Merge pull request #3758 from fredowski/master

Authenticate LDAP users in the grack module - fixed problems - tested code

Merge pull request #3758 from fredowski/master
Authenticate LDAP users in the grack module - fixed problems - tested code
Dmitriy Zaporozhets
2 parents acb65516 20a88f5c
Showing 1 changed file with 29 additions and 1 deletions Show diff stats
lib/gitlab/backend/grack_auth.rb
 require_relative 'shell_env'
+require 'omniauth-ldap'
 module Grack
   class Auth < Rack::Auth::Basic
@@ -32,8 +33,18 @@ module Grack
         # Authentication with username and password
         login, password = @auth.credentials
         self.user = User.find_by_email(login) || User.find_by_username(login)
-        return false unless user.try(:valid_password?, password)
+        # If the provided login was not a known email or username
+        # then user is nil
+        if user.nil? 
+          # Second chance - try LDAP authentication
+          return false unless Gitlab.config.ldap.enabled         
+          ldap_auth(login,password)
+          return false unless !user.nil?
+        else
+          return false unless user.valid_password?(password)
+        end
+           
         Gitlab::ShellEnv.set_env(user)
       end
@@ -47,6 +58,23 @@ module Grack
       end
     end
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
     def validate_get_request
       project.public || can?(user, :download_code, project)
     end
1	require_relative 'shell_env'	1	require_relative 'shell_env'
		2	+require 'omniauth-ldap'
2		3
3	module Grack	4	module Grack
4	class Auth < Rack::Auth::Basic	5	class Auth < Rack::Auth::Basic
	@@ -32,8 +33,18 @@ module Grack		@@ -32,8 +33,18 @@ module Grack
32	# Authentication with username and password	33	# Authentication with username and password
33	login, password = @auth.credentials	34	login, password = @auth.credentials
34	self.user = User.find_by_email(login) \|\| User.find_by_username(login)	35	self.user = User.find_by_email(login) \|\| User.find_by_username(login)
35	- return false unless user.try(:valid_password?, password)
36		36
		37	+ # If the provided login was not a known email or username
		38	+ # then user is nil
		39	+ if user.nil?
		40	+ # Second chance - try LDAP authentication
		41	+ return false unless Gitlab.config.ldap.enabled
		42	+ ldap_auth(login,password)
		43	+ return false unless !user.nil?
		44	+ else
		45	+ return false unless user.valid_password?(password)
		46	+ end
		47	+
37	Gitlab::ShellEnv.set_env(user)	48	Gitlab::ShellEnv.set_env(user)
38	end	49	end
39		50
	@@ -47,6 +58,23 @@ module Grack		@@ -47,6 +58,23 @@ module Grack
47	end	58	end
48	end	59	end
49		60
		61	+ def ldap_auth(login, password)
		62	+ # Check user against LDAP backend if user is not authenticated
		63	+ # Only check with valid login and password to prevent anonymous bind results
		64	+ gl = Gitlab.config
		65	+ if gl.ldap.enabled && !login.blank? && !password.blank?
		66	+ ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
		67	+ ldap_user = ldap.bind_as(
		68	+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
		69	+ size: 1,
		70	+ password: password
		71	+ )
		72	+ if ldap_user
		73	+ self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
		74	+ end
		75	+ end
		76	+ end
		77	+
50	def validate_get_request	78	def validate_get_request
51	project.public \|\| can?(user, :download_code, project)	79	project.public \|\| can?(user, :download_code, project)
52	end	80	end