Merge pull request #3758 from fredowski/master

Authenticate LDAP users in the grack module - fixed problems - tested code

Merge pull request #3758 from fredowski/master
Authenticate LDAP users in the grack module - fixed problems - tested code
Dmitriy Zaporozhets
2 parents acb65516 20a88f5c
Showing 1 changed file with 29 additions and 1 deletions Show diff stats
lib/gitlab/backend/grack_auth.rb
 require_relative 'shell_env'
+require 'omniauth-ldap'
  
 module Grack
   class Auth < Rack::Auth::Basic
@@ -32,8 +33,18 @@ module Grack
         # Authentication with username and password
         login, password = @auth.credentials
         self.user = User.find_by_email(login) || User.find_by_username(login)
-        return false unless user.try(:valid_password?, password)
  
+        # If the provided login was not a known email or username
+        # then user is nil
+        if user.nil? 
+          # Second chance - try LDAP authentication
+          return false unless Gitlab.config.ldap.enabled         
+          ldap_auth(login,password)
+          return false unless !user.nil?
+        else
+          return false unless user.valid_password?(password)
+        end
+           
         Gitlab::ShellEnv.set_env(user)
       end
  
@@ -47,6 +58,23 @@ module Grack
       end
     end
  
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
     def validate_get_request
       project.public || can?(user, :download_code, project)
     end
1	1	require_relative 'shell_env'
	2	+require 'omniauth-ldap'
2	3
3	4	module Grack
4	5	class Auth < Rack::Auth::Basic
...	...	@@ -32,8 +33,18 @@ module Grack
32	33	# Authentication with username and password
33	34	login, password = @auth.credentials
34	35	self.user = User.find_by_email(login) \|\| User.find_by_username(login)
35		- return false unless user.try(:valid_password?, password)
36	36
	37	+ # If the provided login was not a known email or username
	38	+ # then user is nil
	39	+ if user.nil?
	40	+ # Second chance - try LDAP authentication
	41	+ return false unless Gitlab.config.ldap.enabled
	42	+ ldap_auth(login,password)
	43	+ return false unless !user.nil?
	44	+ else
	45	+ return false unless user.valid_password?(password)
	46	+ end
	47	+
37	48	Gitlab::ShellEnv.set_env(user)
38	49	end
39	50
...	...	@@ -47,6 +58,23 @@ module Grack
47	58	end
48	59	end
49	60
	61	+ def ldap_auth(login, password)
	62	+ # Check user against LDAP backend if user is not authenticated
	63	+ # Only check with valid login and password to prevent anonymous bind results
	64	+ gl = Gitlab.config
	65	+ if gl.ldap.enabled && !login.blank? && !password.blank?
	66	+ ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
	67	+ ldap_user = ldap.bind_as(
	68	+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
	69	+ size: 1,
	70	+ password: password
	71	+ )
	72	+ if ldap_user
	73	+ self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
	74	+ end
	75	+ end
	76	+ end
	77	+
50	78	def validate_get_request
51	79	project.public \|\| can?(user, :download_code, project)
52	80	end
...	...