authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-05-24 20:36:28 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-05-24 20:36:28 +0300
commit63c6f30aba95398f732876f94f1fba1f8ed19622 (patch)
tree165c073db21174edb9b12c1db77574e36bc336dc /lib
parenta3645b5b4d86b385f870b73784acb79f824918ff (diff)
downloadgitlab-ce-63c6f30aba95398f732876f94f1fba1f8ed19622.tar.gz
Fix ldap auth for http push
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/auth.rb19
-rw-r--r--lib/gitlab/backend/grack_auth.rb61
2 files changed, 54 insertions, 26 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 78d2196fbbe..ff1d1b13cc9 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -70,5 +70,24 @@ module Gitlab
def log
Gitlab::AppLogger
end
+
+ def ldap_auth(login, password)
+ # Check user against LDAP backend if user is not authenticated
+ # Only check with valid login and password to prevent anonymous bind results
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
+ end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
end
end
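Review bot: In the new `Gitlab::Auth#ldap_auth` the `login` taken from the HTTP Basic credentials is placed into `Net::LDAP::Filter.eq(ldap.uid, login)` unescaped; net-ldap treats `*` inside an `eq` value as a substring wildcard and `(`, `)` and `\` as filter syntax, so the filter can match an LDAP entry other than the account the caller named, and with `size: 1` the bind is then attempted against whichever entry is returned first. Escape the value, `filter: Net::LDAP::Filter.eq(ldap.uid, Net::LDAP::Filter.escape(login)),`, here and on the identical line kept in `lib/gitlab/backend/grack_auth.rb` (assuming the bundled net-ldap provides `Filter.escape`, which recent releases do). The blank-credential guard is what prevents an anonymous or unauthenticated bind from being treated as success, so the comment above it is worth keeping as-is. The method also yields nil when the bound DN has no linked GitLab account (`find_by_extern_uid_and_provider` returning nil), which callers treat as "not authenticated"; a `# @return [User, nil] nil when LDAP is disabled, credentials are blank, the bind fails, or the bound DN is not linked to a user` line would make that contract explicit.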
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index 6a411aabcc6..4f3f7b02a5b 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -32,20 +32,11 @@ module Grack
if @auth.provided?
# Authentication with username and password
login, password = @auth.credentials
- self.user = User.find_by_email(login) || User.find_by_username(login)
-
- # If the provided login was not a known email or username
- # then user is nil
- if user.nil?
- # Second chance - try LDAP authentication
- return false unless Gitlab.config.ldap.enabled
- ldap_auth(login,password)
- return false unless !user.nil?
- else
- return false unless user.valid_password?(password)
- end
-
- Gitlab::ShellEnv.set_env(user)
+
+ @user = authenticate(login, password)
+ return false unless @user
+
+ Gitlab::ShellEnv.set_env(@user)
end
# Git upload and receive
@@ -58,21 +49,35 @@ module Grack
end
end
+ def authenticate(login, password)
+ user = User.find_by_email(login) || User.find_by_username(login)
+
+ # If the provided login was not a known email or username
+ # then user is nil
+ if user.nil? || user.ldap_user?
+ # Second chance - try LDAP authentication
+ return nil unless ldap_conf.enabled
+
+ auth = Gitlab::Auth.new
+ auth.ldap_auth(login, password)
+ else
+ return user if user.valid_password?(password)
+ end
+ end
+
def ldap_auth(login, password)
# Check user against LDAP backend if user is not authenticated
# Only check with valid login and password to prevent anonymous bind results
- gl = Gitlab.config
- if gl.ldap.enabled && !login.blank? && !password.blank?
- ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
- ldap_user = ldap.bind_as(
- filter: Net::LDAP::Filter.eq(ldap.uid, login),
- size: 1,
- password: password
- )
- if ldap_user
- self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
- end
- end
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
end
def validate_get_request
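Review bot: `Grack::Auth#ldap_auth` survives this hunk but nothing calls it any more: the new `authenticate` goes through `Gitlab::Auth.new.ldap_auth`, so the bind logic now exists twice and the copy kept here will drift from the one in `lib/gitlab/auth.rb` (the `ldap_conf` helper added in the last hunk is still used by `authenticate`, so it stays). Removing the local `ldap_auth` is the straightforward fix; the `return nil unless ldap_conf.enabled` guard in `authenticate` duplicates the first check inside `Gitlab::Auth#ldap_auth`, which is harmless but deserves a short comment if it is kept deliberately. In the `else` branch the nil result for a wrong local password comes only from the modifier `if` evaluating to nil; `user if user.valid_password?(password)` states that intent directly. The comment above the branch is stale now that `ldap_user?` accounts also take this path; `# LDAP-backed accounts are never checked against the local password; unknown logins get one LDAP attempt` describes the new condition.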
@@ -139,5 +144,9 @@ module Grack
abilities
end
end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
end# Auth
end# Grack