Fix Shibboleth misconfigurations resulting in authentication bypass
This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them.
See merge request !7428
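The failure mode described in the commit above, as an added example that is not GitLab's own code: it assumes (an assumption, not something the page states) that a misconfigured SP passes the attribute as an empty string rather than omitting it, and that an identity record with an empty external id exists to be matched. The `IDENTITIES` table, `header_uid`, `naive_lookup` and `strict_lookup` are all constructed for this illustration.

```ruby
# Added example (not GitLab's code): how a blank Shibboleth attribute can map
# to the wrong account, and the check that prevents it. All data is constructed.

# In-memory stand-in for an identities table: extern_uid => username.
# The entry with an empty extern_uid is the record a blank header would match
# (constructed here; an assumption about how such a record could arise).
IDENTITIES = {
  'alice@example.org' => 'alice',
  ''                  => 'orphaned-account'
}.freeze

# Reads the attribute the SP is expected to pass. With a misconfigured
# Shibboleth SP the variable can be present but empty ('' rather than absent).
def header_uid(env)
  env['HTTP_UID'] || env['HTTP_EPPN'] || ''
end

# Naive lookup: trusts whatever the header contains, including ''.
def naive_lookup(env)
  IDENTITIES[header_uid(env)]
end

# Hardened lookup: a blank identifier is a configuration error, never a user.
def strict_lookup(env)
  uid = header_uid(env).to_s.strip
  return nil if uid.empty?
  IDENTITIES[uid]
end

if __FILE__ == $0
  good = { 'HTTP_UID' => 'alice@example.org' }
  bad  = { 'HTTP_UID' => '' }  # constructed request from a misconfigured SP
  puts "naive, good header:   #{naive_lookup(good).inspect}"
  puts "naive, blank header:  #{naive_lookup(bad).inspect}"   # wrong account
  puts "strict, blank header: #{strict_lookup(bad).inspect}"  # nil
end
```

The point of the strict variant is that the identifier used to select an account is validated before any lookup happens; an empty value is treated as "no identity was asserted", so the request falls through to an ordinary login failure instead of matching whatever record happens to carry an empty key.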
Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously,
some logic was in the Devise initializer and it was not honoring the
`user_filter`. If a user outside the configured `user_filter` signed
in, an account would be created but they would then be denied access.
Now that logic is centralized, the filter is honored and users outside
the filter are never created.
Allow account unlock via email
We see a lot of users get confused about what it means when your account gets
locked. Many try to reset their password and are still faced with a lockout.
With this change, users receive an email that allows them to unlock their
account immediately. The previous behavior where the account is auto-unlocked
after a time also still works.
See merge request !2049
This reverts commit e9d4587ff1, which is
incompatible with GitLab's built-in LDAP user filter: a GitLab LDAP
filter is [added on top of the other filters used to find the
user](982d4d51e8/lib/gitlab/ldap/adapter.rb (L61))
Example GitLab LDAP filter: `(memberOf=cn=foo,dc=bar)`.
In contrast, an omniauth-ldap filter [replaces the 'normal'
filters](76d77543de/lib/omniauth/strategies/ldap.rb (L55))
Example omniauth-ldap user filter:
`(&(uid=%{username})(memberOf=cn=foo,dc=bar))`.
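The two filter semantics contrasted in the commit above, as an added example that is neither GitLab's nor omniauth-ldap's code. `gitlab_filter` ANDs a configured filter onto the uid lookup; `omniauth_filter` lets the configured template replace the lookup and interpolates the username into its `%{username}` placeholder. The RFC 4515 value escaping and the check that a replacing template actually contains the placeholder are additions of this example, not behaviour the page describes; all names and sample values are constructed.

```ruby
# Added example (not GitLab's or omniauth-ldap's code) contrasting the two ways
# a user filter is applied. Escaping and the placeholder check are additions.

# Escape the characters that carry meaning inside an LDAP filter value
# (RFC 4515): backslash, asterisk, parentheses and NUL.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# GitLab style: the configured filter is AND-ed onto the lookup by uid, so the
# lookup attribute is always present whatever the administrator wrote.
def gitlab_filter(uid_attr, username, user_filter = nil)
  base = "(#{uid_attr}=#{ldap_escape(username)})"
  user_filter ? "(&#{base}#{user_filter})" : base
end

# omniauth-ldap style: the configured filter *replaces* the lookup and the
# username is interpolated into a %{username} placeholder. A template without
# the placeholder would no longer select a single user, so it is refused.
def omniauth_filter(template, username)
  raise ArgumentError, 'filter lacks %{username}' unless template.include?('%{username}')
  format(template, username: ldap_escape(username))
end

if __FILE__ == $0
  puts gitlab_filter('uid', 'jdoe', '(memberOf=cn=foo,dc=bar)')
  puts omniauth_filter('(&(uid=%{username})(memberOf=cn=foo,dc=bar))', 'jdoe')
  puts gitlab_filter('uid', 'j*')   # wildcard is escaped, not interpreted
end
```

Both calls above yield `(&(uid=jdoe)(memberOf=cn=foo,dc=bar))`, which is why the same group restriction has to be written differently for each system: in the GitLab form the administrator supplies only `(memberOf=cn=foo,dc=bar)`, while in the omniauth-ldap form the administrator must also carry the `uid=%{username}` clause, since nothing else adds it.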
This changes the email "From" field from "gitlab@example.com" to either:
* "John Doe <gitlab@example.com>" if the author of the action is known,
* "GitLab <gitlab@example.com>" otherwise.
Rationale: this allows mails to appear as if they were sent by the
author. It appears in the mailbox more like a real discussion between
the sender and the receiver ("John sent: we should refactor this") and
less like a robot notifying about something.
This refactoring allows a user to use omniauth providers which do not
use `app_id` and `app_secret` without needing to change the
devise configuration.
Now when you want to sign up or change an existing email you will be forced
to confirm that you really own this email. You get an email with a link to
follow in order to confirm your email address.
Conflicts:
app/models/user.rb
Provide an omniauth.rb.sample file to avoid encouraging end-users to commit
their provider access details (passwords or api tokens) into their git
repositories.
Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net>