gitlab-org--gitlab-foss/app/controllers/omniauth_callbacks_controll...

class OmniauthCallbacksController < Devise::OmniauthCallbacksController

  protect_from_forgery except: [:kerberos, :saml]

  Gitlab.config.omniauth.providers.each do |provider|
    define_method provider['name'] do
      handle_omniauth
    end
  end

  # Extend the standard message generation to accept our custom exception
  def failure_message
    exception = env["omniauth.error"]
    error   = exception.error_reason if exception.respond_to?(:error_reason)
    error ||= exception.error        if exception.respond_to?(:error)
    error ||= exception.message      if exception.respond_to?(:message)
    error ||= env["omniauth.error.type"].to_s
    error.to_s.humanize if error
  end

  # We only find ourselves here
  # if the authentication to LDAP was successful.
  def ldap
    @user = Gitlab::LDAP::User.new(oauth)
    @user.save if @user.changed? # will also save new users
    gl_user = @user.gl_user
    gl_user.remember_me = params[:remember_me] if @user.persisted?

    # Do additional LDAP checks for the user filter and EE features
    if @user.allowed?
      sign_in_and_redirect(gl_user)
    else
      flash[:alert] = "Access denied for your LDAP account."
      redirect_to new_user_session_path
    end
  end

  def omniauth_error
    @provider = params[:provider]
    @error = params[:error]
    render 'errors/omniauth_error', layout: "errors", status: 422
  end

  private

  def handle_omniauth
    if current_user
      # Add new authentication method
      current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])
      redirect_to profile_account_path, notice: 'Authentication method updated'
    else
      @user = Gitlab::OAuth::User.new(oauth)
      @user.save

      # Only allow properly saved users to login.
      if @user.persisted? && @user.valid?
        sign_in_and_redirect(@user.gl_user)
      else
        error_message =
          if @user.gl_user.errors.any?
            @user.gl_user.errors.map do |attribute, message|
              "#{attribute} #{message}"
            end.join(", ")
          else
            ''
          end

        redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
      end
    end
  rescue Gitlab::OAuth::SignupDisabledError => e
    message = "Signing in using your #{oauth['provider']} account without a pre-existing GitLab account is not allowed."

    if current_application_settings.signup_enabled?
      message << " Create a GitLab account first, and then connect it to your #{oauth['provider']} account."
    end

    flash[:notice] = message
    
    redirect_to new_user_session_path
  end

  def oauth
    @oauth ||= request.env['omniauth.auth']
  end
end
LDAP done 2012-01-28 13:23:17 +00:00			`class OmniauthCallbacksController < Devise::OmniauthCallbacksController`
Add SAML support via Omniauth 2015-05-27 14:37:22 +00:00
			`protect_from_forgery except: [:kerberos, :saml]`

Update uses of Gitolite.config.foo settings 2012-12-15 00:16:25 +00:00			`Gitlab.config.omniauth.providers.each do \|provider\|`
Cleanup after omniauth 2012-09-12 05:23:20 +00:00			`define_method provider['name'] do`
			`handle_omniauth`
			`end`
			`end`
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-16 22:31:28 +00:00
			`# Extend the standard message generation to accept our custom exception`
			`def failure_message`
			`exception = env["omniauth.error"]`
Handle LDAP missing credentials error with a flash message. If a user fails to provide a username or password to the LDAP login form then a 500 error is returned due to an exception being raised in omniauth-ldap. This gem has been amended to use the omniauth error propagation function (fail!) to pass this exception message to the registered omniauth failure handler so that the Rails application can handle it approriately. The failure function now knows about standard exceptions and no longer requires a specific check for the OmniAuth::Error exception added by commit f322975. This resolves issue #1077. Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-21 08:04:05 +00:00			`error = exception.error_reason if exception.respond_to?(:error_reason)`
			`error \|\|= exception.error if exception.respond_to?(:error)`
			`error \|\|= exception.message if exception.respond_to?(:message)`
			`error \|\|= env["omniauth.error.type"].to_s`
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net> 2012-07-16 22:31:28 +00:00			`error.to_s.humanize if error`
			`end`
Omniauth Support 2012-08-03 15:27:39 +00:00
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`# We only find ourselves here`
			`# if the authentication to LDAP was successful.`
LDAP done 2012-01-28 13:23:17 +00:00			`def ldap`
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`@user = Gitlab::LDAP::User.new(oauth)`
			`@user.save if @user.changed? # will also save new users`
			`gl_user = @user.gl_user`
Add "Remember me" checkbox to LDAP signin form. 2015-06-05 12:37:01 +00:00			`gl_user.remember_me = params[:remember_me] if @user.persisted?`
Check LDAP user filter during sign-in 2014-06-12 14:01:23 +00:00
Move LDAP timeout code to Gitlab::LDAP::Access 2014-07-30 07:50:50 +00:00			`# Do additional LDAP checks for the user filter and EE features`
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`if @user.allowed?`
			`sign_in_and_redirect(gl_user)`
Move LDAP timeout code to Gitlab::LDAP::Access 2014-07-30 07:50:50 +00:00			`else`
			`flash[:alert] = "Access denied for your LDAP account."`
			`redirect_to new_user_session_path`
Check LDAP user filter during sign-in 2014-06-12 14:01:23 +00:00			`end`
LDAP done 2012-01-28 13:23:17 +00:00			`end`

Use an error page when oauth fails. 2014-06-24 12:16:52 +00:00			`def omniauth_error`
			`@provider = params[:provider]`
			`@error = params[:error]`
			`render 'errors/omniauth_error', layout: "errors", status: 422`
			`end`

Omniauth Support 2012-08-03 15:27:39 +00:00			`private`

			`def handle_omniauth`
			`if current_user`
Multi-provider auth. LDAP is not reworked 2014-11-25 16:15:30 +00:00			`# Add new authentication method`
			`current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider'])`
When add new social account - redirect to accounts page and show notice message 2015-02-08 08:53:31 +00:00			`redirect_to profile_account_path, notice: 'Authentication method updated'`
Omniauth Support 2012-08-03 15:27:39 +00:00			`else`
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`@user = Gitlab::OAuth::User.new(oauth)`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 18:08:30 +00:00			`@user.save`
Omniauth Support 2012-08-03 15:27:39 +00:00
Disallow new users from Oauth signup if `allow_single_sign_on` is disabled Because devise will trigger a save, allowing unsaved users to login, behaviour had changed. The current implementation returns a pre-build user, which can be saved without errors. Reported in #1677 2014-10-16 09:46:40 +00:00			`# Only allow properly saved users to login.`
			`if @user.persisted? && @user.valid?`
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`sign_in_and_redirect(@user.gl_user)`
Refactor error message a bit Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 10:15:59 +00:00			`else`
			`error_message =`
			`if @user.gl_user.errors.any?`
			`@user.gl_user.errors.map do \|attribute, message\|`
			`"#{attribute} #{message}"`
			`end.join(", ")`
			`else`
			`''`
			`end`

Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return`
Omniauth Support 2012-08-03 15:27:39 +00:00			`end`
			`end`
Improve OAuth signup error message. 2015-05-12 10:50:06 +00:00			`rescue Gitlab::OAuth::SignupDisabledError => e`
			`message = "Signing in using your #{oauth['provider']} account without a pre-existing GitLab account is not allowed."`

			`if current_application_settings.signup_enabled?`
			`message << " Create a GitLab account first, and then connect it to your #{oauth['provider']} account."`
			`end`

			`flash[:notice] = message`

Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 18:08:30 +00:00			`redirect_to new_user_session_path`
Omniauth Support 2012-08-03 15:27:39 +00:00			`end`
Use new OAuth classes 2013-09-03 21:06:29 +00:00
			`def oauth`
			`@oauth \|\|= request.env['omniauth.auth']`
			`end`
LDAP done 2012-01-28 13:23:17 +00:00			`end`