LDAP Authentification with grack for https push - fixed password check

228baa80 · Friedrich Beckmann · df96c079 · 228baa80
Commit 228baa80 authored Apr 27, 2013 by Friedrich Beckmann
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 1 deletion

lib/gitlab/backend/grack_auth.rb lib/gitlab/backend/grack_auth.rb +25 -1

No files found.
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
 require_relative 'shell_env'
+require 'omniauth-ldap'

 module Grack
  class Auth < Rack::Auth::Basic
@@ -32,8 +33,14 @@ module Grack
        # Authentication with username and password
        login, password = @auth.credentials
        self.user = User.find_by_email(login) || User.find_by_username(login)
-        return false unless user.try(:valid_password?, password)

+        if user.nil?
+          ldap_auth(login,password)
+          return false unless !user.nil?
+        else
+          return false unless user.valid_password?(password);
+        end
+           
        Gitlab::ShellEnv.set_env(user)
      end

@@ -47,6 +54,23 @@ module Grack
      end
    end

+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
    def validate_get_request
      project.public || can?(user, :download_code, project)
    end