From 212503aa78e0ecf5fd65882b4ab816a5e38ef680 Mon Sep 17 00:00:00 2001
From: Drew Blessing
Date: Mon, 2 Oct 2017 15:09:05 -0500
Subject: [PATCH 1/2] Use case-insensitive lookup for Kerberos Spnego identity.

Clients can send the Kerberos username/principal in any case - the Kerberos server itself does not care. However, GitLab stores the Kerberos username/principal as extern_uid in a case-sensitive format. This change uses an `iwhere` statement rather than `find_by` so it doesn't matter how the client send the username/principal.
---
 app/helpers/kerberos_spnego_helper.rb                | 3 ++-
 changelogs/unreleased-ee/spnego_case_insensitive.yml | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased-ee/spnego_case_insensitive.yml

diff --git a/app/helpers/kerberos_spnego_helper.rb b/app/helpers/kerberos_spnego_helper.rb
index be133017ae15d8..fd2a772e0d17fd 100644
--- a/app/helpers/kerberos_spnego_helper.rb
+++ b/app/helpers/kerberos_spnego_helper.rb
@@ -45,7 +45,8 @@ def find_kerberos_user
     krb_principal = spnego_credentials!(spnego_token)
     return unless krb_principal
-    identity = ::Identity.find_by(provider: :kerberos, extern_uid: krb_principal)
+    # Use `iwhere` to facilitate case-insensitive identity lookup
+    identity = ::Identity.iwhere(provider: :kerberos, extern_uid: krb_principal).first
     identity&.user
   end
diff --git a/changelogs/unreleased-ee/spnego_case_insensitive.yml b/changelogs/unreleased-ee/spnego_case_insensitive.yml
new file mode 100644
index 00000000000000..56e098930886b7
--- /dev/null
+++ b/changelogs/unreleased-ee/spnego_case_insensitive.yml
@@ -0,0 +1,5 @@
+---
+title: Use case-insensitive lookup for Kerberos Spnego identity.
+merge_request:
+author:
+type: fixed
-- GitLab

From 2f942d1e3eed4fbf85ed13798dd8ee61244cc41f Mon Sep 17 00:00:00 2001
From: Drew Blessing
Date: Mon, 2 Oct 2017 16:56:19 -0500
Subject: [PATCH 2/2] Add tests

---
 spec/requests/git_http_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
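Review bot: The new `::Identity.iwhere(...).first` line can authenticate a principal as the wrong account: nothing visible here prevents two identities whose `extern_uid` differs only in case (`alice@FOO.COM` and `ALICE@FOO.COM`) from coexisting, and `.first` with no `order` returns whichever row the database happens to yield, which is not a safe basis for mapping a credential to a user. The lookup should fail closed when the case-insensitive match is ambiguous, and a follow-up should normalise `extern_uid` on write (or enforce uniqueness on `LOWER(extern_uid)` for the kerberos provider) so the ambiguity cannot arise at all. The commit message's claim that the KDC "does not care" about case is true of Active Directory but not of MIT Kerberos, whose principal names are case-sensitive, so the added comment should record why relaxing the comparison is acceptable here rather than only what it does. Assuming `iwhere` compiles to a `LOWER(extern_uid) = LOWER(?)` comparison, it will not use a plain index on `extern_uid`, which is worth checking on large identity tables. `find_kerberos_user`'s `def` line is outside the hunk (only its name appears in the hunk header).
```ruby
    return unless krb_principal

    # Case-insensitive lookup: AD-backed clients may present the principal in
    # any case. Fail closed if more than one identity matches, since `.first`
    # without an ORDER BY would pick an arbitrary user for this credential.
    matches = ::Identity.iwhere(provider: :kerberos, extern_uid: krb_principal).limit(2).to_a
    return if matches.size != 1

    matches.first.user
```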
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 0c754a745fa863..0a5a24994ce350 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -735,6 +735,17 @@ def attempt_login(include_password)
         end
       end
+      context 'when character case differs' do
+        it 'responds with status 200 OK' do
+          allow_any_instance_of(Projects::GitHttpController).to receive(:spnego_credentials!).and_return("caseinsensitivelogin@FOO.COM")
+          user.identities.create!(provider: "kerberos", extern_uid: "CASEINSENSITIVELOGIN@FOO.COM")
+          download(path, env) do |response|
+            expect(response).to have_http_status(:ok)
+          end
+        end
+      end
+
       it "complies with RFC4559" do
         allow_any_instance_of(Projects::GitHttpController).to receive(:spnego_response_token).and_return("opaque_response_token")
         download(path, env) do |response|
-- GitLab
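Review bot: The new example asserts only `expect(response).to have_http_status(:ok)` and never checks which account the request was authenticated as, so it would pass equally if `caseinsensitivelogin@FOO.COM` were resolved to some other user's identity. Assert on the resolved user as well (via whatever helper this request spec uses to read the signed-in user, or a user-specific effect of the 200 response), and add a companion example in which a second identity differing only in case already exists, so that the intended outcome for an ambiguous case-insensitive match is pinned rather than left to whichever row the database returns first. The `describe` enclosing this `context` begins and ends outside the hunk.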