Fix broken Git over HTTP clones with LDAP users

Due to a regression in !20608, the LDAP authenticator was not being used unless OmniAuth was enabled. This change allows the LDAP provider to be used if it is configured regardless of the OmniAuth setting. Closes #50579
2018-08-22 13:05:01 -07:00 · 2018-08-22 13:05:01 -07:00 · 7486d424b9
parent 0e9dc23d46
commit 7486d424b9
3 changed files with 48 additions and 0 deletions
--- a/changelogs/unreleased/sh-fix-broken-ldap-clones.yml
+++ b/changelogs/unreleased/sh-fix-broken-ldap-clones.yml
@ -0,0 +1,5 @@
+---
+title: Fix broken Git over HTTP clones with LDAP users
+merge_request: 21352
+author:
+type: fixed
--- a/lib/gitlab/auth/o_auth/provider.rb
+++ b/lib/gitlab/auth/o_auth/provider.rb
@ -29,6 +29,7 @@ module Gitlab

        def self.enabled?(name)
          return true if name == 'database'
+          return true if self.ldap_provider?(name) && providers.include?(name.to_sym)

          Gitlab::Auth.omniauth_enabled? && providers.include?(name.to_sym)
        end
--- a/spec/lib/gitlab/auth/o_auth/provider_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/provider_spec.rb
@ -1,6 +1,48 @@
 require 'spec_helper'

 describe Gitlab::Auth::OAuth::Provider do
+  describe '.enabled?' do
+    before do
+      allow(described_class).to receive(:providers).and_return([:ldapmain, :google_oauth2])
+    end
+
+    context 'when OmniAuth is disabled' do
+      before do
+        allow(Gitlab::Auth).to receive(:omniauth_enabled?).and_return(false)
+      end
+
+      it 'allows database auth' do
+        expect(described_class.enabled?('database')).to be_truthy
+      end
+
+      it 'allows LDAP auth' do
+        expect(described_class.enabled?('ldapmain')).to be_truthy
+      end
+
+      it 'does not allow other OmniAuth providers' do
+        expect(described_class.enabled?('google_oauth2')).to be_falsey
+      end
+    end
+
+    context 'when OmniAuth is enabled' do
+      before do
+        allow(Gitlab::Auth).to receive(:omniauth_enabled?).and_return(true)
+      end
+
+      it 'allows database auth' do
+        expect(described_class.enabled?('database')).to be_truthy
+      end
+
+      it 'allows LDAP auth' do
+        expect(described_class.enabled?('ldapmain')).to be_truthy
+      end
+
+      it 'allows other OmniAuth providers' do
+        expect(described_class.enabled?('google_oauth2')).to be_truthy
+      end
+    end
+  end
+
  describe '#config_for' do
    context 'for an LDAP provider' do
      context 'when the provider exists' do