gitlab-org--gitlab-foss/app/controllers/omniauth_callbacks_controller.rb

class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  include AuthenticatesWithTwoFactor

  protect_from_forgery except: [:kerberos, :saml, :cas3]

  Gitlab.config.omniauth.providers.each do |provider|
    define_method provider['name'] do
      handle_omniauth
    end
  end

  # Extend the standard message generation to accept our custom exception
  def failure_message
    exception = env["omniauth.error"]
    error   = exception.error_reason if exception.respond_to?(:error_reason)
    error ||= exception.error        if exception.respond_to?(:error)
    error ||= exception.message      if exception.respond_to?(:message)
    error ||= env["omniauth.error.type"].to_s
    error.to_s.humanize if error
  end

  # We only find ourselves here
  # if the authentication to LDAP was successful.
  def ldap
    ldap_user = Gitlab::LDAP::User.new(oauth)
    ldap_user.save if ldap_user.changed? # will also save new users

    @user = ldap_user.gl_user
    @user.remember_me = params[:remember_me] if ldap_user.persisted?

    # Do additional LDAP checks for the user filter and EE features
    if ldap_user.allowed?
      if @user.two_factor_enabled?
        prompt_for_two_factor(@user)
      else
        log_audit_event(@user, with: :ldap)
        sign_in_and_redirect(@user)
      end
    else
      flash[:alert] = "Access denied for your LDAP account."
      redirect_to new_user_session_path
    end
  end

  def saml
    if current_user
      log_audit_event(current_user, with: :saml)
      # Update SAML identity if data has changed.
      identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml)
      if identity.nil?
        current_user.identities.create(extern_uid: oauth['uid'], provider: :saml)
        redirect_to profile_account_path, notice: 'Authentication method updated'
      else
        redirect_to after_sign_in_path_for(current_user)
      end
    else
      saml_user = Gitlab::Saml::User.new(oauth)
      saml_user.save if saml_user.changed?
      @user = saml_user.gl_user

      continue_login_process
    end
  rescue Gitlab::OAuth::SignupDisabledError
    handle_signup_error
  end

  def omniauth_error
    @provider = params[:provider]
    @error = params[:error]
    render 'errors/omniauth_error', layout: "errors", status: 422
  end

  def cas3
    ticket = params['ticket']
    if ticket
      handle_service_ticket oauth['provider'], ticket
    end
    handle_omniauth
  end

  private

  def handle_omniauth
    if current_user
      # Add new authentication method
      current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])
      log_audit_event(current_user, with: oauth['provider'])
      redirect_to profile_account_path, notice: 'Authentication method updated'
    else
      oauth_user = Gitlab::OAuth::User.new(oauth)
      oauth_user.save
      @user = oauth_user.gl_user

      continue_login_process
    end
  rescue Gitlab::OAuth::SignupDisabledError
    handle_signup_error
  end

  def handle_service_ticket(provider, ticket)
    Gitlab::OAuth::Session.create provider, ticket
    session[:service_tickets] ||= {}
    session[:service_tickets][provider] = ticket
  end

  def continue_login_process
    # Only allow properly saved users to login.
    if @user.persisted? && @user.valid?
      log_audit_event(@user, with: oauth['provider'])
      if @user.two_factor_enabled?
        prompt_for_two_factor(@user)
      else
        sign_in_and_redirect(@user)
      end
    else
      error_message = @user.errors.full_messages.to_sentence

      redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
    end
  end

  def handle_signup_error
    label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
    message = "Signing in using your #{label} account without a pre-existing GitLab account is not allowed."

    if current_application_settings.signup_enabled?
      message << " Create a GitLab account first, and then connect it to your #{label} account."
    end

    flash[:notice] = message

    redirect_to new_user_session_path
  end

  def oauth
    @oauth ||= request.env['omniauth.auth']
  end

  def log_audit_event(user, options = {})
    AuditEventService.new(user, user, options).
      for_authentication.security_event
  end
end
LDAP done 2012-01-28 08:23:17 -05:00			`class OmniauthCallbacksController < Devise::OmniauthCallbacksController`
Support Two-factor Authentication for LDAP users Closes #12653 2016-02-03 13:31:12 -05:00			`include AuthenticatesWithTwoFactor`
Add SAML support via Omniauth 2015-05-27 10:37:22 -04:00
add CAS authentication support 2015-11-11 23:25:31 -05:00			`protect_from_forgery except: [:kerberos, :saml, :cas3]`
Add SAML support via Omniauth 2015-05-27 10:37:22 -04:00
Update uses of Gitolite.config.foo settings 2012-12-14 19:16:25 -05:00			`Gitlab.config.omniauth.providers.each do \|provider\|`
Cleanup after omniauth 2012-09-12 01:23:20 -04:00			`define_method provider['name'] do`
			`handle_omniauth`
			`end`
			`end`
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-16 18:31:28 -04:00
			`# Extend the standard message generation to accept our custom exception`
			`def failure_message`
			`exception = env["omniauth.error"]`
Handle LDAP missing credentials error with a flash message. If a user fails to provide a username or password to the LDAP login form then a 500 error is returned due to an exception being raised in omniauth-ldap. This gem has been amended to use the omniauth error propagation function (fail!) to pass this exception message to the registered omniauth failure handler so that the Rails application can handle it approriately. The failure function now knows about standard exceptions and no longer requires a specific check for the OmniAuth::Error exception added by commit f322975. This resolves issue #1077. Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-21 04:04:05 -04:00			`error = exception.error_reason if exception.respond_to?(:error_reason)`
			`error \|\|= exception.error if exception.respond_to?(:error)`
			`error \|\|= exception.message if exception.respond_to?(:message)`
			`error \|\|= env["omniauth.error.type"].to_s`
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-16 18:31:28 -04:00			`error.to_s.humanize if error`
			`end`
Omniauth Support 2012-08-03 11:27:39 -04:00
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 07:39:54 -04:00			`# We only find ourselves here`
			`# if the authentication to LDAP was successful.`
LDAP done 2012-01-28 08:23:17 -05:00			`def ldap`
Backport LDAP user assignment changes from EE See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146 2016-01-28 13:31:48 -05:00			`ldap_user = Gitlab::LDAP::User.new(oauth)`
			`ldap_user.save if ldap_user.changed? # will also save new users`

			`@user = ldap_user.gl_user`
			`@user.remember_me = params[:remember_me] if ldap_user.persisted?`
Check LDAP user filter during sign-in 2014-06-12 10:01:23 -04:00
Move LDAP timeout code to Gitlab::LDAP::Access 2014-07-30 03:50:50 -04:00			`# Do additional LDAP checks for the user filter and EE features`
Backport LDAP user assignment changes from EE See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146 2016-01-28 13:31:48 -05:00			`if ldap_user.allowed?`
Support Two-factor Authentication for LDAP users Closes #12653 2016-02-03 13:31:12 -05:00			`if @user.two_factor_enabled?`
			`prompt_for_two_factor(@user)`
			`else`
			`log_audit_event(@user, with: :ldap)`
			`sign_in_and_redirect(@user)`
			`end`
Move LDAP timeout code to Gitlab::LDAP::Access 2014-07-30 03:50:50 -04:00			`else`
			`flash[:alert] = "Access denied for your LDAP account."`
			`redirect_to new_user_session_path`
Check LDAP user filter during sign-in 2014-06-12 10:01:23 -04:00			`end`
LDAP done 2012-01-28 08:23:17 -05:00			`end`

Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`def saml`
			`if current_user`
			`log_audit_event(current_user, with: :saml)`
			`# Update SAML identity if data has changed.`
			`identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml)`
			`if identity.nil?`
			`current_user.identities.create(extern_uid: oauth['uid'], provider: :saml)`
			`redirect_to profile_account_path, notice: 'Authentication method updated'`
			`else`
			`redirect_to after_sign_in_path_for(current_user)`
			`end`
			`else`
			`saml_user = Gitlab::Saml::User.new(oauth)`
Avoid saving again if the user attributes haven't changed 2016-04-04 20:10:59 -04:00			`saml_user.save if saml_user.changed?`
Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`@user = saml_user.gl_user`

			`continue_login_process`
			`end`
Add missing proper nil and error handling to SAML login process. 2016-04-07 17:45:33 -04:00			`rescue Gitlab::OAuth::SignupDisabledError`
			`handle_signup_error`
Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`end`

Use an error page when oauth fails. 2014-06-24 08:16:52 -04:00			`def omniauth_error`
			`@provider = params[:provider]`
			`@error = params[:error]`
			`render 'errors/omniauth_error', layout: "errors", status: 422`
			`end`

add CAS authentication support 2015-11-11 23:25:31 -05:00			`def cas3`
			`ticket = params['ticket']`
			`if ticket`
			`handle_service_ticket oauth['provider'], ticket`
			`end`
			`handle_omniauth`
			`end`

Omniauth Support 2012-08-03 11:27:39 -04:00			`private`

			`def handle_omniauth`
			`if current_user`
Multi-provider auth. LDAP is not reworked 2014-11-25 11:15:30 -05:00			`# Add new authentication method`
			`current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])`
Audit log for user authentication 2015-07-03 07:54:50 -04:00			`log_audit_event(current_user, with: oauth['provider'])`
When add new social account - redirect to accounts page and show notice message 2015-02-08 03:53:31 -05:00			`redirect_to profile_account_path, notice: 'Authentication method updated'`
Omniauth Support 2012-08-03 11:27:39 -04:00			`else`
Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`oauth_user = Gitlab::OAuth::User.new(oauth)`
			`oauth_user.save`
			`@user = oauth_user.gl_user`
Omniauth Support 2012-08-03 11:27:39 -04:00
Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`continue_login_process`
Omniauth Support 2012-08-03 11:27:39 -04:00			`end`
Fix rubocop warnings in app 2015-10-03 01:56:37 -04:00			`rescue Gitlab::OAuth::SignupDisabledError`
Add missing proper nil and error handling to SAML login process. 2016-04-07 17:45:33 -04:00			`handle_signup_error`
Omniauth Support 2012-08-03 11:27:39 -04:00			`end`
Use new OAuth classes 2013-09-03 17:06:29 -04:00
Enable Style/MethodDefParentheses rubocop cop Use def with parentheses when there are parameters. See #17478 2016-05-30 06:08:53 -04:00			`def handle_service_ticket(provider, ticket)`
add CAS authentication support 2015-11-11 23:25:31 -05:00			`Gitlab::OAuth::Session.create provider, ticket`
			`session[:service_tickets] \|\|= {}`
			`session[:service_tickets][provider] = ticket`
			`end`

Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`def continue_login_process`
			`# Only allow properly saved users to login.`
			`if @user.persisted? && @user.valid?`
			`log_audit_event(@user, with: oauth['provider'])`
Added tests for 2FA check on OAuth request 2016-06-30 15:54:07 -04:00			`if @user.two_factor_enabled?`
			`prompt_for_two_factor(@user)`
			`else`
			`sign_in_and_redirect(@user)`
			`end`
Decouple SAML authentication from the default Omniauth logic 2016-02-18 17:01:07 -05:00			`else`
			`error_message = @user.errors.full_messages.to_sentence`

			`redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return`
			`end`
			`end`

Add missing proper nil and error handling to SAML login process. 2016-04-07 17:45:33 -04:00			`def handle_signup_error`
			`label = Gitlab::OAuth::Provider.label_for(oauth['provider'])`
			`message = "Signing in using your #{label} account without a pre-existing GitLab account is not allowed."`

			`if current_application_settings.signup_enabled?`
			`message << " Create a GitLab account first, and then connect it to your #{label} account."`
			`end`

			`flash[:notice] = message`

			`redirect_to new_user_session_path`
			`end`

Use new OAuth classes 2013-09-03 17:06:29 -04:00			`def oauth`
			`@oauth \|\|= request.env['omniauth.auth']`
			`end`
Audit log for user authentication 2015-07-03 07:54:50 -04:00
			`def log_audit_event(user, options = {})`
			`AuditEventService.new(user, user, options).`
			`for_authentication.security_event`
			`end`
LDAP done 2012-01-28 08:23:17 -05:00			`end`