b57cf4ae3f
Backport of ee/9235: Add LDAP integration to smartcard authentication
2019-01-27 22:26:32 +01:00
104c8b890d
Backport EE GroupSAML origin verification changes
2019-01-23 19:42:16 +00:00
157b385411
Log admin status of user when OAuth::User is saved
2019-01-23 14:26:15 +01:00
c379973bce
chore(rubocop): fix Style/TrivialAccessors issues
2019-01-16 13:53:04 +05:00
bd3a484032
Add config to disable impersonation
...
Adds gitlab.impersonation_enabled config option defaulting to true to
keep the current default behaviour.
Only the act of impersonation is modified, impersonation token
management is not affected.
2018-11-29 09:37:16 +01:00
fe5f75930e
Merge branch 'security-fix-pat-web-access' into 'master'
...
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
2018-11-28 19:13:59 -05:00
6f0ff56ef8
Merge branch 'fix/allow-saml2-for-2fa-bypass' into 'master'
...
saml/auth_hash: Allow 2FA bypass for SAML 2.0 responses
See merge request gitlab-org/gitlab-ce!22568
2018-11-20 11:07:59 +00:00
733ae94921
Fix typos in comments and specs
2018-11-01 08:59:20 +02:00
b9652d8e4d
[master] Persist only SHA digest of PersonalAccessToken#token
2018-10-29 16:06:45 +00:00
2a8a4897ff
saml/auth_hash: Allow 2FA bypass for SAML 2.0 responses
...
Closes gitlab-org/gitlab-ce/#53102.
2018-10-25 12:08:07 +01:00
e166e5747c
Enable some frozen string in lib/gitlab
...
Enable frozen string for the following files:
* lib/gitlab/auth/**/*.rb
* lib/gitlab/badge/**/*.rb
* lib/gitlab/bare_repository_import/**/*.rb
* lib/gitlab/bitbucket_import/**/*.rb
* lib/gitlab/bitbucket_server_import/**/*.rb
* lib/gitlab/cache/**/*.rb
* lib/gitlab/checks/**/*.rb
Partially addresses #47424 .
2018-10-13 02:31:31 -07:00
eb640eded7
Correct Gitlab Capitalization in code files
2018-09-21 12:05:37 +00:00
2039c8280d
Disable existing offenses for the CodeReuse cops
...
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
2018-09-11 17:32:00 +02:00
5894dfabc5
Backport LDAP changes to CE
2018-08-23 15:46:45 +02:00
7486d424b9
Fix broken Git over HTTP clones with LDAP users
...
Due to a regression in !20608 , the LDAP authenticator was not being used
unless OmniAuth was enabled. This change allows the LDAP provider to be used
if it is configured regardless of the OmniAuth setting.
Closes #50579
2018-08-22 13:07:14 -07:00
98e9f52cf4
Improve blocked user tracking code readability
2018-08-03 12:58:00 +02:00
5bbd3a93e9
Remove an empty line from blocker user tracker class
2018-08-02 15:41:14 +02:00
c2a5bbc295
Remove an empty line from the end of blocked_user_tracker.rb
2018-08-02 07:04:12 +00:00
9c6aa0a0a6
Improve authentication events-related code readability
2018-08-01 17:08:59 +02:00
2b05562c5b
Simplify blocked user tracking during authentication
2018-08-01 15:56:44 +02:00
4bcf72e734
Improve blocked user tracking and fire some events only once
2018-08-01 14:23:06 +02:00
e6dd3c5276
Merge branch 'feature/gb/login-activity-metrics' into 'master'
...
Add user authentication activity metrics
Closes #47789
See merge request gitlab-org/gitlab-ce!20668
2018-07-31 10:44:22 +00:00
de8f8cdf06
Improve authentication activity code readability
2018-07-31 09:24:19 +02:00
5f66d1de09
Improve specs for blocked user tracker class
2018-07-27 13:54:31 +02:00
00e4d918a3
Add authentication metrics for sessionless sign in
2018-07-27 12:56:34 +02:00
c44541a506
Improve readability and move custom matchers to better place
2018-07-27 12:29:49 +02:00
ede8c0ced4
Catch custom warden events too to increment metrics
2018-07-27 12:19:34 +02:00
656985bf75
Make authentication metrics events explicit is specs
2018-07-26 18:36:04 +02:00
0da5c588b1
Fix activity metric name that need to be symbols
2018-07-24 08:20:48 +00:00
01cac53d71
Make it easier to stub authentication metrics
2018-07-23 17:20:24 +02:00
68547bc0e0
Track blocked users and two factor authentications
2018-07-23 15:13:11 +02:00
1a39d24d20
Refactor blocked user tracker class
2018-07-20 16:00:28 +02:00
33e11345e0
Add custom expectations for authentication activity metrics
2018-07-20 15:06:11 +02:00
d0afab482f
Disable SAML if OmniAuth is disabled
...
We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
2018-07-20 18:54:46 +08:00
ac4b954c5f
Rename authentication activity observer methods
2018-07-19 10:34:58 +02:00
416076610e
Implement scaffold of authentication activity metrics
2018-07-17 14:50:04 +02:00
4ee08b77bc
Updates from `rubocop -a`
2018-07-09 21:13:08 +08:00
2efe27ba18
Honor saml assurance level to allow 2FA bypassing
2018-06-25 15:32:03 +00:00
20dfe25c15
Export assigned issues in iCalendar feed
2018-05-31 14:01:04 +00:00
7a139c1602
Add username to terms message in git and API calls
...
This will make it clearer to users which account is being used to make
the API/git call. So they know which account needs to be used to
accept the terms.
Closes #46649
2018-05-24 18:19:48 +02:00
6226d19c71
Minimize CE/EE difference in Gitlab::Auth::LDAP::Config
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
8b287679a1
Minimize CE/EE difference in Gitlab::Auth::LDAP::Access
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
dfdbf198b3
Minimize CE/EE difference in Gitlab::Auth::UserAuthFinders
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
37cd2b9b4d
Minimize CE/EE difference in Gitlab::Auth::Saml::User
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
0a581fcfa2
Minimize CE/EE difference in Gitlab::Auth::Saml::Config
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2018-05-18 16:30:53 +02:00
1be2ec2d04
Fix system hook not firing for blocked users when LDAP sign-in is used
...
An LDAP sign-in request results in a different request parameter than
a standard GitLab sign-in. Since Warden doesn't pass us the user that
was blocked, we first search for a `username` in the request parameters
and then look for `user.login`.
Closes #46307
2018-05-12 22:33:29 -07:00
f7f13f9db0
Block access to API & git when terms are enforced
...
When terms are enforced, but the user has not accepted the terms
access to the API & git is rejected with a message directing the user
to the web app to accept the terms.
2018-05-10 17:02:27 +02:00
7425f2b322
Backport IdentityLinker#failed? from GroupSaml callback flow
2018-05-04 15:00:59 +01:00
dd09a19ad6
Auth::User classes refactor adds should_save?
2018-04-23 16:24:56 +01:00
795cd7f952
Replace define_method with alias_method in Omniauth Controllers
2018-04-23 16:24:47 +01:00
d3a8a07423
Unify Saml::IdentityLinker and OAuth::IdentityLinker
2018-04-23 13:53:32 +01:00
f8d54913bb
Show error on failed OAuth account link
2018-04-22 23:50:56 +01:00
f10c999bca
Refactor OmniauthCallbacksController to remove duplication
...
Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml
2018-04-22 23:50:55 +01:00
ae84eaeba7
Add better LDAP connection handling
2018-04-04 09:07:28 +00:00
7d01792614
Fix LDAP login without user in DB
2018-03-27 09:21:17 +02:00
afe2c15e6b
Fix provider server URL used when listing repos to import
...
Also use Gitlab::Auth::OAuth::Provider.config_for to access OmniAuth config
2018-03-12 16:01:43 -05:00
5c7a738105
[CE] Add Naming/FileName rule checking expected class/module per filename
2018-03-08 12:56:54 +00:00
6d3cb7e22e
Make oauth provider login generic
2018-03-05 22:26:40 +00:00
1ad5df49b1
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-28 16:53:02 +01:00
7a6c7bd66b
Allow token authentication on go-get request
2018-02-23 10:33:46 +00:00
4f6e0379b4
Fixing request json mime type
2018-01-15 09:09:21 +00:00
0d187a9a65
Log and send a system hook if a blocked user fails to login
...
Closes #41633
2018-01-14 22:22:06 -08:00
4188c10c07
Renaming AuthenticationException to AuthenticationError
2017-11-17 13:33:21 +01:00
7f0317917a
Changes after rebase
2017-11-17 10:09:56 +01:00
b810f479d5
Removing Offender
2017-11-17 10:02:11 +01:00
1436598e49
Moved Exceptions to Gitlab::Auth
2017-11-17 10:02:11 +01:00
aa84ef1e1a
Moving exceptions to UserAuthFinders
2017-11-17 10:02:11 +01:00
98f7982cec
Leaving atom? query to fix tests
2017-11-17 10:02:11 +01:00
29521a313a
Change the rss url guard clause
2017-11-17 10:02:11 +01:00
f189657523
Added some more comments
2017-11-17 10:02:11 +01:00
2d5397d928
Removed method handle_return_value
2017-11-17 10:02:11 +01:00
21153a4f47
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed
2017-11-17 10:02:11 +01:00
aecc3eb080
Applied some code review comments
2017-11-17 10:02:10 +01:00
374179a970
Removing private token
2017-11-17 10:01:21 +01:00
41ebd06ddc
Some fixes after rebase
2017-11-17 10:01:20 +01:00
470b5dc326
Updated refactor and pushing to see if test fails
2017-11-17 10:00:48 +01:00
d948e67913
First refactor
2017-11-17 10:00:08 +01:00
4e5a97d4f3
Refactor with ActionDispatch::Request
2017-11-17 09:58:18 +01:00
43a682ccaa
Fix OAuth API and RSS rate limiting
2017-11-17 09:58:18 +01:00
4edfad9678
Enable Layout/TrailingWhitespace cop and auto-correct offenses
2017-08-15 13:44:37 -04:00
cb3b4a15e6
Support multiple Redis instances based on queue type
2017-07-11 03:35:47 +00:00
0b81b5ace0
Create read_registry scope with JWT auth
...
This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs
There is one gotcha, there will be no support for impersonation tokens, as this
seems not needed.
Fixes gitlab-org/gitlab-ce#19219
2017-06-05 12:26:49 +02:00
70b9d8da4c
Remove unecessary defaults for uniq ip block, cleanup refactoring leftovers
2017-03-06 15:45:43 +01:00
8a9bc24ef8
align schema.rb with upstream and fix rubocop warning about not freezing mutable constants and empty error classes
2017-03-06 15:41:50 +01:00
0ef8a64348
Remove unecessary calls to limit_user!, UniqueIps Middleware, and address MR review
...
- cleanup formating in haml
- clarify time window is in seconds
- cleanup straneous chunks in db/schema
- rename count_uniqe_ips to update_and_return_ips_count
- other
2017-03-06 15:41:25 +01:00
9cc0ff8f46
Cleanup common code in Unique Ips tests
2017-03-06 15:41:25 +01:00
8993801f0c
Test various login scenarios if the limit gets enforced
2017-03-06 15:41:25 +01:00
66dc71599c
Cleanup formatting
2017-03-06 15:41:24 +01:00
e5cf3f51fb
Allow limiting logging in users from too many different IPs.
2017-03-06 15:41:24 +01:00
a9765fb47f
Introduce has_access_to? so that we could reuse it
...
Feedback:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7383#note_18439108
2016-11-16 20:31:23 +08:00
795acf2e4e
Move logic to check ci? or lfs_deploy_token? to Gitlab::Auth::Result
2016-09-20 11:03:10 +02:00
3c1bb3432b
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043 "
...
This reverts commit 6d43c95b70
2016-09-19 16:34:32 +02:00
135be3cabb
Solve code review comments
2016-09-19 14:23:18 +02:00
dc29685465
Properly support Gitlab::Auth::Result
2016-09-19 13:50:28 +02:00
6d43c95b70
Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043
2016-09-19 13:45:28 +02:00
79f60e2b5c
Move Gitlab::Auth.Result to separate file
2016-09-19 13:42:10 +02:00
07f49626d0
Fix tests
2016-06-06 17:40:26 +02:00
03bec6b0e9
Argh mixed up all the negatives
2016-06-03 17:14:13 +02:00
fa35aea3dd
Refactor Gitlab::Auth rate limiting
2016-06-03 17:07:40 +02:00
Imre Farkas
James Edwards-Jones
Semyon Pupkov
Cindy Pallares
Douwe Maan
George Tsiolis
115100
gfyoung
Marcel Amirault
Yorick Peterse
Douglas Barbosa Alexandre
Stan Hu
Grzegorz Bizon
Grzegorz Bizon
Sean McGivern
Lin Jen-Shin
Roger Rüttimann
Bob Van Landuyt
Rémy Coutable
Francisco Javier López
Horatiu Eugen Vlad
Rubén Dávila
Gabriel Mazetto
Michael Kozono
Robert Speicher
Paul Charlton
Z.J. van de Weg
Pawel Chojnacki
Kamil Trzcinski
Jacob Vosmaer