gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.

Age	Commit message (Collapse)	Author
2019-09-26	Merge branch 'security-sarcila-verify-saml-request-origin-12-1' into ↵	GitLab Release Tools Bot
	'12-1-stable' Check that SAML identity linking validates the origin of the request See merge request gitlab/gitlabhq!3376
2019-09-16	Validate that SAML requests are originated from gitlab	Sebastian Arcila Valenzuela
	If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
2019-09-11	Add checking for email_verified key	Małgorzata Ksionek
	Fix rubocop offences and add changelog Add email_verified key for feature specs Add code review remarks Add code review remarks Fix specs
2019-05-06	CE changes for SSO web enforcement	James Edwards-Jones
	Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-04-08	Externalize strings in flash messages	Martin Wortschack
	- Externalize strings in controllers - Update PO file
2019-03-19	Move out link\unlink ability checks to a policy	Pavel Shutsin
	We can extend the policy in EE for additional behavior
2019-02-06	Backport build_auth_user for GroupSAML callback	James Edwards-Jones

2019-02-04	Avoid CSRF check on SAML failure endpoint	James Edwards-Jones
	SAML and OAuth failures should cause a message to be presented, as well as logging that an attempt was made. These were incorrectly prevented by the CSRF check on POST endpoints such as SAML. In addition we were using a NullSession forgery protection, which made testing more difficult and could have allowed account linking to take place if a CSRF was ever needed but not present.
2019-01-10	Addressing peer review feedback.	Scott Escue
	Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.
2019-01-10	Preserve URL fragment across sign-in and sign-up redirects	Scott Escue
	If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2018-09-19	Enable frozen string in app/controllers/*/.rb	gfyoung
	Enables frozen string for the following: * app/controllers/.rb app/controllers/admin/*/.rb * app/controllers/boards/*/.rb * app/controllers/ci/*/.rb * app/controllers/concerns/*/.rb Partially addresses #47424.
2018-06-25	Honor saml assurance level to allow 2FA bypassing	Roger Rüttimann

2018-06-21	[Rails5] Force the `protect_from_forgery` callback run first	blackst0ne
	Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first. [1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191
2018-05-21	Backport helpers from GroupSAML failure messages	James Edwards-Jones

2018-05-04	Backport IdentityLinker#failed? from GroupSaml callback flow	James Edwards-Jones

2018-04-30	Exclude LDAP from OmniauthCallbackController base methods	James Edwards-Jones

2018-04-23	Replace define_method with alias_method in Omniauth Controllers	James Edwards-Jones

2018-04-23	Unify Saml::IdentityLinker and OAuth::IdentityLinker	James Edwards-Jones

2018-04-23	Show error on failed OAuth account link	James Edwards-Jones

2018-04-23	Refactor OmniauthCallbacksController to remove duplication	James Edwards-Jones
	Moves LDAP to its own controller with tests Provides path forward for implementing GroupSaml
2018-03-22	Writes specs	Tiago Botelho

2018-03-22	Tracks the number of failed attempts made by a user trying to authenticate ↵	Tiago Botelho
	with any external authentication method
2018-03-21	Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6'	James Lopez
	[10.6] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2354
2018-02-28	Moved o_auth/saml/ldap modules under gitlab/auth	Horatiu Eugen Vlad

2018-02-02	use Gitlab::UserSettings directly as a singleton instead of ↵	Mario de la Ossa
	including/extending it
2018-01-17	Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3'	Robert Speicher
	[10.3] Prevent login with disabled OAuth providers See merge request gitlab/gitlabhq!2296 (cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c) a0f9d222 Prevents login with disabled OAuth providers
2018-01-11	Adds Rubocop rule for line break around conditionals	🙈 jacopo beschi 🙉

2017-11-23	Allow password authentication to be disabled entirely	Markus Koller

2017-11-17	Changing OAuth lookup to be case insensitive	Francisco Javier López

2017-08-24	Define ldap methods at runtime	Bob Van Landuyt
	This avoids loading the `OmniAuthCallbacksController` at boot time so it doesn't mess up the `before_action`-chain
2017-08-15	Enable Layout/TrailingWhitespace cop and auto-correct offenses	Robert Speicher

2017-08-07	[EE Backport] Update log audit event in omniauth_callbacks_controller.rb	James Lopez

2017-07-06	Fix build for !11963.	Timothy Andrew
	- Don't use `request.env['omniauth.params']` if it isn't present. - Remove the `saml` section from the `gitlab.yml` test section. Some tests depend on this section not being initially present, so it can be overridden in the test. This MR doesn't add any tests for SAML, so we didn't really need this in the first place anyway. - Clean up the test -> omniauth section of `gitlab.yml`
2017-07-06	Implement "remember me" for OAuth-based login.	Timothy Andrew
	- Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie.
2017-06-21	Enable Style/DotPosition Rubocop :cop:	Grzegorz Bizon

2017-05-05	Update design of auth error page	Annabel Dunstone Gray

2017-02-22	No more and/or	Douwe Maan

2017-02-20	Added support for Authentiq Back-Channel Logout	Alexandros Keramidas

2016-07-04	Added tests for 2FA check on OAuth request	Patricio Cano

2016-06-29	Add 2FA check to the OAuth authentication mechanism	Patricio Cano

2016-05-30	Enable Style/MethodDefParentheses rubocop cop	Grzegorz Bizon
	Use def with parentheses when there are parameters. See #17478
2016-04-08	Add missing proper nil and error handling to SAML login process.	Patricio Cano

2016-04-05	Avoid saving again if the user attributes haven't changed	Patricio Cano

2016-02-19	Decouple SAML authentication from the default Omniauth logic	Patricio Cano

2016-02-19	Revert "Merge branch 'saml-decoupling' into 'master' "	Douwe Maan
	This reverts commit c04e22fba8d130a58f498ff48127712d7dae17ee, reversing changes made to 0feab326d52222dc0ab5bd0a6b15dab297f44aa9.
2016-02-18	Decouple SAML authentication from the default Omniauth logic	Patricio Cano

2016-02-03	Support Two-factor Authentication for LDAP users	Robert Speicher
	Closes #12653
2016-01-28	Backport LDAP user assignment changes from EE	Robert Speicher
	See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146
2015-12-15	add CAS authentication support	tduehr

2015-10-03	Fix rubocop warnings in app	Guilherme Garnier