Commit 7ec1cfd5f5775f176b3bf9f55ac712d332b4c2e3
Exists in
master
and in
4 other branches
Merge pull request #3758 from fredowski/master
Authenticate LDAP users in the grack module - fixed problems - tested code
Showing
1 changed file
with
29 additions
and
1 deletions
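--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -1,4 +1,5 @@
 require_relative 'shell_env'
+require 'omniauth-ldap'
 
 module Grack
 class Auth < Rack::Auth::Basic
@@ -32,8 +33,18 @@ module Grack
 # Authentication with username and password
 login, password = @auth.credentials
 self.user = User.find_by_email(login) || User.find_by_username(login)
- return false unless user.try(:valid_password?, password)
 
+ # If the provided login was not a known email or username
+ # then user is nil
+ if user.nil?
+ # Second chance - try LDAP authentication
+ return false unless Gitlab.config.ldap.enabled
+ ldap_auth(login,password)
+ return false unless !user.nil?
+ else
+ return false unless user.valid_password?(password)
+ end
+
 Gitlab::ShellEnv.set_env(user)
 end
 
@@ -47,6 +58,23 @@ module Grack
 end
 end
 
+ def ldap_auth(login, password)
+ # Check user against LDAP backend if user is not authenticated
+ # Only check with valid login and password to prevent anonymous bind results
+ gl = Gitlab.config
+ if gl.ldap.enabled && !login.blank? && !password.blank?
+ ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+ if ldap_user
+ self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+ end
+ end
+ end
+
 def validate_get_request
 project.public || can?(user, :download_code, project)
 end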
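Review bot: In `ldap_auth`, `login` comes straight from the Basic-auth credentials and is passed to `Net::LDAP::Filter.eq(ldap.uid, login)`, which as far as I know does not escape its value, so filter metacharacters such as `*` in the login are interpreted by the directory and, with `size: 1`, the bind may be attempted against an entry the client did not name exactly. I would escape the value before building the filter, e.g. `filter: Net::LDAP::Filter.eq(ldap.uid, Net::LDAP::Filter.escape(login)),` (confirm the bundled net-ldap version provides `escape`). Separately, the LDAP path in the second hunk runs only when `user.nil?`, so an account whose GitLab username or email equals the LDAP login is checked with `valid_password?` alone and never reaches the directory; if LDAP-provisioned accounts carry such usernames, they presumably cannot authenticate here. The guard `return false unless !user.nil?` also reads more plainly as `return false unless user`.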