Commit d0afab48 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Disable SAML if OmniAuth is disabled

We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
parent 8895863c
...@@ -157,6 +157,8 @@ class SessionsController < Devise::SessionsController ...@@ -157,6 +157,8 @@ class SessionsController < Devise::SessionsController
end end
def auto_sign_in_with_provider def auto_sign_in_with_provider
return unless Gitlab::Auth.omniauth_enabled?
provider = Gitlab.config.omniauth.auto_sign_in_with_provider provider = Gitlab.config.omniauth.auto_sign_in_with_provider
return unless provider.present? return unless provider.present?
......
...@@ -7,7 +7,7 @@ module AuthHelper ...@@ -7,7 +7,7 @@ module AuthHelper
end end
def omniauth_enabled? def omniauth_enabled?
Gitlab.config.omniauth.enabled Gitlab::Auth.omniauth_enabled?
end end
def provider_has_icon?(name) def provider_has_icon?(name)
......
...@@ -91,10 +91,10 @@ ...@@ -91,10 +91,10 @@
%span.light.float-right %span.light.float-right
= boolean_to_icon gravatar_enabled? = boolean_to_icon gravatar_enabled?
- omniauth = "OmniAuth" - omniauth = "OmniAuth"
%p{ "aria-label" => "#{omniauth}: status " + (Gitlab.config.omniauth.enabled ? "on" : "off") } %p{ "aria-label" => "#{omniauth}: status " + (Gitlab::Auth.omniauth_enabled? ? "on" : "off") }
= omniauth = omniauth
%span.light.float-right %span.light.float-right
= boolean_to_icon Gitlab.config.omniauth.enabled = boolean_to_icon Gitlab::Auth.omniauth_enabled?
- reply_email = "Reply by email" - reply_email = "Reply by email"
%p{ "aria-label" => "#{reply_email}: status " + (Gitlab::IncomingEmail.enabled? ? "on" : "off") } %p{ "aria-label" => "#{reply_email}: status " + (Gitlab::IncomingEmail.enabled? ? "on" : "off") }
= reply_email = reply_email
......
---
title: Disable SAML and Bitbucket if OmniAuth is disabled
merge_request: 20608
author:
type: fixed
...@@ -219,7 +219,7 @@ Devise.setup do |config| ...@@ -219,7 +219,7 @@ Devise.setup do |config|
end end
end end
if Gitlab::OmniauthInitializer.enabled? if Gitlab::Auth.omniauth_enabled?
Gitlab::OmniauthInitializer.new(config).execute(Gitlab.config.omniauth.providers) Gitlab::OmniauthInitializer.new(config).execute(Gitlab.config.omniauth.providers)
end end
end end
...@@ -16,8 +16,3 @@ OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_s ...@@ -16,8 +16,3 @@ OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_s
OmniAuth.config.before_request_phase do |env| OmniAuth.config.before_request_phase do |env|
Gitlab::RequestForgeryProtection.call(env) Gitlab::RequestForgeryProtection.call(env)
end end
if Gitlab::OmniauthInitializer.enabled?
provider_names = Gitlab.config.omniauth.providers.map(&:name)
Gitlab::Auth.omniauth_setup_providers(provider_names)
end
...@@ -14,23 +14,8 @@ module Gitlab ...@@ -14,23 +14,8 @@ module Gitlab
DEFAULT_SCOPES = [:api].freeze DEFAULT_SCOPES = [:api].freeze
class << self class << self
def omniauth_customized_providers def omniauth_enabled?
@omniauth_customized_providers ||= %w[bitbucket jwt] Gitlab.config.omniauth.enabled
end
def omniauth_setup_providers(provider_names)
provider_names.each do |provider|
omniauth_setup_a_provider(provider)
end
end
def omniauth_setup_a_provider(provider)
case provider
when 'kerberos'
require 'omniauth-kerberos'
when *omniauth_customized_providers
require_dependency "omni_auth/strategies/#{provider}"
end
end end
def find_for_git_client(login, password, project:, ip:) def find_for_git_client(login, password, project:, ip:)
......
...@@ -30,7 +30,7 @@ module Gitlab ...@@ -30,7 +30,7 @@ module Gitlab
def self.enabled?(name) def self.enabled?(name)
return true if name == 'database' return true if name == 'database'
providers.include?(name.to_sym) Gitlab::Auth.omniauth_enabled? && providers.include?(name.to_sym)
end end
def self.ldap_provider?(name) def self.ldap_provider?(name)
......
module Gitlab module Gitlab
class OmniauthInitializer class OmniauthInitializer
def self.enabled?
Gitlab.config.omniauth.enabled ||
Gitlab.config.omniauth.auto_sign_in_with_provider.present?
end
def initialize(devise_config) def initialize(devise_config)
@devise_config = devise_config @devise_config = devise_config
end end
def execute(providers) def execute(providers)
providers.each do |provider| providers.each do |provider|
add_provider(provider['name'].to_sym, *arguments_for(provider)) name = provider['name'].to_sym
add_provider_to_devise(name, *arguments_for(provider))
setup_provider(name)
end end
end end
private private
def add_provider(*args) def add_provider_to_devise(*args)
@devise_config.omniauth(*args) @devise_config.omniauth(*args)
end end
...@@ -76,5 +74,23 @@ module Gitlab ...@@ -76,5 +74,23 @@ module Gitlab
end end
end end
end end
def omniauth_customized_providers
@omniauth_customized_providers ||= build_omniauth_customized_providers
end
# We override this in EE
def build_omniauth_customized_providers
%i[bitbucket jwt]
end
def setup_provider(provider)
case provider
when :kerberos
require 'omniauth-kerberos'
when *omniauth_customized_providers
require_dependency "omni_auth/strategies/#{provider}"
end
end
end end
end end
...@@ -95,7 +95,7 @@ module Gitlab ...@@ -95,7 +95,7 @@ module Gitlab
gravatar_enabled: Gitlab::CurrentSettings.gravatar_enabled?, gravatar_enabled: Gitlab::CurrentSettings.gravatar_enabled?,
ldap_enabled: Gitlab.config.ldap.enabled, ldap_enabled: Gitlab.config.ldap.enabled,
mattermost_enabled: Gitlab.config.mattermost.enabled, mattermost_enabled: Gitlab.config.mattermost.enabled,
omniauth_enabled: Gitlab.config.omniauth.enabled, omniauth_enabled: Gitlab::Auth.omniauth_enabled?,
reply_by_email_enabled: Gitlab::IncomingEmail.enabled?, reply_by_email_enabled: Gitlab::IncomingEmail.enabled?,
signup_enabled: Gitlab::CurrentSettings.allow_signup? signup_enabled: Gitlab::CurrentSettings.allow_signup?
} }
......
...@@ -54,8 +54,8 @@ namespace :gitlab do ...@@ -54,8 +54,8 @@ namespace :gitlab do
puts "HTTP Clone URL:\t#{http_clone_url}" puts "HTTP Clone URL:\t#{http_clone_url}"
puts "SSH Clone URL:\t#{ssh_clone_url}" puts "SSH Clone URL:\t#{ssh_clone_url}"
puts "Using LDAP:\t#{Gitlab.config.ldap.enabled ? "yes".color(:green) : "no"}" puts "Using LDAP:\t#{Gitlab.config.ldap.enabled ? "yes".color(:green) : "no"}"
puts "Using Omniauth:\t#{Gitlab.config.omniauth.enabled ? "yes".color(:green) : "no"}" puts "Using Omniauth:\t#{Gitlab::Auth.omniauth_enabled? ? "yes".color(:green) : "no"}"
puts "Omniauth Providers: #{omniauth_providers.join(', ')}" if Gitlab.config.omniauth.enabled puts "Omniauth Providers: #{omniauth_providers.join(', ')}" if Gitlab::Auth.omniauth_enabled?
# check Gitolite version # check Gitolite version
gitlab_shell_version_file = "#{Gitlab.config.gitlab_shell.hooks_path}/../VERSION" gitlab_shell_version_file = "#{Gitlab.config.gitlab_shell.hooks_path}/../VERSION"
......
...@@ -133,7 +133,7 @@ describe Gitlab::UsageData do ...@@ -133,7 +133,7 @@ describe Gitlab::UsageData do
expect(subject[:signup_enabled]).to eq(Gitlab::CurrentSettings.allow_signup?) expect(subject[:signup_enabled]).to eq(Gitlab::CurrentSettings.allow_signup?)
expect(subject[:ldap_enabled]).to eq(Gitlab.config.ldap.enabled) expect(subject[:ldap_enabled]).to eq(Gitlab.config.ldap.enabled)
expect(subject[:gravatar_enabled]).to eq(Gitlab::CurrentSettings.gravatar_enabled?) expect(subject[:gravatar_enabled]).to eq(Gitlab::CurrentSettings.gravatar_enabled?)
expect(subject[:omniauth_enabled]).to eq(Gitlab.config.omniauth.enabled) expect(subject[:omniauth_enabled]).to eq(Gitlab::Auth.omniauth_enabled?)
expect(subject[:reply_by_email_enabled]).to eq(Gitlab::IncomingEmail.enabled?) expect(subject[:reply_by_email_enabled]).to eq(Gitlab::IncomingEmail.enabled?)
expect(subject[:container_registry_enabled]).to eq(Gitlab.config.registry.enabled) expect(subject[:container_registry_enabled]).to eq(Gitlab.config.registry.enabled)
expect(subject[:gitlab_shared_runners_enabled]).to eq(Gitlab.config.gitlab_ci.shared_runners_enabled) expect(subject[:gitlab_shared_runners_enabled]).to eq(Gitlab.config.gitlab_ci.shared_runners_enabled)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment