Add omniauth_kerberos_spnego

76633c04 · Jacob Vosmaer · 174b48e7 · 76633c04 · 76633c04 · 76633c04
Commit 76633c04 authored Jul 12, 2016 by Jacob Vosmaer
6 changed files
--- a/app/controllers/omniauth_kerberos_spnego_controller.rb
+++ b/app/controllers/omniauth_kerberos_spnego_controller.rb
+class OmniauthKerberosSpnegoController < ApplicationController
+  include KerberosSpnegoHelper
+
+  skip_before_action :authenticate_user!
+
+  def negotiate
+    if spnego_provided? && (krb_principal = spnego_credentials!(spnego_token))
+      session[:kerberos_spnego_principal_name] = krb_principal
+      send_final_spnego_response
+      redirect_to user_kerberos_spnego_omniauth_callback_path
+      return
+    end
+
+    headers['Www-Authenticate'] = spnego_challenge
+    render 'errors/kerberos_denied.html.haml', layout: 'errors', status: 401
+  end
+end
--- a/app/helpers/kerberos_spnego_helper.rb
+++ b/app/helpers/kerberos_spnego_helper.rb
@@ -42,7 +42,6 @@ module KerberosSpnegoHelper
  end

  def find_kerberos_user
-    spnego_token = Base64.strict_decode64(auth_param(request))
    krb_principal = spnego_credentials!(spnego_token)
    return unless krb_principal

@@ -77,4 +76,8 @@ module KerberosSpnegoHelper
    Rails.logger.error "#{self.class.name}: failed to process Negotiate/Kerberos authentication: #{ex.message}"
    false
  end
+
+  def spnego_token
+    Base64.strict_decode64(auth_param(request))
+  end
 end
--- a/app/views/errors/kerberos_denied.html.haml
+++ b/app/views/errors/kerberos_denied.html.haml
+- page_title "Kerberos SPNEGO access denied"
+%h1 401
+%h3 Kerberos SPNEGO authentication failed
+%hr
+%p Return to the
+  = succeed "." do
+    = link_to new_user_session_path, 'sign-in page'
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -14,6 +14,11 @@ if Gitlab::LDAP::Config.enabled?
  end
 end

+if Gitlab.config.kerberos.enabled
+  require 'omniauth/strategies/kerberos_spnego'
+  Gitlab.config.omniauth.providers << { 'name' => 'kerberos_spnego' }
+end
+
 OmniAuth.config.full_host = Settings.gitlab['base_url']
 OmniAuth.config.allowed_request_methods = [:post]
 # In case of auto sign-in, the GET method is used (users don't get to click on a button)

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -498,6 +498,7 @@ Rails.application.routes.draw do
  devise_scope :user do
    get '/users/auth/:provider/omniauth_error' => 'omniauth_callbacks#omniauth_error', as: :omniauth_error
    get '/users/almost_there' => 'confirmations#almost_there'
+    get '/users/auth/kerberos_spnego/negotiate' => 'omniauth_kerberos_spnego#negotiate'
  end

  root to: "root#index"

--- a/lib/omniauth/strategies/kerberos_spnego.rb
+++ b/lib/omniauth/strategies/kerberos_spnego.rb
+require 'omniauth'
+
+module OmniAuth
+  module Strategies
+    class KerberosSpnego
+      include OmniAuth::Strategy
+      include Gitlab::Routing.url_helpers
+
+      option :name, 'kerberos_spnego'
+
+      uid { username }
+
+      info do
+        { username: username, email: email }
+      end
+
+      def username
+        principal_name.split('@')[0]
+      end
+
+      def email
+        username + '@' + principal_name.split('@')[1].downcase
+      end
+
+      def principal_name
+        return @principal_name if defined?(@principal_name)
+
+        @principal_name = session.delete(:kerberos_spnego_principal_name)
+      end
+
+      def request_phase
+        redirect users_auth_kerberos_spnego_negotiate_path
+      end
+    end
+  end
+end