Imre (Admin) authored 5 years ago and James Lopez committed 5 years ago

By not triggering the callback:
- ActiveSession lookup keys are not cleaned
- Devise also misses its hook related to session cleanup

Adds two methods for us to extend in EE:
- OmniauthCallbacksController#link_identity
- GroupPolicy#lookup_access_level!

- Externalize strings in controllers
- Update PO file

We can extend the policy in EE for additional behavior

SAML and OAuth failures should cause a message to be presented, as well
as logging that an attempt was made. These were incorrectly prevented by
the CSRF check on POST endpoints such as SAML.

In addition we were using a NullSession forgery protection, which made
testing more difficult and could have allowed account linking to take
place if a CSRF was ever needed but not present.

Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.

If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.

Enables frozen string for the following:

* app/controllers/*.rb
* app/controllers/admin/**/*.rb
* app/controllers/boards/**/*.rb
* app/controllers/ci/**/*.rb
* app/controllers/concerns/**/*.rb

Partially addresses #47424.

Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by
default anymore. [1]

Instead it gets inserted into callbacks chain where callbacks get
called in order.

This commit forces the callback to run first.

[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191

Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml

Tracks the number of failed attempts made by a user trying to authenticate with any external authentication method

James Lopez authored 6 years ago and Mark Fletcher committed 6 years ago

[10.6] Fix GitLab Auth0 integration signs in the wrong user

See merge request gitlab/gitlabhq!2354

[10.3] Prevent login with disabled OAuth providers

See merge request gitlab/gitlabhq!2296

(cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c)

a0f9d222 Prevents login with disabled OAuth providers

This avoids loading the `OmniAuthCallbacksController` at boot time so
it doesn't mess up the `before_action`-chain

- Don't use `request.env['omniauth.params']` if it isn't present.

- Remove the `saml` section from the `gitlab.yml` test section. Some tests
  depend on this section not being initially present, so it can be overridden
  in the test. This MR doesn't add any tests for SAML, so we didn't really need
  this in the first place anyway.

- Clean up the test -> omniauth section of `gitlab.yml`

- Pass a `remember_me` query parameter along with the initial OAuth request, and
  pick this parameter up during the omniauth callback from
  request.env['omniauth.params']`.

- For 2FA-based login, copy the `remember_me` param from `omniauth.params` to
  `params`, which the 2FA process will pick up.

- For non-2FA-based login, simply call the `remember_me` devise method to set
  the session cookie.

This reverts merge request !11963

- Don't use `request.env['omniauth.params']` if it isn't present.

- Remove the `saml` section from the `gitlab.yml` test section. Some tests
  depend on this section not being initially present, so it can be overridden
  in the test. This MR doesn't add any tests for SAML, so we didn't really need
  this in the first place anyway.

- Clean up the test -> omniauth section of `gitlab.yml`

- Pass a `remember_me` query parameter along with the initial OAuth request, and
  pick this parameter up during the omniauth callback from
  request.env['omniauth.params']`

- For 2FA-based login, copy the `remember_me` param from `omniauth.params` to
  `params`, which the 2FA process will pick up.

- For non-2FA-based login, simply call the `remember_me` devise method to set
  the session cookie.

This reverts commit cb10b725c8929b8b4460f89c9d96c773af39ba6b.