diff --git a/app/helpers/kerberos_spnego_helper.rb b/app/helpers/kerberos_spnego_helper.rb
index be133017ae15d878f9585c8918f5599eceefe868..fd2a772e0d17fdd0871979860f8ce980931d1666 100644
--- a/app/helpers/kerberos_spnego_helper.rb
+++ b/app/helpers/kerberos_spnego_helper.rb
@@ -45,7 +45,8 @@ def find_kerberos_user
     krb_principal = spnego_credentials!(spnego_token)
     return unless krb_principal
-    identity = ::Identity.find_by(provider: :kerberos, extern_uid: krb_principal)
+    # Use `iwhere` to facilitate case-insensitive identity lookup
+    identity = ::Identity.iwhere(provider: :kerberos, extern_uid: krb_principal).first
     identity&.user
   end
diff --git a/changelogs/unreleased-ee/spnego_case_insensitive.yml b/changelogs/unreleased-ee/spnego_case_insensitive.yml
new file mode 100644
index 0000000000000000000000000000000000000000..56e098930886b7d9cba759cd6b5e708e7de8700e
--- /dev/null
+++ b/changelogs/unreleased-ee/spnego_case_insensitive.yml
@@ -0,0 +1,5 @@
+---
+title: Use case-insensitive lookup for Kerberos Spnego identity.
+merge_request:
+author:
+type: fixed
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 0c754a745fa8633ad525e6e671e9512b1e307c97..0a5a24994ce3504e7333bb17e882874e0c6bedfd 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -735,6 +735,17 @@ def attempt_login(include_password)
       end
     end
+    context 'when character case differs' do
+      it 'responds with status 200 OK' do
+        allow_any_instance_of(Projects::GitHttpController).to receive(:spnego_credentials!).and_return("caseinsensitivelogin@FOO.COM")
+        user.identities.create!(provider: "kerberos", extern_uid: "CASEINSENSITIVELOGIN@FOO.COM")
+        download(path, env) do |response|
+          expect(response).to have_http_status(:ok)
+        end
+      end
+    end
+
     it "complies with RFC4559" do
       allow_any_instance_of(Projects::GitHttpController).to receive(:spnego_response_token).and_return("opaque_response_token")
       download(path, env) do |response|
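Review bot: The new `iwhere(...).first` silently resolves an ambiguous match: if two kerberos identities differ only in case (`alice@EXAMPLE.COM` and `Alice@EXAMPLE.COM`, which the old exact-match `find_by` kept distinct), `.first` picks one of them (by primary key, if Rails' default ordering applies), so a SPNEGO-authenticated principal can be attributed to the wrong user. Unless a case-insensitive uniqueness constraint on (provider, extern_uid) exists elsewhere — not visible here — the lookup should fail closed on ambiguity: `identities = ::Identity.iwhere(provider: :kerberos, extern_uid: krb_principal).limit(2).to_a`, `return if identities.size != 1`, `identities.first.user`. This assumes `iwhere` is the project's case-insensitive `where` helper, which the hunk does not show. The added comment also states only what the line does; a why-comment such as `# Kerberos principals may arrive with differing realm/user case; match case-insensitively` would be more useful to the next reader. `find_kerberos_user` begins above the hunk.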
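Review bot: The new context only shows that a case-variant principal is accepted; nothing pins that a case-insensitive collision is rejected, which is the regression risk introduced by the helper change. Consider a second example that creates two identities differing only in case (one for `user`, one for another user) and asserts the request is attributed to neither — e.g. `expect(response).not_to have_http_status(:ok)` — or, if ambiguity is meant to be impossible, an example asserting that the second `create!` is rejected by a uniqueness validation. Whether an unauthorized SPNEGO request yields 401 here is not visible in the hunk, hence the negated expectation. The enclosing describe block begins and ends outside the hunk.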