Commit 63c6f30aba95398f732876f94f1fba1f8ed19622
1 parent
a3645b5b
Fix ldap auth for http push
Showing
2 changed files
with
54 additions
and
26 deletions
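--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -70,5 +70,24 @@ module Gitlab
 def log
 Gitlab::AppLogger
 end
+
+ def ldap_auth(login, password)
+ # Check user against LDAP backend if user is not authenticated
+ # Only check with valid login and password to prevent anonymous bind results
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
+ end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
 end
 end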
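Review bot: The login taken from the HTTP Basic credentials is placed into the LDAP search filter at `filter: Net::LDAP::Filter.eq(ldap.uid, login)` without escaping, so filter metacharacters such as `*` or parentheses in the supplied login are parsed as filter syntax rather than matched literally, unless the net-ldap version in use escapes them itself. The bind with the caller's password and `size: 1` limit what a malformed login can achieve, but the lookup should still be an exact match: `filter: Net::LDAP::Filter.eq(ldap.uid, Net::LDAP::Filter.escape(login)),`. The header comment still reads as if this were the fallback path inside Grack; now that it is a standalone method it should state its contract, e.g. that it binds to LDAP as the given login and returns the matching GitLab user or nil, and that blank login/password are refused so an anonymous bind can never count as success. The same bind block is repeated in Grack::Auth#ldap_auth in lib/gitlab/backend/grack_auth.rb in this commit; keeping one copy avoids the two drifting.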
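--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -32,20 +32,11 @@ module Grack
 if @auth.provided?
 # Authentication with username and password
 login, password = @auth.credentials
- self.user = User.find_by_email(login) || User.find_by_username(login)
-
- # If the provided login was not a known email or username
- # then user is nil
- if user.nil?
- # Second chance - try LDAP authentication
- return false unless Gitlab.config.ldap.enabled
- ldap_auth(login,password)
- return false unless !user.nil?
- else
- return false unless user.valid_password?(password)
- end
-
- Gitlab::ShellEnv.set_env(user)
+
+ @user = authenticate(login, password)
+ return false unless @user
+
+ Gitlab::ShellEnv.set_env(@user)
 end
 
 # Git upload and receive
@@ -58,21 +49,35 @@ module Grack
 end
 end
 
+ def authenticate(login, password)
+ user = User.find_by_email(login) || User.find_by_username(login)
+
+ # If the provided login was not a known email or username
+ # then user is nil
+ if user.nil? || user.ldap_user?
+ # Second chance - try LDAP authentication
+ return nil unless ldap_conf.enabled
+
+ auth = Gitlab::Auth.new
+ auth.ldap_auth(login, password)
+ else
+ return user if user.valid_password?(password)
+ end
+ end
+
 def ldap_auth(login, password)
 # Check user against LDAP backend if user is not authenticated
 # Only check with valid login and password to prevent anonymous bind results
- gl = Gitlab.config
- if gl.ldap.enabled && !login.blank? && !password.blank?
- ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
- ldap_user = ldap.bind_as(
- filter: Net::LDAP::Filter.eq(ldap.uid, login),
- size: 1,
- password: password
- )
- if ldap_user
- self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
- end
- end
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
 end
 
 def validate_get_request
@@ -139,5 +144,9 @@ module Grack
 abilities
 end
 end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
 end# Auth
 end# Grack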
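Review bot: Grack::Auth#ldap_auth (new lines 68-81) and Grack::Auth#ldap_conf (new lines 147-150) duplicate the methods this commit adds to Gitlab::Auth, while `authenticate` goes through `Gitlab::Auth.new` and `auth.ldap_auth(login, password)`, so nothing in these hunks calls the Grack copy; two copies of credential-checking code will drift, and the Grack one can be removed if no caller outside the hunks depends on it. In `authenticate` the comment `# then user is nil` no longer matches the condition `if user.nil? || user.ldap_user?`; suggest `# Unknown login, or an account provisioned from LDAP: the password must be verified against LDAP, never against the local hash`. The `else` branch returns nil only implicitly when `valid_password?` fails; an explicit `nil` after `return user if user.valid_password?(password)` would make the rejection visible to the reader. Nothing in these hunks checks the account's state (for example `blocked?`) before the user is handed to `Gitlab::ShellEnv.set_env`; if that check lives elsewhere in Grack::Auth outside the hunks this is fine, otherwise it belongs in `authenticate` so both the local and the LDAP path share it.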