[webui] fix LDAP login

src/api/app/controllers/application_controller.rb

@@ -93,74 +93,6 @@ class UnregisteredUserError < APIException
     setup 403
   end
 
-  def extract_ldap_user
-    # Reject empty passwords to prevent LDAP lockouts.
-    return if @passwd.blank?
-
-    begin
-      require 'ldap'
-      logger.debug( "Using LDAP to find #{@login}" )
-      ldap_info = UserLdapStrategy.find_with_ldap( @login, @passwd )
-    rescue LoadError
-      logger.warn "ldap_mode selected but 'ruby-ldap' module not installed."
-      ldap_info = nil # now fall through as if we'd not found a user
-    rescue Exception
-      logger.debug "#{@login} not found in LDAP."
-      ldap_info = nil # now fall through as if we'd not found a user
-    end
-
-    if ldap_info
-      # We've found an ldap authenticated user - find or create an OBS userDB entry.
-      logger.debug "User.find_by_login( #{@login} )"
-      @http_user = User.find_by_login( @login )
-      if @http_user
-        # Check for ldap updates
-        if @http_user.email != ldap_info[0]
-          @http_user.email = ldap_info[0]
-          @http_user.save
-        end
-      else
-        if ::Configuration.registration == "deny"
-          logger.debug( "No user found in database, creation disabled" )
-          @http_user=nil
-          raise AuthenticationRequiredError.new "User '#{login}' does not exist<br>#{errstr}"
-        end
-        logger.debug( "No user found in database, creating" )
-        logger.debug( "Email: #{ldap_info[0]}" )
-        logger.debug( "Name : #{ldap_info[1]}" )
-        # Generate and store a fake pw in the OBS DB that no-one knows
-        chars = ["A".."Z", "a".."z", "0".."9"].collect { |r| r.to_a }.join
-        fakepw = (1..24).collect { chars[rand(chars.size)] }.pack('a'*24)
-        newuser = User.create(
-            :login => @login,
-            :password => fakepw,
-            :password_confirmation => fakepw,
-            :email => ldap_info[0] )
-        unless newuser.errors.empty?
-          errstr = String.new
-          logger.debug("Creating User failed with: ")
-          newuser.errors.full_messages.each do |msg|
-            errstr = errstr+msg
-            logger.debug(msg)
-          end
-          @http_user=nil
-          raise AuthenticationRequiredError.new "Cannot create ldap userid: '#{login}' on OBS<br>#{errstr}"
-        end
-        newuser.realname = ldap_info[1]
-        newuser.state = User::STATES['confirmed']
-        newuser.state = User::STATES['unconfirmed'] if ::Configuration.registration == "confirmation"
-        newuser.adminnote = "User created via LDAP"
-
-        logger.debug( "saving new user..." )
-        newuser.save
-
-        @http_user = newuser
-      end
-    else
-      logger.debug( "User not found with LDAP, falling back to database" )
-    end
-  end
-
   def extract_proxy_user
     @auth_method = :proxy
     proxy_user = request.env['HTTP_X_USERNAME']
@@ -235,13 +167,7 @@ def extract_user
 
       extract_basic_auth_user
 
-      if CONFIG['ldap_mode'] == :on
-        extract_ldap_user
-      end
-
-      if @login && !@http_user
-        @http_user = User.find_with_credentials @login, @passwd
-      end
+      @http_user = User.find_with_credentials @login, @passwd if @login
     end
 
     if !@http_user && session[:login]

src/api/app/models/user.rb

@@ -220,7 +220,69 @@ def state=(value)
   # in the database. Returns the user or nil if he could not be found
   def self.find_with_credentials(login, password)
     # Find user
-    user = User.where(login: login).first
+    user = find_by_login(login)
+
+    if CONFIG['ldap_mode'] == :on
+      begin
+        require 'ldap'
+        logger.debug( "Using LDAP to find #{login}" )
+        ldap_info = UserLdapStrategy.find_with_ldap( login, password )
+      rescue LoadError
+        logger.warn "ldap_mode selected but 'ruby-ldap' module not installed."
+        ldap_info = nil # now fall through as if we'd not found a user
+      rescue Exception
+        logger.debug "#{login} not found in LDAP."
+        ldap_info = nil # now fall through as if we'd not found a user
+      end
+
+      return nil unless ldap_info
+
+      # We've found an ldap authenticated user - find or create an OBS userDB entry.
+      if user
+        # Check for ldap updates
+        if user.email != ldap_info[0] || user.realname != ldap_info[1]
+          user.email = ldap_info[0]
+          user.realname = ldap_info[1]
+          user.save
+        end
+        user.login_failure_count = user.login_failure_count + 1
+        self.execute_without_timestamps { user.save! }
+        return user
+      end
+
+      # still in LDAP mode, user authentificated, but not existing in OBS yet
+      if ::Configuration.registration == "deny"
+        logger.debug( "No user found in database, creation disabled" )
+        return nil
+      end
+      logger.debug( "No user found in database, creating" )
+      logger.debug( "Email: #{ldap_info[0]}" )
+      logger.debug( "Name : #{ldap_info[1]}" )
+      # Generate and store a fake pw in the OBS DB that no-one knows
+      chars = ["A".."Z", "a".."z", "0".."9"].collect { |r| r.to_a }.join
+      password = (1..24).collect { chars[rand(chars.size)] }.pack('a'*24)
+      user = User.create(
+          :login => login,
+          :password => password,
+          :password_confirmation => password,
+          :email => ldap_info[0] )
+      unless user.errors.empty?
+        errstr = String.new
+        logger.debug("Creating User failed with: ")
+        user.errors.full_messages.each do |msg|
+          errstr = errstr+msg
+          logger.debug(msg)
+        end
+        logger.info("Cannot create ldap userid: '#{login}' on OBS<br>#{errstr}")
+        return nil
+      end
+      user.realname = ldap_info[1]
+      user.state = User::STATES['confirmed']
+      user.state = User::STATES['unconfirmed'] if ::Configuration.registration == "confirmation"
+      user.adminnote = "User created via LDAP"
+      logger.debug( "saving new user..." )
+      user.save
+    end
 
     # If the user could be found and the passwords equal then return the user
     if user && user.password_equals?(password)

src/api/app/models/user_ldap_strategy.rb

@@ -424,7 +424,7 @@ def self.find_with_ldap(login, password)
       else
         user_filter = "(#{CONFIG['ldap_search_attr']}=#{login})"
       end
-      Rails.logger.debug("Search for #{user_filter}")
+      Rails.logger.debug("Search for #{CONFIG['ldap_search_base']} #{user_filter}")
       begin
         ldap_con.search(CONFIG['ldap_search_base'], LDAP::LDAP_SCOPE_SUBTREE, user_filter) do |entry|
           user = entry.to_hash

src/api/test/unit/code_quality_test.rb

@@ -94,7 +94,8 @@ def setup
       'SearchController#find_attribute'                                         => 97.33,
       'SourceController#project_command_copy'                                   => 140.04,
       'SourceController#update_project_meta'                                    => 100.07,
-      'UserLdapStrategy::find_with_ldap'                                        => 119.04,
+      'UserLdapStrategy::find_with_ldap'                                        => 122.14,
+      'User::find_with_credentials'                                             => 131.43, 
       'UserLdapStrategy::render_grouplist_ldap'                                 => 100.3,
       'Webui::DriverUpdateController#save'                                      => 91.69,
       'Webui::PackageController#submit_request'                                 => 95.89,