GitLab

Add a new "hash type" for invalid passwords, which is never equal to
normal passwords, but nevertheless can be changed without being known by
the user.

This "invalid" password can only be set by directly setting the password
hash type. When updating the password using update_password method, it will
always be upgrade it to the strongest hash type, sha256crypt.

To allow changing this "invalid" password to a normal one, stop
requiring a non-empty current password in the password change dialog
when changing a password from an "invalid" one. Don’t show the current
password box either, as it is not used anyway in this case, making
it better not to show it to avoid confusion.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch

Backports of upstream commits 5524ffc and 362bdc3 moved some validation
code into a validate method which was never called. A simple fix makes
this code run again.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic backports
Gbp-Pq: Name Unbreak-the-validators.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Allow-passing-SSO-auth-configuration-as-a-secret.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Allow-changing-the-session-lifetime.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Install-and-configure-mstmp.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora
Gbp-Pq: Name Clean-up-stale-pid-files-on-start.patch

Some providers set username or nickname to an email address.
For this reason, first collect the best possible user name we can find,
and only then fix it to match our requirements.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Try-harder-to-derive-the-username-from-email-addresses.patch

The generator requires Python 3 and pyyaml
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Generate-the-SSO-config-from-the-environment-variables.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Move-Docker-related-files-under-docker.patch

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Split-docker-entrypoint.sh-into-three-separate-files.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Preinstall-gems-for-Azure-OAuth2.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Build-Docker-images-in-GitLab-CI.patch

Create a Docker image with a Debian package built from the current Git
source. This eliminates an extra round trip with a manual upload to OBS
and the package getting published and fetched from apt repos.
Unfortunately, doing this in a way compatible with what was previously
done requires some non-trivial hacks.

Since we want fairly recent OmniAuth gems, we install them from external
sources directly into the resulting Docker image.

ruby-faraday is used by the OAuth2 auth backend, but new versions
require newer Ruby than what stretch has, so we preinstall it from
packages to avoid pinning it.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Build-a-Docker-image-with-the-Web-UI-only.patch

OmniAuth 2.x breaks CSRF, needs more investigation.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Limit-OmniAuth-to-1.x-only.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Implement-login-flow.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-SSO-callback-to-allow-existing-users-log-in-with-an-e.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name user-model-add-find_with_omniauth-create_with_omniauth.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Rename-create_ldap_user-to-create_external_user.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-SSO-buttons-to-the-normal-login-page.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-a-link-to-the-SSO-login-to-the-dropdown-login-box.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Add-an-SSO-login-page-so-that-users-can-choose-between-pr.patch

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Parse-SSO-authentication-config-on-startup.patch

We already have a method for creating users with fake passwords. Let's
use it.

Cherry-picked from 86473a4bd4d6ccd03548d5496ce29238ed645e21

Gbp-Pq: Topic backports
Gbp-Pq: Name api-DRY-code-by-using-existing-methods.patch

Cherry-picked from 1c264f5992dbc0ac9f84eadb4092a19414d1da9a

Gbp-Pq: Topic backports
Gbp-Pq: Name webui-Drop-validation-of-user-s-email-address.patch

Cherry-pick from 7967fe46f376381386d93db57b27fa0f7c707978

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Use-SecureRandom-to-generate-a-random-fake-password.patch

Add basic tests for the new method.

Cherry-picked from 51ac16ad4b4cc6b70bf4e095b5b1db9523755921

Gbp-Pq: Topic backports
Gbp-Pq: Name api-ci-Move-creation-of-user-with-fake-pw-to-model.patch

* Moves ldap related code into new method that handles creation of LDAP
users
* Cleans up setting attributes

Cherry-picked from b6d9a59f5c37380036a7ce3d031eaf6ce46836db

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Refactor-creation-of-LDAP-users.patch

After a successful login OBS is updating user data fetched from the LDAP
instance. This simplifies the code a bit.

Cherry-picked from c349da0a87c69468adf8f895c57cd599ade92a3b

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Refactor-updating-user-data-in-LDAP-mode.patch

Searching a users works differently in LDAP mode. This splits out the
LDAP related code.

Cherry-picked from cde81ee1bacf742dcce6099c8375ec4207bb8c80

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Move-ldap-related-code-to-separate-method.patch

When a user logs in to OBS we mark the last login. For unknown reasons
we prevented the updated_at attribute to be updated when we run this
operation.
Since there is no good reason to do this, we drop the code.

Cherry-picked from 6d0e5b2048aa48eb1d272c8308be5f772ff87c25

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Drop-code-that-prevents-updating-updated_at.patch

ActiveModel::Dirty provides a nice set of helper methods to track and
handle changes of attributes of a model.
This allows us to remove a number of custom code that previously was
taking care of this.

Cherry-picked from 7453160b33baa3d71370e4d4f94d4f88f71a8a5f

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Use-ActiveModel-Dirty-in-user-model.patch

and drop the two methods that were storing them before.

Cherry-picked from a60da39a04c2eacc8bc2ced103234551970a42d9

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Store-available-password-hashing-algorithms-in-consta.patch

Cherry-picked from 1b353118ebc6c1f7cea297509088e9cd15bdcdcb

Gbp-Pq: Topic backports
Gbp-Pq: Name webui-api-Update-code-documentation.patch

Partially cherry-picked from 362bdc3a13936dcf07c17ca24c6213975c5336c4

Gbp-Pq: Topic backports
Gbp-Pq: Name Simplify-password-validation.patch

DEPRECATION WARNING: Passing string to define callback is deprecated and will be removed in Rails 5.1 without replacement.

Partially cherry-picked from 04bbd1d1f876c8c9f3659f79f1a11f33ac35c07d

Gbp-Pq: Topic backports
Gbp-Pq: Name api-webui-Fix-deprecated-string-callback.patch

Was: [ci][api] Enable Rails/Validation rubocop cop

Checks for the use of old-style attribute validation macros.

Cherry-picked from 5524ffccb72a5f3c5ea3e255a0b76fe8b0225904

Gbp-Pq: Topic backports
Gbp-Pq: Name Replace-old-style-attribute-validation-macros-with-new-st.patch

Moves code that handles marking succeeded logins to a separate method.
This DRYs the code a bit.

Cherry-picked from: c311c8e7a6107e25813162f1f33793dd7aab2b8f

Gbp-Pq: Topic backports
Gbp-Pq: Name api-Move-shared-code-to-separate-method.patch

Non-logged-in users cannot directly access the login form, while they’re
supposed to be able to do this so that they can log in. Without this,
they can only use the JavaScript-powered form on the main page.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic backports
Gbp-Pq: Name Make-login-accessible-to-non-logged-in-users-so-that-they.patch

When a user tries to view a project's meta config, the rails
application actually recreates the XML from the database contents
using the project model.

It does this with the user id set in its context and applies normal
ACL rules.

This means that any data relating to a project the user does not have
at least read access to is missing from the model's internal data
structures, so <path…> elements that refer to unreadable projects
result in a method call on nil and a 500 error in the web UI.

This patch ameliorates that by checking that the relevant object
actually exists in the model before calling an accessor method on it,
and substituting 'HIDDEN' for the project's name if it does not.

This does mean that the user SHOULD NOT try and save said meta config
but that restriction is not enforced here.

Gbp-Pq: Topic collabora
Gbp-Pq: Name Suppress-a-500-error-in-the-web-UI-for-project-meta-confi.patch

The project model code path for this invalidates the cache before
returning.

Users now have different views of project meta config (references to
inaccessible projects, which were not permitted at all before, are now
elided to "HIDDEN" for users with insufficient access): This means
that the code path which provides the meta config to osc must also
invalidate the cache.

It's not clear that this particular config should be cached at all.
Possibly it should include the user context in the cache key instead
but in any case this is the least invasive way to make sure osc
returns the correct information for now.

Gbp-Pq: Topic collabora
Gbp-Pq: Name Invalidate-the-rails-cache-for-project-meta-xml-in-show_p.patch