login with buttons for OAuth services and still be able to import !4034. (Andrei Gliga)
v 8.7.5
- Fix relative links in wiki pages. !4050
......
......@@ -53,6 +53,12 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
end
end
enabled_oauth_sign_in_sources = params[:application_setting].delete(:enabled_oauth_sign_in_sources)
params[:application_setting][:disabled_oauth_sign_in_sources] =
AuthHelper.button_based_providers.map(&:to_s) -
Array(enabled_oauth_sign_in_sources)
params.require(:application_setting).permit(
:default_projects_limit,
:default_branch_protection,
......@@ -95,7 +101,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
:repository_checks_enabled,
:metrics_packet_size,
restricted_visibility_levels: [],
import_sources: []
import_sources: [],
disabled_oauth_sign_in_sources: []
)
end
end
......@@ -60,4 +60,18 @@ module ApplicationSettingsHelper
end
end
end
def oauth_providers_checkboxes
button_based_providers.map do |source|
disabled = current_application_settings.disabled_oauth_sign_in_sources.include?(source.to_s)
css_class = 'btn'
css_class << ' active' unless disabled
checkbox_name = 'application_setting[enabled_oauth_sign_in_sources][]'
label_tag(checkbox_name, class: css_class) do
check_box_tag(checkbox_name, source, !disabled,
autocomplete: 'off') + Gitlab::OAuth::Provider.label_for(source)
end
end
end
end
......@@ -38,6 +38,16 @@ module AuthHelper
auth_providers.reject { |provider| form_based_provider?(provider) }
end
def enabled_button_based_providers
disabled_providers = current_application_settings.disabled_oauth_sign_in_sources || []
button_based_providers.map(&:to_s) - disabled_providers
end
def button_based_providers_enabled?
enabled_button_based_providers.any?
end
def provider_image_tag(provider, size = 64)
label = label_for_provider(provider)
......
......@@ -6,6 +6,7 @@ class ApplicationSetting < ActiveRecord::Base
serialize :restricted_visibility_levels
serialize :import_sources
serialize :disabled_oauth_sign_in_sources
serialize :restricted_signup_domains, Array
attr_accessor :restricted_signup_domains_raw
......@@ -69,6 +70,16 @@ class ApplicationSetting < ActiveRecord::Base
end
end
validates_each :disabled_oauth_sign_in_sources do |record, attr, value|
unless value.nil?
value.each do |source|
unless Devise.omniauth_providers.include?(source.to_sym)
record.errors.add(attr, "'#{source}' is not an OAuth sign-in source")
end
end
end
end
before_save :ensure_runners_registration_token
after_commit do
......@@ -107,6 +118,7 @@ class ApplicationSetting < ActiveRecord::Base
recaptcha_enabled: false,
akismet_enabled: false,
repository_checks_enabled: true,
disabled_oauth_sign_in_sources: []
)
end
......
......@@ -109,6 +109,13 @@
= f.label :signin_enabled do
= f.check_box :signin_enabled
Sign-in enabled
- if omniauth_enabled? && button_based_providers.any?
.form-group
= f.label :enabled_oauth_sign_in_sources, 'Enabled OAuth Sign-In sources', class: 'control-label col-sm-2'
.col-sm-10
.btn-group{ data: { toggle: 'buttons' } }
- oauth_providers_checkboxes.each do |source|
= source
.form-group
= f.label :two_factor_authentication, 'Two-factor authentication', class: 'control-label col-sm-2'
.col-sm-10
......
......@@ -4,7 +4,7 @@
= render 'devise/shared/signin_box'
-# Omniauth fits between signin/ldap signin and signup and does not have a surrounding box
- if omniauth_enabled? && devise_mapping.omniauthable?
- if omniauth_enabled? && devise_mapping.omniauthable? && button_based_providers_enabled?
.clearfix.prepend-top-20
= render 'devise/shared/omniauth_box'
......
%p
%span.light
Sign in with &nbsp;
- providers = button_based_providers
- providers = enabled_button_based_providers
- providers.each do |provider|
%span.light
- has_icon = provider_has_icon?(provider)
......
class AddDisabledOauthSignInSourcesToApplicationSettings < ActiveRecord::Migration
def change
add_column :application_settings, :disabled_oauth_sign_in_sources, :text
end
end
......@@ -80,6 +80,7 @@ ActiveRecord::Schema.define(version: 20160508194200) do
t.boolean "repository_checks_enabled", default: false
t.text "shared_runners_text"
t.integer "metrics_packet_size", default: 1
t.text "disabled_oauth_sign_in_sources"
end
create_table "audit_events", force: :cascade do |t|
......
......@@ -11,6 +11,7 @@ of the configured mechanisms.
- [Supported Providers](#supported-providers)
- [Enable OmniAuth for an Existing User](#enable-omniauth-for-an-existing-user)
- [OmniAuth configuration sample when using Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master#omniauth-google-twitter-github-login)
- [Enable or disable Sign In with an OmniAuth provider without disabling import sources](#enable-or-disable-sign-in-with-an-omniauth-provider-without-disabling-import-sources)
## Supported Providers
......@@ -191,3 +192,17 @@ experience [in the public Wiki](https://github.com/gitlabhq/gitlab-public-wiki/w
While we can't officially support every possible authentication mechanism out there,
we'd like to at least help those with specific needs.
## Enable or disable Sign In with an OmniAuth provider without disabling import sources
>**Note:**
This setting was introduced with version 8.8 of GitLab.
Administrators are able to enable or disable Sign In via some OmniAuth providers.
>**Note:**
By default Sign In is enabled via all the OAuth Providers that have been configured in `config/gitlab.yml`.
In order to enable/disable an OmniAuth provider, go to Admin Area -> Settings -> Sign-in Restrictions section -> Enabled OAuth Sign-In sources and select the providers you want to enable or disable.
![Enabled OAuth Sign-In sources](img/enabled-oauth-sign-in-sources.png)
......@@ -2,7 +2,7 @@ require "spec_helper"
describe AuthHelper do
describe "button_based_providers" do
it 'returns all enabled providers' do
it 'returns all enabled providers from devise' do
allow(helper).to receive(:auth_providers) { [:twitter, :github] }
expect(helper.button_based_providers).to include(*[:twitter, :github])
end
......@@ -17,4 +17,49 @@ describe AuthHelper do
expect(helper.button_based_providers).to eq([])
end
end
describe 'enabled_button_based_providers' do
before do
allow(helper).to receive(:auth_providers) { [:twitter, :github] }
end
context 'all providers are enabled to sign in' do
it 'returns all the enabled providers from settings' do
expect(helper.enabled_button_based_providers).to include('twitter', 'github')
end
end
context 'GitHub OAuth sign in is disabled from application setting' do
it "doesn't return github as provider" do
stub_application_setting(
disabled_oauth_sign_in_sources: ['github']
)
expect(helper.enabled_button_based_providers).to include('twitter')
expect(helper.enabled_button_based_providers).to_not include('github')
end
end
end
describe 'button_based_providers_enabled?' do
before do
allow(helper).to receive(:auth_providers) { [:twitter, :github] }
end
context 'button based providers enabled' do
it 'returns true' do
expect(helper.button_based_providers_enabled?).to be true
end
end
context 'all the button based providers are disabled via application_setting' do
it 'returns false' do
stub_application_setting(
disabled_oauth_sign_in_sources: ['github', 'twitter']
)
expect(helper.button_based_providers_enabled?).to be false
end
end
end
end
......@@ -20,6 +20,15 @@ describe ApplicationSetting, models: true do
it { is_expected.to allow_value(https).for(:after_sign_out_path) }
it { is_expected.not_to allow_value(ftp).for(:after_sign_out_path) }
describe 'disabled_oauth_sign_in_sources validations' do
before do
allow(Devise).to receive(:omniauth_providers).and_return([:github])
end
it { is_expected.to allow_value(['github']).for(:disabled_oauth_sign_in_sources) }
it { is_expected.not_to allow_value(['test']).for(:disabled_oauth_sign_in_sources) }
end
it { is_expected.to validate_presence_of(:max_attachment_size) }
it do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment