Commit 8a799319 authored by Valery Sizov

Kerberos support

parent c97baeb9
......@@ -28,6 +28,7 @@ gem 'omniauth-google-oauth2'
gem 'omniauth-twitter'
gem 'omniauth-github'
gem 'omniauth-shibboleth'
gem 'omniauth-kerberos'
# Extracting information from a git repository
# Provide access to Gitlab::Git library
......
......@@ -323,6 +323,11 @@ GEM
omniauth-google-oauth2 (0.2.5)
omniauth (> 1.0)
omniauth-oauth2 (~> 1.1)
omniauth-kerberos (0.2.0)
omniauth-multipassword
timfel-krb5-auth (~> 0.8)
omniauth-multipassword (0.4.1)
omniauth (~> 1.0)
omniauth-oauth (1.0.1)
oauth
omniauth (~> 1.0)
......@@ -536,6 +541,7 @@ GEM
thread_safe (0.3.4)
tilt (1.4.1)
timers (1.1.0)
timfel-krb5-auth (0.8)
tinder (1.9.3)
eventmachine (~> 1.0)
faraday (~> 0.8)
......@@ -661,6 +667,7 @@ DEPENDENCIES
omniauth (~> 1.1.3)
omniauth-github
omniauth-google-oauth2
omniauth-kerberos
omniauth-shibboleth
omniauth-twitter
org-ruby (= 0.9.9)
......
class OmniauthCallbacksController < Devise::OmniauthCallbacksController
protect_from_forgery except: :kerberos
Gitlab.config.omniauth.providers.each do |provider|
define_method provider['name'] do
handle_omniauth
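Review bot: `protect_from_forgery except: :kerberos` on the second line switches off CSRF verification for the one action that now accepts a username and password from a browser form, and the commit gives no reason for it. The new partial is built with `form_tag(user_omniauth_callback_path(provider), ...)`, which emits the authenticity token, so the exemption appears unnecessary; without verification a third-party page can submit that form on a visitor's behalf (login CSRF). I would remove the `except:` clause, or, if the OmniAuth callback genuinely cannot carry the token, keep it with a comment above the line such as `# CSRF verification is skipped for :kerberos because …` stating the reason. The class body continues outside the hunk.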
......
......@@ -3,6 +3,14 @@ module OauthHelper
Gitlab.config.ldap.enabled
end
def kerberos_enabled?
enabled_oauth_providers.include?(:kerberos)
end
def standard_login_form_only?
ldap_enabled? || kerberos_enabled?
end
def default_providers
[:twitter, :github, :google_oauth2, :ldap]
end
......@@ -13,11 +21,13 @@ module OauthHelper
def enabled_social_providers
enabled_oauth_providers.select do |name|
[:twitter, :github, :google_oauth2].include?(name.to_sym)
[:twitter, :github, :google_oauth2, :kerberos].include?(name.to_sym)
end
end
def additional_providers
enabled_oauth_providers.reject{|provider| provider.to_s.starts_with?('ldap')}
enabled_oauth_providers.reject do |provider|
provider.to_s.starts_with?('ldap') || provider == :kerberos
end
end
end
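Review bot: `standard_login_form_only?` in the first hunk returns true when LDAP or Kerberos is enabled, which is exactly when the sign-in page needs the tabbed layout rather than only the standard form, so the name states the opposite of what it answers; a name such as `def tabbed_login?`, or at least a comment `# true when an extra sign-in tab (LDAP or Kerberos) must be rendered`, would avoid the inverted reading in the view. Separately, `kerberos_enabled?` tests `include?(:kerberos)` and `additional_providers` tests `provider == :kerberos`, while `enabled_social_providers` in the second hunk calls `name.to_sym` on the same collection; if `enabled_oauth_providers` yields strings rather than symbols, the two new comparisons never match, which is worth confirming against that helper (outside the hunk).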
= form_tag(user_omniauth_callback_path(provider), id: 'new_kerberos_user' ) do
= text_field_tag :username, nil, {class: "form-control top", placeholder: "Kerberos Login", autofocus: "autofocus"}
= password_field_tag :password, nil, {class: "form-control bottom", placeholder: "Password"}
%br/
= button_tag "Kerberos Sign in", class: "btn-save btn"
\ No newline at end of file
......@@ -2,18 +2,26 @@
.login-heading
%h3 Sign in
.login-body
- if ldap_enabled?
- if standard_login_form_only?
%ul.nav.nav-tabs
- @ldap_servers.each_with_index do |server, i|
%li{class: (:active if i.zero?)}
= link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab'
- if ldap_enabled?
- @ldap_servers.each_with_index do |server, i|
%li{class: (:active if i.zero?)}
= link_to server['label'], "#tab-#{server['provider_name']}", 'data-toggle' => 'tab'
- if kerberos_enabled?
%li{class: (:active unless ldap_enabled?)}
= link_to "Kerberos", "#tab-kerberos", 'data-toggle' => 'tab'
- if gitlab_config.signin_enabled
%li
= link_to 'Standard', '#tab-signin', 'data-toggle' => 'tab'
.tab-content
- @ldap_servers.each_with_index do |server, i|
%div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)}
= render 'devise/sessions/new_ldap', provider: server['provider_name']
- if ldap_enabled?
- @ldap_servers.each_with_index do |server, i|
%div.tab-pane{id: "tab-#{server['provider_name']}", class: (:active if i.zero?)}
= render 'devise/sessions/new_ldap', provider: server['provider_name']
- if kerberos_enabled?
%div#tab-kerberos.tab-pane{class: (:active unless ldap_enabled?)}
= render 'devise/sessions/new_kerberos', provider: :kerberos
- if gitlab_config.signin_enabled
%div#tab-signin.tab-pane
= render 'devise/sessions/new_base'
......
......@@ -2,6 +2,11 @@ module Gitlab
class Auth
def find(login, password)
user = User.by_login(login)
if Devise.omniauth_providers.include?(:kerberos)
kerberos_user = Gitlab::Kerberos::Authentication.login(login, password)
return kerberos_user if kerberos_user
end
# If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP
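Review bot: The `Devise.omniauth_providers.include?(:kerberos)` guard around the new block duplicates the check that `Gitlab::Kerberos::Authentication.login` performs as its own first line, so one of the two is redundant; keeping it in `Authentication.login` alone reduces this hunk to `kerberos_user = Gitlab::Kerberos::Authentication.login(login, password)` followed by `return kerberos_user if kerberos_user`. The Kerberos attempt also now runs before the LDAP/local path for every password login whenever the provider is configured, and it ignores the `user` already looked up on the previous line; if that ordering is intended, a comment beside the existing LDAP comment, e.g. `# Kerberos is tried first and resolves the principal to a GitLab account by e-mail`, would record it. `find` continues outside the hunk.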
......
require "krb5_auth"
# This calls helps to authenticate to Kerberos by providing username and password
module Gitlab
module Kerberos
class Authentication
def self.login(login, password)
return unless Devise.omniauth_providers.include?(:kerberos)
return unless login.present? && password.present?
auth = new(login, password)
auth.login
end
def initialize(login, password)
@login = login
@password = password
@krb5 = ::Krb5Auth::Krb5.new
end
def valid?
@krb5.get_init_creds_password(@login, @password)
rescue ::Krb5Auth::Krb5::Exception
false
end
def login
valid? && User.find_by(email: email)
end
def email
@login + "@" + @krb5.get_default_realm.downcase
end
end
end
end
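Review bot: `login` maps an authenticated Kerberos principal to a GitLab account solely through `User.find_by(email: email)`, where `email` is `@login + "@" + realm`, so a successful Kerberos login lands in whichever account currently carries that e-mail address; if e-mail addresses are user-editable or unverified that is an account-takeover path, and the binding should be to a stored per-provider identifier rather than the mutable e-mail column (the page does not show how provider identities are stored, so confirm against the User model). `valid?` returns whatever `get_init_creds_password` returns on success, which is not guaranteed to be a boolean; `!!@krb5.get_init_creds_password(@login, @password)` or an explicit `true` after the call keeps the predicate contract. The header comment also has a typo — `# Authenticates a username/password pair against Kerberos and returns the matching GitLab user, or nil.` would replace `This calls helps to authenticate to Kerberos by providing username and password`.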