oauth: expose cas3 oauth configuration options

Changelog.md

@@ -6,6 +6,7 @@ This file only reflects the changes that are made in this image. Please refer to
 - gitlab-shell: upgrade to v.2.6.10
 - gitlab-workhorse: upgrade to v0.6.1
 - gitlab: upgrade to CE v8.4.0
+- oauth: expose cas3 oauth configuration options
 
 **8.3.4**
 - gitlab-workhorse: upgrade to v0.5.4

README.md

@@ -638,6 +638,12 @@ GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and o
 
 Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information.
 
+#### CAS3
+
+To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.
+
+For example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters.
+
 #### Google
 
 To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.
@@ -855,6 +861,12 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`.
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`.
 - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.
+- **OAUTH_CAS3_LABEL**: The "Sign in with" button label. Defaults to "cas3".
+- **OAUTH_CAS3_SERVER**: CAS3 server URL. No defaults.
+- **OAUTH_CAS3_DISABLE_SSL_VERIFICATION**: Disable CAS3 SSL verification. Defaults to `false`.
+- **OAUTH_CAS3_LOGIN_URL**: CAS3 login URL. Defaults to `/cas/login`
+- **OAUTH_CAS3_VALIDATE_URL**: CAS3 validation URL. Defaults to `/cas/p3/serviceValidate`
+- **OAUTH_CAS3_LOGOUT_URL**: CAS3 logout URL. Defaults to `/cas/logout`
 - **OAUTH_GOOGLE_API_KEY**: Google App Client ID. No defaults.
 - **OAUTH_GOOGLE_APP_SECRET**: Google App Client Secret. No defaults.
 - **OAUTH_GOOGLE_RESTRICT_DOMAIN**: Google App restricted domain. No defaults.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -302,14 +302,14 @@ production: &base
     # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
     providers:
       # See omniauth-cas3 for more configuration details
-      # - { name: 'cas3',
-      #     label: 'cas3',
-      #     args: {
-      #             url: 'https://sso.example.com',
-      #             disable_ssl_verification: false,
-      #             login_url: '/cas/login',
-      #             service_validate_url: '/cas/p3/serviceValidate',
-      #             logout_url: '/cas/logout'} }
+      - { name: 'cas3',
+          label: '{{OAUTH_CAS3_LABEL}}',
+          args: {
+                  url: '{{OAUTH_CAS3_SERVER}}',
+                  disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}},
+                  login_url: '{{OAUTH_CAS3_LOGIN_URL}}',
+                  service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}',
+                  logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }
       - { name: 'github',
           label: 'GitHub',
           app_id: '{{OAUTH_GITHUB_API_KEY}}',

assets/runtime/env-defaults

@@ -264,6 +264,14 @@ OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}
 OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}
 OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}
 
+### CAS3
+OAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3}
+OAUTH_CAS3_SERVER=${OAUTH_CAS3_SERVER:-}
+OAUTH_CAS3_DISABLE_SSL_VERIFICATION=${OAUTH_CAS3_DISABLE_SSL_VERIFICATION:-false}
+OAUTH_CAS3_LOGIN_URL=${OAUTH_CAS3_LOGIN_URL:-/cas/login}
+OAUTH_CAS3_VALIDATE_URL=${OAUTH_CAS3_VALIDATE_URL:-/cas/p3/serviceValidate}
+OAUTH_CAS3_LOGOUT_URL=${OAUTH_CAS3_LOGOUT_URL:-/cas/logout}
+
 ## ANALYTICS
 
 ### GOOGLE

assets/runtime/functions

@@ -402,6 +402,22 @@ gitlab_configure_ldap() {
     LDAP_LABEL
 }
 
+gitlab_configure_oauth_cas3() {
+  if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
+    echo "Configuring gitlab::oauth::cas3..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_CAS3_LABEL \
+      OAUTH_CAS3_SERVER \
+      OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
+      OAUTH_CAS3_LOGIN_URL \
+      OAUTH_CAS3_VALIDATE_URL \
+      OAUTH_CAS3_LOGOUT_URL
+  else
+    exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth_google() {
   if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
     echo "Configuring gitlab::oauth::google..."
@@ -516,6 +532,7 @@ gitlab_configure_oauth_crowd() {
 gitlab_configure_oauth() {
   echo "Configuring gitlab::oauth..."
 
+  gitlab_configure_oauth_cas3
   gitlab_configure_oauth_google
   gitlab_configure_oauth_facebook
   gitlab_configure_oauth_twitter
@@ -533,7 +550,7 @@ gitlab_configure_oauth() {
     OAUTH_AUTO_LINK_LDAP_USER
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
-    google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd)
+    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd)
       update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
       ;;
     *)