Commit 9326d896 authored by Maxime Besson's avatar Maxime Besson Committed by Rémy Coutable

Allow manual bypass of auto_sign_in_with_provider

This commit lets a user bypass the automatic sign-in on the login form,
in order to log in with a technical (admin, etc.) account

Closes #3786
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 1e8dbd46
...@@ -90,7 +90,7 @@ class SessionsController < Devise::SessionsController ...@@ -90,7 +90,7 @@ class SessionsController < Devise::SessionsController
# Prevent a 'you are already signed in' message directly after signing: # Prevent a 'you are already signed in' message directly after signing:
# we should never redirect to '/users/sign_in' after signing in successfully. # we should never redirect to '/users/sign_in' after signing in successfully.
unless redirect_path == new_user_session_path unless URI(redirect_path).path == new_user_session_path
store_location_for(:redirect, redirect_path) store_location_for(:redirect, redirect_path)
end end
end end
...@@ -103,6 +103,10 @@ class SessionsController < Devise::SessionsController ...@@ -103,6 +103,10 @@ class SessionsController < Devise::SessionsController
provider = Gitlab.config.omniauth.auto_sign_in_with_provider provider = Gitlab.config.omniauth.auto_sign_in_with_provider
return unless provider.present? return unless provider.present?
# If a "auto_sign_in" query parameter is set to a falsy value, don't auto sign-in.
# Otherwise, the default is to auto sign-in.
return if Gitlab::Utils.to_boolean(params[:auto_sign_in]) == false
# Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
# registered or no alert at all. In case of another alert (such as a blocked user), it is safer # registered or no alert at all. In case of another alert (such as a blocked user), it is safer
# to do nothing to prevent redirection loops with certain Omniauth providers. # to do nothing to prevent redirection loops with certain Omniauth providers.
......
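Review bot: `URI(redirect_path)` in the first hunk raises `URI::InvalidURIError` when the string is not a parseable URI, and nothing in the hunk catches it; the assignment of redirect_path is above this hunk, so this is inferred, but if it is built from the request line a malformed path from an unauthenticated client would now surface as an error page where the old plain string comparison simply failed to match. I would rescue that error and skip storing the location, as below, and add a why-comment on the new comparison such as `# Compare only the path: the sign-in URL may now carry query params such as auto_sign_in=false.`. In the second hunk the comment says "falsy value", but the `== false` comparison means only a value that parses to false bypasses the auto sign-in — a missing or unrecognised param presumably yields nil from to_boolean and keeps the default — so reword it to `# If "auto_sign_in" parses to false, don't auto sign-in; any other value keeps the default.`. Note that with this parameter the provider redirect is a convenience default rather than an enforcement of provider-only sign-in, which is worth stating in that comment too.
```ruby
        # … unchanged: redirect_path assignment and the two explanatory comments …
        begin
          redirect_uri_path = URI(redirect_path).path
        rescue URI::InvalidURIError
          redirect_uri_path = nil
        end
        # Skip unparseable locations; never redirect back to the sign-in page.
        unless redirect_uri_path.nil? || redirect_uri_path == new_user_session_path
          store_location_for(:redirect, redirect_path)
        end
```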
---
title: Allow manual bypass of auto_sign_in_with_provider with a new param
merge_request: 10187
author: Maxime Besson
...@@ -201,6 +201,9 @@ Please keep in mind that every sign in attempt will be redirected to the SAML se ...@@ -201,6 +201,9 @@ Please keep in mind that every sign in attempt will be redirected to the SAML se
so you will not be able to sign in using local credentials. Make sure that at least one so you will not be able to sign in using local credentials. Make sure that at least one
of the SAML users has admin permissions. of the SAML users has admin permissions.
You may also bypass the auto signin feature by browsing to
https://gitlab.example.com/users/sign_in?auto_sign_in=false.
### `attribute_statements` ### `attribute_statements`
>**Note:** >**Note:**
......
require 'spec_helper' require 'spec_helper'
describe SessionsController do describe SessionsController do
describe '#new' do
before do
@request.env['devise.mapping'] = Devise.mappings[:user]
end
context 'when auto sign-in is enabled' do
before do
stub_omniauth_setting(auto_sign_in_with_provider: :saml)
allow(controller).to receive(:omniauth_authorize_path).with(:user, :saml).
and_return('/saml')
end
context 'and no auto_sign_in param is passed' do
it 'redirects to :omniauth_authorize_path' do
get(:new)
expect(response).to have_http_status(302)
expect(response).to redirect_to('/saml')
end
end
context 'and auto_sign_in=false param is passed' do
it 'responds with 200' do
get(:new, auto_sign_in: 'false')
expect(response).to have_http_status(200)
end
end
end
end
describe '#create' do describe '#create' do
before do before do
@request.env['devise.mapping'] = Devise.mappings[:user] @request.env['devise.mapping'] = Devise.mappings[:user]
......
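Review bot: The new `describe '#new'` block pins only the two extremes — no param redirects, `auto_sign_in: 'false'` returns 200 — and nothing asserts that other values keep the auto sign-in, which is the behaviour the controller's explicit `== false` comparison exists to preserve. A third context with a non-false value would catch a regression to a plain truthiness check; I would add the example below next to the existing `'and auto_sign_in=false param is passed'` context. The `it 'responds with 200'` example could also assert `expect(response).not_to redirect_to('/saml')` so the intent is explicit. The hunk header for this file is not visible, so the surrounding `describe SessionsController` context is assumed from the shown lines.
```ruby
      context 'and auto_sign_in=true param is passed' do
        it 'still redirects to :omniauth_authorize_path' do
          get(:new, auto_sign_in: 'true')
          expect(response).to have_http_status(302)
          expect(response).to redirect_to('/saml')
        end
      end
```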
...@@ -186,7 +186,7 @@ describe Projects::ImportService, services: true do ...@@ -186,7 +186,7 @@ describe Projects::ImportService, services: true do
} }
) )
allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider]) stub_omniauth_setting(providers: [provider])
end end
end end
end end
...@@ -28,6 +28,6 @@ module ImportSpecHelper ...@@ -28,6 +28,6 @@ module ImportSpecHelper
app_id: 'asd123', app_id: 'asd123',
app_secret: 'asd123' app_secret: 'asd123'
) )
allow(Gitlab.config.omniauth).to receive(:providers).and_return([provider]) stub_omniauth_setting(providers: [provider])
end end
end end
...@@ -25,6 +25,10 @@ module StubConfiguration ...@@ -25,6 +25,10 @@ module StubConfiguration
allow(Gitlab.config.mattermost).to receive_messages(messages) allow(Gitlab.config.mattermost).to receive_messages(messages)
end end
def stub_omniauth_setting(messages)
allow(Gitlab.config.omniauth).to receive_messages(messages)
end
private private
# Modifies stubbed messages to also stub possible predicate versions # Modifies stubbed messages to also stub possible predicate versions
......