Merge branch 'funglaub-master'

Gemfile

@@ -16,6 +16,10 @@ gem "mysql2"
 
 # Auth
 gem "devise", "~> 2.1.0"
+gem 'omniauth'
+gem 'omniauth-google-oauth2'
+gem 'omniauth-twitter'
+gem 'omniauth-github'
 
 # GITLAB patched libs
 gem "grit",          :git => "https://github.com/gitlabhq/grit.git",            :ref => "7f35cb98ff17d534a07e3ce6ec3d580f67402837"

Gemfile.lock

@@ -158,6 +158,8 @@ GEM
     factory_girl_rails (4.0.0)
       factory_girl (~> 4.0.0)
       railties (>= 3.0.0)
+    faraday (0.8.4)
+      multipart-post (~> 1.1)
     ffaker (1.14.0)
     ffi (1.0.11)
     foreman (0.47.0)
@@ -194,6 +196,7 @@ GEM
     httparty (0.8.3)
       multi_json (~> 1.0)
       multi_xml
+    httpauth (0.1)
     i18n (0.6.1)
     journey (1.0.4)
     jquery-rails (2.0.2)
@@ -203,6 +206,8 @@ GEM
       jquery-rails
       railties (>= 3.1.0)
     json (1.7.5)
+    jwt (0.1.5)
+      multi_json (>= 1.0)
     kaminari (0.14.0)
       actionpack (>= 3.0.0)
       activesupport (>= 3.0.0)
@@ -225,12 +230,35 @@ GEM
       sprockets (~> 2.0)
     multi_json (1.3.6)
     multi_xml (0.5.1)
+    multipart-post (1.1.5)
     mysql2 (0.3.11)
     net-ldap (0.2.2)
     nokogiri (1.5.3)
+    oauth (0.4.7)
+    oauth2 (0.8.0)
+      faraday (~> 0.8)
+      httpauth (~> 0.1)
+      jwt (~> 0.1.4)
+      multi_json (~> 1.0)
+      rack (~> 1.2)
     omniauth (1.1.0)
       hashie (~> 1.2)
       rack
+    omniauth-github (1.0.3)
+      omniauth (~> 1.0)
+      omniauth-oauth2 (~> 1.1)
+    omniauth-google-oauth2 (0.1.13)
+      omniauth (~> 1.0)
+      omniauth-oauth2
+    omniauth-oauth (1.0.1)
+      oauth
+      omniauth (~> 1.0)
+    omniauth-oauth2 (1.1.0)
+      oauth2 (~> 0.8.0)
+      omniauth (~> 1.0)
+    omniauth-twitter (0.0.13)
+      multi_json (~> 1.3)
+      omniauth-oauth (~> 1.0)
     orm_adapter (0.3.0)
     polyglot (0.3.3)
     posix-spawn (0.3.6)
@@ -420,7 +448,11 @@ DEPENDENCIES
   linguist (~> 1.0.0)!
   modernizr (= 2.5.3)
   mysql2
+  omniauth
+  omniauth-github
+  omniauth-google-oauth2
   omniauth-ldap!
+  omniauth-twitter
   pry
   pygments.rb!
   rack-mini-profiler

app/assets/stylesheets/gitlab_bootstrap/blocks.scss

@@ -142,4 +142,8 @@
       border:none;
     }
   }
+
+  .ui-box-body {
+    padding:10px;
+  }
 }

app/assets/stylesheets/main.scss

@@ -135,7 +135,6 @@ $hover: #fdf5d9;
  */
 @import "common.scss";
 
-
 /**
  * Styles related to specific part of app
  */

app/controllers/omniauth_callbacks_controller.rb

 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  Gitlab.config.omniauth_providers.each do |provider|
+    define_method provider['name'] do
+      handle_omniauth
+    end
+  end
 
   # Extend the standard message generation to accept our custom exception
   def failure_message
@@ -19,4 +24,27 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     sign_in_and_redirect @user
   end
 
+  private
+
+  def handle_omniauth
+    oauth = request.env['omniauth.auth']
+    provider, uid = oauth['provider'], oauth['uid']
+
+    if current_user
+      # Change a logged-in user's authentication method:
+      current_user.extern_uid = uid
+      current_user.provider = provider
+      current_user.save
+      redirect_to profile_path
+    else
+      @user = User.find_or_new_for_omniauth(oauth)
+
+      if @user
+        sign_in_and_redirect @user
+      else
+        flash[:notice] = "There's no such user!"
+        redirect_to new_user_session_path
+      end
+    end
+  end
 end

app/helpers/application_helper.rb

@@ -135,4 +135,10 @@ module ApplicationHelper
       "Never"
     end
   end
+
+  def authbutton(provider, size = 64)
+    file_name = "#{provider.to_s.split('_').first}_#{size}.png"
+    image_tag("authbuttons/#{file_name}",
+              alt: "Sign in with #{provider.to_s.titleize}")
+  end
 end

app/models/user.rb

@@ -86,33 +86,20 @@ class User < ActiveRecord::Base
     where('id NOT IN (SELECT DISTINCT(user_id) FROM users_projects)')
   end
 
-  def self.find_for_ldap_auth(auth, signed_in_resource=nil)
-    uid = auth.info.uid
-    provider = auth.provider
-    name = auth.info.name.force_encoding("utf-8")
-    email = auth.info.email.downcase unless auth.info.email.nil?
-    raise OmniAuth::Error, "LDAP accounts must provide an uid and email address" if uid.nil? or email.nil?
-
-    if @user = User.find_by_extern_uid_and_provider(uid, provider)
-      @user
-    # workaround for backward compatibility
-    elsif @user = User.find_by_email(email)
-      logger.info "Updating legacy LDAP user #{email} with extern_uid => #{uid}"
-      @user.update_attributes(:extern_uid => uid, :provider => provider)
-      @user
-    else
-      logger.info "Creating user from LDAP login {uid => #{uid}, name => #{name}, email => #{email}}"
-      password = Devise.friendly_token[0, 8].downcase
-      @user = User.create(
-        :extern_uid => uid,
-        :provider => provider,
-        :name => name,
-        :email => email,
-        :password => password,
-        :password_confirmation => password,
-        :projects_limit => Gitlab.config.default_projects_limit
-      )
+  def self.create_from_omniauth(auth, ldap = false)
+    gitlab_auth.create_from_omniauth(auth, ldap)
+  end
+
+  def self.find_or_new_for_omniauth(auth)
+    gitlab_auth.find_or_new_for_omniauth(auth)
   end
+
+  def self.find_for_ldap_auth(auth, signed_in_resource = nil)
+    gitlab_auth.find_for_ldap_auth(auth, signed_in_resource)
+  end
+
+  def self.gitlab_auth
+    Gitlab::Auth.new
   end
 
   def self.search query
@@ -148,4 +135,3 @@ end
 #  bio                    :string(255)
 #  blocked                :boolean(1)      default(FALSE), not null
 #
-

app/views/devise/sessions/new.html.haml

@@ -15,7 +15,8 @@
     .right
       = render :partial => "devise/shared/links"
     - if devise_mapping.omniauthable?
-      - resource_class.omniauth_providers.each do |provider|
       %hr/
-        = link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider), :class => "btn primary"
-        %br/
+      %ul.unstyled
+        - resource_class.omniauth_providers.each do |provider|
+          %li
+            = link_to authbutton(provider, 32), omniauth_authorize_path(resource_name, provider)

app/views/layouts/profile.html.haml

@@ -10,7 +10,7 @@
           = link_to "Profile", profile_path
 
         %li{class: tab_class(:password)}
-          = link_to "Password", profile_password_path
+          = link_to "Authentication", profile_password_path
 
         %li{class: tab_class(:ssh_keys)}
           = link_to keys_path do

app/views/profile/password.html.haml

 %h3.page_title Password
 %hr
+
 = form_for @user, url: profile_password_path, method: :put do |f|
+  .row
+    .span7
       .data
         %p.slead After successful password update you will be redirected to login page where you should login with new password
         -if @user.errors.any?
@@ -15,5 +18,14 @@
         .clearfix
           = f.label :password_confirmation
           .input= f.password_field :password_confirmation
+
+    - if Gitlab.config.omniauth_enabled?
+      .span5.right
+        .alert.alert-info
+          %strong Tip: Use one of the following sites to login
+          %ul.unstyled
+            - User.omniauth_providers.each do |provider|
+              %li= link_to authbutton(provider), |
+                   omniauth_authorize_path(User, provider) |
   .actions
     = f.submit 'Save', class: "btn save-btn"

app/views/profile/show.html.haml

@@ -50,6 +50,18 @@
           %strong Tip:
           You can change your avatar at gravatar.com
 
+      - @user.provider = 'twitter'
+      - if Gitlab.config.omniauth_enabled? && @user.provider?
+        .ui-box
+          .ui-box-body
+            %h4
+              Omniauth Providers:
+            = link_to "Change", profile_password_path, class: "btn small right"
+            You can login through #{@user.provider.titleize}!
+            = authbutton(@user.provider, 32)
+
+      .ui-box
+        .ui-box-body
           %h4
             Personal projects:
             %small.right
@@ -59,12 +71,13 @@
           .progress
             .bar{style: "width: #{current_user.projects_limit_percent}%;"}
 
+      .ui-box
+        .ui-box-body
           %h4
             SSH public keys:
-        %small.right
-          %span= link_to current_user.keys.count, keys_path
+            %strong.right= link_to current_user.keys.count, keys_path
 
-      = link_to "Add Public Key", new_key_path, class: "btn small right"
+          = link_to "Add Public Key", new_key_path, class: "btn small"
 
   .form-actions
     = f.submit 'Save', class: "btn save-btn"

config/gitlab.yml.example

@@ -25,8 +25,45 @@ app:
   # backup_keep_time: 604800      # default: 0 (forever) (in seconds)
   # disable_gravatar: true        # default: false - Disable user avatars from Gravatar.com
 
+
+
+
+#
+# 2. Auth settings
+# ==========================
+ldap: 
+  enabled: false
+  host: '_your_ldap_server'
+  base: '_the_base_where_you_search_for_users'
+  port: 636
+  uid: 'sAMAccountName'
+  method: 'ssl' # plain
+  bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
+  password: '_the_password_of_the_bind_user'
+
+omniauth:
+  # Enable ability for users
+  # to login via twitter, google ..
+  enabled: true
+
+  # IMPORTANT! 
+  # It allows user to login without having user account
+  allow_single_sign_on: false
+  block_auto_created_users: true
+
+  # Auth providers 
+  providers:
+    # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
+    #     app_secret: 'YOUR APP SECRET',
+    #     args: { access_type: 'offline', approval_prompt: '' } }
+    # - { name: 'twitter', app_id: 'YOUR APP ID',
+    #     app_secret: 'YOUR APP SECRET'}
+    # - { name: 'github', app_id: 'YOUR APP ID',
+    #     app_secret: 'YOUR APP SECRET' }
+
+
 #
-# 2. Advanced settings:
+# 3. Advanced settings:
 # ==========================
 
 # Git Hosting configuration

config/initializers/1_settings.rb

@@ -120,6 +120,22 @@ class Settings < Settingslogic
       app['backup_keep_time'] || 0
     end
 
+    def ldap_enabled?
+      ldap['enabled']
+    rescue
+      false
+    end
+
+    def omniauth_enabled?
+      omniauth && omniauth['enabled']
+    rescue
+      false
+    end
+
+    def omniauth_providers
+      omniauth['providers'] || []
+    end
+
     def disable_gravatar?
       app['disable_gravatar'] || false
     end

config/initializers/devise.rb

@@ -204,4 +204,21 @@ Devise.setup do |config|
   #   manager.intercept_401 = false
   #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
   # end
+
+  gl = Gitlab.config
+
+  if gl.ldap_enabled?
+    config.omniauth :ldap,
+      :host     => gl.ldap['host'],
+      :base     => gl.ldap['base'],
+      :uid      => gl.ldap['uid'],
+      :port     => gl.ldap['port'],
+      :method   => gl.ldap['method'],
+      :bind_dn  => gl.ldap['bind_dn'],
+      :password => gl.ldap['password']
+  end
+
+  gl.omniauth_providers.each do |gl_provider|
+    config.omniauth gl_provider['name'].to_sym, gl_provider['app_id'], gl_provider['app_secret']
+  end
 end

config/initializers/omniauth.rb.sample

-# Copy this file to 'omniauth.rb' and configure it as necessary.
-# The wiki has further details on configuring each provider.
-
-Devise.setup do |config|
-  # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
-
-  # config.omniauth :ldap, 
-  #     :host => 'YOUR_LDAP_SERVER',
-  #     :base => 'THE_BASE_WHERE_YOU_SEARCH_FOR_USERS',
-  #     :uid => 'sAMAccountName',
-  #     :port => 389,
-  #     :method => :plain,
-  #     :bind_dn => 'THE_FULL_DN_OF_THE_USER_YOU_WILL_BIND_WITH',
-  #     :password => 'THE_PASSWORD_OF_THE_BIND_USER'
-end

lib/gitlab/auth.rb

+module Gitlab
+  class Auth
+    def find_for_ldap_auth(auth, signed_in_resource = nil)
+      uid = auth.info.uid
+      provider = auth.provider
+      email = auth.info.email.downcase unless auth.info.email.nil?
+      raise OmniAuth::Error, "LDAP accounts must provide an uid and email address" if uid.nil? or email.nil?
+
+      if @user = User.find_by_extern_uid_and_provider(uid, provider)
+        @user
+      elsif @user = User.find_by_email(email)
+        log.info "Updating legacy LDAP user #{email} with extern_uid => #{uid}"
+        @user.update_attributes(:extern_uid => uid, :provider => provider)
+        @user
+      else
+        create_from_omniauth(auth, true)
+      end
+    end
+
+    def create_from_omniauth auth, ldap = false
+      provider = auth.provider
+      uid = auth.info.uid || auth.uid
+      name = auth.info.name.force_encoding("utf-8")
+      email = auth.info.email.downcase unless auth.info.email.nil?
+
+      ldap_prefix = ldap ? '(LDAP) ' : ''
+      raise OmniAuth::Error, "#{ldap_prefix}#{provider} does not provide an email"\
+        " address" if auth.info.email.blank?
+
+      log.info "#{ldap_prefix}Creating user from #{provider} login"\
+        " {uid => #{uid}, name => #{name}, email => #{email}}"
+      password = Devise.friendly_token[0, 8].downcase
+      @user = User.new(
+        extern_uid: uid,
+        provider: provider,
+        name: name,
+        email: email,
+        password: password,
+        password_confirmation: password,
+        projects_limit: Gitlab.config.default_projects_limit,
+      )
+      if Gitlab.config.omniauth.block_auto_created_users && !ldap
+        @user.blocked = true
+      end
+      @user.save!
+      @user
+    end
+
+    def find_or_new_for_omniauth(auth)
+      provider, uid = auth.provider, auth.uid
+
+      if @user = User.find_by_provider_and_extern_uid(provider, uid)
+        @user
+      else
+        if Gitlab.config.omniauth.allow_single_sign_on
+          @user = create_from_omniauth(auth)
+          @user
+        end
+      end
+    end
+
+    def log
+      Gitlab::AppLogger
+    end
+  end
+end

spec/lib/auth_spec.rb

+require 'spec_helper'
+
+describe Gitlab::Auth do
+  let(:gl_auth) { Gitlab::Auth.new }
+
+  before do
+    @info = mock(
+      uid: '12djsak321',
+      name: 'John',
+      email: 'john@mail.com'
+    )
+  end
+
+  describe :find_for_ldap_auth do
+    before do
+      @auth = mock(
+        uid: '12djsak321',
+        info: @info,
+        provider: 'ldap'
+      )
+    end
+
+    it "should find by uid & provider" do
+      User.should_receive :find_by_extern_uid_and_provider
+      gl_auth.find_for_ldap_auth(@auth)
+    end
+
+    it "should update credentials by email if missing uid" do
+      user = double('User')
+      User.stub find_by_extern_uid_and_provider: nil
+      User.stub find_by_email: user
+      user.should_receive :update_attributes
+      gl_auth.find_for_ldap_auth(@auth)
+    end
+
+
+    it "should create from auth if user doesnot exist"do
+      User.stub find_by_extern_uid_and_provider: nil
+      User.stub find_by_email: nil
+      gl_auth.should_receive :create_from_omniauth
+      gl_auth.find_for_ldap_auth(@auth)
+    end
+  end
+
+  describe :find_or_new_for_omniauth do
+    before do
+      @auth = mock(
+        info: @info,
+        provider: 'twitter',
+        uid: '12djsak321',
+      )
+    end
+
+    it "should find user"do
+      User.should_receive :find_by_provider_and_extern_uid
+      gl_auth.should_not_receive :create_from_omniauth
+      gl_auth.find_or_new_for_omniauth(@auth)
+    end
+
+    it "should not create user"do
+      User.stub find_by_provider_and_extern_uid: nil
+      gl_auth.should_not_receive :create_from_omniauth
+      gl_auth.find_or_new_for_omniauth(@auth)
+    end
+
+    it "should create user if single_sing_on"do
+      Gitlab.config.omniauth.stub allow_single_sign_on: true
+      User.stub find_by_provider_and_extern_uid: nil
+      gl_auth.should_receive :create_from_omniauth
+      gl_auth.find_or_new_for_omniauth(@auth)
+    end
+  end
+
+  describe :create_from_omniauth do
+    it "should create user from LDAP" do
+      @auth = mock(info: @info, provider: 'ldap')
+      user = gl_auth.create_from_omniauth(@auth, true)
+
+      user.should be_valid
+      user.extern_uid.should == @info.uid
+      user.provider.should == 'ldap'
+    end
+
+    it "should create user from Omniauth" do
+      @auth = mock(info: @info, provider: 'twitter')
+      user = gl_auth.create_from_omniauth(@auth, false)
+
+      user.should be_valid
+      user.extern_uid.should == @info.uid
+      user.provider.should == 'twitter'
+    end
+  end
+end