author | Douwe Maan <douwe@gitlab.com> | 2016-07-01 22:24:49 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-07-01 22:24:49 +0000 |
commit | fc3402b7eaa9e9839ac2b7087d9582f518b0bf96 (patch) | |
tree | e3f4cd223ebdd3a17614aba74e997043e966326d /app | |
parent | d1c94f034bbf688248f46482b941fe673940c6b0 (diff) | |
parent | 4bcad1cbddca92e27c19a1c6c0872a01ef318f69 (diff) | |
download | gitlab-ce-fc3402b7eaa9e9839ac2b7087d9582f518b0bf96.tar.gz |
Merge branch 'git-http-kerberos-ce' into 'master'
Groundwork for Kerberos SPNEGO (EE feature)
Refactor Projects::GitHttpController to allow Kerberos integration in GitLab EE.
Companion to https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/509
See merge request !5037
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/git_http_controller.rb | 39 | ||||
-rw-r--r-- | app/helpers/kerberos_spnego_helper.rb | 9 |
2 files changed, 44 insertions, 4 deletions
diff --git a/app/controllers/projects/git_http_controller.rb b/app/controllers/projects/git_http_controller.rb
index f907d63258b..62c3fa8de53 100644
--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -1,4 +1,9 @@
+# This file should be identical in GitLab Community Edition and Enterprise Edition
+
 class Projects::GitHttpController < Projects::ApplicationController
+ include ActionController::HttpAuthentication::Basic
+ include KerberosSpnegoHelper
+
 attr_reader :user
 
 # Git clients will not know what authenticity token to send along
@@ -40,9 +45,12 @@ class Projects::GitHttpController < Projects::ApplicationController
 private
 
 def authenticate_user
- return if project && project.public? && upload_pack?
+ if project && project.public? && upload_pack?
+ return # Allow access
+ end
 
- authenticate_or_request_with_http_basic do |login, password|
+ if allow_basic_auth? && basic_auth_provided?
+ login, password = user_name_and_password(request)
 auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
 
 if auth_result.type == :ci && upload_pack?
@@ -53,8 +61,31 @@ class Projects::GitHttpController < Projects::ApplicationController
 @user = auth_result.user
 end
 
- ci? || user
+ if ci? || user
+ return # Allow access
+ end
+ elsif allow_kerberos_spnego_auth? && spnego_provided?
+ @user = find_kerberos_user
+
+ if user
+ send_final_spnego_response
+ return # Allow access
+ end
 end
+
+ send_challenges
+ render plain: "HTTP Basic: Access denied\n", status: 401
+ end
+
+ def basic_auth_provided?
+ has_basic_credentials?(request)
+ end
+
+ def send_challenges
+ challenges = []
+ challenges << 'Basic realm="GitLab"' if allow_basic_auth?
+ challenges << spnego_challenge if allow_kerberos_spnego_auth?
+ headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
 end
 
 def ensure_project_found!
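Review bot: Mixing `ActionController::HttpAuthentication::Basic` and `KerberosSpnegoHelper` into the controller in the first hunk makes every method of both modules a public instance method of `Projects::GitHttpController`, and Rails treats public controller methods as candidate actions. Whether any route can reach them is not visible here, but the controller only uses two of the Basic helpers, so the include could be dropped and the calls written as `ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)` and `ActionController::HttpAuthentication::Basic.user_name_and_password(request)`. If the include stays, a comment such as `# Included only for has_basic_credentials? and user_name_and_password` would document why it is there. The class body continues outside this hunk.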
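Review bot: `send_challenges` puts a raw newline into a header value with `challenges.join("\n")`, which presumably relies on Rack splitting newline-joined values into separate header lines; without a comment it reads like header injection and would break quietly if that header handling ever changes. I would add a comment above the assignment, e.g. `# Rack emits one Www-Authenticate line per "\n"-separated value`, and state that `spnego_challenge` (not defined in this commit) must never contain a newline itself. Separately, when both `allow_basic_auth?` and `allow_kerberos_spnego_auth?` are false the 401 is sent with no challenge header at all, and the body still reads `HTTP Basic: Access denied` whichever mechanism was attempted. `authenticate_user` starts above this hunk, so the fall-through-to-deny structure should be confirmed against the full method.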
@@ -120,7 +151,7 @@ class Projects::GitHttpController < Projects::ApplicationController
 end
 
 def render_not_found
- render text: 'Not Found', status: :not_found
+ render plain: 'Not Found', status: :not_found
 end
 
 def ci?
diff --git a/app/helpers/kerberos_spnego_helper.rb b/app/helpers/kerberos_spnego_helper.rb
new file mode 100644
index 00000000000..f5b0aa7549a
--- /dev/null
+++ b/app/helpers/kerberos_spnego_helper.rb
@@ -0,0 +1,9 @@
+module KerberosSpnegoHelper
+ def allow_basic_auth?
+ true # different behavior in GitLab Enterprise Edition
+ end
+
+ def allow_kerberos_spnego_auth?
+ false # different behavior in GitLab Enterprise Edition
+ end
+end
|
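Review bot: The new helper defines only the two `allow_*` switches, while the controller in this commit also calls `spnego_provided?`, `find_kerberos_user`, `send_final_spnego_response` and `spnego_challenge`, none of which appear in the files shown here. Those calls are skipped only because `allow_kerberos_spnego_auth?` is hard-coded to `false`, so flipping it in CE would raise inside the authentication filter of the Git HTTP endpoint. I would make that dependency explicit on the method, e.g. `false # must stay false in CE: the spnego_* methods exist only in Enterprise Edition`, and add a short module comment stating that this helper is the CE stub of the EE implementation.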