Commit 7ec1cfd5f5775f176b3bf9f55ac712d332b4c2e3

Authored by Dmitriy Zaporozhets
2 parents acb65516 20a88f5c

Merge pull request #3758 from fredowski/master

Authenticate LDAP users in the grack module - fixed problems - tested code
Showing 1 changed file with 29 additions and 1 deletions   Show diff stats
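--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -1,4 +1,5 @@
 require_relative 'shell_env'
+require 'omniauth-ldap'
 
 module Grack
   class Auth < Rack::Auth::Basic
@@ -32,8 +33,18 @@ module Grack
       # Authentication with username and password
       login, password = @auth.credentials
       self.user = User.find_by_email(login) || User.find_by_username(login)
-      return false unless user.try(:valid_password?, password)
 
+      # If the provided login was not a known email or username
+      # then user is nil
+      if user.nil?
+        # Second chance - try LDAP authentication
+        return false unless Gitlab.config.ldap.enabled
+        ldap_auth(login,password)
+        return false unless !user.nil?
+      else
+        return false unless user.valid_password?(password)
+      end
+
       Gitlab::ShellEnv.set_env(user)
     end
 
@@ -47,6 +58,23 @@ module Grack
       end
     end
 
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
     def validate_get_request
       project.public || can?(user, :download_code, project)
     end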
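Review bot: `ldap_auth` (new lines 61-76) reports success only by assigning `self.user` and leaves it untouched on a failed bind, so the caller's check on line 43 is sound only because that branch is entered with `user` already nil; a comment such as `# ldap_auth sets self.user only on a successful bind; user must be nil here` on line 42, or having `ldap_auth` return the looked-up user, would make that coupling explicit, and line 43 reads better as `return false if user.nil?` than the double negative `unless !user.nil?`. Because the LDAP path is reached only when the login matched neither an email nor a username, an LDAP user whose linked GitLab account has a matching username presumably falls into the `else` branch and is checked against the local password alone — worth confirming that is the intended behaviour. Minor: `ldap_auth(login,password)` on line 42 is missing the space after the comma, and the `gl.ldap.enabled` test on line 65 repeats the check already made on line 41. The method containing the first hunk begins outside it.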