Commit f7ccbfca authored by Drew Blessing's avatar Drew Blessing

Merge branch '212848' into 'master'

#212848 Removed UltraAuth integration for OmniAuth

Closes #212848

See merge request gitlab-org/gitlab!29330
parents 5bc95c97 82441efa
...@@ -44,7 +44,6 @@ gem 'omniauth-twitter', '~> 1.4' ...@@ -44,7 +44,6 @@ gem 'omniauth-twitter', '~> 1.4'
gem 'omniauth_crowd', '~> 2.2.0' gem 'omniauth_crowd', '~> 2.2.0'
gem 'omniauth-authentiq', '~> 0.3.3' gem 'omniauth-authentiq', '~> 0.3.3'
gem 'omniauth_openid_connect', '~> 0.3.3' gem 'omniauth_openid_connect', '~> 0.3.3'
gem "omniauth-ultraauth", '~> 0.0.2'
gem 'omniauth-salesforce', '~> 1.0.5' gem 'omniauth-salesforce', '~> 1.0.5'
gem 'rack-oauth2', '~> 1.9.3' gem 'rack-oauth2', '~> 1.9.3'
gem 'jwt', '~> 2.1.0' gem 'jwt', '~> 2.1.0'
......
...@@ -722,8 +722,6 @@ GEM ...@@ -722,8 +722,6 @@ GEM
omniauth-twitter (1.4.0) omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1) omniauth-oauth (~> 1.1)
rack rack
omniauth-ultraauth (0.0.2)
omniauth_openid_connect (~> 0.3.0)
omniauth_crowd (2.2.3) omniauth_crowd (2.2.3)
activesupport activesupport
nokogiri (>= 1.4.4) nokogiri (>= 1.4.4)
...@@ -1317,7 +1315,6 @@ DEPENDENCIES ...@@ -1317,7 +1315,6 @@ DEPENDENCIES
omniauth-saml (~> 1.10) omniauth-saml (~> 1.10)
omniauth-shibboleth (~> 1.3.0) omniauth-shibboleth (~> 1.3.0)
omniauth-twitter (~> 1.4) omniauth-twitter (~> 1.4)
omniauth-ultraauth (~> 0.0.2)
omniauth_crowd (~> 2.2.0) omniauth_crowd (~> 2.2.0)
omniauth_openid_connect (~> 0.3.3) omniauth_openid_connect (~> 0.3.3)
org-ruby (~> 0.9.12) org-ruby (~> 0.9.12)
......
...@@ -23,8 +23,7 @@ module EnforcesTwoFactorAuthentication ...@@ -23,8 +23,7 @@ module EnforcesTwoFactorAuthentication
def two_factor_authentication_required? def two_factor_authentication_required?
Gitlab::CurrentSettings.require_two_factor_authentication? || Gitlab::CurrentSettings.require_two_factor_authentication? ||
current_user.try(:require_two_factor_authentication_from_group?) || current_user.try(:require_two_factor_authentication_from_group?)
current_user.try(:ultraauth_user?)
end end
def current_user_requires_two_factor? def current_user_requires_two_factor?
......
...@@ -954,11 +954,11 @@ class User < ApplicationRecord ...@@ -954,11 +954,11 @@ class User < ApplicationRecord
end end
def allow_password_authentication_for_web? def allow_password_authentication_for_web?
Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? && !ultraauth_user? Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
end end
def allow_password_authentication_for_git? def allow_password_authentication_for_git?
Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? && !ultraauth_user? Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user?
end end
def can_change_username? def can_change_username?
...@@ -1046,14 +1046,6 @@ class User < ApplicationRecord ...@@ -1046,14 +1046,6 @@ class User < ApplicationRecord
end end
end end
def ultraauth_user?
if identities.loaded?
identities.find { |identity| Gitlab::Auth::OAuth::Provider.ultraauth_provider?(identity.provider) && !identity.extern_uid.nil? }
else
identities.exists?(["provider = ? AND extern_uid IS NOT NULL", "ultraauth"])
end
end
def ldap_identity def ldap_identity
@ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"]) @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
end end
......
---
title: Removed UltraAuth integration for OmniAuth
merge_request: 29330
author: Kartikey Tanna
type: removed
# frozen_string_literal: true
class RemoveUltraauthProviderFromIdentities < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_concurrent_index :identities, :provider
execute "DELETE FROM identities WHERE provider = 'ultraauth'"
remove_concurrent_index :identities, :provider
end
def down
end
end
...@@ -13883,6 +13883,7 @@ COPY "schema_migrations" (version) FROM STDIN; ...@@ -13883,6 +13883,7 @@ COPY "schema_migrations" (version) FROM STDIN;
20200506125731 20200506125731
20200506154421 20200506154421
20200507221434 20200507221434
20200508021128
20200508050301 20200508050301
20200508091106 20200508091106
20200511080113 20200511080113
......
...@@ -32,4 +32,3 @@ providers: ...@@ -32,4 +32,3 @@ providers:
- [Shibboleth](../../integration/shibboleth.md) - [Shibboleth](../../integration/shibboleth.md)
- [Smartcard](smartcard.md) **(PREMIUM ONLY)** - [Smartcard](smartcard.md) **(PREMIUM ONLY)**
- [Twitter](../../integration/twitter.md) - [Twitter](../../integration/twitter.md)
- [UltraAuth](../../integration/ultra_auth.md)
...@@ -34,7 +34,6 @@ contains some settings that are common for all providers. ...@@ -34,7 +34,6 @@ contains some settings that are common for all providers.
- [OAuth2Generic](oauth2_generic.md) - [OAuth2Generic](oauth2_generic.md)
- [JWT](../administration/auth/jwt.md) - [JWT](../administration/auth/jwt.md)
- [OpenID Connect](../administration/auth/oidc.md) - [OpenID Connect](../administration/auth/oidc.md)
- [UltraAuth](ultra_auth.md)
- [Salesforce](salesforce.md) - [Salesforce](salesforce.md)
- [AWS Cognito](../administration/auth/cognito.md) - [AWS Cognito](../administration/auth/cognito.md)
......
# UltraAuth OmniAuth Provider
You can integrate your GitLab instance with [UltraAuth](https://github.com/ultraauth) to enable users to perform secure biometric authentication to your GitLab instance with your UltraAuth account. Users have to perform the biometric authentication using their mobile device with fingerprint sensor.
## Create UltraAuth Application
To enable UltraAuth OmniAuth provider, you must use UltraAuth's credentials for your GitLab instance.
To get the credentials (a pair of Client ID and Client Secret), you must register an application on UltraAuth.
1. Sign in to [UltraAuth](https://app.ultraauth.com).
1. Navigate to **Create an App** and click on **Ruby on Rails**.
1. Scroll down the page that is displayed to locate the **Client ID** and **Client Secret**.
Keep this page open as you continue configuration.
![UltraAuth Credentials: OPENID_CLIENT_ID and OPENID_CLIENT_SECRET](img/ultra_auth_credentials.png)
1. Click on "Edit Callback URL" link.
![Edit UltraAuth Callback URL](img/ultra_auth_edit_callback_url_highlighted.png)
1. The callback URL will be `http(s)://<your_domain>/users/auth/ultraauth/callback`
![UltraAuth Callback URL](img/ultra_auth_edit_callback_url.png)
1. Select **Register application**.
1. On your GitLab server, open the configuration file.
For Omnibus package:
```shell
sudo editor /etc/gitlab/gitlab.rb
```
For installations from source:
```shell
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
```
1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
1. Add the provider configuration:
For Omnibus package:
```ruby
gitlab_rails['omniauth_providers'] = [
{
"name" => "ultraauth",
"app_id" => "OPENID_CLIENT_ID",
"app_secret" => "OPENID_CLIENT_SECRET",
"args" => {
"client_options" => {
"redirect_uri" => "https://example.com/users/auth/ultraauth/callback"
}
}
}
]
```
For installation from source:
```yaml
- { name: 'ultraauth',
app_id: 'OPENID_CLIENT_ID',
app_secret: 'OPENID_CLIENT_SECRET',
args: {
client_options: {
redirect_uri: 'https://example.com/users/auth/ultraauth/callback'
}
}
}
```
__Replace `https://example.com/users/auth/ultraauth/callback` with your application's Callback URL.__
1. Change `OPENID_CLIENT_ID` to the Client ID from the UltraAuth application page.
1. Change `OPENID_CLIENT_SECRET` to the Client Secret from the UltraAuth application page.
1. Save the configuration file.
1. [Reconfigure GitLab](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../administration/restart_gitlab.md#installations-from-source) for the changes to take effect if you
installed GitLab via Omnibus or from source respectively.
On the sign in page, there should now be an UltraAuth icon below the regular sign in form.
Click the icon to begin the authentication process. UltraAuth will ask the user to sign in and authorize the GitLab application.
If everything goes well, the user will be returned to GitLab and will be signed in.
GitLab requires the email address of each new user. Once the user is logged in using UltraAuth, GitLab will redirect the user to the profile page where they will have to provide the email and verify the email. Password authentication will be disabled for UltraAuth users and two-factor authentication (2FA) will be enforced.
...@@ -41,10 +41,6 @@ module Gitlab ...@@ -41,10 +41,6 @@ module Gitlab
name.to_s.start_with?('ldap') name.to_s.start_with?('ldap')
end end
def self.ultraauth_provider?(name)
name.to_s.eql?('ultraauth')
end
def self.sync_profile_from_provider?(provider) def self.sync_profile_from_provider?(provider)
return true if ldap_provider?(provider) return true if ldap_provider?(provider)
......
...@@ -310,13 +310,6 @@ describe ApplicationController do ...@@ -310,13 +310,6 @@ describe ApplicationController do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
it 'returns true if user has signed up using omniauth-ultraauth' do
user = create(:omniauth_user, provider: 'ultraauth')
allow(controller).to receive(:current_user).and_return(user)
expect(subject).to be_truthy
end
end end
describe '#two_factor_grace_period' do describe '#two_factor_grace_period' do
......
...@@ -2197,26 +2197,6 @@ describe User do ...@@ -2197,26 +2197,6 @@ describe User do
end end
end end
describe '#ultraauth_user?' do
it 'is true if provider is ultraauth' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.ultraauth_user?).to be_truthy
end
it 'is false with othe provider' do
user = create(:omniauth_user, provider: 'not-ultraauth')
expect(user.ultraauth_user?).to be_falsey
end
it 'is false if no extern_uid is provided' do
user = create(:omniauth_user, extern_uid: nil)
expect(user.ldap_user?).to be_falsey
end
end
describe '#full_website_url' do describe '#full_website_url' do
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -3492,12 +3472,6 @@ describe User do ...@@ -3492,12 +3472,6 @@ describe User do
expect(user.allow_password_authentication_for_web?).to be_falsey expect(user.allow_password_authentication_for_web?).to be_falsey
end end
it 'returns false for ultraauth user' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.allow_password_authentication_for_web?).to be_falsey
end
end end
describe '#allow_password_authentication_for_git?' do describe '#allow_password_authentication_for_git?' do
...@@ -3520,12 +3494,6 @@ describe User do ...@@ -3520,12 +3494,6 @@ describe User do
expect(user.allow_password_authentication_for_git?).to be_falsey expect(user.allow_password_authentication_for_git?).to be_falsey
end end
it 'returns false for ultraauth user' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.allow_password_authentication_for_git?).to be_falsey
end
end end
describe '#assigned_open_merge_requests_count' do describe '#assigned_open_merge_requests_count' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment