gitlab-org--gitlab-foss/lib/gitlab/backend/grack_auth.rb

require_relative 'shell_env'
require 'omniauth-ldap'

module Grack
  class Auth < Rack::Auth::Basic
    attr_accessor :user, :project

    def call(env)
      @env = env
      @request = Rack::Request.new(env)
      @auth = Request.new(env)

      # Need this patch due to the rails mount
      @env['PATH_INFO'] = @request.path
      @env['SCRIPT_NAME'] = ""

      return render_not_found unless project
      return unauthorized unless project.public || @auth.provided?
      return bad_request if @auth.provided? && !@auth.basic?

      if valid?
        if @auth.provided?
          @env['REMOTE_USER'] = @auth.username
        end
        return @app.call(env)
      else
        unauthorized
      end
    end

    def valid?
      if @auth.provided?
        # Authentication with username and password
        login, password = @auth.credentials
        self.user = User.find_by_email(login) || User.find_by_username(login)

        # If the provided login was not a known email or username
        # then user is nil
        if user.nil? 
          # Second chance - try LDAP authentication
          return false unless Gitlab.config.ldap.enabled         
          ldap_auth(login,password)
          return false unless !user.nil?
        else
          return false unless user.valid_password?(password)
        end
           
        Gitlab::ShellEnv.set_env(user)
      end

      # Git upload and receive
      if @request.get?
        validate_get_request
      elsif @request.post?
        validate_post_request
      else
        false
      end
    end

    def ldap_auth(login, password)
      # Check user against LDAP backend if user is not authenticated
      # Only check with valid login and password to prevent anonymous bind results
      gl = Gitlab.config
      if gl.ldap.enabled && !login.blank? && !password.blank?
        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
        ldap_user = ldap.bind_as(
          filter: Net::LDAP::Filter.eq(ldap.uid, login),
          size: 1,
          password: password
        )
        if ldap_user
          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
        end
      end
    end

    def validate_get_request
      validate_request(@request.params['service'])
    end

    def validate_post_request
      validate_request(File.basename(@request.path))
    end

    def validate_request(service)
      if service == 'git-upload-pack'
        project.public || can?(user, :download_code, project)
      elsif service == 'git-receive-pack'
        action = if project.protected_branch?(current_ref)
                   :push_code_to_protected_branches
                 else
                   :push_code
                 end

        can?(user, action, project)
      else
        false
      end
    end

    def can?(object, action, subject)
      abilities.allowed?(object, action, subject)
    end

    def current_ref
      if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
        input = Zlib::GzipReader.new(@request.body).read
      else
        input = @request.body.read
      end
      # Need to reset seek point
      @request.body.rewind
      /refs\/heads\/([\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last
    end

    def project
      unless instance_variable_defined? :@project
        # Find project by PATH_INFO from env
        if m = /^\/([\w\.\/-]+)\.git/.match(@request.path_info).to_a
          @project = Project.find_with_namespace(m.last)
        end
      end
      return @project
    end

    PLAIN_TYPE = {"Content-Type" => "text/plain"}

    def render_not_found
      [404, PLAIN_TYPE, ["Not Found"]]
    end

    protected

    def abilities
      @abilities ||= begin
                       abilities = Six.new
                       abilities << Ability
                       abilities
                     end
    end
  end# Auth
end# Grack
require missing lib 2013-02-14 13:25:55 +00:00			`require_relative 'shell_env'`
LDAP Authentification with grack for https push - fixed password check 2013-04-27 20:20:26 +00:00			`require 'omniauth-ldap'`
require missing lib 2013-02-14 13:25:55 +00:00
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-29 03:30:31 +00:00			`module Grack`
			`class Auth < Rack::Auth::Basic`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`attr_accessor :user, :project`
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-29 03:30:31 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`def call(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`@auth = Request.new(env)`
Public git read-only access via http 2013-01-10 18:17:57 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`# Need this patch due to the rails mount`
			`@env['PATH_INFO'] = @request.path`
			`@env['SCRIPT_NAME'] = ""`
Fix http push with namespaces. Allow use of username as login 2012-11-26 09:23:08 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`return render_not_found unless project`
			`return unauthorized unless project.public \|\| @auth.provided?`
			`return bad_request if @auth.provided? && !@auth.basic?`
Fix http push with namespaces. Allow use of username as login 2012-11-26 09:23:08 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`if valid?`
			`if @auth.provided?`
			`@env['REMOTE_USER'] = @auth.username`
			`end`
			`return @app.call(env)`
			`else`
			`unauthorized`
			`end`
			`end`
fix a npe, and need a patch for path_info 2012-06-29 13:40:23 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`def valid?`
			`if @auth.provided?`
			`# Authentication with username and password`
			`login, password = @auth.credentials`
			`self.user = User.find_by_email(login) \|\| User.find_by_username(login)`
Fix http push with namespaces. Allow use of username as login 2012-11-26 09:23:08 +00:00
LDAP authentication in grack - check ldap conf before call / added comment 2013-04-29 20:26:03 +00:00			`# If the provided login was not a known email or username`
			`# then user is nil`
			`if user.nil?`
			`# Second chance - try LDAP authentication`
			`return false unless Gitlab.config.ldap.enabled`
LDAP Authentification with grack for https push - fixed password check 2013-04-27 20:20:26 +00:00			`ldap_auth(login,password)`
			`return false unless !user.nil?`
			`else`
LDAP authentication in grack - check ldap conf before call / added comment 2013-04-29 20:26:03 +00:00			`return false unless user.valid_password?(password)`
LDAP Authentification with grack for https push - fixed password check 2013-04-27 20:20:26 +00:00			`end`

Gitlab::ShellEnv added 2013-02-14 13:17:43 +00:00			`Gitlab::ShellEnv.set_env(user)`
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`end`
bypass gitolite update hook, and set an GL_USER variable. 2012-07-02 08:44:45 +00:00
integrate with gitlabhq authority 2012-06-29 07:43:15 +00:00			`# Git upload and receive`
use high level api and compatibility with Passenger 2012-09-17 10:36:23 +00:00			`if @request.get?`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`validate_get_request`
use high level api and compatibility with Passenger 2012-09-17 10:36:23 +00:00			`elsif @request.post?`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`validate_post_request`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00			`else`
			`false`
integrate with gitlabhq authority 2012-06-29 07:43:15 +00:00			`end`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`end`

LDAP Authentification with grack for https push - fixed password check 2013-04-27 20:20:26 +00:00			`def ldap_auth(login, password)`
			`# Check user against LDAP backend if user is not authenticated`
			`# Only check with valid login and password to prevent anonymous bind results`
			`gl = Gitlab.config`
			`if gl.ldap.enabled && !login.blank? && !password.blank?`
			`ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)`
			`ldap_user = ldap.bind_as(`
			`filter: Net::LDAP::Filter.eq(ldap.uid, login),`
			`size: 1,`
			`password: password`
			`)`
			`if ldap_user`
			`self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')`
			`end`
			`end`
			`end`

Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`def validate_get_request`
fix http push 401 2013-04-19 08:43:54 +00:00			`validate_request(@request.params['service'])`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`end`

			`def validate_post_request`
fix http push 401 2013-04-19 08:43:54 +00:00			`validate_request(File.basename(@request.path))`
			`end`

			`def validate_request(service)`
			`if service == 'git-upload-pack'`
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`project.public \|\| can?(user, :download_code, project)`
fix http push 401 2013-04-19 08:43:54 +00:00			`elsif service == 'git-receive-pack'`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`action = if project.protected_branch?(current_ref)`
			`:push_code_to_protected_branches`
			`else`
			`:push_code`
			`end`

			`can?(user, action, project)`
			`else`
			`false`
			`end`
			`end`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00
Fix git over HTTP 2012-10-22 15:45:42 +00:00			`def can?(object, action, subject)`
			`abilities.allowed?(object, action, subject)`
			`end`

implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00			`def current_ref`
			`if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/`
fix git push body bigger than 112k problem 2012-08-25 07:24:21 +00:00			`input = Zlib::GzipReader.new(@request.body).read`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00			`else`
fix git push body bigger than 112k problem 2012-08-25 07:24:21 +00:00			`input = @request.body.read`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00			`end`
fix git push body bigger than 112k problem 2012-08-25 07:24:21 +00:00			`# Need to reset seek point`
			`@request.body.rewind`
better fix for encoding error 2013-05-03 03:31:23 +00:00			`/refs\/heads\/([\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00			`end`
Fix git over HTTP 2012-10-22 15:45:42 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`def project`
			`unless instance_variable_defined? :@project`
			`# Find project by PATH_INFO from env`
			`if m = /^\/([\w\.\/-]+)\.git/.match(@request.path_info).to_a`
			`@project = Project.find_with_namespace(m.last)`
			`end`
			`end`
			`return @project`
			`end`

			`PLAIN_TYPE = {"Content-Type" => "text/plain"}`

			`def render_not_found`
			`[404, PLAIN_TYPE, ["Not Found"]]`
			`end`

Fix git over HTTP 2012-10-22 15:45:42 +00:00			`protected`

			`def abilities`
			`@abilities \|\|= begin`
			`abilities = Six.new`
			`abilities << Ability`
			`abilities`
			`end`
			`end`
integrate with gitlabhq authority 2012-06-29 07:43:15 +00:00			`end# Auth`
			`end# Grack`