Kerberos: username as identifier

doc/integration/README.md

@@ -10,7 +10,7 @@ See the documentation below for details on how to configure these services.
 - [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, and Google via OAuth.
 - [Jenkins](jenkins.md) Integrate with the Jenkins CI
 - [Slack](slack.md) Integrate with the Slack chat service
-- [Kerberos](kerberos.md) Integrate with the Slack chat service
+- [Kerberos](kerberos.md) Integrate with Kerberos
 
 ## Project services
 

doc/integration/kerberos.md

@@ -9,7 +9,7 @@ Kerberos integration can be enabled as a regular omniauth provider, edit [gitlab
 
 You still need to configure your system for Kerberos usage, such as specifying realms. GitLab will make use of the system's Kerberos settings.
 
-The first time a user signs in with Kerberos credentials, GitLab will create a new GitLab user associated with the email, which is built from the kerberos username and realm. This also means that the system realm you want to use and the email addresses of existing GitLab users should match, meaning the domain part of the email addresses and the realm should match. Existing GitLab users can go to profile > account and attach a Kerberos account. If the email and realm match, the Kerberos account will be linked to the user.
+The first time a user signs in with Kerberos credentials, GitLab will create a new GitLab user associated with the email, which is built from the kerberos username and realm. Existing GitLab users can go to profile > account and attach a Kerberos account.
 
 ## HTTP git access
 

lib/gitlab/kerberos/authentication.rb

@@ -25,11 +25,16 @@ module Gitlab
       end
 
       def login
-        valid? && User.find_by(email: email)
+        valid? && find_by_login(@login)
       end
 
-      def email
-        @login + "@" + @krb5.get_default_realm.downcase
+      private
+
+      def find_by_login(login)
+        identity = ::Identity.
+          where(provider: :kerberos).
+          where('lower(extern_uid) = ?', login).last
+        identity && identity.user
       end
     end
   end

spec/lib/gitlab/kerberos/authentication_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Gitlab::Kerberos::Authentication do
   let(:klass) { Gitlab::Kerberos::Authentication }
-  let(:user) { create(:user) }
+  let(:user) { create(:omniauth_user, provider: :kerberos, extern_uid: 'gitlab') }
   let(:login) { 'john' }
   let(:password) { 'password' }
 
@@ -12,12 +12,11 @@ describe Gitlab::Kerberos::Authentication do
     end
 
     it "finds the user if authentication is successful" do
-      kerberos_login = user.email.sub(/@.*/, '')
       kerberos_realm = user.email.sub(/.*@/, '')
       ::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
       ::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
 
-      expect(klass.login(kerberos_login, password)).to be_true
+      expect(klass.login('gitlab', password)).to be_true
     end
 
     it "returns false if there is no such user in kerberos" do
@@ -28,14 +27,5 @@ describe Gitlab::Kerberos::Authentication do
 
       expect(klass.login(kerberos_login, password)).to be_false
     end
-
-    it "returns false if kerberos user is valid but system has wrong realm" do
-      kerberos_login = user.email.sub(/@.*/, '')
-      kerberos_realm = "some-realm.com"
-      ::Krb5Auth::Krb5.any_instance.stub(get_init_creds_password: true)
-      ::Krb5Auth::Krb5.any_instance.stub(get_default_realm: kerberos_realm)
-
-      expect(klass.login(kerberos_login, password)).to be_false
-    end
   end
 end
\ No newline at end of file