kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/app/controllers/omniauth_callbacks_controller.rb

293 lines
8.1 KiB
Ruby
Raw Normal View History

Enable frozen string in app/controllers/**/*.rb Enables frozen string for the following: * app/controllers/*.rb * app/controllers/admin/**/*.rb * app/controllers/boards/**/*.rb * app/controllers/ci/**/*.rb * app/controllers/concerns/**/*.rb Partially addresses #47424.
2018-09-14 01:42:05 -04:00
# frozen_string_literal: true
LDAP done
2012-01-28 08:23:17 -05:00
class OmniauthCallbacksController < Devise::OmniauthCallbacksController
Add latest changes from gitlab-org/gitlab@master
2020-09-24 11:09:51 -04:00
include AuthenticatesWithTwoFactorForAdminMode
Implement "remember me" for OAuth-based login. - Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie.
2017-06-07 04:45:34 -04:00
include Devise::Controllers::Rememberable
Move out link\unlink ability checks to a policy We can extend the policy in EE for additional behavior
2019-03-18 10:36:34 -04:00
include AuthHelper
Add latest changes from gitlab-org/gitlab@master
2019-12-11 07:08:10 -05:00
include InitializesCurrentUserMode
Add latest changes from gitlab-org/gitlab@master
2020-05-12 23:08:26 -04:00
include KnownSignIn
after_action :verify_known_sign_in
Add SAML support via Omniauth
2015-05-27 10:37:22 -04:00
Avoid CSRF check on SAML failure endpoint SAML and OAuth failures should cause a message to be presented, as well as logging that an attempt was made. These were incorrectly prevented by the CSRF check on POST endpoints such as SAML. In addition we were using a NullSession forgery protection, which made testing more difficult and could have allowed account linking to take place if a CSRF was ever needed but not present.
2019-01-19 15:41:39 -05:00
protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
Add SAML support via Omniauth
2015-05-27 10:37:22 -04:00
Add latest changes from gitlab-org/gitlab@master
2020-10-05 08:08:47 -04:00
feature_category :authentication_and_authorization
Replace define_method with alias_method in Omniauth Controllers
2018-04-23 11:03:01 -04:00
def handle_omniauth
omniauth_flow(Gitlab::Auth::OAuth)
end
Exclude LDAP from OmniauthCallbackController base methods
2018-04-22 19:15:48 -04:00
AuthHelper.providers_for_base_controller.each do |provider|
alias_method provider, :handle_omniauth
Cleanup after omniauth
2012-09-12 01:23:20 -04:00
end
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net>
2012-07-16 18:31:28 -04:00
Tracks the number of failed attempts made by a user trying to authenticate with any external authentication method
2018-03-20 09:49:51 -04:00
# Extend the standard implementation to also increment
# the number of failed sign in attempts
def failure
Writes specs
2018-03-22 06:34:42 -04:00
if params[:username].present? && AuthHelper.form_based_provider?(failed_strategy.name)
user = User.by_login(params[:username])
Tracks the number of failed attempts made by a user trying to authenticate with any external authentication method
2018-03-20 09:49:51 -04:00
Writes specs
2018-03-22 06:34:42 -04:00
user&.increment_failed_attempts!
Add latest changes from gitlab-org/gitlab@master
2020-08-11 11:10:08 -04:00
log_failed_login(params[:username], failed_strategy.name)
Writes specs
2018-03-22 06:34:42 -04:00
end
Tracks the number of failed attempts made by a user trying to authenticate with any external authentication method
2018-03-20 09:49:51 -04:00
super
end
Improve handling of misconfigured LDAP accounts. Gitlab requires an email address for all user accounts as this is the default account id and is used for sending notifications. LDAP accounts may be missing email fields so handle this by showing a sensible error message before redirecting to the login screen again. Resolves github issue #899 Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net>
2012-07-16 18:31:28 -04:00
# Extend the standard message generation to accept our custom exception
def failure_message
Backport helpers from GroupSAML failure messages
2018-04-22 19:17:49 -04:00
exception = request.env["omniauth.error"]
Add latest changes from gitlab-org/gitlab@master
2019-12-20 04:24:38 -05:00
error = exception.error_reason if exception.respond_to?(:error_reason)
Handle LDAP missing credentials error with a flash message. If a user fails to provide a username or password to the LDAP login form then a 500 error is returned due to an exception being raised in omniauth-ldap. This gem has been amended to use the omniauth error propagation function (fail!) to pass this exception message to the registered omniauth failure handler so that the Rails application can handle it approriately. The failure function now knows about standard exceptions and no longer requires a specific check for the OmniAuth::Error exception added by commit f322975. This resolves issue #1077. Signed-off-by: Pat Thoyts <patthoyts@users.sourceforge.net>
2012-07-21 04:04:05 -04:00
error ||= exception.error if exception.respond_to?(:error)
error ||= exception.message if exception.respond_to?(:message)
Backport helpers from GroupSAML failure messages
2018-04-22 19:17:49 -04:00
error ||= request.env["omniauth.error.type"].to_s
Backport LDAP user assignment changes from EE See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146
2016-01-28 13:31:48 -05:00
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
error.to_s.humanize if error
LDAP done
2012-01-28 08:23:17 -05:00
end
Decouple SAML authentication from the default Omniauth logic
2016-02-18 17:01:07 -05:00
def saml
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
omniauth_flow(Gitlab::Auth::Saml)
Validate that SAML requests are originated from gitlab If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
2019-08-19 09:19:19 -04:00
rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest
redirect_unverified_saml_initiation
Decouple SAML authentication from the default Omniauth logic
2016-02-18 17:01:07 -05:00
end
add CAS authentication support
2015-11-11 23:25:31 -05:00
def cas3
ticket = params['ticket']
if ticket
handle_service_ticket oauth['provider'], ticket
end
Adds Rubocop rule for line break around conditionals
2018-01-11 11:34:01 -05:00
add CAS authentication support
2015-11-11 23:25:31 -05:00
handle_omniauth
end
Added support for Authentiq Back-Channel Logout
2017-01-06 14:07:27 -05:00
def authentiq
if params['sid']
handle_service_ticket oauth['provider'], params['sid']
end
Adds Rubocop rule for line break around conditionals
2018-01-11 11:34:01 -05:00
Added support for Authentiq Back-Channel Logout
2017-01-06 14:07:27 -05:00
handle_omniauth
end
Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6' [10.6] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2354
2018-03-15 11:01:13 -04:00
def auth0
if oauth['uid'].blank?
fail_auth0_login
else
handle_omniauth
end
end
Add checking for email_verified key Fix rubocop offences and add changelog Add email_verified key for feature specs Add code review remarks Add code review remarks Fix specs
2019-09-04 09:18:36 -04:00
def salesforce
if oauth.dig('extra', 'email_verified')
handle_omniauth
else
fail_salesforce_login
end
end
Add latest changes from gitlab-org/gitlab@master
2020-09-10 14:08:54 -04:00
def atlassian_oauth2
omniauth_flow(Gitlab::Auth::Atlassian)
end
Omniauth Support
2012-08-03 11:27:39 -04:00
private
Add latest changes from gitlab-org/gitlab@master
2020-08-11 11:10:08 -04:00
def log_failed_login(user, provider)
# overridden in EE
end
Add latest changes from gitlab-org/gitlab@master
2020-04-24 11:09:37 -04:00
def after_omniauth_failure_path_for(scope)
if Feature.enabled?(:user_mode_in_session)
return new_admin_session_path if current_user_mode.admin_mode_requested?
end
super
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def omniauth_flow(auth_module, identity_linker: nil)
Addressing peer review feedback. Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.
2018-06-04 17:28:18 -04:00
if fragment = request.env.dig('omniauth.params', 'redirect_fragment').presence
store_redirect_fragment(fragment)
Preserve URL fragment across sign-in and sign-up redirects If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2018-05-22 16:04:19 -04:00
end
Omniauth Support
2012-08-03 11:27:39 -04:00
if current_user
Move out link\unlink ability checks to a policy We can extend the policy in EE for additional behavior
2019-03-18 10:36:34 -04:00
return render_403 unless link_provider_allowed?(oauth['provider'])
Audit log for user authentication
2015-07-03 07:54:50 -04:00
log_audit_event(current_user, with: oauth['provider'])
CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-05-06 12:18:03 -04:00
Add latest changes from gitlab-org/gitlab@master
2019-12-11 07:08:10 -05:00
if Feature.enabled?(:user_mode_in_session)
Add latest changes from gitlab-org/gitlab@master
2020-03-13 08:09:22 -04:00
return admin_mode_flow(auth_module::User) if current_user_mode.admin_mode_requested?
Add latest changes from gitlab-org/gitlab@master
2019-12-11 07:08:10 -05:00
end
identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session)
CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-05-06 12:18:03 -04:00
link_identity(identity_linker)
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
Unify Saml::IdentityLinker and OAuth::IdentityLinker
2018-04-23 06:56:44 -04:00
if identity_linker.changed?
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
redirect_identity_linked
Backport IdentityLinker#failed? from GroupSaml callback flow
2018-04-22 19:05:12 -04:00
elsif identity_linker.failed?
Show error on failed OAuth account link
2018-04-22 14:08:08 -04:00
redirect_identity_link_failed(identity_linker.error_message)
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
else
redirect_identity_exists
end
else
sign_in_user_flow(auth_module::User)
Omniauth Support
2012-08-03 11:27:39 -04:00
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
end
CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-05-06 12:18:03 -04:00
def link_identity(identity_linker)
identity_linker.link
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def redirect_identity_exists
redirect_to after_sign_in_path_for(current_user)
end
Show error on failed OAuth account link
2018-04-22 14:08:08 -04:00
def redirect_identity_link_failed(error_message)
Externalize strings in flash messages - Externalize strings in controllers - Update PO file
2019-04-08 10:17:45 -04:00
redirect_to profile_account_path, notice: _("Authentication failed: %{error_message}") % { error_message: error_message }
Show error on failed OAuth account link
2018-04-22 14:08:08 -04:00
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def redirect_identity_linked
Externalize strings in flash messages - Externalize strings in controllers - Update PO file
2019-04-08 10:17:45 -04:00
redirect_to profile_account_path, notice: _('Authentication method updated')
Omniauth Support
2012-08-03 11:27:39 -04:00
end
Use new OAuth classes
2013-09-03 17:06:29 -04:00
Enable Style/MethodDefParentheses rubocop cop Use def with parentheses when there are parameters. See #17478
2016-05-30 06:08:53 -04:00
def handle_service_ticket(provider, ticket)
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-23 07:10:39 -05:00
Gitlab::Auth::OAuth::Session.create provider, ticket
add CAS authentication support
2015-11-11 23:25:31 -05:00
session[:service_tickets] ||= {}
session[:service_tickets][provider] = ticket
end
Backport build_auth_user for GroupSAML callback
2019-02-06 12:28:35 -05:00
def build_auth_user(auth_user_class)
auth_user_class.new(oauth)
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def sign_in_user_flow(auth_user_class)
Backport build_auth_user for GroupSAML callback
2019-02-06 12:28:35 -05:00
auth_user = build_auth_user(auth_user_class)
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
user = auth_user.find_and_update!
if auth_user.valid_sign_in?
log_audit_event(user, with: oauth['provider'])
set_remember_me(user)
Adds Rubocop rule for line break around conditionals
2018-01-11 11:34:01 -05:00
Honor saml assurance level to allow 2FA bypassing
2018-06-25 11:32:03 -04:00
if user.two_factor_enabled? && !auth_user.bypass_two_factor?
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
prompt_for_two_factor(user)
Added tests for 2FA check on OAuth request
2016-06-30 15:54:07 -04:00
else
Add latest changes from gitlab-org/gitlab@master
2019-10-09 20:06:44 -04:00
if user.deactivated?
user.activate
flash[:notice] = _('Welcome back! Your account had been deactivated due to inactivity but is now reactivated.')
end
Ensure Warden triggers after_authentication callback By not triggering the callback: - ActiveSession lookup keys are not cleaned - Devise also misses its hook related to session cleanup
2019-07-26 03:05:50 -04:00
sign_in_and_redirect(user, event: :authentication)
Added tests for 2FA check on OAuth request
2016-06-30 15:54:07 -04:00
end
Decouple SAML authentication from the default Omniauth logic
2016-02-18 17:01:07 -05:00
else
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
fail_login(user)
Decouple SAML authentication from the default Omniauth logic
2016-02-18 17:01:07 -05:00
end
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
handle_disabled_provider
rescue Gitlab::Auth::OAuth::User::SignupDisabledError
handle_signup_error
Decouple SAML authentication from the default Omniauth logic
2016-02-18 17:01:07 -05:00
end
Add missing proper nil and error handling to SAML login process.
2016-04-07 17:45:33 -04:00
def handle_signup_error
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-23 07:10:39 -05:00
label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
Externalize strings in flash messages - Externalize strings in controllers - Update PO file
2019-04-08 10:17:45 -04:00
message = [_("Signing in using your %{label} account without a pre-existing GitLab account is not allowed.") % { label: label }]
Add missing proper nil and error handling to SAML login process.
2016-04-07 17:45:33 -04:00
use Gitlab::UserSettings directly as a singleton instead of including/extending it
2018-02-02 13:39:55 -05:00
if Gitlab::CurrentSettings.allow_signup?
Externalize strings in flash messages - Externalize strings in controllers - Update PO file
2019-04-08 10:17:45 -04:00
message << _("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label }
Add missing proper nil and error handling to SAML login process.
2016-04-07 17:45:33 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2020-01-08 13:07:32 -05:00
flash[:alert] = message.join(' ')
Add missing proper nil and error handling to SAML login process.
2016-04-07 17:45:33 -04:00
redirect_to new_user_session_path
end
Use new OAuth classes
2013-09-03 17:06:29 -04:00
def oauth
@oauth ||= request.env['omniauth.auth']
end
Enable Layout/TrailingWhitespace cop and auto-correct offenses
2017-08-15 13:44:37 -04:00
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def fail_login(user)
Add latest changes from gitlab-org/gitlab@master
2020-08-11 11:10:08 -04:00
log_failed_login(user.username, oauth['provider'])
Add latest changes from gitlab-org/gitlab@master
2020-09-02 11:10:54 -04:00
@provider = Gitlab::Auth::OAuth::Provider.label_for(params[:action])
@error = user.errors.full_messages.to_sentence
[EE Backport] Update log audit event in omniauth_callbacks_controller.rb
2017-08-07 16:10:24 -04:00
Add latest changes from gitlab-org/gitlab@master
2020-09-02 11:10:54 -04:00
render 'errors/omniauth_error', layout: "oauth_error", status: :unprocessable_entity
[EE Backport] Update log audit event in omniauth_callbacks_controller.rb
2017-08-07 16:10:24 -04:00
end
Enable Layout/TrailingWhitespace cop and auto-correct offenses
2017-08-15 13:44:37 -04:00
Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6' [10.6] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2354
2018-03-15 11:01:13 -04:00
def fail_auth0_login
Add checking for email_verified key Fix rubocop offences and add changelog Add email_verified key for feature specs Add code review remarks Add code review remarks Fix specs
2019-09-04 09:18:36 -04:00
fail_login_with_message(_('Wrong extern UID provided. Make sure Auth0 is configured correctly.'))
end
def fail_salesforce_login
fail_login_with_message(_('Email not verified. Please verify your email in Salesforce.'))
end
def fail_login_with_message(message)
flash[:alert] = message
Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6' [10.6] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2354
2018-03-15 11:01:13 -04:00
redirect_to new_user_session_path
end
Validate that SAML requests are originated from gitlab If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
2019-08-19 09:19:19 -04:00
def redirect_unverified_saml_initiation
redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
end
Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6' [10.6] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2354
2018-03-15 11:01:13 -04:00
Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3' [10.3] Prevent login with disabled OAuth providers See merge request gitlab/gitlabhq!2296 (cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c) a0f9d222 Prevents login with disabled OAuth providers
2018-01-09 11:47:31 -05:00
def handle_disabled_provider
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-23 07:10:39 -05:00
label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
Externalize strings in flash messages - Externalize strings in controllers - Update PO file
2019-04-08 10:17:45 -04:00
flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }
Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3' [10.3] Prevent login with disabled OAuth providers See merge request gitlab/gitlabhq!2296 (cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c) a0f9d222 Prevents login with disabled OAuth providers
2018-01-09 11:47:31 -05:00
redirect_to new_user_session_path
end
Audit log for user authentication
2015-07-03 07:54:50 -04:00
def log_audit_event(user, options = {})
Enable Style/DotPosition Rubocop :cop:
2017-06-21 09:48:12 -04:00
AuditEventService.new(user, user, options)
.for_authentication.security_event
Audit log for user authentication
2015-07-03 07:54:50 -04:00
end
Implement "remember me" for OAuth-based login. - Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie.
2017-06-07 04:45:34 -04:00
Refactor OmniauthCallbacksController to remove duplication Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-04-18 10:03:27 -04:00
def set_remember_me(user)
return unless remember_me?
if user.two_factor_enabled?
params[:remember_me] = '1'
else
remember_me(user)
end
end
Implement "remember me" for OAuth-based login. - Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie.
2017-06-07 04:45:34 -04:00
def remember_me?
request_params = request.env['omniauth.params']
Fix build for !11963. - Don't use `request.env['omniauth.params']` if it isn't present. - Remove the `saml` section from the `gitlab.yml` test section. Some tests depend on this section not being initially present, so it can be overridden in the test. This MR doesn't add any tests for SAML, so we didn't really need this in the first place anyway. - Clean up the test -> omniauth section of `gitlab.yml`
2017-07-03 15:37:37 -04:00
(request_params['remember_me'] == '1') if request_params.present?
Implement "remember me" for OAuth-based login. - Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie.
2017-06-07 04:45:34 -04:00
end
Preserve URL fragment across sign-in and sign-up redirects If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2018-05-22 16:04:19 -04:00
def store_redirect_fragment(redirect_fragment)
key = stored_location_key_for(:user)
location = session[key]
Addressing peer review feedback. Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.
2018-06-04 17:28:18 -04:00
if uri = parse_uri(location)
Preserve URL fragment across sign-in and sign-up redirects If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2018-05-22 16:04:19 -04:00
uri.fragment = redirect_fragment
store_location_for(:user, uri.to_s)
end
end
Add latest changes from gitlab-org/gitlab@master
2019-12-11 07:08:10 -05:00
Add latest changes from gitlab-org/gitlab@master
2020-03-13 08:09:22 -04:00
def admin_mode_flow(auth_user_class)
auth_user = build_auth_user(auth_user_class)
return fail_admin_mode_invalid_credentials unless omniauth_identity_matches_current_user?
if current_user.two_factor_enabled? && !auth_user.bypass_two_factor?
admin_mode_prompt_for_two_factor(current_user)
else
# Can only reach here if the omniauth identity matches current user
# and current_user is an admin that requested admin mode
Add latest changes from gitlab-org/gitlab@master
2019-12-11 07:08:10 -05:00
current_user_mode.enable_admin_mode!(skip_password_validation: true)
redirect_to stored_location_for(:redirect) || admin_root_path, notice: _('Admin mode enabled')
end
end
def omniauth_identity_matches_current_user?
current_user.matches_identity?(oauth['provider'], oauth['uid'])
end
def fail_admin_mode_invalid_credentials
redirect_to new_admin_session_path, alert: _('Invalid login or password')
end
LDAP done
2012-01-28 08:23:17 -05:00
end
Add latest changes from gitlab-org/gitlab@master
2019-09-13 09:26:31 -04:00
OmniauthCallbacksController.prepend_if_ee('EE::OmniauthCallbacksController')
Copy permalink