Merge branch 'gitlab-next'

Changelog.md

@@ -2,6 +2,12 @@
 
 This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) for the list of changes in GitLab.
 
+**latest**
+- gitlab-shell: upgrade to v.2.6.10
+- gitlab-workhorse: upgrade to v0.6.1
+- gitlab: upgrade to CE v8.4.0
+- oauth: expose cas3 oauth configuration options
+
 **8.3.4**
 - gitlab-workhorse: upgrade to v0.5.4
 - gitlab: upgrade to CE v8.3.4

Dockerfile

@@ -1,9 +1,9 @@
 FROM sameersbn/ubuntu:14.04.20160121
 MAINTAINER sameer@damagehead.com
 
-ENV GITLAB_VERSION=8.3.4 \
-    GITLAB_SHELL_VERSION=2.6.9 \
-    GITLAB_WORKHORSE_VERSION=0.5.4 \
+ENV GITLAB_VERSION=8.4.0 \
+    GITLAB_SHELL_VERSION=2.6.10 \
+    GITLAB_WORKHORSE_VERSION=0.6.1 \
     GITLAB_USER="git" \
     GITLAB_HOME="/home/git" \
     GITLAB_LOG_DIR="/var/log/gitlab" \

README.md

@@ -638,6 +638,12 @@ GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and o
 
 Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information.
 
+#### CAS3
+
+To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.
+
+For example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters.
+
 #### Google
 
 To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.
@@ -855,6 +861,12 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`.
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`.
 - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.
+- **OAUTH_CAS3_LABEL**: The "Sign in with" button label. Defaults to "cas3".
+- **OAUTH_CAS3_SERVER**: CAS3 server URL. No defaults.
+- **OAUTH_CAS3_DISABLE_SSL_VERIFICATION**: Disable CAS3 SSL verification. Defaults to `false`.
+- **OAUTH_CAS3_LOGIN_URL**: CAS3 login URL. Defaults to `/cas/login`
+- **OAUTH_CAS3_VALIDATE_URL**: CAS3 validation URL. Defaults to `/cas/p3/serviceValidate`
+- **OAUTH_CAS3_LOGOUT_URL**: CAS3 logout URL. Defaults to `/cas/logout`
 - **OAUTH_GOOGLE_API_KEY**: Google App Client ID. No defaults.
 - **OAUTH_GOOGLE_APP_SECRET**: Google App Client Secret. No defaults.
 - **OAUTH_GOOGLE_RESTRICT_DOMAIN**: Google App restricted domain. No defaults.

assets/build/install.sh

@@ -84,19 +84,17 @@ exec_as_git bundle install -j$(nproc) --deployment --without development test aw
 # make sure everything in ${GITLAB_HOME} is owned by ${GITLAB_USER} user
 chown -R ${GITLAB_USER}: ${GITLAB_HOME}
 
-# gitlab.yml and database.yml are required for `assets:precompile`
-exec_as_git cp ${GITLAB_INSTALL_DIR}/config/gitlab.yml.example ${GITLAB_INSTALL_DIR}/config/gitlab.yml
-exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.mysql ${GITLAB_INSTALL_DIR}/config/database.yml
-
-echo "Compiling assets. Please be patient, this could take a while..."
-exec_as_git bundle exec rake assets:clean assets:precompile >/dev/null 2>&1
-
-# remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml
-rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml
-
 exec_as_git mkdir -p ${GITLAB_INSTALL_DIR}/tmp/pids/ ${GITLAB_INSTALL_DIR}/tmp/sockets/
 chmod -R u+rwX ${GITLAB_INSTALL_DIR}/tmp
 
+# symlink ${GITLAB_INSTALL_DIR}/tmp/cache -> ${GITLAB_DATA_DIR}/tmp/cache
+rm -rf ${GITLAB_INSTALL_DIR}/tmp/cache
+exec_as_git ln -s ${GITLAB_DATA_DIR}/tmp/cache ${GITLAB_INSTALL_DIR}/tmp/cache
+
+# symlink ${GITLAB_INSTALL_DIR}/public/assets -> ${GITLAB_DATA_DIR}/tmp/public/assets
+rm -rf ${GITLAB_INSTALL_DIR}/public/assets
+exec_as_git ln -s ${GITLAB_DATA_DIR}/tmp/public/assets ${GITLAB_INSTALL_DIR}/public/assets
+
 # symlink ${GITLAB_HOME}/.ssh -> ${GITLAB_LOG_DIR}/gitlab
 rm -rf ${GITLAB_HOME}/.ssh
 exec_as_git ln -sf ${GITLAB_DATA_DIR}/.ssh ${GITLAB_HOME}/.ssh

assets/runtime/config/gitlab-shell/config.yml

@@ -7,7 +7,7 @@
 user: git
 
 # Url to gitlab instance. Used for api calls.
-# Default: http://localhost:8080/
+# Default: http://localhost:8080
 # You only have to change the default if you have configured Unicorn
 # to listen on a custom port, or if you have configured Unicorn to
 # only listen on a Unix domain socket. For Unix domain sockets use

assets/runtime/config/gitlabhq/gitlab.yml

@@ -4,8 +4,8 @@
 #
 ###########################  NOTE  #####################################
 # This file should not receive new settings. All configuration options #
-# that do not require an application restart are being moved to        #
-# ApplicationSetting model!                                            #
+# * are being moved to ApplicationSetting model!                       #
+# If a setting requires an application restart say so in that screen.  #
 # If you change this file in a Merge Request, please also create       #
 # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests  #
 ########################################################################
@@ -301,6 +301,15 @@ production: &base
     # arguments, followed by optional 'args' which can be either a hash or an array.
     # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
     providers:
+      # See omniauth-cas3 for more configuration details
+      - { name: 'cas3',
+          label: '{{OAUTH_CAS3_LABEL}}',
+          args: {
+                  url: '{{OAUTH_CAS3_SERVER}}',
+                  disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}},
+                  login_url: '{{OAUTH_CAS3_LOGIN_URL}}',
+                  service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}',
+                  logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }
       - { name: 'github',
           label: 'GitHub',
           app_id: '{{OAUTH_GITHUB_API_KEY}}',
@@ -339,6 +348,9 @@ production: &base
             application_name: '{{OAUTH_CROWD_APP_NAME}}',
             application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } }
 
+    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
+    # cas3:
+    #   session_duration: 28800
 
   # Shared file storage settings
   shared:

assets/runtime/config/nginx/gitlab

@@ -16,10 +16,6 @@
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
 
-upstream gitlab {
-  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
-}
-
 upstream gitlab-workhorse {
   server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
@@ -64,33 +60,4 @@ server {
 
     proxy_pass http://gitlab-workhorse;
   }
-
-  ## If a static asset file is requested, then proxy passes the request to
-  ## the upsteam (gitlab unicorn).
-  ## As of 8.3.0 gitlab-workhorse does not properly generated the static assets
-  ## when relative_url is used
-  location {{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets {
-    try_files $uri /index.html $uri.html @gitlab;
-  }
-
-  location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    # gzip off;
-
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout       300;
-    proxy_connect_timeout    300;
-    proxy_redirect           off;
-    proxy_buffering          {{NGINX_PROXY_BUFFERING}};
-
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
-
-    proxy_pass http://gitlab;
-  }
 }

assets/runtime/config/nginx/gitlab-ssl

@@ -20,10 +20,6 @@
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
 
-upstream gitlab {
-  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
-}
-
 upstream gitlab-workhorse {
   server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
@@ -110,33 +106,4 @@ server {
     proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
     proxy_pass http://gitlab-workhorse;
   }
-
-  ## If a static asset file is requested, then proxy passes the request to
-  ## the upsteam (gitlab unicorn).
-  ## As of 8.3.0 gitlab-workhorse does not properly generated the static assets
-  ## when relative_url is used
-  location {{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets {
-    try_files $uri /index.html $uri.html @gitlab;
-  }
-
-  location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    # gzip off;
-
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout       300;
-    proxy_connect_timeout    300;
-    proxy_redirect           off;
-    proxy_buffering          {{NGINX_PROXY_BUFFERING}};
-
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
-
-    proxy_pass http://gitlab;
-  }
 }

assets/runtime/env-defaults

@@ -264,6 +264,14 @@ OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}
 OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}
 OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}
 
+### CAS3
+OAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3}
+OAUTH_CAS3_SERVER=${OAUTH_CAS3_SERVER:-}
+OAUTH_CAS3_DISABLE_SSL_VERIFICATION=${OAUTH_CAS3_DISABLE_SSL_VERIFICATION:-false}
+OAUTH_CAS3_LOGIN_URL=${OAUTH_CAS3_LOGIN_URL:-/cas/login}
+OAUTH_CAS3_VALIDATE_URL=${OAUTH_CAS3_VALIDATE_URL:-/cas/p3/serviceValidate}
+OAUTH_CAS3_LOGOUT_URL=${OAUTH_CAS3_LOGOUT_URL:-/cas/logout}
+
 ## ANALYTICS
 
 ### GOOGLE

assets/runtime/functions

@@ -402,6 +402,22 @@ gitlab_configure_ldap() {
     LDAP_LABEL
 }
 
+gitlab_configure_oauth_cas3() {
+  if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
+    echo "Configuring gitlab::oauth::cas3..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_CAS3_LABEL \
+      OAUTH_CAS3_SERVER \
+      OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
+      OAUTH_CAS3_LOGIN_URL \
+      OAUTH_CAS3_VALIDATE_URL \
+      OAUTH_CAS3_LOGOUT_URL
+  else
+    exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth_google() {
   if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
     echo "Configuring gitlab::oauth::google..."
@@ -516,6 +532,7 @@ gitlab_configure_oauth_crowd() {
 gitlab_configure_oauth() {
   echo "Configuring gitlab::oauth..."
 
+  gitlab_configure_oauth_cas3
   gitlab_configure_oauth_google
   gitlab_configure_oauth_facebook
   gitlab_configure_oauth_twitter
@@ -533,7 +550,7 @@ gitlab_configure_oauth() {
     OAUTH_AUTO_LINK_LDAP_USER
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
-    google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd)
+    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd)
       update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
       ;;
     *)
@@ -1120,6 +1137,11 @@ migrate_database() {
 
     echo "Migrating database..."
     exec_as_git bundle exec rake db:migrate >/dev/null
+
+    if [[ ${DB_ADAPTER} == mysql2 ]]; then
+      exec_as_git bundle exec rake add_limits_mysql >/dev/null
+    fi
+
     echo "${GITLAB_VERSION}" > ${GITLAB_DATA_DIR}/tmp/VERSION
     rm -rf ${GITLAB_DATA_DIR}/tmp/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
   fi
@@ -1127,6 +1149,14 @@ migrate_database() {
   # clear cache if relative_url has changed.
   [[ -f ${GITLAB_DATA_DIR}/tmp/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_DATA_DIR}/tmp/GITLAB_RELATIVE_URL_ROOT)
   if [[ ! -f ${GITLAB_DATA_DIR}/tmp/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
+    # clear cached assets
+    rm -rf ${GITLAB_DATA_DIR}/tmp/cache ${GITLAB_DATA_DIR}/tmp/public/assets
+    mkdir -p ${GITLAB_DATA_DIR}/tmp/cache ${GITLAB_DATA_DIR}/tmp/public/assets
+    chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/tmp/cache ${GITLAB_DATA_DIR}/tmp/public/assets
+
+    echo "Compiling assets. Please be patient, this could take a while..."
+    exec_as_git bundle exec rake assets:clean assets:precompile >/dev/null 2>&1
+
     echo "Clearing cache..."
     exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
     echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_DATA_DIR}/tmp/GITLAB_RELATIVE_URL_ROOT