Merge branch 'feature/oauth-support'

Sameer Naik 2014-08-15 13:13:36 +05:30
commit ac9eb73cc4
4 changed files with 111 additions and 11 deletions

@ -1,6 +1,11 @@
# Changelog
**latest**
- added OAUTH_BLOCK_AUTO_CREATED_USERS configuration option
- added OAUTH_ALLOW_SSO configuration option
- added github oauth configuration support
- added twitter oauth configuration support
- added google oauth configuration support
- added support for jira issue tracker
- added support for redmine issue tracker
- update to gitlab-shell 1.9.7

@ -35,6 +35,10 @@
- [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates)
- [Putting it all together](#putting-it-all-together)
- [Run under sub URI](#run-under-sub-uri)
- [OmniAuth Integration](#omniauth-integration)
- [Google](#google)
- [Twitter](#twitter)
- [GitHub](#github)
- [External Issue Trackers](#external-issue-trackers)
- [Redmine](#redmine)
- [Jira](#jira)
@ -627,6 +631,36 @@ docker run --name=gitlab -d \
When you change the sub URI path, you need to recompile all precompiled assets. This can be done with either deleting tmp/cache/VERSION file under data store, or just `rm -Rf /PATH/TO/DATA_STORE/tmp`. After cleaning up cache files, restart the container.
### OmniAuth Integration
GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.
Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information.
#### Google
To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.
Once you have the client ID and secret keys generated, configure them using the `OAUTH_GOOGLE_API_KEY` and `OAUTH_GOOGLE_APP_SECRET` environment variables respectively.
For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `-e 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' -e 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.
#### Twitter
To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter.
Once you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively.
For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `-e 'OAUTH_TWITTER_API_KEY=xxx' -e 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth.
#### GitHub
To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github.
Once you have the Client ID and secret generated, configure them using the `OAUTH_GITHUB_API_KEY` and `OAUTH_GITHUB_APP_SECRET` environment variables respectively.
For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `-e 'OAUTH_GITHUB_API_KEY=xxx' -e 'OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth.
### External Issue Trackers
GitLab can be configured to use third party issue trackers such as Redmine and Atlassian Jira. Use of third party issue trackers have to be configured on a per project basis from the project settings page. This means that the GitLab's issue tracker is always the default tracker unless specified otherwise.
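Review bot: The three provider subsections cover only the key and secret, and nothing in the new OmniAuth Integration text tells the reader that sign-in through a provider for someone without an existing GitLab account depends on OAUTH_ALLOW_SSO, or that accounts created that way stay blocked while OAUTH_BLOCK_AUTO_CREATED_USERS keeps its default of true. One sentence pointing at those two options belongs directly under the OmniAuth Integration heading. In the Twitter subsection, "Twitter OAuth2 OmniAuth provider" should drop the "OAuth2", since the omniauth twitter strategy speaks OAuth 1.0a. The examples also put the secret inline on the `docker run` command line with `-e`; mentioning `--env-file` as an alternative would keep it out of shell history.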
@ -698,6 +732,14 @@ Below is the complete list of available options that can be used to customize yo
- **LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN**: If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to false if LDAP_UID is userPrincipalName, else true.
- **LDAP_BASE**: Base where we can search for users. No default.
- **LDAP_USER_FILTER**: Filter LDAP users. No default.
- **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to false.
- **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to true.
- **OAUTH_GOOGLE_API_KEY**: Google App Client ID. No defaults.
- **OAUTH_GOOGLE_APP_SECRET**: Google App Client Secret. No defaults.
- **OAUTH_TWITTER_API_KEY**: Twitter App API key. No defaults.
- **OAUTH_TWITTER_APP_SECRET**: Twitter App API secret. No defaults.
- **OAUTH_GITHUB_API_KEY**: GitHub App Client ID. No defaults.
- **OAUTH_GITHUB_APP_SECRET**: GitHub App Client secret. No defaults.
- **REDMINE_URL**: Location of the redmine server, e.g. `-e 'REDMINE_URL=https://redmine.example.com'`. No defaults.
# Maintenance
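Review bot: In the OAUTH_BLOCK_AUTO_CREATED_USERS entry, "those users" has no antecedent, because the wording was lifted from the gitlab.yml comment where it follows the single sign-on text. Suggest something like "Blocks users that were created automatically through OAUTH_ALLOW_SSO until an admin has cleared them." The list should also state that OmniAuth is switched on implicitly once both the key and the secret of a provider are set, since OAUTH_ENABLED is not among the documented options.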

@ -161,14 +161,14 @@ production: &base
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
enabled: {{OAUTH_ENABLED}}
# CAUTION!
# This allows users to login without having a user account first (default: false).
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: false
allow_single_sign_on: {{OAUTH_ALLOW_SSO}}
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: true
block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}}
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
@ -178,14 +178,14 @@ production: &base
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# - { name: 'google_oauth2', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'twitter', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET'}
# - { name: 'github', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { scope: 'user:email' } }
- { name: 'google_oauth2', app_id: '{{OAUTH_GOOGLE_API_KEY}}',
app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}',
args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }
- { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}',
app_secret: '{{OAUTH_TWITTER_APP_SECRET}}'}
- { name: 'github', app_id: '{{OAUTH_GITHUB_API_KEY}}',
app_secret: '{{OAUTH_GITHUB_APP_SECRET}}',
args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } }
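Review bot: `{{OAUTH_GOOGLE_APPROVAL_PROMPT}}` and `{{OAUTH_GITHUB_SCOPE}}` are introduced as placeholders on the two `args:` lines, yet the init script replaces them with fixed values (empty and `user:email`) and neither name appears in the README option list or in the defaults block. Either keep the literals in the template or expose both as documented variables with those defaults. Separately, every key and secret lands inside a single-quoted YAML scalar, so a value containing `'` would produce an invalid gitlab.yml; that needs escaping on the script side.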

@ -72,6 +72,18 @@ LDAP_USER_FILTER=${LDAP_USER_FILTER:-}
REDMINE_URL=${REDMINE_URL:-}
JIRA_URL=${JIRA_URL:-}
OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-false}
OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
OAUTH_GOOGLE_APP_SECRET=${OAUTH_GOOGLE_APP_SECRET:-}
OAUTH_TWITTER_API_KEY=${OAUTH_TWITTER_API_KEY:-}
OAUTH_TWITTER_APP_SECRET=${OAUTH_TWITTER_APP_SECRET:-}
OAUTH_GITHUB_API_KEY=${OAUTH_GITHUB_API_KEY:-}
OAUTH_GITHUB_APP_SECRET=${OAUTH_GITHUB_APP_SECRET:-}
# is a redis container linked?
if [ -n "${REDISIO_PORT_6379_TCP_ADDR}" ]; then
REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}
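Review bot: OAUTH_ALLOW_SSO and OAUTH_BLOCK_AUTO_CREATED_USERS are taken from the environment as-is and later written unquoted into gitlab.yml, so a typo such as `OAUTH_BLOCK_AUTO_CREATED_USERS=flase` ends up as a YAML string instead of a boolean. These two settings decide whether unknown identities get accounts and whether those accounts are usable, so normalise them to `true`/`false` here and abort startup on anything else. OAUTH_ENABLED has no assignment in this block either, so a value inherited from the container environment survives to the `OAUTH_ENABLED=${OAUTH_ENABLED:-false}` line in the later hunk even when no provider is configured; reset it explicitly before the provider checks.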
@ -416,6 +428,47 @@ else
sudo -u git -H sed '/new_issue_url: "{{JIRA_URL}}/d' -i /home/git/gitlab/config/gitlab.yml
fi
# apply oauth configuration
# google
if [ -n "${OAUTH_GOOGLE_API_KEY}" -a -n "${OAUTH_GOOGLE_APP_SECRET}" ]; then
OAUTH_ENABLED=true
sudo -u git -H sed 's/{{OAUTH_GOOGLE_API_KEY}}/'"${OAUTH_GOOGLE_API_KEY}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_GOOGLE_APP_SECRET}}/'"${OAUTH_GOOGLE_APP_SECRET}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}//' -i /home/git/gitlab/config/gitlab.yml
else
sudo -u git -H sed '/{{OAUTH_GOOGLE_API_KEY}}/d' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed '/{{OAUTH_GOOGLE_APP_SECRET}}/d' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed '/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}/d' -i /home/git/gitlab/config/gitlab.yml
fi
# twitter
if [ -n "${OAUTH_TWITTER_API_KEY}" -a -n "${OAUTH_TWITTER_APP_SECRET}" ]; then
OAUTH_ENABLED=true
sudo -u git -H sed 's/{{OAUTH_TWITTER_API_KEY}}/'"${OAUTH_TWITTER_API_KEY}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_TWITTER_APP_SECRET}}/'"${OAUTH_TWITTER_APP_SECRET}"'/' -i /home/git/gitlab/config/gitlab.yml
else
sudo -u git -H sed '/{{OAUTH_TWITTER_API_KEY}}/d' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed '/{{OAUTH_TWITTER_APP_SECRET}}/d' -i /home/git/gitlab/config/gitlab.yml
fi
# github
if [ -n "${OAUTH_GITHUB_API_KEY}" -a -n "${OAUTH_GITHUB_APP_SECRET}" ]; then
OAUTH_ENABLED=true
sudo -u git -H sed 's/{{OAUTH_GITHUB_API_KEY}}/'"${OAUTH_GITHUB_API_KEY}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_GITHUB_APP_SECRET}}/'"${OAUTH_GITHUB_APP_SECRET}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_GITHUB_SCOPE}}/user:email/' -i /home/git/gitlab/config/gitlab.yml
else
sudo -u git -H sed '/{{OAUTH_GITHUB_API_KEY}}/d' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed '/{{OAUTH_GITHUB_APP_SECRET}}/d' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed '/{{OAUTH_GITHUB_SCOPE}}/d' -i /home/git/gitlab/config/gitlab.yml
fi
OAUTH_ENABLED=${OAUTH_ENABLED:-false}
sudo -u git -H sed 's/{{OAUTH_ENABLED}}/'"${OAUTH_ENABLED}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_ALLOW_SSO}}/'"${OAUTH_ALLOW_SSO}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{OAUTH_BLOCK_AUTO_CREATED_USERS}}/'"${OAUTH_BLOCK_AUTO_CREATED_USERS}"'/' -i /home/git/gitlab/config/gitlab.yml
# configure relative_url_root
if [ ${GITLAB_RELATIVE_URL_ROOT} ]; then
sudo -u git -H sed 's,# config.relative_url_root = "/gitlab",config.relative_url_root = "'${GITLAB_RELATIVE_URL_ROOT}'",' -i /home/git/gitlab/config/application.rb
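Review bot: The provider values are spliced unescaped into the sed replacement in all three `if` branches, e.g. `sed 's/{{OAUTH_GOOGLE_APP_SECRET}}/'"${OAUTH_GOOGLE_APP_SECRET}"'/'`, so a secret containing `/` terminates the expression early, and `&` or `\` is interpreted by sed instead of being written literally (`&` re-inserts the placeholder text). Escape `/`, `&` and `\` in the value before substituting. The expanded secret is also passed as an argument to `sudo` and `sed`, which makes it visible in the process list while the command runs; feeding the script to sed from a file or stdin avoids that. When only one of key and secret is set, the `else` branch silently removes the provider lines; a warning on stderr would surface that misconfiguration. Minor: `[ -n ... -a -n ... ]` is better written as two tests joined with `&&`.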