Commit d0afab48 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Disable SAML if OmniAuth is disabled

We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
parent 8895863c
......@@ -157,6 +157,8 @@ class SessionsController < Devise::SessionsController
end
def auto_sign_in_with_provider
return unless Gitlab::Auth.omniauth_enabled?
provider = Gitlab.config.omniauth.auto_sign_in_with_provider
return unless provider.present?
......
......@@ -7,7 +7,7 @@ module AuthHelper
end
def omniauth_enabled?
Gitlab.config.omniauth.enabled
Gitlab::Auth.omniauth_enabled?
end
def provider_has_icon?(name)
......
......@@ -91,10 +91,10 @@
%span.light.float-right
= boolean_to_icon gravatar_enabled?
- omniauth = "OmniAuth"
%p{ "aria-label" => "#{omniauth}: status " + (Gitlab.config.omniauth.enabled ? "on" : "off") }
%p{ "aria-label" => "#{omniauth}: status " + (Gitlab::Auth.omniauth_enabled? ? "on" : "off") }
= omniauth
%span.light.float-right
= boolean_to_icon Gitlab.config.omniauth.enabled
= boolean_to_icon Gitlab::Auth.omniauth_enabled?
- reply_email = "Reply by email"
%p{ "aria-label" => "#{reply_email}: status " + (Gitlab::IncomingEmail.enabled? ? "on" : "off") }
= reply_email
......
---
title: Disable SAML and Bitbucket if OmniAuth is disabled
merge_request: 20608
author:
type: fixed
......@@ -219,7 +219,7 @@ Devise.setup do |config|
end
end
if Gitlab::OmniauthInitializer.enabled?
if Gitlab::Auth.omniauth_enabled?
Gitlab::OmniauthInitializer.new(config).execute(Gitlab.config.omniauth.providers)
end
end
......@@ -16,8 +16,3 @@ OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_s
OmniAuth.config.before_request_phase do |env|
Gitlab::RequestForgeryProtection.call(env)
end
if Gitlab::OmniauthInitializer.enabled?
provider_names = Gitlab.config.omniauth.providers.map(&:name)
Gitlab::Auth.omniauth_setup_providers(provider_names)
end
......@@ -14,23 +14,8 @@ module Gitlab
DEFAULT_SCOPES = [:api].freeze
class << self
def omniauth_customized_providers
@omniauth_customized_providers ||= %w[bitbucket jwt]
end
def omniauth_setup_providers(provider_names)
provider_names.each do |provider|
omniauth_setup_a_provider(provider)
end
end
def omniauth_setup_a_provider(provider)
case provider
when 'kerberos'
require 'omniauth-kerberos'
when *omniauth_customized_providers
require_dependency "omni_auth/strategies/#{provider}"
end
def omniauth_enabled?
Gitlab.config.omniauth.enabled
end
def find_for_git_client(login, password, project:, ip:)
......
......@@ -30,7 +30,7 @@ module Gitlab
def self.enabled?(name)
return true if name == 'database'
providers.include?(name.to_sym)
Gitlab::Auth.omniauth_enabled? && providers.include?(name.to_sym)
end
def self.ldap_provider?(name)
......
module Gitlab
class OmniauthInitializer
def self.enabled?
Gitlab.config.omniauth.enabled ||
Gitlab.config.omniauth.auto_sign_in_with_provider.present?
end
def initialize(devise_config)
@devise_config = devise_config
end
def execute(providers)
providers.each do |provider|
add_provider(provider['name'].to_sym, *arguments_for(provider))
name = provider['name'].to_sym
add_provider_to_devise(name, *arguments_for(provider))
setup_provider(name)
end
end
private
def add_provider(*args)
def add_provider_to_devise(*args)
@devise_config.omniauth(*args)
end
......@@ -76,5 +74,23 @@ module Gitlab
end
end
end
def omniauth_customized_providers
@omniauth_customized_providers ||= build_omniauth_customized_providers
end
# We override this in EE
def build_omniauth_customized_providers
%i[bitbucket jwt]
end
def setup_provider(provider)
case provider
when :kerberos
require 'omniauth-kerberos'
when *omniauth_customized_providers
require_dependency "omni_auth/strategies/#{provider}"
end
end
end
end
......@@ -95,7 +95,7 @@ module Gitlab
gravatar_enabled: Gitlab::CurrentSettings.gravatar_enabled?,
ldap_enabled: Gitlab.config.ldap.enabled,
mattermost_enabled: Gitlab.config.mattermost.enabled,
omniauth_enabled: Gitlab.config.omniauth.enabled,
omniauth_enabled: Gitlab::Auth.omniauth_enabled?,
reply_by_email_enabled: Gitlab::IncomingEmail.enabled?,
signup_enabled: Gitlab::CurrentSettings.allow_signup?
}
......
......@@ -54,8 +54,8 @@ namespace :gitlab do
puts "HTTP Clone URL:\t#{http_clone_url}"
puts "SSH Clone URL:\t#{ssh_clone_url}"
puts "Using LDAP:\t#{Gitlab.config.ldap.enabled ? "yes".color(:green) : "no"}"
puts "Using Omniauth:\t#{Gitlab.config.omniauth.enabled ? "yes".color(:green) : "no"}"
puts "Omniauth Providers: #{omniauth_providers.join(', ')}" if Gitlab.config.omniauth.enabled
puts "Using Omniauth:\t#{Gitlab::Auth.omniauth_enabled? ? "yes".color(:green) : "no"}"
puts "Omniauth Providers: #{omniauth_providers.join(', ')}" if Gitlab::Auth.omniauth_enabled?
# check Gitolite version
gitlab_shell_version_file = "#{Gitlab.config.gitlab_shell.hooks_path}/../VERSION"
......
......@@ -133,7 +133,7 @@ describe Gitlab::UsageData do
expect(subject[:signup_enabled]).to eq(Gitlab::CurrentSettings.allow_signup?)
expect(subject[:ldap_enabled]).to eq(Gitlab.config.ldap.enabled)
expect(subject[:gravatar_enabled]).to eq(Gitlab::CurrentSettings.gravatar_enabled?)
expect(subject[:omniauth_enabled]).to eq(Gitlab.config.omniauth.enabled)
expect(subject[:omniauth_enabled]).to eq(Gitlab::Auth.omniauth_enabled?)
expect(subject[:reply_by_email_enabled]).to eq(Gitlab::IncomingEmail.enabled?)
expect(subject[:container_registry_enabled]).to eq(Gitlab.config.registry.enabled)
expect(subject[:gitlab_shared_runners_enabled]).to eq(Gitlab.config.gitlab_ci.shared_runners_enabled)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment