Commit 63c6f30aba95398f732876f94f1fba1f8ed19622

Authored by Dmitriy Zaporozhets
1 parent a3645b5b

Fix ldap auth for http push

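--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -70,5 +70,24 @@ module Gitlab
 def log
 Gitlab::AppLogger
 end
+
+def ldap_auth(login, password)
+# Check user against LDAP backend if user is not authenticated
+# Only check with valid login and password to prevent anonymous bind results
+return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ldap_user = ldap.bind_as(
+filter: Net::LDAP::Filter.eq(ldap.uid, login),
+size: 1,
+password: password
+)
+
+User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
+end
+
+def ldap_conf
+@ldap_conf ||= Gitlab.config.ldap
+end
 end
 end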
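Review bot: `login` reaches `Net::LDAP::Filter.eq(ldap.uid, login)` in `ldap_auth` unescaped, and on the HTTP push path it is taken directly from `@auth.credentials`. `Filter.eq` does no escaping and keeps `*` as a wildcard, so with `size: 1` the entry that `bind_as` selects need not be the account the caller named. Escape the value before building the filter, e.g. `filter: Net::LDAP::Filter.eq(ldap.uid, Net::LDAP::Filter.escape(login)),` (assuming the bundled net-ldap version provides `escape`). The same line appears in the copy of `ldap_auth` kept in lib/gitlab/backend/grack_auth.rb. The enclosing class in `module Gitlab` starts outside the hunk.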
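--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -32,20 +32,11 @@ module Grack
 if @auth.provided?
 # Authentication with username and password
 login, password = @auth.credentials
-self.user = User.find_by_email(login) || User.find_by_username(login)
-
-# If the provided login was not a known email or username
-# then user is nil
-if user.nil?
-# Second chance - try LDAP authentication
-return false unless Gitlab.config.ldap.enabled
-ldap_auth(login,password)
-return false unless !user.nil?
-else
-return false unless user.valid_password?(password)
-end
-
-Gitlab::ShellEnv.set_env(user)
+
+@user = authenticate(login, password)
+return false unless @user
+
+Gitlab::ShellEnv.set_env(@user)
 end
 
 # Git upload and receive
@@ -58,21 +49,35 @@ module Grack
 end
 end
 
+def authenticate(login, password)
+user = User.find_by_email(login) || User.find_by_username(login)
+
+# If the provided login was not a known email or username
+# then user is nil
+if user.nil? || user.ldap_user?
+# Second chance - try LDAP authentication
+return nil unless ldap_conf.enabled
+
+auth = Gitlab::Auth.new
+auth.ldap_auth(login, password)
+else
+return user if user.valid_password?(password)
+end
+end
+
 def ldap_auth(login, password)
 # Check user against LDAP backend if user is not authenticated
 # Only check with valid login and password to prevent anonymous bind results
-gl = Gitlab.config
-if gl.ldap.enabled && !login.blank? && !password.blank?
-ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
-ldap_user = ldap.bind_as(
-filter: Net::LDAP::Filter.eq(ldap.uid, login),
-size: 1,
-password: password
-)
-if ldap_user
-self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
-end
-end
+return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ldap_user = ldap.bind_as(
+filter: Net::LDAP::Filter.eq(ldap.uid, login),
+size: 1,
+password: password
+)
+
+User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
 end
 
 def validate_get_request
@@ -139,5 +144,9 @@ module Grack
 abilities
 end
 end
+
+def ldap_conf
+@ldap_conf ||= Gitlab.config.ldap
+end
 end# Auth
 end# Grack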
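Review bot: The `ldap_auth` method kept in `Grack::Auth` (new lines 68–81) looks unused after this change, because `authenticate` calls `Gitlab::Auth.new.ldap_auth` and nothing visible in these hunks still calls the local copy. Two copies of a credential check tend to drift, so a later hardening of one can leave the other behind. I would delete the local method, or reduce its body to `Gitlab::Auth.new.ldap_auth(login, password)` if callers exist outside the hunks. `authenticate` also returns nil on every failure path without saying so; a comment above it such as `# Returns the User on success, nil on any failure (unknown login, bad password, LDAP disabled or bind refused)` would make the contract explicit for the `return false unless @user` caller. The method holding the `if @auth.provided?` block starts outside the first hunk.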