Allow manual bypass of auto_sign_in_with_provider

This commit lets a user bypass the automatic signin on the login form,
in order to login with a technical (admin, etc) account

Closes #3786

Signed-off-by: Rémy Coutable <remy@rymai.me>

app/controllers/sessions_controller.rb

@@ -90,7 +90,7 @@ class SessionsController < Devise::SessionsController
 
     # Prevent a 'you are already signed in' message directly after signing:
     # we should never redirect to '/users/sign_in' after signing in successfully.
-    unless redirect_path == new_user_session_path
+    unless URI(redirect_path).path == new_user_session_path
       store_location_for(:redirect, redirect_path)
     end
   end
@@ -103,6 +103,10 @@ class SessionsController < Devise::SessionsController
     provider = Gitlab.config.omniauth.auto_sign_in_with_provider
     return unless provider.present?
 
+    # If a "auto_sign_in" query parameter is set to a falsy value, don't auto sign-in.
+    # Otherwise, the default is to auto sign-in.
+    return if Gitlab::Utils.to_boolean(params[:auto_sign_in]) == false
+
     # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
     # registered or no alert at all. In case of another alert (such as a blocked user), it is safer
     # to do nothing to prevent redirection loops with certain Omniauth providers.

changelogs/unreleased/mabes-gitlab-ce-bypass-auto-login.yml

@@ -0,0 +1,4 @@
+---
+title: Allow manual bypass of auto_sign_in_with_provider with a new param
+merge_request: 10187
+author: Maxime Besson

doc/integration/saml.md

@@ -201,6 +201,9 @@ Please keep in mind that every sign in attempt will be redirected to the SAML se
 so you will not be able to sign in using local credentials. Make sure that at least one
 of the SAML users has admin permissions.
 
+You may also bypass the auto signin feature by browsing to
+https://gitlab.example.com/users/sign_in?auto_sign_in=false.
+
 ### `attribute_statements`
 
 >**Note:**

spec/controllers/sessions_controller_spec.rb

@@ -1,6 +1,37 @@
 require 'spec_helper'
 
 describe SessionsController do
+  describe '#new' do
+    before do
+      @request.env['devise.mapping'] = Devise.mappings[:user]
+    end
+
+    context 'when auto sign-in is enabled' do
+      before do
+        stub_omniauth_setting(auto_sign_in_with_provider: :saml)
+        allow(controller).to receive(:omniauth_authorize_path).with(:user, :saml).
+          and_return('/saml')
+      end
+
+      context 'and no auto_sign_in param is passed' do
+        it 'redirects to :omniauth_authorize_path' do
+          get(:new)
+
+          expect(response).to have_http_status(302)
+          expect(response).to redirect_to('/saml')
+        end
+      end
+
+      context 'and auto_sign_in=false param is passed' do
+        it 'responds with 200' do
+          get(:new, auto_sign_in: 'false')
+
+          expect(response).to have_http_status(200)
+        end
+      end
+    end
+  end
+
   describe '#create' do
     before do
       @request.env['devise.mapping'] = Devise.mappings[:user]

spec/services/projects/import_service_spec.rb

@@ -186,7 +186,7 @@ describe Projects::ImportService, services: true do
         }
       )
 
-      allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider])
+      stub_omniauth_setting(providers: [provider])
     end
   end
 end

spec/support/import_spec_helper.rb

@@ -28,6 +28,6 @@ module ImportSpecHelper
       app_id: 'asd123',
       app_secret: 'asd123'
     )
-    allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider])
+    stub_omniauth_setting(providers: [provider])
   end
 end

spec/support/stub_configuration.rb

@@ -25,6 +25,10 @@ module StubConfiguration
     allow(Gitlab.config.mattermost).to receive_messages(messages)
   end
 
+  def stub_omniauth_setting(messages)
+    allow(Gitlab.config.omniauth).to receive_messages(messages)
+  end
+
   private
 
   # Modifies stubbed messages to also stub possible predicate versions