15 get api('/events')

16

17 expect(response).to have_gitlab_http_status(401)

18 end

19 end

23 get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', user)

24

25 expect(response).to have_gitlab_http_status(200)

26 expect(response).to include_pagination_headers

27 expect(json_response).to be_an Array

36 get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', personal_access_token: token)

37

38 expect(response).to have_gitlab_http_status(200)

39 expect(response).to include_pagination_headers

40 expect(json_response).to be_an Array

19 * @property \Core\Template $template

20 * @property \Core\MemoryCache $memoryCache

21 * @property \Core\OAuth2 $oauth

22 * @property \Core\Router $router

23 * @property \Core\Lexer $lexer

24 * @property \Integration\BitbucketWebhook $bitbucketWebhook

25 * @property \Integration\GithubWebhook $githubWebhook

26 * @property \Integration\GitlabWebhook $gitlabWebhook

27 * @property \Integration\HipchatWebhook $hipchatWebhook

28 * @property \Integration\Jabber $jabber

3 require './spec/support/sidekiq_middleware'

4

5 class Gitlab::Seeder::ProductivityAnalytics

6 def initialize(project)

7 @project = project

136 end

137

138 Gitlab::Seeder.quiet do

139 flag = 'SEED_PRODUCTIVITY_ANALYTICS'

140

147 next unless project.repository_exists? && project.repository.commit('master')

148

149 seeder = Gitlab::Seeder::ProductivityAnalytics.new(project)

150 seeder.seed!

151 puts "Productivity analytics seeded for project #{project.full_path}"

42 # Helper Methods for Grape Endpoint

43 module HelperMethods

44 include Gitlab::Auth::UserAuthFinders

45

46 def find_current_user!

98 Gitlab::Auth::InsufficientScopeError]

99

100 base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend

101 end

102

105 response =

106 case e

107 when Gitlab::Auth::MissingTokenError

108 Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new

130 when Gitlab::Auth::InsufficientScopeError

131 # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)

132 # does not include WWW-Authenticate header, which breaks the standard.

133 Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(

53 unless value.nil?

54 value.each do |level|

55 unless Gitlab::VisibilityLevel.options.has_value?(level)

56 record.errors.add(attr, "'#{level}' is not a valid visibility level")

57 end

63 unless value.nil?

64 value.each do |source|

65 unless Gitlab::ImportSources.options.has_value?(source)

66 record.errors.add(attr, "'#{source}' is not a import source")

67 end

88 def self.create_from_defaults

89 create(

90 default_projects_limit: Settings.gitlab['default_projects_limit'],

91 default_branch_protection: Settings.gitlab['default_branch_protection'],

92 signup_enabled: Settings.gitlab['signup_enabled'],

93 signin_enabled: Settings.gitlab['signin_enabled'],

16 end

17

18 providers = [:github, :twitter, :bitbucket, :gitlab, :google_oauth2,

19 :facebook, :cas3, :auth0, :authentiq, :salesforce]

20

59

60 it 'when bypass-two-factor is enabled' do

61 allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: true)

62 login_via(provider.to_s, user, uid, remember_me: false, additional_info: additional_info)

63 expect(current_path).to eq root_path

65

66 it 'when bypass-two-factor is disabled' do

67 allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: false)

68 login_with_provider(provider, enter_two_factor: true, additional_info: additional_info)

69 expect(current_path).to eq root_path

6

7 log "github.com/Sirupsen/logrus"

8 oauth2google "golang.org/x/oauth2/google"

9 calendar "google.golang.org/api/calendar/v3"

10 oauth2api "google.golang.org/api/oauth2/v2"

15 "gitlab.com/rvaz/orgo/dropbox"

16 "gitlab.com/rvaz/orgo/google"

17 "gitlab.com/rvaz/orgo/web"

18 "gitlab.com/rvaz/orgo/work"

19 "golang.org/x/oauth2"

40 Endpoint: oauth2google.Endpoint,

41 Scopes: []string{calendar.CalendarScope, oauth2api.UserinfoEmailScope, oauth2api.UserinfoProfileScope},

42 }

43

2

3 class Projects::MilestonesController < Projects::ApplicationController

4 include Gitlab::Utils::StrongMemoize

5 include MilestoneActions

6

24 1. Fill in the required information

25 - Application type: "Web Application"

26 - Authorized JavaScript origins: This isn't really used by GitLab but go ahead and put 'https://gitlab.example.com' here.

27 - Authorized redirect URI: 'https://gitlab.example.com/users/auth/google_oauth2/callback'

33

34 ```sh

35 sudo editor /etc/gitlab/gitlab.rb

36 ```

37

78 installed GitLab via Omnibus or from source respectively.

79

80 On the sign in page there should now be a Google icon below the regular sign in form. Click the icon to begin the authentication process. Google will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

81

82 ## Further Configuration

92 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

93 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

94

5

6 def perform(raw)

7 return unless Gitlab::IncomingEmail.enabled?

8

9 begin

10 Gitlab::Email::Receiver.new(raw).execute

11 rescue => e

12 handle_failure(raw, e)

17

18 def handle_failure(raw, error)

19 Rails.logger.warn("Email can not be processed: #{error}\n\n#{raw}") # rubocop:disable Gitlab/RailsLogger

20

21 return unless raw.present?

23 build.update(user: create(:user))

24

25 expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))

26 end

27 end

59

60 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)

61 expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))

62 end

63

74 key = create(:deploy_key)

75 ip = 'ip'

76 token = Gitlab::LfsToken.new(key).token

77

78 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")

88 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')

89 expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))

90 end

91

23 build.update(user: create(:user))

24

25 expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))

26 end

27 end

59

60 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)

61 expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))

62 end

63

74 key = create(:deploy_key)

75 ip = 'ip'

76 token = Gitlab::LfsToken.new(key).generate

77

78 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")

88 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')

89 expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))

90 end

91

21

22 wiki = context.portable.wiki

23 url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")

24

25 Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)

34 wiki_path = parent_path + ".wiki.git"

35 root = context.configuration.url

36 Gitlab::Utils.append_path(root, wiki_path)

37 end

38

39 def allow_local_requests?

40 Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?

41 end

42

1 require 'spec_helper'

2

3 describe Gitlab::Auth, lib: true do

4 let(:gl_auth) { described_class }

5

14 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'gitlab-ci-token')

15 expect(gl_auth.find_for_git_client('gitlab-ci-token', token, project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, :ci))

16 end

17

21

22 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)

23 expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, :gitlab_or_ldap))

24 end

25

32 expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')

33 expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, :oauth))

34 end

35

2 require_relative '../email_shared_blocks'

3

4 describe Gitlab::Email::Handler::CreateNoteHandler, lib: true do

5 include_context :email_shared_context

6 it_behaves_like :email_shared_examples

25

26 it "raises a UnknownIncomingEmail" do

27 expect { receiver.execute }.to raise_error(Gitlab::Email::UnknownIncomingEmail)

28 end

29 end

33

34 it "raises a SentNotificationNotFoundError" do

35 expect { receiver.execute }.to raise_error(Gitlab::Email::SentNotificationNotFoundError)

36 end

37 end

17 # See http://rubular.com/r/X3baHTbPO2

18 @help_index.gsub!(%r{(?<delim>\]\()(?!.+://)(?!/)(?<link>[^\)\(]+\))}) do

19 "#{$~[:delim]}#{Gitlab.config.gitlab.relative_url_root}/help/#{$~[:link]}"

20 end

21 end

108

109 def confirmed_by

110 ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::User, object.confirmed_by_id).find

111 end

112

113 def resolved_by

114 ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::User, object.resolved_by_id).find

115 end

116

117 def dismissed_by

118 ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::User, object.dismissed_by_id).find

119 end

120

5 protect_from_forgery except: [:kerberos, :saml, :cas3]

6

7 Gitlab.config.omniauth.providers.each do |provider|

8 define_method provider['name'] do

9 handle_omniauth

11 end

12

13 if Gitlab::LDAP::Config.enabled?

14 Gitlab::LDAP::Config.available_servers.each do |server|

32 # if the authentication to LDAP was successful.

33 def ldap

34 ldap_user = Gitlab::LDAP::User.new(oauth)

35 ldap_user.save if ldap_user.changed? # will also save new users

36

63 end

64 else

65 saml_user = Gitlab::Saml::User.new(oauth)

66 saml_user.save if saml_user.changed?

67 @user = saml_user.gl_user

23 1. In the left sidebar under **APIS AND FEATURES**, click **OAuth 2.0 (3LO)**.

24

25 1. Enter the GitLab callback URL using the format `https://gitlab.example.com/users/auth/atlassian_oauth2/callback` and click **Save changes**.

26

27 1. Click **+ Add** in the left sidebar under **APIS AND FEATURES**.

41

42 ```shell

43 sudo editor /etc/gitlab/gitlab.rb

44 ```

45

80 1. Save the configuration file.

81

82 1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect if you installed GitLab via Omnibus or from source respectively.

83

84 On the sign-in page there should now be an Atlassian icon below the regular sign in form. Click the icon to begin the authentication process.

1 ---

2 title: "Introducing tokens-pls, a Web Application to Test OAuth2 Code Flows"

3 description: "Announcing my new project, tokens-pls, which allows for easier manual testing with the OAuth2 code flow for Public Clients."

4 tags:

5 - indieauth

6 - oauth2

7 - token-pls

8 license_code: Apache-2.0

16 Since I've been working a bit more with Micropub and IndieAuth, I've always had cases where I've wanted to test things locally, which requires retrieving an access token.

17

18 Fortunately, the OAuth2 Authorization Code grant is pretty straightforward, so doing this locally with i.e. `curl` is an OK process to go through, as well as using a guided tool such as <span class="h-card"><a class="u-url" href="https://seblog.nl">Sebastiaan Andeweg</a></span>'s <a href="http://gimme-a-token.5eb.nl/">gimme-a-token.5eb.nl</a>.

19

20 However, with [Proof of Key Code Exchange (PKCE)](https://oauth.net/2/pkce/) support now a requirement of IndieAuth, gimme-a-token isn't applicable, and the logic to run this locally with `curl` is a bit more complex, so I looked to script it.

21

22 I was thinking of creating a small script to go through the OAuth2 flow locally, with me copying-and-pasting the callback URL with granted authorization code, but thought I'd think a bit better about making this as easy as possible.

23

24 I've created a Sinatra app, [tokens-pls](https://gitlab.com/jamietanna/tokens-pls) for this, which provides an easy tool for going through the Authorization Code flow for a [Public Client](https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-2.1), which is currently hosted on Heroku at [tokens-pls.herokuapp.com](https://tokens-pls.herokuapp.com).

20 - [Azure](microsoft/provider.md)

21 - [GitHub](github/provider.md)

22 - [GitLab](gitlab/provider.md)

23 - [Google](google/provider.md)

24 - [Okta](okta/provider.md)

109 ## Adding a custom authentication provider

110

111 There are generic authentication providers for OAuth2 and SAML. These can reduce

112 the amount of code needed to implement a custom authentication provider that

113 adheres to these standards.

24 - [Fix errors on pushing to an empty repository.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18462)

25 - [Update `doorkeeper` to 4.3.2 to fix GitLab OAuth authentication.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18543)

26 - [Ports `omniauth-jwt` gem onto GitLab OmniAuth Strategies suite.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18580)

29 - [Fix `file_store` for artifacts and lfs when saving.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18624)

30 - [Fix users not seeing labels from private groups when being a member of a child project.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18544)

31

32 Available in GitLab Starter, Premium, and Ultimate:

35 - [Geo: Admin page will not crash with 500 because of InvalidSignatureTimeError.](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5495)

36 - [Fix DB LB errors when escaping input.](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5481)

37

38 ## Omnibus GitLab

39 - [Add support for the -daemon-inplace-chroot command-line flag to GitLab Pages](https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2483)

40

41 ## Upgrade barometer

31 RegistryTypeJfrogArtifactory RegistryType = "jfrog-artifactory"

32 RegistryTypeQuay RegistryType = "quay"

33 RegistryTypeGitLab RegistryType = "gitlab"

34

35 RegistryTypeHelmHub RegistryType = "helm-hub"

38 context 'authenticated' do

39 def query_host(host)

40 jwt_token = JWT.encode({ 'iss' => 'gitlab-pages' }, Gitlab::Pages.secret, 'HS256')

41 headers = { Gitlab::Pages::INTERNAL_API_REQUEST_HEADER => jwt_token }

112 query_host(serverless_domain.uri.host)

113

114 expect(response).to have_gitlab_http_status(:ok)

115 expect(response).to match_response_schema('internal/serverless/virtual_domain')

116

181 'source' => {

182 'type' => 'file',

183 'path' => 'gitlab-org/gitlab-ce/public/'

184 }

185 }

196 allow(Settings.pages).to receive(:host).and_return('gitlab-pages.io')

197 allow(Gitlab.config.pages).to receive(:url).and_return("http://gitlab-pages.io")

198 end

199

35

36 if current_user.can?(:create_projects, target_namespace)

37 project = Gitlab::GitlabImport::ProjectCreator.new(repo, target_namespace, current_user, access_params).execute

38

39 if project.persisted?

50

51 def client

52 @client ||= Gitlab::GitlabImport::Client.new(session[:gitlab_access_token])

53 end

54

72

73 def access_params

74 { gitlab_access_token: session[:gitlab_access_token] }

75 end

76 end

1 # GitHub OAuth2 OmniAuth Provider

2

3 To enable the GitHub OmniAuth provider you must register your application with GitHub. GitHub will generate a client ID and secret key for you to use.

8 4. Select "Register new application".

9 5. Provide the required details.

10 * Application name: This can be anything. Consider something like "\<Organization\>'s GitLab" or "\<Your Name\>'s GitLab" or something else descriptive.

11 * Homepage URL: The URL to your GitLab installation. 'https://gitlab.company.com'

12 * Application description: Fill this in if you wish.

13 * Authorization callback URL: 'https://gitlab.company.com/users/auth/github/callback'

14 6. Select "Register application".

15 7. You should now see a Client ID and Client Secret near the top right of the page (see screenshot). Keep this page open as you continue configuration. 

36 14. Restart GitLab for the changes to take effect.

37

38 On the sign in page there should now be a GitHub icon below the regular sign in form. Click the icon to begin the authentication process. GitHub will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

39

12 - [Security Webcast with Yubico](https://about.gitlab.com/2016/08/31/gitlab-and-yubico-security-webcast/)

13 - **Integrations:**

14 - [GitLab as OAuth2 authentication service provider](../../integration/oauth_provider.md#introduction-to-oauth)

15 - [GitLab as OpenID Connect identity provider](../../integration/openid_connect_provider.md)

23 - [How to Configure LDAP with GitLab CE](../../administration/auth/how_to_configure_ldap_gitlab_ce/index.md)

24 - [How to Configure LDAP with GitLab EE](https://docs.gitlab.com/ee/articles/how_to_configure_ldap_gitlab_ee/)

25 - [Feature Highlight: LDAP Integration](https://about.gitlab.com/2014/07/10/feature-highlight-ldap-sync/)

32 - [SAML OmniAuth Provider](../../integration/saml.md)

33 - [Okta SSO provider](../../administration/auth/okta.md)

34 - [Kerberos integration (GitLab EE)](https://docs.gitlab.com/ee/integration/kerberos.html)

35

36 ## API

39 - [Personal access tokens](../../api/README.md#personal-access-tokens)

40 - [Impersonation tokens](../../api/README.md#impersonation-tokens)

41 - [GitLab as an OAuth2 provider](../../api/oauth2.md#gitlab-as-an-oauth2-provider)

42

43 ## Third-party resources

9 include PreviewMarkdown

10 include PaginatedCollection

11 include Gitlab::NoteableMetadata

12

13 skip_before_action :verify_authenticity_token,

2

3 import (

4 "gitlab.com/vafl/vafl/utils"

5 "golang.org/x/net/context"

6 "golang.org/x/oauth2"

19 func (u *User) InitializeService() {

20 ctx := context.Background()

21 client := oauth2.NewClient(ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: u.AccessToken}))

22

23 srv, err := classroom.New(client)

1 # GitLab Integration

2

3 GitLab integrates with multiple third-party services to allow external issue

4 trackers and external authentication.

5

9 - [External issue tracker](external-issue-tracker.md) Redmine, JIRA, etc.

10 - [LDAP](ldap.md) Set up sign in via LDAP

11 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd and Azure

12 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider

13 - [CAS](cas.md) Configure GitLab to sign in using CAS

14 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation

15 - [Gmail actions buttons](gmail_action_buttons_for_gitlab.md) Adds GitLab actions to messages

18 - [Koding](../administration/integration/koding.md) Configure Koding to use IDE integration

19

20 GitLab Enterprise Edition contains [advanced Jenkins support][jenkins].

21

22 [jenkins]: http://docs.gitlab.com/ee/integration/jenkins.html

8

9 1. Fill in the application details.

10 - Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or

11 something else descriptive.

12 - Description: Create a description.

13 - Website: The URL to your GitLab installation. `https://gitlab.example.com`

14 - Callback URL: `https://gitlab.example.com/users/auth/twitter/callback`

79 installed GitLab via Omnibus or from source respectively.

80

81 On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

82

83 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

84 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

85

1 module Gitlab

2 module Auth

3 Result = Struct.new(:user, :type)

24

25 if Devise.omniauth_providers.include?(:kerberos)

26 kerberos_user = Gitlab::Kerberos::Authentication.login(login, password)

27 return kerberos_user if kerberos_user

28 end

32 if user.nil? || user.ldap_user?

33 # Second chance - try LDAP authentication

34 return nil unless Gitlab::LDAP::Config.enabled?

35

36 Gitlab::LDAP::Authentication.login(login, password)

41

42 def rate_limit!(ip, success:, login:)

43 rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)

44 return unless rate_limiter.enabled?

45

15 get api('/events')

16

17 expect(response).to have_gitlab_http_status(401)

18 end

19 end

23 get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', user)

24

25 expect(response).to have_gitlab_http_status(200)

26 expect(response).to include_pagination_headers

27 expect(json_response).to be_an Array

36 get api("/users/#{user.id}/events", other_user)

37

38 expect(response).to have_gitlab_http_status(200)

39 expect(json_response).to be_empty

40 end

34 it 'returns an absolute URL on that asset host' do

35 expect(sprite_icon_path)

36 .to eq ActionController::Base.helpers.image_path("icons.svg", host: Gitlab.config.gitlab.url)

37 end

38 end

94 end

95

96 it 'returns right icon name for google_oauth2 auth' do

97 icon_name = 'google_oauth2'

11 - [Security Webcast with Yubico](https://about.gitlab.com/2016/08/31/gitlab-and-yubico-security-webcast/)

12 - **Integrations:**

13 - [GitLab as OAuth2 authentication service provider](../../integration/oauth_provider.md#introduction-to-oauth)

14 - [GitLab as OpenID Connect identity provider](../../integration/openid_connect_provider.md)

22 - [How to Configure LDAP with GitLab CE](../../articles/how_to_configure_ldap_gitlab_ce/index.md)

23 - [How to Configure LDAP with GitLab EE](https://docs.gitlab.com/ee/articles/how_to_configure_ldap_gitlab_ee/)

24 - [Feature Highlight: LDAP Integration](https://about.gitlab.com/2014/07/10/feature-highlight-ldap-sync/)

31 - [SAML OmniAuth Provider](../../integration/saml.md)

32 - [Okta SSO provider](../../administration/auth/okta.md)

33 - [Kerberos integration (GitLab EE)](https://docs.gitlab.com/ee/integration/kerberos.html)

34

35 ## API

38 - [Private Tokens](../../api/README.md#private-tokens)

39 - [Impersonation tokens](../../api/README.md#impersonation-tokens)

40 - [GitLab as an OAuth2 provider](../../api/oauth2.md#gitlab-as-an-oauth2-provider)

41

42 ## Third-party resources

1 module AuthHelper

2 PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2 authentiq).freeze

3 FORM_BASED_PROVIDERS = [/\Aldap/, 'crowd'].freeze

4

5 def ldap_enabled?

6 Gitlab::LDAP::Config.enabled?

7 end

8

9 def omniauth_enabled?

10 Gitlab.config.omniauth.enabled

11 end

12

16

17 def auth_providers

18 Gitlab::OAuth::Provider.providers

19 end

20

72 - Github (OAuth2)

73

74 - GitLab (OAuth2)

75

76 - Google (OAuth2)

78 - Hubic (OAuth2)

79

80 - Instagram (OAuth2)

81

82 - LinkedIn (OAuth, OAuth2)

131

132

133 Note: OAuth/OAuth2 support is built using a common code base, making it easy to add support for additional OAuth/OAuth2 providers. More will follow soon...

134

135

4 stage: Manage

5 group: Access

6 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments

7 ---

8

9 # GitLab authentication and authorization **(FREE SELF)**

10

11 GitLab integrates with the following external authentication and authorization

22 - [Facebook](../../integration/facebook.md)

23 - [GitHub](../../integration/github.md)

24 - [GitLab.com](../../integration/gitlab.md)

25 - [Google OAuth](../../integration/google.md)

26 - [JWT](jwt.md)

5

6 def perform(raw)

7 return unless Gitlab::IncomingEmail.enabled?

8

9 begin

10 Gitlab::Email::Receiver.new(raw).execute

11 rescue => e

12 handle_failure(raw, e)

24 reason =

25 case error

26 when Gitlab::Email::UnknownIncomingEmail

27 "We couldn't figure out what the email is for. Please create your issue or comment through the web interface."

28 when Gitlab::Email::SentNotificationNotFoundError

1 defmodule Assent.Strategy.GitlabTest do

2 use Assent.Test.OAuth2TestCase

3

4 alias Assent.Strategy.Gitlab

5

6 # From https://docs.gitlab.com/ee/api/users.html#list-current-user-for-normal-users

32 %{"provider" => "github", "extern_uid" => "2435223452345"},

33 %{"provider" => "bitbucket", "extern_uid" => "john_smith"},

34 %{"provider" => "google_oauth2", "extern_uid" => "8776128412476123468721346"}

35 ],

36 "can_create_group" => true,

50

51 test "authorize_url/2", %{config: config} do

52 assert {:ok, %{url: url}} = Gitlab.authorize_url(config)

53 assert url =~ "/oauth/authorize?client_id="

54 end

17 configApiRef,

18 githubAuthApiRef,

19 gitlabAuthApiRef,

20 googleAuthApiRef,

21 oauth2ApiRef,

57 />

58 )}

59 {providers.includes('gitlab') && (

60 <ProviderSettingsItem

61 title="Gitlab"

62 apiRef={gitlabAuthApiRef}

63 icon={Star}

64 />

78 />

79 )}

80 {providers.includes('oauth2') && (

81 <ProviderSettingsItem

82 title="YourOrg"

1 ## GitLab as OAuth2 authentication service provider

2

3 This document is about using GitLab as an OAuth authentication service provider to sign into other services.

4 If you want to use other OAuth authentication service providers to sign into GitLab please see the [OAuth2 client documentation](../api/oauth2.md)

5

6 OAuth2 provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. Or you can allow users to sign in to your application with their GitLab.com account.

7 In fact OAuth allows to issue access token to third-party clients by an authorization server,

8 with the approval of the resource owner, or end-user.

9 Mostly, OAuth2 is using for SSO (Single sign-on). But you can find a lot of different usages for this functionality.

10 For example, our feature 'GitLab Importer' is using OAuth protocol to give an access to repositories without sharing user credentials to GitLab.com account.

11 Also GitLab.com application can be used for authentication to your GitLab instance if needed [GitLab OmniAuth](gitlab.md).

12

13 GitLab has two ways to add new OAuth2 application to an instance, you can add application as regular user and through admin area. So GitLab actually can have an instance-wide and a user-wide applications. There is no defferences between them except the different permission levels.

63 { error: true, message: _('Validations failed.'), service_response: @service.errors.full_messages.join(','), test_failed: false }

64 end

65 rescue Gitlab::HTTP::BlockedUrlError => e

66 { error: true, message: _('Test failed.'), service_response: e.message, test_failed: true }

67 end

30

31 ```

32 https://gitlab.example.com/users/auth/google_oauth2/callback

33 https://gitlab.example.com/-/google_api/auth/callback

56

57 ```shell

58 sudo editor /etc/gitlab/gitlab.rb

59 ```

60

69 1. Add the provider configuration:

70

71 For Omnibus GitLab:

72

73 ```ruby

119 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

120 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

121

3 require 'fast_spec_helper'

4

5 RSpec.describe Gitlab::APIAuthentication::Builder do

6 describe '#build' do

7 shared_examples 'builds the correct result' do |token_type:, sent_through:, builds:|

58 allow.token_types(:pat, :job, :deploy).sent_through(:http_basic, :oauth)

59 allow.token_types(:pat).sent_through(:http_private, :query_private)

60 allow.token_types(:oauth2).sent_through(:http_bearer, :query_access)

61 end

62

68 query_private: [:pat],

69

70 http_bearer: [:oauth2],

71 query_access: [:oauth2]

82

83 result[:data].presence || {}

84 rescue *Gitlab::HTTP::HTTP_ERRORS => e

85 { error: true, message: s_('Integrations|Connection failed. Please check your settings.'), service_response: e.message, test_failed: true }

86 end

11 - [Security Webcast with Yubico](https://about.gitlab.com/2016/08/31/gitlab-and-yubico-security-webcast/)

12 - **Integrations:**

13 - [GitLab as OAuth2 authentication service provider](../../integration/oauth_provider.md#introduction-to-oauth)

14

15 ## GitLab administrators

21 - [How to Configure LDAP with GitLab CE](../../articles/how_to_configure_ldap_gitlab_ce/index.md)

22 - [How to Configure LDAP with GitLab EE](https://docs.gitlab.com/ee/articles/how_to_configure_ldap_gitlab_ee/)

23 - [Feature Highlight: LDAP Integration](https://about.gitlab.com/2014/07/10/feature-highlight-ldap-sync/)

37 - [Private Tokens](../../api/README.md#private-tokens)

38 - [Impersonation tokens](../../api/README.md#impersonation-tokens)

39 - [GitLab as an OAuth2 provider](../../api/oauth2.md#gitlab-as-an-oauth2-provider)

40 - [GitLab Runner API - Authentication](../../api/ci/runners.md#authentication)

42 ## Third-party resources

43

44 - [Kanboard Plugin GitLab Authentication](https://kanboard.net/plugin/gitlab-auth)

45 - [Jenkins GitLab OAuth Plugin](https://wiki.jenkins-ci.org/display/JENKINS/GitLab+OAuth+Plugin)

6 include SessionHelpers

7

8 describe 'POST #create', :snowplow, :clean_gitlab_redis_sessions, :aggregate_failures do

9 let_it_be(:project) { create(:project, :public) }

10 let_it_be(:url) { project_google_cloud_revoke_oauth_index_path(project).to_s }

29 end

30

31 it 'redirects to Google OAuth2 authorize URL' do

32 sign_in(user)

33

40 context 'when revocation is successful' do

41 before do

42 stub_request(:post, "https://oauth2.googleapis.com/revoke")

43 .to_return(status: 200, body: "", headers: {})

44 end

73 - variable: server.env.DRONE_GITLAB_CLIENT

74 default: ""

75 description: "GitLab oauth2 client id"

76 type: string

77 required: true

78 label: GitLab OAuth2 Client ID

79 show_if: "server.env.DRONE_PROVIDER=gitlab"

81 - variable: server.env.DRONE_GITLAB_SECRET

82 default: ""

83 description: "GitLab oauth2 client secret"

84 type: string

85 required: true

86 label: GitLab OAuth2 Client Secret

87 show_if: "server.env.DRONE_PROVIDER=gitlab"

71 end

72

73 [:twitter, :facebook, :google_oauth2, :gitlab, :github, :bitbucket, :crowd, :auth0, :authentiq].each do |provider|

74 it "returns false if the provider is #{provider}" do

75 expect(helper.unlink_allowed?(provider)).to be true

30 end

31 get ':id/repository/branches' do

32 Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/42329')

33

34 repository = user_project.repository

66 # Note: This API will be deprecated in favor of the protected branches API.

67 # Note: The internal data model moved from `developers_can_{merge,push}` to `allowed_to_{merge,push}`

68 # in `gitlab-org/gitlab-ce!5081`. The API interface has not been changed (to maintain compatibility),

69 # but it works with the changed data model to infer `developers_can_merge` and `developers_can_push`.

70 desc 'Protect a single branch' do

99 @ref = params[:ref] || @project.default_branch || 'master'

100

101 @badges = [Gitlab::Badge::Pipeline::Status,

102 Gitlab::Badge::Coverage::Report]

56

57 expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)

58 expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))

59 end

60

142

143 expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))

144 .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))

145 end

146

153

154 expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))

155 .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))

156 end

157 end

51 format.html

52 format.json do

53 Gitlab::PollingInterval.set_header(response, interval: 10_000)

54

55 render json: BuildSerializer

1 # GitLab Integration

2

3 GitLab integrates with multiple third-party services to allow external issue

4 trackers and external authentication.

5

9 - [External issue tracker](external-issue-tracker.md) Redmine, JIRA, etc.

10 - [LDAP](ldap.md) Set up sign in via LDAP

11 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd, Azure and Authentiq ID

12 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider

13 - [CAS](cas.md) Configure GitLab to sign in using CAS

14 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation

15 - [Gmail actions buttons](gmail_action_buttons_for_gitlab.md) Adds GitLab actions to messages

19 - [PlantUML](../administration/integration/plantuml.md) Configure PlantUML to use diagrams in AsciiDoc documents.

20

21 GitLab Enterprise Edition contains [advanced Jenkins support][jenkins].

22

23 [jenkins]: http://docs.gitlab.com/ee/integration/jenkins.html

2 require_relative '../email_shared_blocks'

3

4 describe Gitlab::Email::Handler::CreateNoteHandler, lib: true do

5 include_context :email_shared_context

6 it_behaves_like :reply_processing_shared_examples

25

26 it "raises a UnknownIncomingEmail" do

27 expect { receiver.execute }.to raise_error(Gitlab::Email::UnknownIncomingEmail)

28 end

29 end

33

34 it "raises a SentNotificationNotFoundError" do

35 expect { receiver.execute }.to raise_error(Gitlab::Email::SentNotificationNotFoundError)

36 end

37 end

2 require_relative '../email_shared_blocks'

3

4 describe Gitlab::Email::Handler::CreateNoteHandler do

5 include_context :email_shared_context

6 it_behaves_like :reply_processing_shared_examples

25

26 it "raises a UnknownIncomingEmail" do

27 expect { receiver.execute }.to raise_error(Gitlab::Email::UnknownIncomingEmail)

28 end

29 end

33

34 it "raises a SentNotificationNotFoundError" do

35 expect { receiver.execute }.to raise_error(Gitlab::Email::SentNotificationNotFoundError)

36 end

37 end

11 - [Security Webcast with Yubico](https://about.gitlab.com/2016/08/31/gitlab-and-yubico-security-webcast/)

12 - **Integrations:**

13 - [GitLab as OAuth2 authentication service provider](../../integration/oauth_provider.md#introduction-to-oauth)

14

15 ## GitLab administrators

21 - [How to Configure LDAP with GitLab CE](../../articles/how_to_configure_ldap_gitlab_ce/index.md)

22 - [How to Configure LDAP with GitLab EE](https://docs.gitlab.com/articles/how_to_configure_ldap_gitlab_ee/)

23 - [Feature Highlight: LDAP Integration](https://about.gitlab.com/2014/07/10/feature-highlight-ldap-sync/)

37 - [Private Tokens](../../api/README.md#private-tokens)

38 - [Impersonation tokens](../../api/README.md#impersonation-tokens)

39 - [GitLab as an OAuth2 provider](../../api/oauth2.md#gitlab-as-an-oauth2-provider)

40 - [GitLab Runner API - Authentication](../../api/ci/runners.md#authentication)

42 ## Third-party resources

43

44 - [Kanboard Plugin GitLab Authentication](https://kanboard.net/plugin/gitlab-auth)

45 - [Jenkins GitLab OAuth Plugin](https://wiki.jenkins-ci.org/display/JENKINS/GitLab+OAuth+Plugin)

1 require "spec_helper"

2

3 describe Gitlab::Email::Receiver, lib: true do

4 before do

5 stub_incoming_email_setting(enabled: true, address: "reply+%{key}@appmail.adventuretime.ooo")

21

22 it "raises a SentNotificationNotFoundError" do

23 expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::SentNotificationNotFoundError)

24 end

25 end

29

30 it "raises a SentNotificationNotFoundError" do

31 expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::SentNotificationNotFoundError)

32 end

33 end

44 case .google: mapGoogle()

45 case .facebook: mapFacebook()

46 case .gitlab: mapGitLab()

47 case .github: mapGitHub()

48 case .linkedin: mapLinkedIn()

64 serverUrl = "https://accounts.google.com"

65 tokenPath = "/login/oauth/access_token"

66 authorizePath = "/o/oauth2/v2/auth"

67 buttonLabelText = "google"

68 buttonLabelColor = "#ffffff"

84 }

85

86 func mapGitLab() {

87 service = "gitlab"

88 scope = "read_user"

89

90 serverUrl = "https://gitlab.com"

91 tokenPath = "/oauth/token"

92 authorizePath = "/oauth/authorize"

61

62 def generate

63 Gitlab::IssuesLabels.generate(@project)

64

65 if params[:redirect] == 'issues'

127 end

128 rescue ActiveRecord::RecordInvalid => e

129 Gitlab::AppLogger.error "Failed to promote label \"#{@label.title}\" to group label"

130 Gitlab::AppLogger.error e

30

31 ```plaintext

32 https://gitlab.example.com/users/auth/google_oauth2/callback

33 https://gitlab.example.com/-/google_api/auth/callback

56

57 ```shell

58 sudo editor /etc/gitlab/gitlab.rb

59 ```

60

69 1. Add the provider configuration:

70

71 For Omnibus GitLab:

72

73 ```ruby

109

110 1. Save the configuration file.

111 1. [Reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../administration/restart_gitlab.md#installations-from-source) for the changes to take effect if you

112 installed GitLab via Omnibus or from source respectively.

57 def track_events(result)

58 if result[:status] == :success

59 ::Gitlab::Tracking::IncidentManagement.track_from_params(

60 update_params[:incident_management_setting_attributes]

61 )

70 return unless external_url_previous_change[0].blank? && external_url_previous_change[1].present?

71

72 ::Gitlab::Tracking.event('project:operations:tracing', 'external_url_populated', user: current_user, project: project, namespace: project.namespace)

73 end

74

135 def permitted_project_params

136 project_params = {

137 incident_management_setting_attributes: ::Gitlab::Tracking::IncidentManagement.tracking_keys.keys,

138

139 metrics_setting_attributes: [:external_dashboard_url, :dashboard_timezone],

40 # Helper Methods for Grape Endpoint

41 module HelperMethods

42 include Gitlab::Auth::UserAuthFinders

43

44 def find_current_user!

46 return unless user

47

48 forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)

49

50 user

85 Gitlab::Auth::InsufficientScopeError]

86

87 base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend

88 end

89

92 response =

93 case e

94 when Gitlab::Auth::MissingTokenError

95 Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new

3 require 'spec_helper'

4

5 RSpec.describe Gitlab::LegacyGithubImport::Client do

6 let(:token) { '123456' }

7 let(:github_provider) { Settingslogic.new('app_id' => 'asd123', 'app_secret' => 'asd123', 'name' => 'github', 'args' => { 'client_options' => {} }) }

11

12 before do

13 allow(Gitlab.config.omniauth).to receive(:providers).and_return([github_provider])

14 end

15

16 it 'convert OAuth2 client options to symbols' do

17 expect(client.client.options.keys).to all(be_kind_of(Symbol))

18 end

30

31 ```

32 https://gitlab.example.com/users/auth/google_oauth2/callback

33 https://gitlab.example.com/-/google_api/auth/callback

56

57 ```sh

58 sudo editor /etc/gitlab/gitlab.rb

59 ```

60

69 1. Add the provider configuration:

70

71 For Omnibus GitLab:

72

73 ```ruby

119 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

120 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

121

12 ## GitLab spoke

13

14 With the GitLab spoke in ServiceNow, you can automate actions for GitLab

15 projects, groups, users, issues, merge requests, branches, and repositories.

16

18 [GitLab spoke documentation](https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/administer/integrationhub-store-spokes/concept/gitlab-spoke.html).

19

20 You must [configure GitLab as an OAuth2 authentication service provider](../../../integration/oauth_provider.md),

21 which involves creating an application and then providing the Application ID

22 and Secret in ServiceNow.

24 ## GitLab SCM and Continuous Integration for DevOps

25

26 In ServiceNow DevOps, you can integrate with GitLab repositories and GitLab CI/CD

27 to centralize your view of GitLab activity and your change management processes.

40 - [GitLab SCM and Continuous Integration for DevOps](https://store.servicenow.com/sn_appstore_store.do#!/store/application/54dc4eacdbc2dcd02805320b7c96191e/)

41 - [Model a GitLab CI pipeline in DevOps](https://docs.servicenow.com/bundle/paris-devops/page/product/enterprise-dev-ops/task/model-gitlab-pipeline-dev-ops.html).

42

118 end

119

120 describe 'rescue from Gitlab::Git::Storage::Inaccessible' do

121 controller(described_class) do

122 def index

123 raise Gitlab::Git::Storage::Inaccessible.new('broken', 100)

124 end

125 end

37

38 def realtime_changes

39 Gitlab::PollingInterval.set_header(response, interval: 3_000)

40

41 response = {

59 issuable.destroy

60 destroy_method = "destroy_#{issuable.class.name.underscore}".to_sym

61 TodoService.new.public_send(destroy_method, issuable, current_user) # rubocop:disable GitlabSecurity/PublicSend

62

63 name = issuable.human_class_name

8

9 def handle_omniauth

10 omniauth_flow(Gitlab::Auth::OAuth)

11 end

12

39

40 def saml

41 omniauth_flow(Gitlab::Auth::Saml)

42 end

43

108

109 def handle_service_ticket(provider, ticket)

110 Gitlab::Auth::OAuth::Session.create provider, ticket

111 session[:service_tickets] ||= {}

112 session[:service_tickets][provider] = ticket

7

8 resource :help do

9 get :oauth2

10 end

11

13 collection do

14 post :add

15 get :gitlab

16 end

17

40

41 def client

42 @client ||= OAuth2::Client.new(provider.app_id, provider.app_secret, options)

43 end

44

45 def connection

46 @connection ||= OAuth2::AccessToken.new(client, @token, refresh_token: @refresh_token, expires_at: @expires_at, expires_in: @expires_in)

47 end

48

58

59 def provider

60 Gitlab::Auth::OAuth::Provider.config_for('bitbucket')

61 end

62

1 module AuthHelper

2 PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2).freeze

3 FORM_BASED_PROVIDERS = [/\Aldap/, 'kerberos', 'crowd'].freeze

4

5 def ldap_enabled?

6 Gitlab.config.ldap.enabled

7 end

8

12

13 def omniauth_enabled?

14 Gitlab.config.omniauth.enabled

15 end

16

20

21 def auth_providers

22 Gitlab::OAuth::Provider.providers

23 end

24

60 )

61

62 expect(response).to have_gitlab_http_status(:not_found)

63 end

64 end

78 )

79

80 expect(response).to have_gitlab_http_status(:not_found)

81 end

82 end

209 end

210

211 context 'but gitlab instance is not configured for google oauth2' do

212 before do

213 unconfigured_google_oauth2 = Struct.new(:app_id, :app_secret)

4 protect_from_forgery except: [:kerberos, :saml]

5

6 Gitlab.config.omniauth.providers.each do |provider|

7 define_method provider['name'] do

8 handle_omniauth

23 # if the authentication to LDAP was successful.

24 def ldap

25 @user = Gitlab::LDAP::User.new(oauth)

26 @user.save if @user.changed? # will also save new users

27 gl_user = @user.gl_user

53 redirect_to profile_account_path, notice: '认证方法已更新'

54 else

55 @user = Gitlab::OAuth::User.new(oauth)

56 @user.save

57

8

9 1. Fill in the application details.

10 - Name: This can be anything. Consider something like "\<Organization\>'s GitLab" or "\<Your Name\>'s GitLab" or

11 something else descriptive.

12 - Description: Create a description.

13 - Website: The URL to your GitLab installation. 'https://gitlab.example.com'

14 - Callback URL: 'https://gitlab.example.com/users/auth/twitter/callback'

35

36 ```sh

37 sudo editor /etc/gitlab/gitlab.rb

38 ```

39

77 1. Restart GitLab for the changes to take effect.

78

79 On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

80

5 protect_from_forgery except: [:kerberos, :saml, :cas3]

6

7 Gitlab.config.omniauth.providers.each do |provider|

8 define_method provider['name'] do

9 handle_omniauth

24 # if the authentication to LDAP was successful.

25 def ldap

26 ldap_user = Gitlab::LDAP::User.new(oauth)

27 ldap_user.save if ldap_user.changed? # will also save new users

28

56 end

57 else

58 saml_user = Gitlab::Saml::User.new(oauth)

59 saml_user.save if saml_user.changed?

60 @user = saml_user.gl_user

1 # GitLab Integration

2

3 GitLab integrates with multiple third-party services to allow external issue

12 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd and Azure

13 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider

14 - [CAS](cas.md) Configure GitLab to sign in using CAS

15 - [Slack](slack.md) Integrate with the Slack chat service

16 - [Kerberos](kerberos.md) Integrate with Kerberos

17 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation

18 - [Gmail actions buttons](gmail_action_buttons_for_gitlab.md) Adds GitLab actions to messages

19 - [reCAPTCHA](recaptcha.md) Configure GitLab to use Google reCAPTCHA for new users

20 - [Akismet](akismet.md) Configure Akismet to stop spam

21

22 GitLab Enterprise Edition contains [advanced Jenkins support][jenkins].

23

24 [jenkins]: http://doc.gitlab.com/ee/integration/jenkins.html

32 expires_in: expires_in,

33 refresh_token: refresh_token)

34 allow_any_instance_of(OAuth2::Client).

35 to receive(:get_token).and_return(access_token)

36 stub_omniauth_provider('bitbucket')

92

93 context "when the repository owner is the Bitbucket user" do

94 context "when the Bitbucket user and GitLab user's usernames match" do

95 it "takes the current user's namespace" do

96 expect(Gitlab::BitbucketImport::ProjectCreator).

102 end

103

104 context "when the Bitbucket user and GitLab user's usernames don't match" do

105 let(:bitbucket_username) { "someone_else" }

106

8

9 1. Fill in the application details.

10 - Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or

11 something else descriptive.

12 - Description: Create a description.

13 - Website: The URL to your GitLab installation. 'https://gitlab.example.com'

14 - Callback URL: 'https://gitlab.example.com/users/auth/twitter/callback'

35

36 ```sh

37 sudo editor /etc/gitlab/gitlab.rb

38 ```

39

77 1. Restart GitLab for the changes to take effect.

78

79 On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

80

1 # GitLab Integration

2

3 GitLab integrates with multiple third-party services to allow external issue

12 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd and Azure

13 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider

14 - [CAS](cas.md) Configure GitLab to sign in using CAS

15 - [Slack](slack.md) Integrate with the Slack chat service

16 - [Kerberos](kerberos.md) Integrate with Kerberos

17 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation

18 - [Gmail actions buttons](gmail_action_buttons_for_gitlab.md) Adds GitLab actions to messages

19 - [reCAPTCHA](recaptcha.md) Configure GitLab to use Google reCAPTCHA for new users

20 - [Akismet](akismet.md) Configure Akismet to stop spam

21

22 GitLab Enterprise Edition contains [advanced Jenkins support][jenkins].

23

24 [jenkins]: http://docs.gitlab.com/ee/integration/jenkins.html

1 # GitLab as OAuth2 authentication service provider

2

3 This document is about using GitLab as an OAuth authentication service provider

7

8 - Other OAuth authentication service providers to sign in to

9 GitLab, see the [OAuth2 client documentation](omniauth.md).

10 - The related API, see [Applications API](../api/applications.md).

11

19 OAuth is mostly used as a Single Sign-On service (SSO), but you can find a

20 lot of different uses for this functionality. For example, you can allow users

21 to sign in to your application with their GitLab.com account, or GitLab.com

22 can be used for authentication to your GitLab instance

33 applications. There is no difference between them except for the different

34 permission levels they are set (user/admin). The default callback URL is

35 `http://your-gitlab.example.com/users/auth/gitlab/callback`

36

37 ## Adding an application through the profile

1 module Gitlab

2 module GitlabImport

21 import_type: "gitlab",

22 import_source: repo["path_with_namespace"],

23 import_url: repo["http_url_to_repo"].sub("://", "://oauth2:#{@session_data[:gitlab_access_token]}@")

24 ).execute

25

1 module Gitlab

2 module OAuth

3 class Provider

4 LABELS = {

5 "github" => "GitHub",

6 "gitlab" => "GitLab.com",

7 "google_oauth2" => "Google"

23 name = name.to_s

24 if ldap_provider?(name)

25 Gitlab::LDAP::Config.new(name).options

26 else

27 Gitlab.config.omniauth.providers.find { |provider| provider.name == name }

1 module Gitlab

2 module GitlabImport

7

8 def initialize(access_token)

9 @client = ::OAuth2::Client.new(

10 config.app_id,

11 config.app_secret,

12 gitlab_options

13 )

14

72

73 def config

74 Gitlab.config.omniauth.providers.find{|provider| provider.name == "gitlab"}

75 end

76

31

32 if current_user.can?(:create_projects, @target_namespace)

33 @project = Gitlab::GitlabImport::ProjectCreator.new(repo, @target_namespace, current_user, access_params).execute

34 else

35 render 'unauthorized'

40

41 def client

42 @client ||= Gitlab::GitlabImport::Client.new(session[:gitlab_access_token])

43 end

44

62

63 def access_params

64 { gitlab_access_token: session[:gitlab_access_token] }

65 end

66 end

14 delete :unlink, params: { provider: 'github' }

15

16 expect(response).to have_gitlab_http_status(:not_found)

17 end

18

26 delete :unlink, params: { provider: provider.to_s }

27

28 expect(response).to have_gitlab_http_status(:found)

29 expect(user.reload.identities).to include(identity)

30 end

32 end

33

34 [:twitter, :facebook, :google_oauth2, :gitlab, :github, :bitbucket, :crowd, :auth0, :authentiq, :dingtalk, :alicloud].each do |provider|

35 describe "#{provider} provider" do

36 let(:user) { create(:omniauth_user, provider: provider.to_s) }

8 include RendersBlob

9 include PaginatedCollection

10 include Gitlab::NoteableMetadata

11

12 skip_before_action :verify_authenticity_token,

1 module Gitlab

2 module GitlabImport

7

8 def initialize(access_token)

9 @client = ::OAuth2::Client.new(

10 config.app_id,

11 config.app_secret,

12 gitlab_options

13 )

14

72

73 def config

74 Gitlab.config.omniauth.providers.find {|provider| provider.name == "gitlab"}

75 end

76

4 "github.com/gin-gonic/gin"

5 log "github.com/sirupsen/logrus"

6 "gitlab.127-0-0-1.fr/vx3r/wg-gen-web/auth"

7 "gitlab.127-0-0-1.fr/vx3r/wg-gen-web/core"

48

49 // get update user from token and add to server infos

50 oauth2Token := c.MustGet("oauth2Token").(*oauth2.Token)

51 oauth2Client := c.MustGet("oauth2Client").(auth.Auth)

52 user, err := oauth2Client.UserInfo(oauth2Token)

53 if err != nil {

54 log.WithFields(log.Fields{

55 "oauth2Token": oauth2Token,

56 "err": err,

57 }).Error("failed to get user with oauth token")

16 ## GitLab Community Edition and Enterprise Edition

17

18 - [Fix import handling errors in Bitbucket Server importer.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24499)

19 - [Adjusts suggestions unable to be applied.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24603)

20 - [Fix 500 errors with legacy appearance logos.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24615)

21 - [Fix form functionality for edit tag page.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24645)

22 - Update Workhorse to v8.0.2.

23 - [Downcase aliased OAuth2 callback providers.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24877)

24 - [Fix Detect Host Keys not working.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24884)

25 - [Changed external wiki query method to prevent attribute caching.](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24907)

26

27 ## Upgrade barometer

11 - [Support for Universal 2nd Factor Authentication - YubiKeys](https://about.gitlab.com/2016/06/22/gitlab-adds-support-for-u2f/)

12 - [Security Webcast with Yubico](https://about.gitlab.com/2016/08/31/gitlab-and-yubico-security-webcast/)

13 - **Integrations:**

14 - [GitLab as OAuth2 authentication service provider](../../integration/oauth_provider.md#introduction-to-oauth)

21 - [Enforce Two-factor Authentication (2FA)](../../security/two_factor_authentication.md#enforce-two-factor-authentication-2fa)

22 - **Articles:**

23 - [How to Configure LDAP with GitLab CE](../../administration/auth/how_to_configure_ldap_gitlab_ce/index.md)

24 - [How to Configure LDAP with GitLab EE](../../administration/auth/how_to_configure_ldap_gitlab_ee/index.md)

32 - [SAML OmniAuth Provider](../../integration/saml.md)

33 - [Okta SSO provider](../../administration/auth/okta.md)

34 - [Kerberos integration (GitLab EE)](https://docs.gitlab.com/ee/integration/kerberos.html)

35

36 ## API

39 - [Private Tokens](../../api/README.md#private-tokens)

40 - [Impersonation tokens](../../api/README.md#impersonation-tokens)

41 - [GitLab as an OAuth2 provider](../../api/oauth2.md#gitlab-as-an-oauth2-provider)

42

43 ## Third-party resources

8

9 1. Fill in the application details.

10 - Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or

11 something else descriptive.

12 - Description: Create a description.

13 - Website: The URL to your GitLab installation. 'https://gitlab.example.com'

14 - Callback URL: 'https://gitlab.example.com/users/auth/twitter/callback'

78 installed GitLab via Omnibus or from source respectively.

79

80 On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

81

82 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

83 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

84

35 namespace = get_or_create_namespace || (render and return)

36

37 @project = Gitlab::GitlabImport::ProjectCreator.new(repo, namespace, current_user, access_params).execute

38 end

39

41

42 def client

43 @client ||= Gitlab::GitlabImport::Client.new(session[:gitlab_access_token])

44 end

45

63

64 def access_params

65 { gitlab_access_token: session[:gitlab_access_token] }

66 end

67 end

1 # Facebook OAuth2 OmniAuth Provider

2

3 To enable the Facebook OmniAuth provider you must register your application with Facebook. Facebook will generate an app ID and secret key for you to use.

9 1. Select the type "Website"

10

11 1. Enter a name for your app. This can be anything. Consider something like "&lt;Organization&gt;'s GitLab" or "&lt;Your Name&gt;'s GitLab" or

12 something else descriptive.

13

53

54 ```sh

55 sudo editor /etc/gitlab/gitlab.rb

56 ```

57

95 1. Restart GitLab for the changes to take effect.

96

97 On the sign in page there should now be a Facebook icon below the regular sign in form. Click the icon to begin the authentication process. Facebook will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

98

16

17 1. On the "App properties" page enter the needed URI's and click the "Complete" button.

18 - SIGN-IN URL: Enter the URL of your GitLab installation (e.g 'https://gitlab.mycompany.com/')

19 - APP ID URI: Enter the endpoint URL for Microsoft to use, just has to be unique (e.g 'https://mycompany.onmicrosoft.com/gitlab')

21 1. Select "Configure" in the top menu.

22

23 1. Add a "Reply URL" pointing to the Azure OAuth callback of your GitLab installation (e.g. https://gitlab.mycompany.com/users/auth/azure_oauth2/callback).

24

25 1. Create a "Client secret" by selecting a duration, the secret will be generated as soon as you click the "Save" button in the bottom menu..

36

37 ```sh

38 sudo editor /etc/gitlab/gitlab.rb

39 ```

40

81 1. Restart GitLab for the changes to take effect.

82

83 On the sign in page there should now be a Microsoft icon below the regular sign in form. Click the icon to begin the authentication process. Microsoft will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

84

31 *

32 * @access public

33 * @param string $gitlab_id Gitlab user id

34 * @return boolean

35 */

36 public function authenticate($gitlab_id)

37 {

38 $user = $this->user->getByGitlabId($gitlab_id);

39

40 if (! empty($user)) {

58 return $this->user->update(array(

59 'id' => $user_id,

60 'gitlab_id' => '',

61 ));

62 }

9 1. Select the type "Website"

10

11 1. Enter a name for your app. This can be anything. Consider something like "&lt;Organization&gt;'s GitLab" or "&lt;Your Name&gt;'s GitLab" or

12 something else descriptive.

13

53

54 ```sh

55 sudo editor /etc/gitlab/gitlab.rb

56 ```

57

96 installed GitLab via Omnibus or from source respectively.

97

98 On the sign in page there should now be a Facebook icon below the regular sign in form. Click the icon to begin the authentication process. Facebook will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.

99

100 [reconfigure]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure

101 [restart GitLab]: ../administration/restart_gitlab.md#installations-from-source

102

1 # GitLab Integration

2

3 GitLab integrates with multiple third-party services to allow external issue

12 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd and Azure

13 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider

14 - [CAS](cas.md) Configure GitLab to sign in using CAS

15 - [Kerberos](kerberos.md) Integrate with Kerberos

16 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation

17 - [Gmail actions buttons](gmail_action_buttons_for_gitlab.md) Adds GitLab actions to messages

18 - [reCAPTCHA](recaptcha.md) Configure GitLab to use Google reCAPTCHA for new users

19 - [Akismet](akismet.md) Configure Akismet to stop spam

20 - [Koding](koding.md) Configure Koding to use IDE integration

21

22 GitLab Enterprise Edition contains [advanced Jenkins support][jenkins].

23

24 [jenkins]: http://docs.gitlab.com/ee/integration/jenkins.html

3 require 'spec_helper'

4

5 describe Gitlab::GitlabImport::Client do

6 include ImportSpecHelper

7

10

11 before do

12 stub_omniauth_provider('gitlab')

13 end

14

15 it 'all OAuth2 client options are symbols' do

16 client.client.options.keys.each do |key|

17 expect(key).to be_kind_of(Symbol)