Commit 7ec1cfd5 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #3758 from fredowski/master

Authenticate LDAP users in the grack module - fixed problems - tested code
parents acb65516 20a88f5c
require_relative 'shell_env' require_relative 'shell_env'
require 'omniauth-ldap'
module Grack module Grack
class Auth < Rack::Auth::Basic class Auth < Rack::Auth::Basic
...@@ -32,7 +33,17 @@ module Grack ...@@ -32,7 +33,17 @@ module Grack
# Authentication with username and password # Authentication with username and password
login, password = @auth.credentials login, password = @auth.credentials
self.user = User.find_by_email(login) || User.find_by_username(login) self.user = User.find_by_email(login) || User.find_by_username(login)
return false unless user.try(:valid_password?, password)
# If the provided login was not a known email or username
# then user is nil
if user.nil?
# Second chance - try LDAP authentication
return false unless Gitlab.config.ldap.enabled
ldap_auth(login,password)
return false unless !user.nil?
else
return false unless user.valid_password?(password)
end
Gitlab::ShellEnv.set_env(user) Gitlab::ShellEnv.set_env(user)
end end
...@@ -47,6 +58,23 @@ module Grack ...@@ -47,6 +58,23 @@ module Grack
end end
end end
def ldap_auth(login, password)
# Check user against LDAP backend if user is not authenticated
# Only check with valid login and password to prevent anonymous bind results
gl = Gitlab.config
if gl.ldap.enabled && !login.blank? && !password.blank?
ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
ldap_user = ldap.bind_as(
filter: Net::LDAP::Filter.eq(ldap.uid, login),
size: 1,
password: password
)
if ldap_user
self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
end
end
end
def validate_get_request def validate_get_request
project.public || can?(user, :download_code, project) project.public || can?(user, :download_code, project)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment