author | Markus Koller <markus-koller@gmx.ch> | 2017-11-23 13:16:14 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2017-11-23 13:16:14 +0000 |
commit | 257fd5713485a05460a9170190100643199a7e48 (patch) | |
tree | afaaddcdc16ac407d72b7b4c0e96d951a141c268 /lib/gitlab/auth.rb | |
parent | a6cafbcbe8d6802a81055c3469312f889cd73c9a (diff) | |
download | gitlab-ce-257fd5713485a05460a9170190100643199a7e48.tar.gz |
Allow password authentication to be disabled entirely
Diffstat (limited to 'lib/gitlab/auth.rb')
-rw-r--r-- | lib/gitlab/auth.rb | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index cbbc51db99e..9670207a105 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -34,7 +34,7 @@ module Gitlab
 rate_limit!(ip, success: result.success?, login: login)
 Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
- return result if result.success? || current_application_settings.password_authentication_enabled? || Gitlab::LDAP::Config.enabled?
+ return result if result.success? || authenticate_using_internal_or_ldap_password?
 # If sign-in is disabled and LDAP is not configured, recommend a
 # personal access token on failed auth attempts
@@ -45,6 +45,10 @@ module Gitlab
 # Avoid resource intensive login checks if password is not provided
 return unless password.present?
+ # Nothing to do here if internal auth is disabled and LDAP is
+ # not configured
+ return unless authenticate_using_internal_or_ldap_password?
+
 Gitlab::Auth::UniqueIpsLimiter.limit_user! do
 user = User.by_login(login)
@@ -52,10 +56,8 @@ module Gitlab
 # LDAP users are only authenticated via LDAP
 if user.nil? || user.ldap_user?
 # Second chance - try LDAP authentication
- return unless Gitlab::LDAP::Config.enabled?
-
 Gitlab::LDAP::Authentication.login(login, password)
- else
+ elsif current_application_settings.password_authentication_enabled_for_git?
 user if user.active? && user.valid_password?(password)
 end
 end
@@ -84,6 +86,10 @@ module Gitlab
 private
+ def authenticate_using_internal_or_ldap_password?
+ current_application_settings.password_authentication_enabled_for_git? || Gitlab::LDAP::Config.enabled?
+ end
+
 def service_request_check(login, password, project)
 matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
|
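Review bot: The comment that follows the changed `return result if ...` line in the `@@ -34,7 +34,7 @@` hunk is now stale. It still says "If sign-in is disabled", but the new condition depends on `password_authentication_enabled_for_git?` and the LDAP configuration. I would reword it to `# If password authentication for Git is disabled and LDAP is not configured, recommend a`, so a reader of the failure path knows which setting triggers the personal-access-token hint. The enclosing method starts and ends outside the hunk.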
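Review bot: The early return added in the `@@ -45,6 +45,10 @@` hunk gates this password lookup on a Git-specific setting, `password_authentication_enabled_for_git?`, while the helper name (`authenticate_using_internal_or_ldap_password?`, last hunk) and the new comment both speak of "internal auth" in general. The method's name and its callers are outside the hunk, so this needs confirming: any non-Git caller would now follow the Git toggle and get nil for every user when it is off. I would state the scope in the comment, e.g. `# Nothing to do here if password authentication for Git is disabled and LDAP is not configured`. A spec for the case where the two password settings differ would also pin the intended behaviour.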
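Review bot: Removing `return unless Gitlab::LDAP::Config.enabled?` in the `@@ -52,10 +56,8 @@` hunk lets `Gitlab::LDAP::Authentication.login(login, password)` run while LDAP is not configured. The new outer guard is an OR of the two settings, so this happens whenever Git password authentication is enabled and the login is unknown or belongs to an LDAP user. Whether that is harmless depends on `login` checking the LDAP configuration itself, which is not visible here. I would keep `return unless Gitlab::LDAP::Config.enabled?` in this branch, or add a spec for the password-enabled, LDAP-disabled case with a nil user. The surrounding block starts and ends outside the hunk.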
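Review bot: The context line `matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)` in the `@@ -84,6 +86,10 @@` hunk validates a login with `^` and `$`, which in Ruby anchor at line boundaries rather than at the start and end of the string. A login containing a newline could therefore still match on one of its lines. This predates the commit, but it sits right next to the new auth helper and is worth a follow-up: `/\A(?<service>[a-zA-Z]*-ci)-token\z/`. The body of `service_request_check` continues outside the hunk, so how `matched_login` is used afterwards cannot be judged from here.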