Commit 6ab5127b authored by Marin Jankovski

Merge branch 'master' into group_membership_lock

Conflicts:
	db/schema.rb
parents fd872522 db49b2d8
...@@ -3,25 +3,24 @@ v 7.6.0 ...@@ -3,25 +3,24 @@ v 7.6.0
- New rugged version - New rugged version
- Add CRON=1 backup setting for quiet backups - Add CRON=1 backup setting for quiet backups
- Fix failing wiki restore - Fix failing wiki restore
-
- Add optional Sidekiq MemoryKiller middleware (enabled via SIDEKIQ_MAX_RSS env variable) - Add optional Sidekiq MemoryKiller middleware (enabled via SIDEKIQ_MAX_RSS env variable)
-
-
- Monokai highlighting style now more faithful to original design (Mark Riedesel) - Monokai highlighting style now more faithful to original design (Mark Riedesel)
- Create project with repository in synchrony - Create project with repository in synchrony
- Added ability to create empty repo or import existing one if project does not have repository - Added ability to create empty repo or import existing one if project does not have repository
-
-
- Reactivate highlight.js language autodetection - Reactivate highlight.js language autodetection
- Mobile UI improvements - Mobile UI improvements
-
- Change maximum avatar file size from 100KB to 200KB - Change maximum avatar file size from 100KB to 200KB
- - Strict validation for snippet file names
- Enable Markdown preview for issues, merge requests, milestones, and notes (Vinnie Okada) - Enable Markdown preview for issues, merge requests, milestones, and notes (Vinnie Okada)
- In the docker directory is a container template based on the Omnibus packages. - In the docker directory is a container template based on the Omnibus packages.
- Update Sidekiq to version 2.17.8 - Update Sidekiq to version 2.17.8
- Add author filter to project issues and merge requests pages - Add author filter to project issues and merge requests pages
- Atom feed for user activity - Atom feed for user activity
- Support multiple omniauth providers for the same user
- Rendering cross reference in issue title and tooltip for merge request
- Show username in comments
- Possibility to create Milestones or Labels when Issues are disabled
- Fix bug with showing gpg signature in tag
v 7.5.2 v 7.5.2
- Don't log Sidekiq arguments by default - Don't log Sidekiq arguments by default
......
...@@ -5,6 +5,7 @@ v 7.6.0 ...@@ -5,6 +5,7 @@ v 7.6.0
- Added member lock for groups to disallow membership additions on project level - Added member lock for groups to disallow membership additions on project level
- Rebase on merge request. Introduced merge request option to rebase before merging - Rebase on merge request. Introduced merge request option to rebase before merging
- Better message for failed pushes because of git hooks - Better message for failed pushes because of git hooks
- Kerberos support for web interface and git HTTP
v 7.5.3 v 7.5.3
- Only set up Sidetiq from a Sidekiq server process (fixes Redis::InheritedError) - Only set up Sidetiq from a Sidekiq server process (fixes Redis::InheritedError)
......
...@@ -142,3 +142,17 @@ Please ensure you support the feature you contribute through all of these steps. ...@@ -142,3 +142,17 @@ Please ensure you support the feature you contribute through all of these steps.
1. [Markdown](http://www.cirosantilli.com/markdown-styleguide) 1. [Markdown](http://www.cirosantilli.com/markdown-styleguide)
This is also the style used by linting tools such as [RuboCop](https://github.com/bbatsov/rubocop), [PullReview](https://www.pullreview.com/) and [Hound CI](https://houndci.com). This is also the style used by linting tools such as [RuboCop](https://github.com/bbatsov/rubocop), [PullReview](https://www.pullreview.com/) and [Hound CI](https://houndci.com).
## Code of conduct
As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, age, or religion.
Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
Instances of abusive, harassing, or otherwise unacceptable behavior can be
reported by emailing contact@gitlab.com
This Code of Conduct is adapted from the [Contributor Covenant](http:contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)
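Review bot: the first link on the last added line, `[Contributor Covenant](http:contributor-covenant.org)`, is missing `//` after `http:`, so the target is not the URL that the second link on the same line spells out. Use `http://contributor-covenant.org`.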
...@@ -28,6 +28,7 @@ gem 'omniauth-google-oauth2' ...@@ -28,6 +28,7 @@ gem 'omniauth-google-oauth2'
gem 'omniauth-twitter' gem 'omniauth-twitter'
gem 'omniauth-github' gem 'omniauth-github'
gem 'omniauth-shibboleth' gem 'omniauth-shibboleth'
gem 'omniauth-kerberos'
# Extracting information from a git repository # Extracting information from a git repository
# Provide access to Gitlab::Git library # Provide access to Gitlab::Git library
......
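Review bot: `gem 'omniauth-kerberos'` should sit in an optional Bundler group rather than at the top level of the Gemfile. As written, every installation has to build its `timfel-krb5-auth` dependency (see the lock file changes), which is why the install and update guides in this commit now add `libkrb5-dev` for everyone, including sites that never enable Kerberos.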
...@@ -323,6 +323,11 @@ GEM ...@@ -323,6 +323,11 @@ GEM
omniauth-google-oauth2 (0.2.5) omniauth-google-oauth2 (0.2.5)
omniauth (> 1.0) omniauth (> 1.0)
omniauth-oauth2 (~> 1.1) omniauth-oauth2 (~> 1.1)
omniauth-kerberos (0.2.0)
omniauth-multipassword
timfel-krb5-auth (~> 0.8)
omniauth-multipassword (0.4.1)
omniauth (~> 1.0)
omniauth-oauth (1.0.1) omniauth-oauth (1.0.1)
oauth oauth
omniauth (~> 1.0) omniauth (~> 1.0)
...@@ -536,6 +541,7 @@ GEM ...@@ -536,6 +541,7 @@ GEM
thread_safe (0.3.4) thread_safe (0.3.4)
tilt (1.4.1) tilt (1.4.1)
timers (1.1.0) timers (1.1.0)
timfel-krb5-auth (0.8)
tinder (1.9.3) tinder (1.9.3)
eventmachine (~> 1.0) eventmachine (~> 1.0)
faraday (~> 0.8) faraday (~> 0.8)
...@@ -661,6 +667,7 @@ DEPENDENCIES ...@@ -661,6 +667,7 @@ DEPENDENCIES
omniauth (~> 1.1.3) omniauth (~> 1.1.3)
omniauth-github omniauth-github
omniauth-google-oauth2 omniauth-google-oauth2
omniauth-kerberos
omniauth-shibboleth omniauth-shibboleth
omniauth-twitter omniauth-twitter
org-ruby (= 0.9.9) org-ruby (= 0.9.9)
......
...@@ -104,3 +104,10 @@ This merge request has been closed because a request for more information has no ...@@ -104,3 +104,10 @@ This merge request has been closed because a request for more information has no
### Accepting merge requests ### Accepting merge requests
Is there a request on [the feature request forum](http://feedback.gitlab.com/forums/176466-general) that is similar to this? If so, can you make a comment with a link to it? Please be aware that new functionality that is not marked [accepting merge/pull requests](http://feedback.gitlab.com/forums/176466-general/status/796455) on the forum might not make it into GitLab. You might be asked to make changes and even after implementing them your feature might still be declined. If you want to reduce the chance of this happening please have a discussion in the forum first. Is there a request on [the feature request forum](http://feedback.gitlab.com/forums/176466-general) that is similar to this? If so, can you make a comment with a link to it? Please be aware that new functionality that is not marked [accepting merge/pull requests](http://feedback.gitlab.com/forums/176466-general/status/796455) on the forum might not make it into GitLab. You might be asked to make changes and even after implementing them your feature might still be declined. If you want to reduce the chance of this happening please have a discussion in the forum first.
### Only accepting merge requests with green tests
We can only accept a merge request if all the tests are green. I've just
restarted the build. When the tests are still not passing after this restart and
you're sure that is does not have anything to do with your code changes, please
rebase with master to see if that solves the issue.
class OmniauthCallbacksController < Devise::OmniauthCallbacksController class OmniauthCallbacksController < Devise::OmniauthCallbacksController
protect_from_forgery except: :kerberos
Gitlab.config.omniauth.providers.each do |provider| Gitlab.config.omniauth.providers.each do |provider|
define_method provider['name'] do define_method provider['name'] do
handle_omniauth handle_omniauth
......
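Review bot: `protect_from_forgery except: :kerberos` turns off CSRF verification for the one action that receives a username and password, which leaves the Kerberos sign-in open to login CSRF. The Kerberos sign-in form added in this commit is built with `form_tag`, which emits the authenticity token by default, so the exemption looks unnecessary; if something else requires it, state the reason in a comment next to the line.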
...@@ -68,7 +68,7 @@ class Projects::SnippetsController < Projects::ApplicationController ...@@ -68,7 +68,7 @@ class Projects::SnippetsController < Projects::ApplicationController
@snippet.content, @snippet.content,
type: 'text/plain; charset=utf-8', type: 'text/plain; charset=utf-8',
disposition: 'inline', disposition: 'inline',
filename: @snippet.file_name filename: @snippet.sanitized_file_name
) )
end end
......
...@@ -79,7 +79,7 @@ class SnippetsController < ApplicationController ...@@ -79,7 +79,7 @@ class SnippetsController < ApplicationController
@snippet.content, @snippet.content,
type: 'text/plain; charset=utf-8', type: 'text/plain; charset=utf-8',
disposition: 'inline', disposition: 'inline',
filename: @snippet.file_name filename: @snippet.sanitized_file_name
) )
end end
......
...@@ -3,6 +3,14 @@ module OauthHelper ...@@ -3,6 +3,14 @@ module OauthHelper
Gitlab.config.ldap.enabled Gitlab.config.ldap.enabled
end end
def kerberos_enabled?
enabled_oauth_providers.include?(:kerberos)
end
def standard_login_form_only?
ldap_enabled? || kerberos_enabled?
end
def default_providers def default_providers
[:twitter, :github, :google_oauth2, :ldap] [:twitter, :github, :google_oauth2, :ldap]
end end
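Review bot: `kerberos_enabled?` compares with `enabled_oauth_providers.include?(:kerberos)`, which matches only when the provider names are symbols, while the neighbouring helpers call `name.to_sym` and `provider.to_s` on the same list, which suggests it can hold strings. Normalise before comparing, for example `enabled_oauth_providers.map(&:to_sym).include?(:kerberos)`. The name `standard_login_form_only?` also does not describe what it returns (LDAP or Kerberos enabled); a more literal name would make the view condition easier to read.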
...@@ -13,11 +21,13 @@ module OauthHelper ...@@ -13,11 +21,13 @@ module OauthHelper
def enabled_social_providers def enabled_social_providers
enabled_oauth_providers.select do |name| enabled_oauth_providers.select do |name|
[:twitter, :github, :google_oauth2].include?(name.to_sym) [:twitter, :github, :google_oauth2, :kerberos].include?(name.to_sym)
end end
end end
def additional_providers def additional_providers
enabled_oauth_providers.reject{|provider| provider.to_s.starts_with?('ldap')} enabled_oauth_providers.reject do |provider|
provider.to_s.starts_with?('ldap') || provider == :kerberos
end
end end
end end
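Review bot: `enabled_social_providers` and `additional_providers` now disagree about Kerberos: the first adds `:kerberos` to its whitelist and the second filters it out. Since Kerberos is rendered as a username/password tab, please document which callers are meant to treat it as a social provider, or drop it from `enabled_social_providers`. In `additional_providers`, `provider == :kerberos` also misses a string `'kerberos'`, unlike the `provider.to_s.starts_with?('ldap')` test beside it.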
...@@ -10,12 +10,12 @@ class Commit ...@@ -10,12 +10,12 @@ class Commit
# Used to prevent 500 error on huge commits by suppressing diff # Used to prevent 500 error on huge commits by suppressing diff
# #
# User can force display of diff above this size # User can force display of diff above this size
DIFF_SAFE_FILES = 100 DIFF_SAFE_FILES = 100 unless defined?(DIFF_SAFE_FILES)
DIFF_SAFE_LINES = 5000 DIFF_SAFE_LINES = 5000 unless defined?(DIFF_SAFE_LINES)
# Commits above this size will not be rendered in HTML # Commits above this size will not be rendered in HTML
DIFF_HARD_LIMIT_FILES = 1000 DIFF_HARD_LIMIT_FILES = 1000 unless defined?(DIFF_HARD_LIMIT_FILES)
DIFF_HARD_LIMIT_LINES = 50000 DIFF_HARD_LIMIT_LINES = 50000 unless defined?(DIFF_HARD_LIMIT_LINES)
class << self class << self
def decorate(commits) def decorate(commits)
......
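Review bot: the `unless defined?(...)` guards on `DIFF_SAFE_FILES` through `DIFF_HARD_LIMIT_LINES` carry no explanation of why the class body is evaluated more than once. Add a comment naming the cause, or fix the double load; with the guards in place, a constant that is already defined elsewhere with a different value silently wins over the limits written here.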
...@@ -502,6 +502,6 @@ class Note < ActiveRecord::Base ...@@ -502,6 +502,6 @@ class Note < ActiveRecord::Base
end end
def editable? def editable?
!system !read_attribute(:system)
end end
end end
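Review bot: `!read_attribute(:system)` in `editable?` bypasses the `system` accessor, but nothing in the hunk says why. Add a one-line comment with the reason so the next reader does not change it back to `!system`.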
...@@ -5,7 +5,7 @@ class ProjectWiki ...@@ -5,7 +5,7 @@ class ProjectWiki
'Markdown' => :markdown, 'Markdown' => :markdown,
'RDoc' => :rdoc, 'RDoc' => :rdoc,
'AsciiDoc' => :asciidoc 'AsciiDoc' => :asciidoc
} } unless defined?(MARKUPS)
class CouldNotCreateWikiError < StandardError; end class CouldNotCreateWikiError < StandardError; end
......
...@@ -29,7 +29,9 @@ class Snippet < ActiveRecord::Base ...@@ -29,7 +29,9 @@ class Snippet < ActiveRecord::Base
validates :author, presence: true validates :author, presence: true
validates :title, presence: true, length: { within: 0..255 } validates :title, presence: true, length: { within: 0..255 }
validates :file_name, presence: true, length: { within: 0..255 } validates :file_name, presence: true, length: { within: 0..255 },
format: { with: Gitlab::Regex.path_regex,
message: Gitlab::Regex.path_regex_message }
validates :content, presence: true validates :content, presence: true
validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values } validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
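Review bot: the new `format:` rule on `file_name` runs on every save, so a snippet stored before this change with a name outside `Gitlab::Regex.path_regex` will fail validation the next time it is edited; say how existing rows are handled (a migration, or a note in the changelog). Also confirm that `path_regex` is anchored with `\A` and `\z` rather than `^` and `$`: its definition is not part of this diff, and a line-anchored pattern would accept a name containing a newline.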
...@@ -62,6 +64,10 @@ class Snippet < ActiveRecord::Base ...@@ -62,6 +64,10 @@ class Snippet < ActiveRecord::Base
file_name file_name
end end
def sanitized_file_name
file_name.gsub(/[^a-zA-Z0-9_\-\.]+/, '')
end
def mode def mode
nil nil
end end
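Review bot: `sanitized_file_name` can return an empty string, or a name made only of dots, when `file_name` consists of characters outside the allowed set, and both snippet controllers pass the result straight to `filename:` in the raw download response. Fall back to a fixed default when the result is blank, and add a spec for the method; none is visible in this commit.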
...@@ -72,7 +78,7 @@ class Snippet < ActiveRecord::Base ...@@ -72,7 +78,7 @@ class Snippet < ActiveRecord::Base
def visibility_level_field def visibility_level_field
visibility_level visibility_level
end end
class << self class << self
def search(query) def search(query)
......
= form_tag(user_omniauth_callback_path(provider), id: 'new_kerberos_user' ) do
= text_field_tag :username, nil, {class: "form-control top", placeholder: "Kerberos Login", autofocus: "autofocus"}
= password_field_tag :password, nil, {class: "form-control bottom", placeholder: "Password"}
%br/
= button_tag "Kerberos Sign in", class: "btn-save btn"
\ No newline at end of file
...@@ -2,18 +2,26 @@ ...@@ -2,18 +2,26 @@
.login-heading .login-heading
%h3 Sign in %h3 Sign in
.login-body .login-body
- if ldap_enabled? - if standard_login_form_only?
%ul.nav.nav-tabs %ul.nav.nav-tabs
- @ldap_servers.each_with_index do |server, i| - if ldap_enabled?
%li{class: (:active if i.zero?)} - @ldap_servers.each_with_index do |server, i|
= link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab' %li{class: (:active if i.zero?)}
= link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab'
- if kerberos_enabled?
%li{class: (:active unless ldap_enabled?)}
= link_to "Kerberos", "#tab-kerberos", 'data-toggle' => 'tab'
- if gitlab_config.signin_enabled - if gitlab_config.signin_enabled
%li %li
= link_to 'Standard', '#tab-signin', 'data-toggle' => 'tab' = link_to 'Standard', '#tab-signin', 'data-toggle' => 'tab'
.tab-content .tab-content
- @ldap_servers.each_with_index do |server, i| - if ldap_enabled?
%div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)} - @ldap_servers.each_with_index do |server, i|
= render 'devise/sessions/new_ldap', provider: server['provider_name'] %div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)}
= render 'devise/sessions/new_ldap', provider: server['provider_name']
- if kerberos_enabled?
%div#tab-kerberos.tab-pane{class: (:active unless ldap_enabled?)}
= render 'devise/sessions/new_kerberos', provider: :kerberos
- if gitlab_config.signin_enabled - if gitlab_config.signin_enabled
%div#tab-signin.tab-pane %div#tab-signin.tab-pane
= render 'devise/sessions/new_base' = render 'devise/sessions/new_base'
......
...@@ -262,9 +262,9 @@ ActiveRecord::Schema.define(version: 20141212124604) do ...@@ -262,9 +262,9 @@ ActiveRecord::Schema.define(version: 20141212124604) do
t.datetime "updated_at" t.datetime "updated_at"
t.string "type" t.string "type"
t.string "description", default: "", null: false t.string "description", default: "", null: false
t.string "avatar"
t.string "ldap_cn" t.string "ldap_cn"
t.integer "ldap_access" t.integer "ldap_access"
t.string "avatar"
t.boolean "membership_lock", default: false t.boolean "membership_lock", default: false
end end
...@@ -326,8 +326,8 @@ ActiveRecord::Schema.define(version: 20141212124604) do ...@@ -326,8 +326,8 @@ ActiveRecord::Schema.define(version: 20141212124604) do
t.boolean "archived", default: false, null: false t.boolean "archived", default: false, null: false
t.string "import_status" t.string "import_status"
t.float "repository_size", default: 0.0 t.float "repository_size", default: 0.0
t.text "merge_requests_template"
t.integer "star_count", default: 0, null: false t.integer "star_count", default: 0, null: false
t.text "merge_requests_template"
t.boolean "merge_requests_rebase_enabled", default: false t.boolean "merge_requests_rebase_enabled", default: false
end end
......
...@@ -54,7 +54,7 @@ up-to-date and install it. ...@@ -54,7 +54,7 @@ up-to-date and install it.
Install the required packages (needed to compile Ruby and native extensions to Ruby gems): Install the required packages (needed to compile Ruby and native extensions to Ruby gems):
sudo apt-get install -y build-essential zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server redis-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate python-docutils pkg-config cmake sudo apt-get install -y build-essential zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server redis-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate python-docutils pkg-config cmake libkrb5-dev
Make sure you have the right version of Git installed Make sure you have the right version of Git installed
......
...@@ -10,6 +10,7 @@ See the documentation below for details on how to configure these services. ...@@ -10,6 +10,7 @@ See the documentation below for details on how to configure these services.
- [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, and Google via OAuth. - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, and Google via OAuth.
- [Jenkins](jenkins.md) Integrate with the Jenkins CI - [Jenkins](jenkins.md) Integrate with the Jenkins CI
- [Slack](slack.md) Integrate with the Slack chat service - [Slack](slack.md) Integrate with the Slack chat service
- [Kerberos](kerberos.md) Integrate with Kerberos
## Project services ## Project services
......
# Kerberos integration
GitLab can be configured to allow your users to sign with their Kerberos credentials.
Kerberos integration can be enabled as a regular omniauth provider, edit [gitlab.rb (omnibus-gitlab)`](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#omniauth-google-twitter-github-login) or [gitlab.yml (source installations)](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example) on your GitLab server and restart GitLab. You only need to specify the provider name. For example:
```
{ name: 'kerberos'}
```
You still need to configure your system for Kerberos usage, such as specifying realms. GitLab will make use of the system's Kerberos settings.
The first time a user signs in with Kerberos credentials, GitLab will create a new GitLab user associated with the email, which is built from the kerberos username and realm. Existing GitLab users can go to profile > account and attach a Kerberos account.
## HTTP git access
A linked Kerberos account enables you to `git pull` and `git push` using your Kerberos account, as well as your standard GitLab credentials.
\ No newline at end of file
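Review bot: the page does not say that this integration is password-based. `Gitlab::Kerberos::Authentication` in this commit calls `get_init_creds_password` with the submitted username and password, so users type their Kerberos password into the GitLab form and, for git over HTTP, send it to the GitLab server as well; the page should state that and recommend HTTPS. Smaller points: "sign with" should be "sign in with", the first link text has a stray backtick after "(omnibus-gitlab)", and the `libkrb5-dev` requirement is only mentioned in the install and update guides.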
...@@ -137,7 +137,7 @@ with the name of your bucket: ...@@ -137,7 +137,7 @@ with the name of your bucket:
Please be informed that a backup does not store your configuration files. Please be informed that a backup does not store your configuration files.
If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration). If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
If you have a cookbook installation there should be a copy of your configuration in Chef. If you have a cookbook installation there should be a copy of your configuration in Chef.
If you have a manual installation please consider backing up your gitlab.yml file and any SSL keys and certificates. If you have a manual installation please consider backing up your `gitlab.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
## Restore a previously created backup ## Restore a previously created backup
......
...@@ -71,21 +71,10 @@ There are new configuration options available for gitlab.yml. View them with the ...@@ -71,21 +71,10 @@ There are new configuration options available for gitlab.yml. View them with the
git diff origin/7-4-stable:config/gitlab.yml.example origin/7-5-stable:config/gitlab.yml.example git diff origin/7-4-stable:config/gitlab.yml.example origin/7-5-stable:config/gitlab.yml.example
``` ```
#### Change timeout for unicorn #### Change Nginx settings
```
# set timeout to 60
sudo -u git -H editor config/unicorn.rb
```
#### Change nginx https settings
* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-5-stable/lib/support/nginx/gitlab-ssl but with your setting
#### MySQL Databases: Update database.yml config file
* Add `collation: utf8_general_ci` to config/database.yml as seen in [config/database.yml.mysql](config/database.yml.mysql)
* HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as [`lib/support/nginx/gitlab`](/lib/support/nginx/gitlab) but with your settings
* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as [`lib/support/nginx/gitlab-ssl`](/lib/support/nginx/gitlab-ssl) but with your setting
### 6. Start application ### 6. Start application
...@@ -104,82 +93,6 @@ To make sure you didn't miss anything run a more thorough check with: ...@@ -104,82 +93,6 @@ To make sure you didn't miss anything run a more thorough check with:
If all items are green, then congratulations upgrade is complete! If all items are green, then congratulations upgrade is complete!
### 8. Optional optimizations for GitLab setups with MySQL databases
Only applies if running MySQL database created with GitLab 6.7 or earlier. If you are not experiencing any issues you may not need the following instructions however following them will bring your database in line with the latest recommended installation configuration and help avoid future issues. Be sure to follow these directions exactly. These directions should be safe for any MySQL instance but to be sure make a current MySQL database backup beforehand.
```
# Stop GitLab
sudo service gitlab stop
# Secure your MySQL installation (added in GitLab 6.2)
sudo mysql_secure_installation
# Login to MySQL
mysql -u root -p
# do not type the 'mysql>', this is part of the prompt
# Convert all tables to use the InnoDB storage engine (added in GitLab 6.8)
SELECT CONCAT('ALTER TABLE gitlabhq_production.', table_name, ' ENGINE=InnoDB;') AS 'Copy & run these SQL statements:' FROM information_schema.tables WHERE table_schema = 'gitlabhq_production' AND `ENGINE` <> 'InnoDB' AND `TABLE_TYPE` = 'BASE TABLE';
# If previous query returned results, copy & run all outputed SQL statements
# Convert all tables to correct character set
SET foreign_key_checks = 0;
SELECT CONCAT('ALTER TABLE gitlabhq_production.', table_name, ' CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;') AS 'Copy & run these SQL statements:' FROM information_schema.tables WHERE table_schema = 'gitlabhq_production' AND `TABLE_COLLATION` <> 'utf8_unicode_ci' AND `TABLE_TYPE` = 'BASE TABLE';
# If previous query returned results, copy & run all outputed SQL statements
# turn foreign key checks back on
SET foreign_key_checks = 1;
# Find MySQL users
mysql> SELECT user FROM mysql.user WHERE user LIKE '%git%';
# If git user exists and gitlab user does not exist
# you are done with the database cleanup tasks
mysql> \q
# If both users exist skip to Delete gitlab user
# Create new user for GitLab (changed in GitLab 6.4)
# change $password in the command below to a real password you pick
mysql> CREATE USER 'git'@'localhost' IDENTIFIED BY '$password';
# Grant the git user necessary permissions on the database
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON `gitlabhq_production`.* TO 'git'@'localhost';
# Delete the old gitlab user
mysql> DELETE FROM mysql.user WHERE user='gitlab';
# Quit the database session
mysql> \q
# Try connecting to the new database with the new user
sudo -u git -H mysql -u git -p -D gitlabhq_production
# Type the password you replaced $password with earlier
# You should now see a 'mysql>' prompt
# Quit the database session
mysql> \q
# Update database configuration details
# See config/database.yml.mysql for latest recommended configuration details
# Remove the reaping_frequency setting line if it exists (removed in GitLab 6.8)
# Set production -> pool: 10 (updated in GitLab 5.3)
# Set production -> username: git
# Set production -> password: the password your replaced $password with earlier
sudo -u git -H editor /home/git/gitlab/config/database.yml
# Run thorough check
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
```
## Things went south? Revert to previous version (7.4) ## Things went south? Revert to previous version (7.4)
### 1. Revert the code to the previous version ### 1. Revert the code to the previous version
......
...@@ -45,6 +45,8 @@ sudo -u git -H git checkout v2.2.0 ...@@ -45,6 +45,8 @@ sudo -u git -H git checkout v2.2.0
### 4. Install libs, migrations, etc. ### 4. Install libs, migrations, etc.
```bash ```bash
sudo apt-get install libkrb5-dev
cd /home/git/gitlab cd /home/git/gitlab
# MySQL installations (note: the line below states '--without ... postgres') # MySQL installations (note: the line below states '--without ... postgres')
......
...@@ -54,6 +54,29 @@ Triggered when you push to the repository except when pushing tags. ...@@ -54,6 +54,29 @@ Triggered when you push to the repository except when pushing tags.
} }
``` ```
## Tag events
Triggered when you create (or delete) tags to the repository.
**Request body:**
```json
{
"ref": "refs/tags/v1.0.0",
"before": "0000000000000000000000000000000000000000",
"after": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
"user_id": 1,
"user_name": "John Smith",
"project_id": 1,
"repository": {
"name": "jsmith",
"url": "ssh://git@example.com/jsmith/example.git",
"description": "",
"homepage": "http://example.com/jsmith/example"
}
}
```
## Issues events ## Issues events
Triggered when a new issue is created or an existing issue was updated/closed/reopened. Triggered when a new issue is created or an existing issue was updated/closed/reopened.
......
...@@ -39,7 +39,7 @@ After creating this run GitLab: ...@@ -39,7 +39,7 @@ After creating this run GitLab:
sudo docker run --detach --name gitlab_app --publish 8080:80 --publish 2222:22 --volumes-from gitlab_data gitlab_image sudo docker run --detach --name gitlab_app --publish 8080:80 --publish 2222:22 --volumes-from gitlab_data gitlab_image
``` ```
It might take a while before the docker container is responding to queries. You can follow the configuration process with `docker logs -f gitlab`. It might take a while before the docker container is responding to queries. You can follow the configuration process with `docker logs -f gitlab_app`.
You can then go to `http://localhost:8080/` (or `http://192.168.59.103:8080/` if you use boot2docker). You can then go to `http://localhost:8080/` (or `http://192.168.59.103:8080/` if you use boot2docker).
You can login with username `root` and password `5iveL!fe`. You can login with username `root` and password `5iveL!fe`.
......
...@@ -2,6 +2,11 @@ module Gitlab ...@@ -2,6 +2,11 @@ module Gitlab
class Auth class Auth
def find(login, password) def find(login, password)
user = User.by_login(login) user = User.by_login(login)
if Devise.omniauth_providers.include?(:kerberos)
kerberos_user = Gitlab::Kerberos::Authentication.login(login, password)
return kerberos_user if kerberos_user
end
# If no user is found, or it's an LDAP server, try LDAP. # If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP # LDAP users are only authenticated via LDAP
......
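Review bot: the Kerberos attempt runs before any other check in `find`, so every login and password handed to `Gitlab::Auth`, including those of users who only have a standard or LDAP account, is submitted to the KDC first; the passwords leave GitLab and failed attempts can count against a Kerberos lockout policy. Consider trying Kerberos only when the login has a `kerberos` identity. The returned `kerberos_user` is not compared with `user` from `User.by_login(login)`, nothing in the hunk checks whether that account is blocked, and the `Devise.omniauth_providers.include?(:kerberos)` guard duplicates the one inside `Authentication.login`.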
require "krb5_auth"
# This calls helps to authenticate to Kerberos by providing username and password
module Gitlab
module Kerberos
class Authentication
def self.login(login, password)
return unless Devise.omniauth_providers.include?(:kerberos)
return unless login.present? && password.present?
auth = new(login, password)
auth.login
end
def initialize(login, password)
@login = login
@password = password
@krb5 = ::Krb5Auth::Krb5.new
end
def valid?
@krb5.get_init_creds_password(@login, @password)
rescue ::Krb5Auth::Krb5::Exception
false
end
def login
valid? && find_by_login(@login)
end
private
def find_by_login(login)
identity = ::Identity.
where(provider: :kerberos).
where('lower(extern_uid) = ?', login).last
identity && identity.user
end
end
end
end
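Review bot: in `find_by_login`, `where('lower(extern_uid) = ?', login)` lowercases the column but not the argument, so a login typed with a capital letter passes the Kerberos check and then matches no identity; pass `login.downcase`. `.last` picks an arbitrary row if two identities differ only by case, so a uniqueness check on the lowercased `extern_uid` would be safer. The header comment should read "This class helps", and it is worth documenting that `login` returns a user or a falsy value, since `Gitlab::Auth.find` relies on truthiness.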
...@@ -17,15 +17,19 @@ namespace :gitlab do ...@@ -17,15 +17,19 @@ namespace :gitlab do
# Clone if needed # Clone if needed
unless File.directory?(target_dir) unless File.directory?(target_dir)
sh(*%W(git clone #{args.repo} #{target_dir})) system(*%W(git clone -- #{args.repo} #{target_dir}))
end end
# Make sure we're on the right tag # Make sure we're on the right tag
Dir.chdir(target_dir) do Dir.chdir(target_dir) do
# First try to checkout without fetching # First try to checkout without fetching
# to avoid stalling tests if the Internet is down. # to avoid stalling tests if the Internet is down.
reset = "git reset --hard $(git describe #{args.tag} || git describe origin/#{args.tag})" reseted = reset_to_commit(args)
sh "#{reset} || git fetch origin && #{reset}"
unless reseted
system(*%W(git fetch origin))
reset_to_commit(args)
end
config = { config = {
user: user, user: user,
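Review bot: replacing `sh` with `system` for `git clone` and `git fetch origin` drops the failure handling. Rake's `sh` raises when the command exits non-zero, whereas the return value of `system` is ignored here, so a failed clone falls through to `Dir.chdir(target_dir)`. Check the result, for example `system(...) or raise`, and do the same for `bin/install` later in the task. `reseted` would read better as `reset_ok`.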
...@@ -54,7 +58,7 @@ namespace :gitlab do ...@@ -54,7 +58,7 @@ namespace :gitlab do
File.open("config.yml", "w+") {|f| f.puts config.to_yaml} File.open("config.yml", "w+") {|f| f.puts config.to_yaml}
# Launch installation process # Launch installation process
sh "bin/install" system(*%W(bin/install))
end end
# Required for debian packaging with PKGR: Setup .ssh/environment with # Required for debian packaging with PKGR: Setup .ssh/environment with
...@@ -118,5 +122,16 @@ namespace :gitlab do ...@@ -118,5 +122,16 @@ namespace :gitlab do
puts "Quitting...".red puts "Quitting...".red
exit 1 exit 1
end end
def reset_to_commit(args)
tag, status = Gitlab::Popen.popen(%W(git describe -- #{args.tag}))
unless status.zero?
tag, status = Gitlab::Popen.popen(%W(git describe -- origin/#{args.tag}))
end
tag = tag.strip
system(*%W(git reset --hard #{tag}))
end
end end
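Review bot: `reset_to_commit` never checks `status` after the second `git describe`, so when both lookups fail, `tag` holds whatever the failed command printed and is still passed to `git reset --hard`. Return `false` as soon as the second `status` is non-zero, so the caller's `unless reseted` branch reflects a failed lookup rather than a failed reset on a bogus argument.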
...@@ -5,10 +5,14 @@ FactoryGirl.define do ...@@ -5,10 +5,14 @@ FactoryGirl.define do
Faker::Lorem.sentence Faker::Lorem.sentence
end end
sequence :name, aliases: [:file_name] do sequence :name do
Faker::Name.name Faker::Name.name
end end
sequence :file_name do
Faker::Internet.user_name
end
sequence(:url) { Faker::Internet.uri('http') } sequence(:url) { Faker::Internet.uri('http') }
factory :user, aliases: [:author, :assignee, :owner, :creator] do factory :user, aliases: [:author, :assignee, :owner, :creator] do
......
...@@ -17,4 +17,16 @@ describe OauthHelper do ...@@ -17,4 +17,16 @@ describe OauthHelper do
helper.additional_providers.should == [] helper.additional_providers.should == []
end end
end end
describe "kerberos_enabled?" do
it 'returns true' do
allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :github, :kerberos] }
helper.kerberos_enabled?.should be_true
end
it 'returns false' do
allow(helper).to receive(:enabled_oauth_providers) { [:twitter, :ldapmain] }
helper.kerberos_enabled?.should be_false
end
end
end end
\ No newline at end of file
...@@ -35,6 +35,17 @@ describe Gitlab::Auth do ...@@ -35,6 +35,17 @@ describe Gitlab::Auth do
expect( gl_auth.find(username, password) ).to_not eql user expect( gl_auth.find(username, password) ).to_not eql user
end end
context "with kerberos" do
before { Devise.stub(omniauth_providers: [:kerberos]) }
it "finds user" do
Gitlab::Kerberos::Authentication.stub(valid?: true)
Gitlab::Kerberos::Authentication.stub(email: user.email)
expect( gl_auth.find(username, password) ).to eql user
end
end
context "with ldap enabled" do context "with ldap enabled" do
before { Gitlab::LDAP::Config.stub(enabled?: true) } before { Gitlab::LDAP::Config.stub(enabled?: true) }
......
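Review bot: the "finds user" example does not exercise the Kerberos branch. `valid?` is an instance method of `Gitlab::Kerberos::Authentication` and the class defines no `email` method, so stubbing both on the class leaves `Authentication.login` running unstubbed and the result does not depend on these stubs. Stub `Gitlab::Kerberos::Authentication.login` to return `user`, or use `any_instance.stub(valid?: true)` with a matching identity, and add a case where Kerberos rejects the password.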
require 'spec_helper'
describe Gitlab::Kerberos::Authentication do
let(:klass) { Gitlab::Kerberos::Authentication }
let(:user) { create(:omniauth_user, provider: :kerberos, extern_uid: 'gitlab') }
let(:login) { 'john' }
let(:password) { 'password' }
describe :login do
before do
Devise.stub(omniauth_providers: [:kerberos])
end
it "finds the user if authentication is successful" do
kerberos_realm = user.email.sub(/.*@/, '')
::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
expect(klass.login('gitlab', password)).to be_true
end
it "returns false if there is no such user in kerberos" do
kerberos_login = "some-login"
kerberos_realm = user.email.sub(/.*@/, '')
::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
expect(klass.login(kerberos_login, password)).to be_false
end
end
end
\ No newline at end of file
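Review bot: neither example covers a rejected password: `get_init_creds_password` is stubbed to `true` in both, so the `rescue ::Krb5Auth::Krb5::Exception` branch of `valid?` is untested. Add an example where the stub raises that exception and `login` returns a falsy value, plus one with a mixed-case login. `let(:login)` and the `get_default_realm` stubs are not used by the code under test and can be removed, and in the first example `user` is only created because `user.email` is referenced, so `let!` would make the setup explicit.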