From dda73fc1e3551bf28c366b4342258a96541b2860 Mon Sep 17 00:00:00 2001
From: Devin Smith
Date: Sat, 23 Aug 2014 11:25:34 -0500
Subject: [PATCH 1/2] added google oauth hd config to allow for restricted domain. (see https://github.com/gitlabhq/gitlabhq/issues/1635)
---
 assets/config/gitlabhq/gitlab.yml | 2 +-
 assets/init | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/assets/config/gitlabhq/gitlab.yml b/assets/config/gitlabhq/gitlab.yml
index a9e2697e..74decd3b 100644
--- a/assets/config/gitlabhq/gitlab.yml
+++ b/assets/config/gitlabhq/gitlab.yml
@@ -181,7 +181,7 @@ production: &base
 providers:
 - { name: 'google_oauth2', app_id: '{{OAUTH_GOOGLE_API_KEY}}',
 app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}',
- args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }
+ args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: '{{OAUTH_GOOGLE_HD}}' } }
 - { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}',
 app_secret: '{{OAUTH_TWITTER_APP_SECRET}}'}
 - { name: 'github', app_id: '{{OAUTH_GITHUB_API_KEY}}',
diff --git a/assets/init b/assets/init
index bb1904fc..5f689aad 100755
--- a/assets/init
+++ b/assets/init
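Review bot: The `hd:` entry added to the `args:` line only sets an authorization-request parameter, which on its own narrows the Google account prompt rather than who can complete a login; an account outside the domain can still reach the callback unless the strategy rejects responses whose hosted-domain claim does not match. Whether the omniauth-google-oauth2 version shipped in this image performs that check is not visible in the hunk and is worth confirming before the option is described as a restriction. A comment above the provider entry would record the expectation: `# hd narrows the Google sign-in prompt; enforcing the domain depends on the strategy verifying the hosted-domain claim on callback`.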
@@ -435,10 +435,12 @@ if [ -n "${OAUTH_GOOGLE_API_KEY}" -a -n "${OAUTH_GOOGLE_APP_SECRET}" ]; then
 OAUTH_ENABLED=true
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_API_KEY}}/'"${OAUTH_GOOGLE_API_KEY}"'/' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_APP_SECRET}}/'"${OAUTH_GOOGLE_APP_SECRET}"'/' -i /home/git/gitlab/config/gitlab.yml
+ sudo -u git -H sed 's/{{OAUTH_GOOGLE_HD}}/'"${OAUTH_GOOGLE_HD}"'/' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}//' -i /home/git/gitlab/config/gitlab.yml
 else
 sudo -u git -H sed '/{{OAUTH_GOOGLE_API_KEY}}/d' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed '/{{OAUTH_GOOGLE_APP_SECRET}}/d' -i /home/git/gitlab/config/gitlab.yml
+ sudo -u git -H sed '/{{OAUTH_GOOGLE_HD}}/d' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed '/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}/d' -i /home/git/gitlab/config/gitlab.yml
 fi
From d29f49c28ca90e2931a0fd8ca053770840b9dd7f Mon Sep 17 00:00:00 2001
From: Devin Smith
Date: Sat, 23 Aug 2014 12:02:54 -0500
Subject: [PATCH 2/2] updated README.md, using OAUTH_GOOGLE_RESTRICT_DOMAIN instead of OAUTH_GOOGLE_HD
---
 README.md | 3 +++
 assets/config/gitlabhq/gitlab.yml | 2 +-
 assets/init | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 91815008..e87004b6 100644
--- a/README.md
+++ b/README.md
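Review bot: The added substitution in the `then` branch runs whenever the Google key and secret are set, so an unset `OAUTH_GOOGLE_HD` replaces the placeholder with an empty string and leaves `hd: ''` in gitlab.yml for every deployment that does not use the option, which is not obviously equivalent to omitting the key. The same shape survives the rename to `OAUTH_GOOGLE_RESTRICT_DOMAIN` in the second patch's init hunk. The enclosing `if` begins outside the hunk and is visible only in the hunk header. Substituting only when the variable is set, and stripping the `, hd: '…'` fragment otherwise, keeps the provider args byte-identical for existing deployments.
```shell
  if [ -n "${OAUTH_GOOGLE_HD}" ]; then
    sudo -u git -H sed 's/{{OAUTH_GOOGLE_HD}}/'"${OAUTH_GOOGLE_HD}"'/' -i /home/git/gitlab/config/gitlab.yml
  else
    sudo -u git -H sed "s/, hd: '{{OAUTH_GOOGLE_HD}}'//" -i /home/git/gitlab/config/gitlab.yml
  fi
  # … unchanged: OAUTH_GOOGLE_APPROVAL_PROMPT substitution and the else branch …
```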
@@ -646,6 +646,8 @@ Once you have the client ID and secret keys generated, configure them using the
 For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `-e 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' -e 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.
+You can also restrict logins to a single domain by adding `-e 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. This is particularly useful when combined with `-e 'OAUTH_ALLOW_SSO=true'` and `-e 'OAUTH_BLOCK_AUTO_CREATED_USERS=false'`.
+
 #### Twitter
 To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter.
@@ -737,6 +739,7 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to true.
 - **OAUTH_GOOGLE_API_KEY**: Google App Client ID. No defaults.
 - **OAUTH_GOOGLE_APP_SECRET**: Google App Client Secret. No defaults.
+- **OAUTH_GOOGLE_RESTRICT_DOMAIN**: Google App restricted domain. No defaults.
 - **OAUTH_TWITTER_API_KEY**: Twitter App API key. No defaults.
 - **OAUTH_TWITTER_APP_SECRET**: Twitter App API secret. No defaults.
 - **OAUTH_GITHUB_API_KEY**: GitHub App Client ID. No defaults.
diff --git a/assets/config/gitlabhq/gitlab.yml b/assets/config/gitlabhq/gitlab.yml
index 74decd3b..0a8f689f 100644
--- a/assets/config/gitlabhq/gitlab.yml
+++ b/assets/config/gitlabhq/gitlab.yml
@@ -181,7 +181,7 @@ production: &base
 providers:
 - { name: 'google_oauth2', app_id: '{{OAUTH_GOOGLE_API_KEY}}',
 app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}',
- args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: '{{OAUTH_GOOGLE_HD}}' } }
+ args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: '{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}' } }
 - { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}',
 app_secret: '{{OAUTH_TWITTER_APP_SECRET}}'}
 - { name: 'github', app_id: '{{OAUTH_GITHUB_API_KEY}}',
diff --git a/assets/init b/assets/init
index 5f689aad..f5c03778 100755
--- a/assets/init
+++ b/assets/init
@@ -435,12 +435,12 @@ if [ -n "${OAUTH_GOOGLE_API_KEY}" -a -n "${OAUTH_GOOGLE_APP_SECRET}" ]; then
 OAUTH_ENABLED=true
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_API_KEY}}/'"${OAUTH_GOOGLE_API_KEY}"'/' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_APP_SECRET}}/'"${OAUTH_GOOGLE_APP_SECRET}"'/' -i /home/git/gitlab/config/gitlab.yml
- sudo -u git -H sed 's/{{OAUTH_GOOGLE_HD}}/'"${OAUTH_GOOGLE_HD}"'/' -i /home/git/gitlab/config/gitlab.yml
+ sudo -u git -H sed 's/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/'"${OAUTH_GOOGLE_RESTRICT_DOMAIN}"'/' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed 's/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}//' -i /home/git/gitlab/config/gitlab.yml
 else
 sudo -u git -H sed '/{{OAUTH_GOOGLE_API_KEY}}/d' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed '/{{OAUTH_GOOGLE_APP_SECRET}}/d' -i /home/git/gitlab/config/gitlab.yml
- sudo -u git -H sed '/{{OAUTH_GOOGLE_HD}}/d' -i /home/git/gitlab/config/gitlab.yml
+ sudo -u git -H sed '/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d' -i /home/git/gitlab/config/gitlab.yml
 sudo -u git -H sed '/{{OAUTH_GOOGLE_APPROVAL_PROMPT}}/d' -i /home/git/gitlab/config/gitlab.yml
 fi