Merge branch 'feature/sso_integration' into 'master'

Add an option to automatically sign-in with an Omniauth provider Split of !669 as requested This is useful when integrating with existing SSO environments and we want to use a single Omniauth provider for all user authentication. See merge request !723

Merge branch 'feature/sso_integration' into 'master'
Add an option to automatically sign-in with an Omniauth provider Split of !669 as requested This is useful when integrating with existing SSO environments and we want to use a single Omniauth provider for all user authentication. See merge request !723
d99637bf · Douwe Maan · 76ae8719 · 5491f6fb · d99637bf · d99637bf
Commit d99637bf authored Jun 02, 2015 by Douwe Maan
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -37,6 +37,7 @@ v 7.12.0 (unreleased)
  - User has ability to leave project
  - Add SAML support as an omniauth provider
  - Allow to configure a URL to show after sign out 
+  - Add an option to automatically sign-in with an Omniauth provider

 v 7.11.4
  - Fix missing bullets when creating lists

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -2,6 +2,7 @@ class SessionsController < Devise::SessionsController
  include AuthenticatesWithTwoFactor

  prepend_before_action :authenticate_with_two_factor, only: [:create]
+  before_action :auto_sign_in_with_provider, only: [:new]

  def new
    redirect_path =
@@ -75,6 +76,21 @@ class SessionsController < Devise::SessionsController
    end
  end

+  def auto_sign_in_with_provider
+    provider = Gitlab.config.omniauth.auto_sign_in_with_provider
+    return unless provider.present?
+
+    # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is 
+    # registered or no alert at all. In case of another alert (such as a blocked user), it is safer  
+    # to do nothing to prevent redirection loops with certain Omniauth providers.
+    return unless flash[:alert].blank? || flash[:alert] == I18n.t('devise.failure.unauthenticated')
+    
+    # Prevent alert from popping up on the first page shown after authentication.
+    flash[:alert] = nil 
+    
+    redirect_to omniauth_authorize_path(:user, provider.to_sym)
+  end
+
  def valid_otp_attempt?(user)
    user.valid_otp?(user_params[:otp_attempt]) ||
    user.invalidate_otp_backup_code!(user_params[:otp_attempt])

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -182,6 +182,10 @@ production: &base
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: false

+    # Uncomment this to automatically sign in with a specific omniauth provider's without
+    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
+    # auto_sign_in_with_provider: saml
+
    # CAUTION!
    # This allows users to login without having a user account first (default: false).
    # User accounts will be created automatically when authentication was successful.

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -87,6 +87,8 @@ end

 Settings['omniauth'] ||= Settingslogic.new({})
 Settings.omniauth['enabled']      = false if Settings.omniauth['enabled'].nil?
+Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil?
+
 Settings.omniauth['providers']  ||= []

 Settings['issues_tracker']  ||= {}

--- a/config/initializers/7_omniauth.rb
+++ b/config/initializers/7_omniauth.rb
@@ -12,6 +12,8 @@ if Gitlab::LDAP::Config.enabled?
 end

 OmniAuth.config.allowed_request_methods = [:post]
+#In case of auto sign-in, the GET method is used (users don't get to click on a button)
+OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
  OmniAuth::RequestForgeryProtection.new(env).call
 end