LDAP Authentification with grack for https push - fixed password check

Friedrich Beckmann
1 parent df96c079
Showing 1 changed file with 25 additions and 1 deletions Show diff stats
lib/gitlab/backend/grack_auth.rb
 require_relative 'shell_env'
+require 'omniauth-ldap'
 module Grack
   class Auth < Rack::Auth::Basic
@@ -32,8 +33,14 @@ module Grack
         # Authentication with username and password
         login, password = @auth.credentials
         self.user = User.find_by_email(login) || User.find_by_username(login)
-        return false unless user.try(:valid_password?, password)
+        if user.nil?
+          ldap_auth(login,password)
+          return false unless !user.nil?
+        else
+          return false unless user.valid_password?(password);
+        end
+           
         Gitlab::ShellEnv.set_env(user)
       end
@@ -47,6 +54,23 @@ module Grack
       end
     end
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
     def validate_get_request
       project.public || can?(user, :download_code, project)
     end
1	require_relative 'shell_env'	1	require_relative 'shell_env'
		2	+require 'omniauth-ldap'
2		3
3	module Grack	4	module Grack
4	class Auth < Rack::Auth::Basic	5	class Auth < Rack::Auth::Basic
	@@ -32,8 +33,14 @@ module Grack		@@ -32,8 +33,14 @@ module Grack
32	# Authentication with username and password	33	# Authentication with username and password
33	login, password = @auth.credentials	34	login, password = @auth.credentials
34	self.user = User.find_by_email(login) \|\| User.find_by_username(login)	35	self.user = User.find_by_email(login) \|\| User.find_by_username(login)
35	- return false unless user.try(:valid_password?, password)
36		36
		37	+ if user.nil?
		38	+ ldap_auth(login,password)
		39	+ return false unless !user.nil?
		40	+ else
		41	+ return false unless user.valid_password?(password);
		42	+ end
		43	+
37	Gitlab::ShellEnv.set_env(user)	44	Gitlab::ShellEnv.set_env(user)
38	end	45	end
39		46
	@@ -47,6 +54,23 @@ module Grack		@@ -47,6 +54,23 @@ module Grack
47	end	54	end
48	end	55	end
49		56
		57	+ def ldap_auth(login, password)
		58	+ # Check user against LDAP backend if user is not authenticated
		59	+ # Only check with valid login and password to prevent anonymous bind results
		60	+ gl = Gitlab.config
		61	+ if gl.ldap.enabled && !login.blank? && !password.blank?
		62	+ ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
		63	+ ldap_user = ldap.bind_as(
		64	+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
		65	+ size: 1,
		66	+ password: password
		67	+ )
		68	+ if ldap_user
		69	+ self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
		70	+ end
		71	+ end
		72	+ end
		73	+
50	def validate_get_request	74	def validate_get_request
51	project.public \|\| can?(user, :download_code, project)	75	project.public \|\| can?(user, :download_code, project)
52	end	76	end