Merge branch 'master' into group_membership_lock

Conflicts:
	db/schema.rb

CHANGELOG

@@ -3,25 +3,24 @@ v 7.6.0
   - New rugged version
   - Add CRON=1 backup setting for quiet backups
   - Fix failing wiki restore
-  -
   - Add optional Sidekiq MemoryKiller middleware (enabled via SIDEKIQ_MAX_RSS env variable)
-  -
-  -
   - Monokai highlighting style now more faithful to original design (Mark Riedesel)
   - Create project with repository in synchrony
   - Added ability to create empty repo or import existing one if project does not have repository
-  -
-  -
   - Reactivate highlight.js language autodetection
   - Mobile UI improvements
-  -
   - Change maximum avatar file size from 100KB to 200KB
-  -
+  - Strict validation for snippet file names
   - Enable Markdown preview for issues, merge requests, milestones, and notes (Vinnie Okada)
   - In the docker directory is a container template based on the Omnibus packages.
   - Update Sidekiq to version 2.17.8
   - Add author filter to project issues and merge requests pages
   - Atom feed for user activity
+  - Support multiple omniauth providers for the same user
+  - Rendering cross reference in issue title and tooltip for merge request
+  - Show username in comments
+  - Possibility to create Milestones or Labels when Issues are disabled
+  - Fix bug with showing gpg signature in tag
 
 v 7.5.2
   - Don't log Sidekiq arguments by default

CHANGELOG-EE

@@ -5,6 +5,7 @@ v 7.6.0
   - Added member lock for groups to disallow membership additions on project level
   - Rebase on merge request. Introduced merge request option to rebase before merging
   - Better message for failed pushes because of git hooks
+  - Kerberos support for web interface and git HTTP
 
 v 7.5.3
   - Only set up Sidetiq from a Sidekiq server process (fixes Redis::InheritedError)

CONTRIBUTING.md

@@ -142,3 +142,17 @@ Please ensure you support the feature you contribute through all of these steps.
 1.  [Markdown](http://www.cirosantilli.com/markdown-styleguide)
 
 This is also the style used by linting tools such as [RuboCop](https://github.com/bbatsov/rubocop), [PullReview](https://www.pullreview.com/) and [Hound CI](https://houndci.com).
+
+## Code of conduct
+As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior can be
+reported by emailing contact@gitlab.com
+
+This Code of Conduct is adapted from the [Contributor Covenant](http:contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)

Gemfile

@@ -28,6 +28,7 @@ gem 'omniauth-google-oauth2'
 gem 'omniauth-twitter'
 gem 'omniauth-github'
 gem 'omniauth-shibboleth'
+gem 'omniauth-kerberos'
 
 # Extracting information from a git repository
 # Provide access to Gitlab::Git library

Gemfile.lock

@@ -323,6 +323,11 @@ GEM
     omniauth-google-oauth2 (0.2.5)
       omniauth (> 1.0)
       omniauth-oauth2 (~> 1.1)
+    omniauth-kerberos (0.2.0)
+      omniauth-multipassword
+      timfel-krb5-auth (~> 0.8)
+    omniauth-multipassword (0.4.1)
+      omniauth (~> 1.0)
     omniauth-oauth (1.0.1)
       oauth
       omniauth (~> 1.0)
@@ -536,6 +541,7 @@ GEM
     thread_safe (0.3.4)
     tilt (1.4.1)
     timers (1.1.0)
+    timfel-krb5-auth (0.8)
     tinder (1.9.3)
       eventmachine (~> 1.0)
       faraday (~> 0.8)
@@ -661,6 +667,7 @@ DEPENDENCIES
   omniauth (~> 1.1.3)
   omniauth-github
   omniauth-google-oauth2
+  omniauth-kerberos
   omniauth-shibboleth
   omniauth-twitter
   org-ruby (= 0.9.9)

PROCESS.md

@@ -104,3 +104,10 @@ This merge request has been closed because a request for more information has no
 ### Accepting merge requests
 
 Is there a request on [the feature request forum](http://feedback.gitlab.com/forums/176466-general) that is similar to this? If so, can you make a comment with a link to it? Please be aware that new functionality that is not marked [accepting merge/pull requests](http://feedback.gitlab.com/forums/176466-general/status/796455) on the forum might not make it into GitLab. You might be asked to make changes and even after implementing them your feature might still be declined. If you want to reduce the chance of this happening please have a discussion in the forum first.
+
+### Only accepting merge requests with green tests
+
+We can only accept a merge request if all the tests are green. I've just
+restarted the build. When the tests are still not passing after this restart and
+you're sure that is does not have anything to do with your code changes, please
+rebase with master to see if that solves the issue.

app/controllers/omniauth_callbacks_controller.rb

 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  protect_from_forgery except: :kerberos
   Gitlab.config.omniauth.providers.each do |provider|
     define_method provider['name'] do
       handle_omniauth

app/controllers/projects/snippets_controller.rb

@@ -68,7 +68,7 @@ class Projects::SnippetsController < Projects::ApplicationController
       @snippet.content,
       type: 'text/plain; charset=utf-8',
       disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
     )
   end
 

app/controllers/snippets_controller.rb

@@ -79,7 +79,7 @@ class SnippetsController < ApplicationController
       @snippet.content,
       type: 'text/plain; charset=utf-8',
       disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
     )
   end
 

app/helpers/oauth_helper.rb

@@ -3,6 +3,14 @@ module OauthHelper
     Gitlab.config.ldap.enabled
   end
 
+  def kerberos_enabled?
+    enabled_oauth_providers.include?(:kerberos)
+  end
+
+  def standard_login_form_only?
+    ldap_enabled? || kerberos_enabled?
+  end
+
   def default_providers
     [:twitter, :github, :google_oauth2, :ldap]
   end
@@ -13,11 +21,13 @@ module OauthHelper
 
   def enabled_social_providers
     enabled_oauth_providers.select do |name|
-      [:twitter, :github, :google_oauth2].include?(name.to_sym)
+      [:twitter, :github, :google_oauth2, :kerberos].include?(name.to_sym)
     end
   end
 
   def additional_providers
-    enabled_oauth_providers.reject{|provider| provider.to_s.starts_with?('ldap')}
+    enabled_oauth_providers.reject do |provider| 
+      provider.to_s.starts_with?('ldap') || provider == :kerberos
+    end
   end
 end

app/models/commit.rb

@@ -10,12 +10,12 @@ class Commit
   # Used to prevent 500 error on huge commits by suppressing diff
   #
   # User can force display of diff above this size
-  DIFF_SAFE_FILES  = 100
-  DIFF_SAFE_LINES  = 5000
+  DIFF_SAFE_FILES  = 100 unless defined?(DIFF_SAFE_FILES)
+  DIFF_SAFE_LINES  = 5000 unless defined?(DIFF_SAFE_LINES)
 
   # Commits above this size will not be rendered in HTML
-  DIFF_HARD_LIMIT_FILES = 1000
-  DIFF_HARD_LIMIT_LINES = 50000
+  DIFF_HARD_LIMIT_FILES = 1000 unless defined?(DIFF_HARD_LIMIT_FILES)
+  DIFF_HARD_LIMIT_LINES = 50000 unless defined?(DIFF_HARD_LIMIT_LINES)
 
   class << self
     def decorate(commits)

app/models/note.rb

@@ -502,6 +502,6 @@ class Note < ActiveRecord::Base
   end
 
   def editable?
-    !system
+    !read_attribute(:system)
   end
 end

app/models/project_wiki.rb

@@ -5,7 +5,7 @@ class ProjectWiki
     'Markdown' => :markdown,
     'RDoc'     => :rdoc,
     'AsciiDoc' => :asciidoc
-  }
+  } unless defined?(MARKUPS)
 
   class CouldNotCreateWikiError < StandardError; end
 

app/models/snippet.rb

@@ -29,7 +29,9 @@ class Snippet < ActiveRecord::Base
 
   validates :author, presence: true
   validates :title, presence: true, length: { within: 0..255 }
-  validates :file_name, presence: true, length: { within: 0..255 }
+  validates :file_name, presence: true, length: { within: 0..255 },
+            format: { with: Gitlab::Regex.path_regex,
+                      message: Gitlab::Regex.path_regex_message }
   validates :content, presence: true
   validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
 
@@ -62,6 +64,10 @@ class Snippet < ActiveRecord::Base
     file_name
   end
 
+  def sanitized_file_name
+    file_name.gsub(/[^a-zA-Z0-9_\-\.]+/, '')
+  end
+
   def mode
     nil
   end
@@ -72,7 +78,7 @@ class Snippet < ActiveRecord::Base
 
   def visibility_level_field
     visibility_level
-  end 
+  end
 
   class << self
     def search(query)

app/views/devise/sessions/_new_kerberos.html.haml

+= form_tag(user_omniauth_callback_path(provider), id: 'new_kerberos_user' ) do
+  = text_field_tag :username, nil, {class: "form-control top", placeholder: "Kerberos Login", autofocus: "autofocus"}
+  = password_field_tag :password, nil, {class: "form-control bottom", placeholder: "Password"}
+  %br/
+  = button_tag "Kerberos Sign in", class: "btn-save btn"
\ No newline at end of file

app/views/devise/sessions/new.html.haml

@@ -2,18 +2,26 @@
   .login-heading
     %h3 Sign in
   .login-body
-    - if ldap_enabled?
+    - if standard_login_form_only?
       %ul.nav.nav-tabs
-        - @ldap_servers.each_with_index do |server, i|
-          %li{class: (:active if i.zero?)}
-            = link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab'
+        - if ldap_enabled?
+          - @ldap_servers.each_with_index do |server, i|
+            %li{class: (:active if i.zero?)}
+              = link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab'
+        - if kerberos_enabled?
+          %li{class: (:active unless ldap_enabled?)}
+            = link_to "Kerberos", "#tab-kerberos", 'data-toggle' => 'tab'
         - if gitlab_config.signin_enabled
           %li
             = link_to 'Standard', '#tab-signin', 'data-toggle' => 'tab'
       .tab-content
-        - @ldap_servers.each_with_index do |server, i|
-          %div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)}
-            = render 'devise/sessions/new_ldap', provider: server['provider_name']
+        - if ldap_enabled?
+          - @ldap_servers.each_with_index do |server, i|
+            %div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)}
+              = render 'devise/sessions/new_ldap', provider: server['provider_name']
+        - if kerberos_enabled?
+          %div#tab-kerberos.tab-pane{class: (:active unless ldap_enabled?)}
+            = render 'devise/sessions/new_kerberos', provider: :kerberos
         - if gitlab_config.signin_enabled
           %div#tab-signin.tab-pane
             = render 'devise/sessions/new_base'

db/schema.rb

@@ -262,9 +262,9 @@ ActiveRecord::Schema.define(version: 20141212124604) do
     t.datetime "updated_at"
     t.string   "type"
     t.string   "description", default: "", null: false
+    t.string   "avatar"
     t.string   "ldap_cn"
     t.integer  "ldap_access"
-    t.string   "avatar"
     t.boolean  "membership_lock", default: false
   end
 
@@ -326,8 +326,8 @@ ActiveRecord::Schema.define(version: 20141212124604) do
     t.boolean  "archived",                      default: false,    null: false
     t.string   "import_status"
     t.float    "repository_size",               default: 0.0
-    t.text     "merge_requests_template"
     t.integer  "star_count",                    default: 0,        null: false
+    t.text     "merge_requests_template"
     t.boolean  "merge_requests_rebase_enabled", default: false
   end
 

doc/install/installation.md

@@ -54,7 +54,7 @@ up-to-date and install it.
 
 Install the required packages (needed to compile Ruby and native extensions to Ruby gems):
 
-    sudo apt-get install -y build-essential zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server redis-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate python-docutils pkg-config cmake
+    sudo apt-get install -y build-essential zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server redis-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate python-docutils pkg-config cmake libkrb5-dev
 
 Make sure you have the right version of Git installed
 

doc/integration/README.md

@@ -10,6 +10,7 @@ See the documentation below for details on how to configure these services.
 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, and Google via OAuth.
 - [Jenkins](jenkins.md) Integrate with the Jenkins CI
 - [Slack](slack.md) Integrate with the Slack chat service
+- [Kerberos](kerberos.md) Integrate with Kerberos
 
 ## Project services
 

doc/integration/kerberos.md

+# Kerberos integration
+
+GitLab can be configured to allow your users to sign with their Kerberos credentials.
+Kerberos integration can be enabled as a regular omniauth provider, edit [gitlab.rb (omnibus-gitlab)`](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#omniauth-google-twitter-github-login) or [gitlab.yml (source installations)](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example) on your GitLab server and restart GitLab. You only need to specify the provider name. For example:
+
+```
+{ name: 'kerberos'}
+```
+
+You still need to configure your system for Kerberos usage, such as specifying realms. GitLab will make use of the system's Kerberos settings.
+
+The first time a user signs in with Kerberos credentials, GitLab will create a new GitLab user associated with the email, which is built from the kerberos username and realm. Existing GitLab users can go to profile > account and attach a Kerberos account.
+
+## HTTP git access
+
+A linked Kerberos account enables you to `git pull` and `git push` using your Kerberos account, as well as your standard GitLab credentials.
\ No newline at end of file

doc/raketasks/backup_restore.md

@@ -137,7 +137,7 @@ with the name of your bucket:
 Please be informed that a backup does not store your configuration files.
 If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
 If you have a cookbook installation there should be a copy of your configuration in Chef.
-If you have a manual installation please consider backing up your gitlab.yml file and any SSL keys and certificates.
+If you have a manual installation please consider backing up your `gitlab.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
 
 ## Restore a previously created backup
 

doc/update/7.4-to-7.5.md

@@ -71,21 +71,10 @@ There are new configuration options available for gitlab.yml. View them with the
 git diff origin/7-4-stable:config/gitlab.yml.example origin/7-5-stable:config/gitlab.yml.example
 ```
 
-#### Change timeout for unicorn
-
-```
-# set timeout to 60
-sudo -u git -H editor config/unicorn.rb
-```
-
-#### Change nginx https settings
-
-* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-5-stable/lib/support/nginx/gitlab-ssl but with your setting
-
-#### MySQL Databases: Update database.yml config file
-
-* Add `collation: utf8_general_ci` to config/database.yml as seen in [config/database.yml.mysql](config/database.yml.mysql)
+#### Change Nginx settings
 
+* HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as [`lib/support/nginx/gitlab`](/lib/support/nginx/gitlab) but with your settings
+* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as [`lib/support/nginx/gitlab-ssl`](/lib/support/nginx/gitlab-ssl) but with your setting
 
 ### 6. Start application
 
@@ -104,82 +93,6 @@ To make sure you didn't miss anything run a more thorough check with:
 
 If all items are green, then congratulations upgrade is complete!
 
-
-### 8. Optional optimizations for GitLab setups with MySQL databases
-
-Only applies if running MySQL database created with GitLab 6.7 or earlier. If you are not experiencing any issues you may not need the following instructions however following them will bring your database in line with the latest recommended installation configuration and help avoid future issues. Be sure to follow these directions exactly. These directions should be safe for any MySQL instance but to be sure make a current MySQL database backup beforehand.
-
-```
-# Stop GitLab
-sudo service gitlab stop
-
-# Secure your MySQL installation (added in GitLab 6.2)
-sudo mysql_secure_installation
-
-# Login to MySQL
-mysql -u root -p
-
-# do not type the 'mysql>', this is part of the prompt
-
-# Convert all tables to use the InnoDB storage engine (added in GitLab 6.8)
-SELECT CONCAT('ALTER TABLE gitlabhq_production.', table_name, ' ENGINE=InnoDB;') AS 'Copy & run these SQL statements:' FROM information_schema.tables WHERE table_schema = 'gitlabhq_production' AND `ENGINE` <> 'InnoDB' AND `TABLE_TYPE` = 'BASE TABLE';
-
-# If previous query returned results, copy & run all outputed SQL statements
-
-# Convert all tables to correct character set
-SET foreign_key_checks = 0;
-SELECT CONCAT('ALTER TABLE gitlabhq_production.', table_name, ' CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;') AS 'Copy & run these SQL statements:' FROM information_schema.tables WHERE table_schema = 'gitlabhq_production' AND `TABLE_COLLATION` <> 'utf8_unicode_ci' AND `TABLE_TYPE` = 'BASE TABLE';
-
-# If previous query returned results, copy & run all outputed SQL statements
-
-# turn foreign key checks back on
-SET foreign_key_checks = 1;
-
-# Find MySQL users
-mysql> SELECT user FROM mysql.user WHERE user LIKE '%git%';
-
-# If git user exists and gitlab user does not exist
-# you are done with the database cleanup tasks
-mysql> \q
-
-# If both users exist skip to Delete gitlab user
-
-# Create new user for GitLab (changed in GitLab 6.4)
-# change $password in the command below to a real password you pick
-mysql> CREATE USER 'git'@'localhost' IDENTIFIED BY '$password';
-
-# Grant the git user necessary permissions on the database
-mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON `gitlabhq_production`.* TO 'git'@'localhost';
-
-# Delete the old gitlab user
-mysql> DELETE FROM mysql.user WHERE user='gitlab';
-
-# Quit the database session
-mysql> \q
-
-# Try connecting to the new database with the new user
-sudo -u git -H mysql -u git -p -D gitlabhq_production
-
-# Type the password you replaced $password with earlier
-
-# You should now see a 'mysql>' prompt
-
-# Quit the database session
-mysql> \q
-
-# Update database configuration details
-# See config/database.yml.mysql for latest recommended configuration details
-#   Remove the reaping_frequency setting line if it exists (removed in GitLab 6.8)
-#   Set production -> pool: 10 (updated in GitLab 5.3)
-#   Set production -> username: git
-#   Set production -> password: the password your replaced $password with earlier
-sudo -u git -H editor /home/git/gitlab/config/database.yml
-
-# Run thorough check
-sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
-```
-
-
 ## Things went south? Revert to previous version (7.4)
 
 ### 1. Revert the code to the previous version

doc/update/7.5-to-7.6.md

@@ -45,6 +45,8 @@ sudo -u git -H git checkout v2.2.0
 ### 4. Install libs, migrations, etc.
 
 ```bash
+sudo apt-get install libkrb5-dev
+
 cd /home/git/gitlab
 
 # MySQL installations (note: the line below states '--without ... postgres')

doc/web_hooks/web_hooks.md

@@ -54,6 +54,29 @@ Triggered when you push to the repository except when pushing tags.
 }
 ```
 
+## Tag events
+
+Triggered when you create (or delete) tags to the repository.
+
+**Request body:**
+
+```json
+{
+  "ref": "refs/tags/v1.0.0",
+  "before": "0000000000000000000000000000000000000000",
+  "after": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
+  "user_id": 1,
+  "user_name": "John Smith",
+  "project_id": 1,
+  "repository": {
+    "name": "jsmith",
+    "url": "ssh://git@example.com/jsmith/example.git",
+    "description": "",
+    "homepage": "http://example.com/jsmith/example"
+  }
+}
+```
+
 ## Issues events
 
 Triggered when a new issue is created or an existing issue was updated/closed/reopened.

docker/README.md

@@ -39,7 +39,7 @@ After creating this run GitLab:
 sudo docker run --detach --name gitlab_app --publish 8080:80 --publish 2222:22 --volumes-from gitlab_data gitlab_image
 ```
 
-It might take a while before the docker container is responding to queries. You can follow the configuration process with `docker logs -f gitlab`.
+It might take a while before the docker container is responding to queries. You can follow the configuration process with `docker logs -f gitlab_app`.
 
 You can then go to `http://localhost:8080/` (or `http://192.168.59.103:8080/` if you use boot2docker).
 You can login with username `root` and password `5iveL!fe`.

lib/gitlab/auth.rb

@@ -2,6 +2,11 @@ module Gitlab
   class Auth
     def find(login, password)
       user = User.by_login(login)
+  
+      if Devise.omniauth_providers.include?(:kerberos)
+        kerberos_user = Gitlab::Kerberos::Authentication.login(login, password)
+        return kerberos_user if kerberos_user
+      end
 
       # If no user is found, or it's an LDAP server, try LDAP.
       #   LDAP users are only authenticated via LDAP

lib/gitlab/kerberos/authentication.rb

+require "krb5_auth"
+# This calls helps to authenticate to Kerberos by providing username and password
+
+module Gitlab
+  module Kerberos
+    class Authentication
+      def self.login(login, password)
+        return unless Devise.omniauth_providers.include?(:kerberos)
+        return unless login.present? && password.present?
+
+        auth = new(login, password)
+        auth.login
+      end
+
+      def initialize(login, password)
+        @login = login
+        @password = password
+        @krb5 = ::Krb5Auth::Krb5.new
+      end
+
+      def valid?
+        @krb5.get_init_creds_password(@login, @password)
+      rescue ::Krb5Auth::Krb5::Exception
+        false
+      end
+
+      def login
+        valid? && find_by_login(@login)
+      end
+
+      private
+
+      def find_by_login(login)
+        identity = ::Identity.
+          where(provider: :kerberos).
+          where('lower(extern_uid) = ?', login).last
+        identity && identity.user
+      end
+    end
+  end
+end

lib/tasks/gitlab/shell.rake

@@ -17,15 +17,19 @@ namespace :gitlab do
 
       # Clone if needed
       unless File.directory?(target_dir)
-        sh(*%W(git clone #{args.repo} #{target_dir}))
+        system(*%W(git clone -- #{args.repo} #{target_dir}))
       end
 
       # Make sure we're on the right tag
       Dir.chdir(target_dir) do
         # First try to checkout without fetching
         # to avoid stalling tests if the Internet is down.
-        reset = "git reset --hard $(git describe #{args.tag} || git describe origin/#{args.tag})"
-        sh "#{reset} || git fetch origin && #{reset}"
+        reseted = reset_to_commit(args)
+
+        unless reseted
+          system(*%W(git fetch origin))
+          reset_to_commit(args)
+        end
 
         config = {
           user: user,
@@ -54,7 +58,7 @@ namespace :gitlab do
         File.open("config.yml", "w+") {|f| f.puts config.to_yaml}
 
         # Launch installation process
-        sh "bin/install"
+        system(*%W(bin/install))
       end
 
       # Required for debian packaging with PKGR: Setup .ssh/environment with
@@ -118,5 +122,16 @@ namespace :gitlab do
     puts "Quitting...".red
     exit 1
   end
+
+  def reset_to_commit(args)
+    tag, status = Gitlab::Popen.popen(%W(git describe -- #{args.tag}))
+
+    unless status.zero?
+      tag, status = Gitlab::Popen.popen(%W(git describe -- origin/#{args.tag}))
+    end
+
+    tag = tag.strip
+    system(*%W(git reset --hard #{tag}))
+  end
 end
 

spec/factories.rb

@@ -5,10 +5,14 @@ FactoryGirl.define do
     Faker::Lorem.sentence
   end
 
-  sequence :name, aliases: [:file_name] do
+  sequence :name do
     Faker::Name.name
   end
 
+  sequence :file_name do
+    Faker::Internet.user_name
+  end
+
   sequence(:url) { Faker::Internet.uri('http') }
 
   factory :user, aliases: [:author, :assignee, :owner, :creator] do

spec/helpers/oauth_helper_spec.rb

@@ -17,4 +17,16 @@ describe OauthHelper do
       helper.additional_providers.should == []
     end
   end
+
+  describe "kerberos_enabled?" do
+    it 'returns true' do
+      allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :github, :kerberos] }
+      helper.kerberos_enabled?.should be_true
+    end
+
+    it 'returns false' do
+      allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :ldapmain] }
+      helper.kerberos_enabled?.should be_false
+    end
+  end
 end
\ No newline at end of file

spec/lib/gitlab/auth_spec.rb

@@ -35,6 +35,17 @@ describe Gitlab::Auth do
       expect( gl_auth.find(username, password) ).to_not eql user
     end
 
+    context "with kerberos" do
+      before { Devise.stub(omniauth_providers: [:kerberos]) }
+
+      it "finds user" do
+        Gitlab::Kerberos::Authentication.stub(valid?: true)
+        Gitlab::Kerberos::Authentication.stub(email: user.email)
+        
+        expect( gl_auth.find(username, password) ).to eql user
+      end
+    end
+
     context "with ldap enabled" do
       before { Gitlab::LDAP::Config.stub(enabled?: true) }
 

spec/lib/gitlab/kerberos/authentication_spec.rb

+require 'spec_helper'
+
+describe Gitlab::Kerberos::Authentication do
+  let(:klass) { Gitlab::Kerberos::Authentication }
+  let(:user) { create(:omniauth_user, provider: :kerberos, extern_uid: 'gitlab') }
+  let(:login) { 'john' }
+  let(:password) { 'password' }
+
+  describe :login do
+    before do
+      Devise.stub(omniauth_providers: [:kerberos])
+    end
+
+    it "finds the user if authentication is successful" do
+      kerberos_realm = user.email.sub(/.*@/, '')
+      ::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
+      ::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
+
+      expect(klass.login('gitlab', password)).to be_true
+    end
+
+    it "returns false if there is no such user in kerberos" do
+      kerberos_login = "some-login"
+      kerberos_realm = user.email.sub(/.*@/, '')
+      ::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
+      ::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
+
+      expect(klass.login(kerberos_login, password)).to be_false
+    end
+  end
+end
\ No newline at end of file