Class: Gitlab::Auth::Ldap::Authentication

Inherits:

OAuth::Authentication

• Object
• OAuth::Authentication
• Gitlab::Auth::Ldap::Authentication

Defined in:

lib/gitlab/auth/ldap/authentication.rb

Instance Attribute Summary

Attributes inherited from OAuth::Authentication

#provider, #user

Class Method Summary

• .login(login, password) ⇒ Object
• .providers ⇒ Object

Instance Method Summary

• #adapter ⇒ Object
• #config ⇒ Object
• #login(login, password) ⇒ Object
• #user_filter(login) ⇒ Object

Methods inherited from OAuth::Authentication

#initialize

Constructor Details

This class inherits a constructor from Gitlab::Auth::OAuth::Authentication

Class Method Details

.login(login, password) ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 13

def self.login(login, password)
  return unless Gitlab::Auth::Ldap::Config.enabled?
  return unless login.present? && password.present?

  # return found user that was authenticated by first provider for given login credentials
  providers.find do |provider|
    auth = new(provider)
    break auth.user if auth.login(login, password) # true will exit the loop
  end
end

.providers ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 24

def self.providers
  Gitlab::Auth::Ldap::Config.providers
end

Instance Method Details

#adapter ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 39

def adapter
  OmniAuth::LDAP::Adaptor.new(config.omniauth_options)
end

#config ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 43

def config
  Gitlab::Auth::Ldap::Config.new(provider)
end

#login(login, password) ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 28

def login(login, password)
  result = adapter.bind_as(
    filter: user_filter(login),
    size: 1,
    password: password
  )
  return unless result

  @user = Gitlab::Auth::Ldap::User.find_by_uid_and_provider(result.dn, provider)
end

#user_filter(login) ⇒ Object

# File 'lib/gitlab/auth/ldap/authentication.rb', line 47

def user_filter(login)
  # Allow LDAP users to authenticate by using their GitLab username in case
  # their LDAP username does not match GitLab username or
  # their LDAP username collide with another user's GitLab username.
  # See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186848
  uid = if user && user.ldap_user?
          ::Gitlab::Auth::Ldap::Person.find_by_dn(
            user.ldap_identity.extern_uid,
            Gitlab::Auth::Ldap::Adapter.new(provider)
          )&.uid
        end

  uid ||= login

  filter = Net::LDAP::Filter.equals(config.uid, uid)

  # Apply LDAP user filter if present
  if config.user_filter.present?
    filter = Net::LDAP::Filter.join(filter, config.constructed_user_filter)
  end

  filter
end