GitLab Bot
b042382bbf
Add latest changes from gitlab-org/gitlab@master
2020-02-05 18:09:06 +00:00
GitLab Bot
ca05512007
Add latest changes from gitlab-org/gitlab@master
2020-02-04 18:08:50 +00:00
GitLab Bot
88a0824944
Add latest changes from gitlab-org/gitlab@master
2020-02-04 12:09:00 +00:00
GitLab Bot
22e9af3c8b
Add latest changes from gitlab-org/gitlab@master
2020-01-27 12:08:35 +00:00
GitLab Bot
0012439861
Add latest changes from gitlab-org/gitlab@master
2020-01-22 09:08:39 +00:00
GitLab Bot
a5ab3467a7
Add latest changes from gitlab-org/gitlab@master
2020-01-13 15:07:53 +00:00
GitLab Bot
cddaddb86b
Add latest changes from gitlab-org/gitlab@master
2020-01-09 12:08:03 +00:00
GitLab Bot
9763c08170
Add latest changes from gitlab-org/gitlab@master
2019-12-17 03:07:45 +00:00
GitLab Bot
b86f474bf5
Add latest changes from gitlab-org/gitlab@master
2019-12-11 12:08:10 +00:00
GitLab Bot
115c8ea7af
Add latest changes from gitlab-org/gitlab@master
2019-12-10 18:08:04 +00:00
GitLab Bot
e1867c38fc
Add latest changes from gitlab-org/gitlab@master
2019-12-06 18:07:44 +00:00
GitLab Bot
4529c19950
Add latest changes from gitlab-org/gitlab@master
2019-12-03 21:06:23 +00:00
GitLab Bot
18a102a5b9
Add latest changes from gitlab-org/gitlab@master
2019-11-08 03:06:48 +00:00
GitLab Bot
8078bd185f
Add latest changes from gitlab-org/gitlab@master
2019-11-01 00:06:02 +00:00
GitLab Bot
308146dc39
Add latest changes from gitlab-org/gitlab@master
2019-10-10 00:06:44 +00:00
Sebastian Arcila Valenzuela
3692e9f8a2
Validate that SAML requests are originated from gitlab
...
If the request wasn't initiated by gitlab we shouldn't add the new
identity to the user, and instead show that we weren't able to link
the identity to the user.
This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
2019-09-30 14:22:06 +02:00
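The check the commit above describes, as an added example that is not GitLab's own code: GitLab records the ID of every AuthnRequest it sends, and the SAML callback only links a new identity when the response's InResponseTo names one of those IDs. The registry class, the five-minute TTL, the single-use consumption and the hash standing in for the parsed assertion are all assumptions of this example.

```ruby
require 'securerandom'

# Registry of AuthnRequest IDs that the application itself issued. The class,
# the TTL and the in-memory store are assumptions for this example.
class SamlRequestRegistry
  TTL_SECONDS = 300

  def initialize(clock: -> { Time.now })
    @clock = clock
    @pending = {}
  end

  # Called when the application builds the AuthnRequest: remember the ID
  # sent to the IdP so the callback can prove the exchange began here.
  def issue
    id = "_#{SecureRandom.hex(16)}"
    @pending[id] = @clock.call
    id
  end

  # Called on the callback with the response's InResponseTo value. The
  # response counts as GitLab-initiated only if it answers an ID we issued,
  # that ID has not expired, and it has not been used before (it is consumed
  # here, so an IdP-initiated or replayed response fails the check).
  def gitlab_initiated?(in_response_to)
    return false if in_response_to.nil? || in_response_to.empty?

    issued_at = @pending.delete(in_response_to)
    return false if issued_at.nil?

    (@clock.call - issued_at) <= TTL_SECONDS
  end
end

# Link an external SAML identity to a user only for a GitLab-initiated
# response. +identities+ is the user's list of linked identities and
# +response+ is a constructed hash standing in for the parsed assertion.
def link_saml_identity(registry, identities, response)
  unless registry.gitlab_initiated?(response[:in_response_to])
    return { linked: false,
             error: 'Unable to link identity: request was not initiated by GitLab' }
  end

  identities << { provider: 'saml', extern_uid: response[:extern_uid] }
  { linked: true }
end

if $PROGRAM_NAME == __FILE__
  registry = SamlRequestRegistry.new
  identities = []
  request_id = registry.issue
  puts link_saml_identity(registry, identities,
                          { in_response_to: request_id, extern_uid: 'alice@idp.example' })
  puts link_saml_identity(registry, identities,
                          { in_response_to: nil, extern_uid: 'mallory@idp.example' })
end
```

The important property is that the failure path shows an error and leaves the identity list untouched; a forged, unsolicited or replayed response can never attach an attacker-controlled extern_uid to the signed-in user.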
GitLab Bot
4309992515
Add latest changes from gitlab-org/gitlab@master
2019-09-26 21:06:29 +00:00
GitLab Bot
5707f305f4
Add latest changes from gitlab-org/gitlab@master
2019-09-26 12:06:00 +00:00
GitLab Bot
bd860c22f6
Add latest changes from gitlab-org/gitlab@master
2019-09-17 12:06:48 +00:00
GitLab Bot
b7dfe2ae40
Add latest changes from gitlab-org/gitlab@master
2019-09-13 13:26:31 +00:00
Ahmad Sherif
3c2b4a1ced
Enable serving static objects from an external storage
...
It consists of two parts:
1. Redirecting users to the configured external storage
1. Allowing the external storage to request the static object(s)
on behalf of the user by means of specific tokens
Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829
2019-09-10 13:43:11 +02:00
dineshpanda
e908e11776
Avoid calling freeze on already frozen strings in lib/gitlab
2019-09-04 09:52:02 +05:30
dodocat
6e2032f24e
Update docs and comments about saml with allow_bypass_two_factor
...
allow_bypass_two_factor configuration does not work with saml provider
2019-08-27 03:46:32 +00:00
Imre Farkas
929b403d21
Ensure Warden triggers after_authentication callback
...
By not triggering the callback:
- ActiveSession lookup keys are not cleaned
- Devise also misses its hook related to session cleanup
2019-07-26 07:05:50 +00:00
Thong Kuah
d4ef3be35b
Frozen string cannot change encoding
...
This was shown in specs but surely this will be happening in application
code as well if this method is passed a frozen string.
We were also trying to force_encode an OmniAuth::AuthHash which had the
very confusing behaviour of returning nil when it was sent a method that
it did not define. Fix that by only force_encoding a String.
2019-07-26 00:13:25 +12:00
Steve Abrams
aba93fe2d5
OAuth2 support for GitLab personal access tokens
...
PATs are accepted using the OAuth2 compliant header
"Authorization: Bearer {token}" in order to allow for
OAuth requests while 2FA is enabled.
2019-07-22 08:50:25 +00:00
Mayra Cabrera
0ab89d8e36
Add a rubocop for Rails.logger
...
Suggests to use a JSON structured log instead
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/54102
2019-07-10 19:26:47 +00:00
Stan Hu
82c31a9add
Support CIDR notation in IP rate limiter
...
This will make it possible to whitelist multiple IP addresses
(e.g. 192.168.0.1/24).
2019-06-27 23:16:11 -07:00
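An added example (not GitLab's own rate limiter) of the allowlist behaviour the commit above introduces, using Ruby's standard IPAddr so that a single address and a CIDR range such as 192.168.0.1/24 are handled by the same check. The class names and the minimal counting limiter around the allowlist are assumptions of this example.

```ruby
require 'ipaddr'

# Allowlist entries may be single hosts ("10.1.2.3") or CIDR blocks
# ("192.168.0.1/24"). IPAddr masks a host-with-prefix to its network
# (192.168.0.1/24 becomes 192.168.0.0/24), which is what an operator
# copying an address out of a log usually means. Class name is assumed.
class IpRateLimiterAllowlist
  def initialize(entries)
    @ranges = entries.map { |entry| IPAddr.new(entry.strip) }
  end

  # True when the client address falls inside any entry. IPAddr#include?
  # handles both a bare host (/32 or /128) and a CIDR range, and returns
  # false across address families. Malformed input is treated as "not
  # allowlisted" rather than raised, so a bad value can never bypass the limiter.
  def allowed?(ip)
    addr = IPAddr.new(ip.to_s)
    @ranges.any? { |range| range.include?(addr) }
  rescue IPAddr::Error
    false
  end
end

# A deliberately simple per-IP counter (no time window, no Redis) that only
# exists to show where the allowlist check sits: before anything is counted.
class IpRateLimiter
  def initialize(allowlist:, threshold:)
    @allowlist = allowlist
    @threshold = threshold
    @counts = Hash.new(0)
  end

  # Returns true when the request from +ip+ should be rejected.
  def throttled?(ip)
    return false if @allowlist.allowed?(ip)

    @counts[ip] += 1
    @counts[ip] > @threshold
  end
end

if $PROGRAM_NAME == __FILE__
  allowlist = IpRateLimiterAllowlist.new(['192.168.0.1/24', '10.1.2.3'])
  limiter = IpRateLimiter.new(allowlist: allowlist, threshold: 2)
  puts allowlist.allowed?('192.168.0.77')
  puts 3.times.map { limiter.throttled?('203.0.113.9') }.inspect
end
```

Note the masking: an entry written as 192.168.0.1/24 allowlists the whole 192.168.0.0/24 network, not just that one host, so review allowlist entries with a prefix length as ranges, not addresses.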
Kartikey Tanna
53af3e6b9e
#57815 Password authentication disabled for UltraAuth users
...
Disabled password authentication for the users registered using
omniauth-ultraauth strategy
2019-06-18 16:18:14 +00:00
Martin Wortschack
9c95200219
Add no-tabs class and externalize strings
...
- Add .no-tabs to login-box
- Externalize strings in common signup box
- Leverage render_if_exists
- Update PO file
2019-05-27 13:20:27 +00:00
Stan Hu
f93b2e02a5
Run rubocop -a on CE files
2019-05-05 03:24:28 -07:00
Rémy Coutable
45da7dd306
Backport 'Update user name upon LDAP sync' from EE
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-25 11:16:01 +01:00
Rémy Coutable
8018bc96a3
Handle nil name in Gitlab::Auth::LDAP::Person#name
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-20 14:59:07 +01:00
Andrew Newdigate
3288e1a874
Adds the Rubocop ReturnNil cop
...
This style change enforces `return if ...` instead of
`return nil if ...` to save maintainers a few minor review points
2019-03-06 17:51:56 +02:00
Douwe Maan
ed41f4e6ea
Merge branch 'add_ldap_tls_options' into 'master'
...
Allow raw `tls_options` to be passed in LDAP configuration
Closes #46391
See merge request gitlab-org/gitlab-ce!20678
2019-03-05 13:17:23 +00:00
Yorick Peterse
040e6e72bf
Merge branch 'ce-security-jej/group-saml-link-origin-verification' into 'master'
...
Ensure request to link GroupSAML account was GitLab initiated
See merge request gitlab/gitlabhq!2976
2019-03-04 18:36:26 +00:00
Drew Blessing
f6350faca1
Allow raw `tls_options` to be passed in LDAP configuration
...
We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.
2019-03-04 10:27:43 -06:00
Imre Farkas
b57cf4ae3f
Backport of ee/9235: Add LDAP integration to smartcard authentication
2019-01-27 22:26:32 +01:00
James Edwards-Jones
104c8b890d
Backport EE GroupSAML origin verification changes
2019-01-23 19:42:16 +00:00
Imre Farkas
157b385411
Log admin status of user when OAuth::User is saved
2019-01-23 14:26:15 +01:00
Semyon Pupkov
c379973bce
chore(rubocop): fix Style/TrivialAccessors issues
2019-01-16 13:53:04 +05:00
Imre Farkas
bd3a484032
Add config to disable impersonation
...
Adds gitlab.impersonation_enabled config option defaulting to true to
keep the current default behaviour.
Only the act of impersonation is modified, impersonation token
management is not affected.
2018-11-29 09:37:16 +01:00
Cindy Pallares
fe5f75930e
Merge branch 'security-fix-pat-web-access' into 'master'
...
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
2018-11-28 19:13:59 -05:00
Douwe Maan
6f0ff56ef8
Merge branch 'fix/allow-saml2-for-2fa-bypass' into 'master'
...
saml/auth_hash: Allow 2FA bypass for SAML 2.0 responses
See merge request gitlab-org/gitlab-ce!22568
2018-11-20 11:07:59 +00:00
George Tsiolis
733ae94921
Fix typos in comments and specs
2018-11-01 08:59:20 +02:00
Imre Farkas
b9652d8e4d
[master] Persist only SHA digest of PersonalAccessToken#token
2018-10-29 16:06:45 +00:00
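The storage change in the commit above, shown as an added example rather than GitLab's implementation: the plaintext personal access token is handed to the caller exactly once, only a digest is persisted, and authentication looks the presented token up by its digest. The in-memory store, the record layout and the choice of SHA-256 are assumptions of this example.

```ruby
require 'digest'
require 'securerandom'

# Stand-in for the personal_access_tokens table: an in-memory array of rows
# that hold only a digest of the token, never the token itself. SHA-256 and
# the record layout are assumptions for this example.
class PersonalAccessTokenStore
  Record = Struct.new(:id, :user, :token_digest)

  def initialize
    @records = []
  end

  # Mint a token. The plaintext is returned exactly once to the caller;
  # what gets persisted is its digest.
  def create(user)
    token = SecureRandom.urlsafe_base64(20)
    @records << Record.new(@records.size + 1, user, digest(token))
    token
  end

  # Authenticate a presented token by digesting it and looking the digest up.
  # The lookup is by exact digest, so a wrong or empty token finds nothing
  # and a leaked table yields no token that could be replayed against the API.
  def find_by_token(token)
    return nil if token.nil? || token.empty?

    d = digest(token)
    @records.find { |record| record.token_digest == d }
  end

  # What someone with read access to the table would see.
  def persisted_values
    @records.map(&:token_digest)
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

if $PROGRAM_NAME == __FILE__
  store = PersonalAccessTokenStore.new
  token = store.create('alice')
  puts store.find_by_token(token).user
  puts store.persisted_values.include?(token)
end
```

Because tokens are high-entropy random strings rather than user-chosen passwords, a fast unsalted hash is adequate here; the digest exists to make a database read useless to an attacker, not to slow down guessing.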
115100
2a8a4897ff
saml/auth_hash: Allow 2FA bypass for SAML 2.0 responses
...
Closes gitlab-org/gitlab-ce/#53102.
2018-10-25 12:08:07 +01:00
gfyoung
e166e5747c
Enable some frozen string in lib/gitlab
...
Enable frozen string for the following files:
* lib/gitlab/auth/**/*.rb
* lib/gitlab/badge/**/*.rb
* lib/gitlab/bare_repository_import/**/*.rb
* lib/gitlab/bitbucket_import/**/*.rb
* lib/gitlab/bitbucket_server_import/**/*.rb
* lib/gitlab/cache/**/*.rb
* lib/gitlab/checks/**/*.rb
Partially addresses #47424 .
2018-10-13 02:31:31 -07:00
Marcel Amirault
eb640eded7
Correct Gitlab Capitalization in code files
2018-09-21 12:05:37 +00:00
Yorick Peterse
2039c8280d
Disable existing offenses for the CodeReuse cops
...
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
2018-09-11 17:32:00 +02:00
Douglas Barbosa Alexandre
5894dfabc5
Backport LDAP changes to CE
2018-08-23 15:46:45 +02:00
Stan Hu
7486d424b9
Fix broken Git over HTTP clones with LDAP users
...
Due to a regression in !20608 , the LDAP authenticator was not being used
unless OmniAuth was enabled. This change allows the LDAP provider to be used
if it is configured regardless of the OmniAuth setting.
Closes #50579
2018-08-22 13:07:14 -07:00
Grzegorz Bizon
98e9f52cf4
Improve blocked user tracking code readability
2018-08-03 12:58:00 +02:00
Grzegorz Bizon
5bbd3a93e9
Remove an empty line from blocked user tracker class
2018-08-02 15:41:14 +02:00
Grzegorz Bizon
c2a5bbc295
Remove an empty line from the end of blocked_user_tracker.rb
2018-08-02 07:04:12 +00:00
Grzegorz Bizon
9c6aa0a0a6
Improve authentication events-related code readability
2018-08-01 17:08:59 +02:00
Grzegorz Bizon
2b05562c5b
Simplify blocked user tracking during authentication
2018-08-01 15:56:44 +02:00
Grzegorz Bizon
4bcf72e734
Improve blocked user tracking and fire some events only once
2018-08-01 14:23:06 +02:00
Sean McGivern
e6dd3c5276
Merge branch 'feature/gb/login-activity-metrics' into 'master'
...
Add user authentication activity metrics
Closes #47789
See merge request gitlab-org/gitlab-ce!20668
2018-07-31 10:44:22 +00:00
Grzegorz Bizon
de8f8cdf06
Improve authentication activity code readability
2018-07-31 09:24:19 +02:00
Grzegorz Bizon
5f66d1de09
Improve specs for blocked user tracker class
2018-07-27 13:54:31 +02:00
Grzegorz Bizon
00e4d918a3
Add authentication metrics for sessionless sign in
2018-07-27 12:56:34 +02:00
Grzegorz Bizon
c44541a506
Improve readability and move custom matchers to better place
2018-07-27 12:29:49 +02:00
Grzegorz Bizon
ede8c0ced4
Catch custom warden events too to increment metrics
2018-07-27 12:19:34 +02:00
Grzegorz Bizon
656985bf75
Make authentication metrics events explicit in specs
2018-07-26 18:36:04 +02:00
Grzegorz Bizon
0da5c588b1
Fix activity metric names that need to be symbols
2018-07-24 08:20:48 +00:00
Grzegorz Bizon
01cac53d71
Make it easier to stub authentication metrics
2018-07-23 17:20:24 +02:00
Grzegorz Bizon
68547bc0e0
Track blocked users and two factor authentications
2018-07-23 15:13:11 +02:00
Grzegorz Bizon
1a39d24d20
Refactor blocked user tracker class
2018-07-20 16:00:28 +02:00
Grzegorz Bizon
33e11345e0
Add custom expectations for authentication activity metrics
2018-07-20 15:06:11 +02:00
Lin Jen-Shin
d0afab482f
Disable SAML if OmniAuth is disabled
...
We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
2018-07-20 18:54:46 +08:00
Grzegorz Bizon
ac4b954c5f
Rename authentication activity observer methods
2018-07-19 10:34:58 +02:00
Grzegorz Bizon
416076610e
Implement scaffold of authentication activity metrics
2018-07-17 14:50:04 +02:00
Lin Jen-Shin
4ee08b77bc
Updates from `rubocop -a`
2018-07-09 21:13:08 +08:00
Roger Rüttimann
2efe27ba18
Honor saml assurance level to allow 2FA bypassing
2018-06-25 15:32:03 +00:00
Imre Farkas
20dfe25c15
Export assigned issues in iCalendar feed
2018-05-31 14:01:04 +00:00
Bob Van Landuyt
7a139c1602
Add username to terms message in git and API calls
...
This will make it clearer to users which account is being used to make
the API/git call. So they know which account needs to be used to
accept the terms.
Closes #46649
2018-05-24 18:19:48 +02:00
Rémy Coutable
6226d19c71
Minimize CE/EE difference in Gitlab::Auth::LDAP::Config
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
Rémy Coutable
8b287679a1
Minimize CE/EE difference in Gitlab::Auth::LDAP::Access
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
Rémy Coutable
dfdbf198b3
Minimize CE/EE difference in Gitlab::Auth::UserAuthFinders
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
Rémy Coutable
37cd2b9b4d
Minimize CE/EE difference in Gitlab::Auth::Saml::User
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
Rémy Coutable
0a581fcfa2
Minimize CE/EE difference in Gitlab::Auth::Saml::Config
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
Stan Hu
1be2ec2d04
Fix system hook not firing for blocked users when LDAP sign-in is used
...
An LDAP sign-in request results in a different request parameter than
a standard GitLab sign-in. Since Warden doesn't pass us the user that
was blocked, we first search for a `username` in the request parameters
and then look for `user.login`.
Closes #46307
2018-05-12 22:33:29 -07:00
Bob Van Landuyt
f7f13f9db0
Block access to API & git when terms are enforced
...
When terms are enforced, but the user has not accepted the terms
access to the API & git is rejected with a message directing the user
to the web app to accept the terms.
2018-05-10 17:02:27 +02:00
James Edwards-Jones
7425f2b322
Backport IdentityLinker#failed? from GroupSaml callback flow
2018-05-04 15:00:59 +01:00
James Edwards-Jones
dd09a19ad6
Auth::User classes refactor adds should_save?
2018-04-23 16:24:56 +01:00
James Edwards-Jones
795cd7f952
Replace define_method with alias_method in Omniauth Controllers
2018-04-23 16:24:47 +01:00
James Edwards-Jones
d3a8a07423
Unify Saml::IdentityLinker and OAuth::IdentityLinker
2018-04-23 13:53:32 +01:00
James Edwards-Jones
f8d54913bb
Show error on failed OAuth account link
2018-04-22 23:50:56 +01:00
James Edwards-Jones
f10c999bca
Refactor OmniauthCallbacksController to remove duplication
...
Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml
2018-04-22 23:50:55 +01:00
Francisco Javier López
ae84eaeba7
Add better LDAP connection handling
2018-04-04 09:07:28 +00:00
Horatiu Eugen Vlad
7d01792614
Fix LDAP login without user in DB
2018-03-27 09:21:17 +02:00
Rubén Dávila
afe2c15e6b
Fix provider server URL used when listing repos to import
...
Also use Gitlab::Auth::OAuth::Provider.config_for to access OmniAuth config
2018-03-12 16:01:43 -05:00
Gabriel Mazetto
5c7a738105
[CE] Add Naming/FileName rule checking expected class/module per filename
2018-03-08 12:56:54 +00:00
Horatiu Eugen Vlad
6d3cb7e22e
Make oauth provider login generic
2018-03-05 22:26:40 +00:00
Horatiu Eugen Vlad
1ad5df49b1
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-28 16:53:02 +01:00
Douwe Maan
7a6c7bd66b
Allow token authentication on go-get request
2018-02-23 10:33:46 +00:00
Francisco Javier López
4f6e0379b4
Fixing request json mime type
2018-01-15 09:09:21 +00:00
Stan Hu
0d187a9a65
Log and send a system hook if a blocked user fails to login
...
Closes #41633
2018-01-14 22:22:06 -08:00
Francisco Lopez
4188c10c07
Renaming AuthenticationException to AuthenticationError
2017-11-17 13:33:21 +01:00
Francisco Lopez
7f0317917a
Changes after rebase
2017-11-17 10:09:56 +01:00
Francisco Lopez
b810f479d5
Removing Offender
2017-11-17 10:02:11 +01:00
Francisco Lopez
1436598e49
Moved Exceptions to Gitlab::Auth
2017-11-17 10:02:11 +01:00
Francisco Lopez
aa84ef1e1a
Moving exceptions to UserAuthFinders
2017-11-17 10:02:11 +01:00
Francisco Lopez
98f7982cec
Leaving atom? query to fix tests
2017-11-17 10:02:11 +01:00
Francisco Lopez
29521a313a
Change the rss url guard clause
2017-11-17 10:02:11 +01:00
Francisco Lopez
f189657523
Added some more comments
2017-11-17 10:02:11 +01:00
Francisco Lopez
2d5397d928
Removed method handle_return_value
2017-11-17 10:02:11 +01:00
Francisco Lopez
21153a4f47
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed
2017-11-17 10:02:11 +01:00
Francisco Lopez
aecc3eb080
Applied some code review comments
2017-11-17 10:02:10 +01:00
Francisco Lopez
374179a970
Removing private token
2017-11-17 10:01:21 +01:00
Francisco Lopez
41ebd06ddc
Some fixes after rebase
2017-11-17 10:01:20 +01:00
Francisco Lopez
470b5dc326
Updated refactor and pushing to see if test fails
2017-11-17 10:00:48 +01:00
Francisco Lopez
d948e67913
First refactor
2017-11-17 10:00:08 +01:00
Michael Kozono
4e5a97d4f3
Refactor with ActionDispatch::Request
2017-11-17 09:58:18 +01:00
Michael Kozono
43a682ccaa
Fix OAuth API and RSS rate limiting
2017-11-17 09:58:18 +01:00
Robert Speicher
4edfad9678
Enable Layout/TrailingWhitespace cop and auto-correct offenses
2017-08-15 13:44:37 -04:00
Paul Charlton
cb3b4a15e6
Support multiple Redis instances based on queue type
2017-07-11 03:35:47 +00:00
Z.J. van de Weg
0b81b5ace0
Create read_registry scope with JWT auth
...
This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs
There is one gotcha, there will be no support for impersonation tokens, as this
seems not needed.
Fixes gitlab-org/gitlab-ce#19219
2017-06-05 12:26:49 +02:00
Pawel Chojnacki
70b9d8da4c
Remove unnecessary defaults for uniq ip block, cleanup refactoring leftovers
2017-03-06 15:45:43 +01:00
Pawel Chojnacki
8a9bc24ef8
align schema.rb with upstream and fix rubocop warning about not freezing mutable constants and empty error classes
2017-03-06 15:41:50 +01:00
Pawel Chojnacki
0ef8a64348
Remove unnecessary calls to limit_user!, UniqueIps Middleware, and address MR review
...
- cleanup formatting in haml
- clarify time window is in seconds
- cleanup extraneous chunks in db/schema
- rename count_uniqe_ips to update_and_return_ips_count
- other
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
9cc0ff8f46
Cleanup common code in Unique Ips tests
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
8993801f0c
Test various login scenarios if the limit gets enforced
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
66dc71599c
Cleanup formatting
2017-03-06 15:41:24 +01:00
Pawel Chojnacki
e5cf3f51fb
Allow limiting logging in users from too many different IPs.
2017-03-06 15:41:24 +01:00
Lin Jen-Shin
a9765fb47f
Introduce has_access_to? so that we could reuse it
...
Feedback:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7383#note_18439108
2016-11-16 20:31:23 +08:00
Kamil Trzcinski
795acf2e4e
Move logic to check ci? or lfs_deploy_token? to Gitlab::Auth::Result
2016-09-20 11:03:10 +02:00
Kamil Trzcinski
3c1bb3432b
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043 "
...
This reverts commit 6d43c95b70.
2016-09-19 16:34:32 +02:00
Kamil Trzcinski
135be3cabb
Solve code review comments
2016-09-19 14:23:18 +02:00
Kamil Trzcinski
dc29685465
Properly support Gitlab::Auth::Result
2016-09-19 13:50:28 +02:00
Kamil Trzcinski
6d43c95b70
Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043
2016-09-19 13:45:28 +02:00
Kamil Trzcinski
79f60e2b5c
Move Gitlab::Auth.Result to separate file
2016-09-19 13:42:10 +02:00
Jacob Vosmaer
07f49626d0
Fix tests
2016-06-06 17:40:26 +02:00
Jacob Vosmaer
03bec6b0e9
Argh mixed up all the negatives
2016-06-03 17:14:13 +02:00
Jacob Vosmaer
fa35aea3dd
Refactor Gitlab::Auth rate limiting
2016-06-03 17:07:40 +02:00