summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDrew Blessing <drew@gitlab.com>2017-01-24 11:12:49 -0600
committerDrew Blessing <drew@gitlab.com>2017-01-30 13:05:47 -0600
commit29414ab0438583c7401e94a74a613497874b5e4e (patch)
tree8a6cbfabb629620eed7eec24b8d9129426ae2f01 /lib
parentb78d06b78143b16dccc5d5afaa8796473b68bea1 (diff)
downloadgitlab-ce-29414ab0438583c7401e94a74a613497874b5e4e.tar.gz
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms
We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/auth.rb11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 8dda65c71ef..f638905a1e0 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -10,13 +10,16 @@ module Gitlab
def find_for_git_client(login, password, project:, ip:)
raise "Must provide an IP for rate limiting" if ip.nil?
+ # `user_with_password_for_git` should be the last check
+ # because it's the most expensive, especially when LDAP
+ # is enabled.
result =
service_request_check(login, password, project) ||
build_access_token_check(login, password) ||
- user_with_password_for_git(login, password) ||
- oauth_access_token_check(login, password) ||
lfs_token_check(login, password) ||
+ oauth_access_token_check(login, password) ||
personal_access_token_check(login, password) ||
+ user_with_password_for_git(login, password) ||
Gitlab::Auth::Result.new
rate_limit!(ip, success: result.success?, login: login)
@@ -143,7 +146,9 @@ module Gitlab
read_authentication_abilities
end
- Result.new(actor, nil, token_handler.type, authentication_abilities) if Devise.secure_compare(token_handler.token, password)
+ if Devise.secure_compare(token_handler.token, password)
+ Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
+ end
end
def build_access_token_check(login, password)