Merge branch 'ldap-code' into 'master'

LDAP code from EE

Merge branch 'ldap-code' into 'master'
LDAP code from EE
Dmitriy Zaporozhets
2 parents 92a92846 c6d39a14
Showing 11 changed files with 243 additions and 56 deletions Show diff stats
app/controllers/application_controller.rb
app/models/user.rb
config/gitlab.yml.example
db/migrate/20130809124851_add_permission_check_to_user.rb
db/schema.rb
lib/api/internal.rb
lib/gitlab/ldap/access.rb
lib/gitlab/ldap/adapter.rb
lib/gitlab/ldap/person.rb
lib/gitlab/ldap/user.rb
spec/lib/gitlab/ldap/ldap_user_auth_spec.rb
@@ -6,6 +6,7 @@ class ApplicationController &lt; ActionController::Base
   before_filter :check_password_expiration
   around_filter :set_current_user_for_thread
   before_filter :add_abilities
+  before_filter :ldap_security_check
   before_filter :dev_tools if Rails.env == 'development'
   before_filter :default_headers
   before_filter :add_gon_variables
@@ -179,11 +180,28 @@ class ApplicationController &lt; ActionController::Base
     end
   end
+  def ldap_security_check
+    if current_user && current_user.requires_ldap_check?
+      if gitlab_ldap_access.allowed?(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
+  end
+
   def event_filter
     filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
     @event_filter ||= EventFilter.new(filters)
   end
+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
+
   # JSON for infinite scroll via Pager object
   def pager_json(partial, count)
     html = render_to_string(
@@ -185,7 +185,7 @@ class User &lt; ActiveRecord::Base
         where(conditions).first
       end
     end
-    
+
     def find_for_commit(email, name)
       # Prefer email match over name match
       User.where(email: email).first ||
@@ -275,7 +275,9 @@ class User &lt; ActiveRecord::Base
   # Projects user has access to
   def authorized_projects
     @authorized_projects ||= begin
-                               project_ids = (personal_projects.pluck(:id) + groups_projects.pluck(:id) + projects.pluck(:id)).uniq
+                               project_ids = personal_projects.pluck(:id)
+                               project_ids += groups_projects.pluck(:id)
+                               project_ids += projects.pluck(:id).uniq
                                Project.where(id: project_ids).joins(:namespace).order('namespaces.name ASC')
                              end
   end
@@ -406,6 +408,14 @@ class User &lt; ActiveRecord::Base
     end
   end
+  def requires_ldap_check?
+    if ldap_user?
+      !last_credential_check_at || (last_credential_check_at + 1.hour) < Time.now
+    else
+      false
+    end
+  end
+
   def solo_owned_groups
     @solo_owned_groups ||= owned_groups.select do |group|
       group.owners == [self]
@@ -121,7 +121,6 @@ production: &amp;base
   ldap:
     enabled: false
     host: '_your_ldap_server'
-    base: '_the_base_where_you_search_for_users'
     port: 636
     uid: 'sAMAccountName'
     method: 'ssl' # "tls" or "ssl" or "plain"
@@ -138,6 +137,20 @@ production: &amp;base
     # disable this setting, because the userPrincipalName contains an '@'.
     allow_username_or_email_login: true
+    # Base where we can search for users
+    #
+    #   Ex. ou=People,dc=gitlab,dc=example
+    #
+    base: ''
+
+    # Filter LDAP users
+    #
+    #   Format: RFC 4515
+    #   Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
+
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers
@@ -0,0 +1,5 @@
+class AddPermissionCheckToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :last_credential_check_at, :datetime
+  end
+end
@@ -76,8 +76,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.integer  "assignee_id"
     t.integer  "author_id"
     t.integer  "project_id"
-    t.datetime "created_at",               null: false
-    t.datetime "updated_at",               null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.integer  "position",     default: 0
     t.string   "branch_name"
     t.text     "description"
@@ -95,8 +95,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
   create_table "keys", force: true do |t|
     t.integer  "user_id"
-    t.datetime "created_at",  null: false
-    t.datetime "updated_at",  null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.text     "key"
     t.string   "title"
     t.string   "type"
@@ -123,8 +123,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.integer  "author_id"
     t.integer  "assignee_id"
     t.string   "title"
-    t.datetime "created_at",        null: false
-    t.datetime "updated_at",        null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.integer  "milestone_id"
     t.string   "state"
     t.string   "merge_status"
@@ -176,8 +176,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.text     "note"
     t.string   "noteable_type"
     t.integer  "author_id"
-    t.datetime "created_at",                    null: false
-    t.datetime "updated_at",                    null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.integer  "project_id"
     t.string   "attachment"
     t.string   "line_code"
@@ -199,8 +199,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.string   "name"
     t.string   "path"
     t.text     "description"
-    t.datetime "created_at",                                null: false
-    t.datetime "updated_at",                                null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.integer  "creator_id"
     t.boolean  "issues_enabled",         default: true,     null: false
     t.boolean  "wall_enabled",           default: true,     null: false
@@ -252,8 +252,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.text     "content",    limit: 2147483647
     t.integer  "author_id",                                    null: false
     t.integer  "project_id"
-    t.datetime "created_at",                                   null: false
-    t.datetime "updated_at",                                   null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.string   "file_name"
     t.datetime "expires_at"
     t.boolean  "private",                       default: true, null: false
@@ -275,45 +275,42 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.datetime "created_at"
   end
-  add_index "taggings", ["tag_id"], name: "index_taggings_on_tag_id", using: :btree
-  add_index "taggings", ["taggable_id", "taggable_type", "context"], name: "index_taggings_on_taggable_id_and_taggable_type_and_context", using: :btree
-
   create_table "tags", force: true do |t|
     t.string "name"
   end
   create_table "users", force: true do |t|
-    t.string   "email",                  default: "",    null: false
-    t.string   "encrypted_password",     default: "",    null: false
+    t.string   "email",                                default: "",    null: false
+    t.string   "encrypted_password",       limit: 128, default: "",    null: false
     t.string   "reset_password_token"
     t.datetime "reset_password_sent_at"
     t.datetime "remember_created_at"
-    t.integer  "sign_in_count",          default: 0
+    t.integer  "sign_in_count",                        default: 0
     t.datetime "current_sign_in_at"
     t.datetime "last_sign_in_at"
     t.string   "current_sign_in_ip"
     t.string   "last_sign_in_ip"
-    t.datetime "created_at",                             null: false
-    t.datetime "updated_at",                             null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.string   "name"
-    t.boolean  "admin",                  default: false, null: false
-    t.integer  "projects_limit",         default: 10
-    t.string   "skype",                  default: "",    null: false
-    t.string   "linkedin",               default: "",    null: false
-    t.string   "twitter",                default: "",    null: false
+    t.boolean  "admin",                                default: false, null: false
+    t.integer  "projects_limit",                       default: 10
+    t.string   "skype",                                default: "",    null: false
+    t.string   "linkedin",                             default: "",    null: false
+    t.string   "twitter",                              default: "",    null: false
     t.string   "authentication_token"
-    t.integer  "theme_id",               default: 1,     null: false
+    t.integer  "theme_id",                             default: 1,     null: false
     t.string   "bio"
-    t.integer  "failed_attempts",        default: 0
+    t.integer  "failed_attempts",                      default: 0
     t.datetime "locked_at"
     t.string   "extern_uid"
     t.string   "provider"
     t.string   "username"
-    t.boolean  "can_create_group",       default: true,  null: false
-    t.boolean  "can_create_team",        default: true,  null: false
+    t.boolean  "can_create_group",                     default: true,  null: false
+    t.boolean  "can_create_team",                      default: true,  null: false
     t.string   "state"
-    t.integer  "color_scheme_id",        default: 1,     null: false
-    t.integer  "notification_level",     default: 1,     null: false
+    t.integer  "color_scheme_id",                      default: 1,     null: false
+    t.integer  "notification_level",                   default: 1,     null: false
     t.datetime "password_expires_at"
     t.integer  "created_by_id"
     t.string   "avatar"
@@ -321,15 +318,15 @@ ActiveRecord::Schema.define(version: 20140304005354) do
     t.datetime "confirmed_at"
     t.datetime "confirmation_sent_at"
     t.string   "unconfirmed_email"
-    t.boolean  "hide_no_ssh_key",        default: false
-    t.string   "website_url",            default: "",    null: false
+    t.boolean  "hide_no_ssh_key",                      default: false
+    t.string   "website_url",                          default: "",    null: false
+    t.datetime "last_credential_check_at"
   end
   add_index "users", ["admin"], name: "index_users_on_admin", using: :btree
   add_index "users", ["authentication_token"], name: "index_users_on_authentication_token", unique: true, using: :btree
   add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree
   add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
-  add_index "users", ["extern_uid", "provider"], name: "index_users_on_extern_uid_and_provider", unique: true, using: :btree
   add_index "users", ["name"], name: "index_users_on_name", using: :btree
   add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree
   add_index "users", ["username"], name: "index_users_on_username", using: :btree
@@ -348,8 +345,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
   create_table "users_projects", force: true do |t|
     t.integer  "user_id",                        null: false
     t.integer  "project_id",                     null: false
-    t.datetime "created_at",                     null: false
-    t.datetime "updated_at",                     null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.integer  "project_access",     default: 0, null: false
     t.integer  "notification_level", default: 3, null: false
   end
@@ -361,8 +358,8 @@ ActiveRecord::Schema.define(version: 20140304005354) do
   create_table "web_hooks", force: true do |t|
     t.string   "url"
     t.integer  "project_id"
-    t.datetime "created_at",                                    null: false
-    t.datetime "updated_at",                                    null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
     t.string   "type",                  default: "ProjectHook"
     t.integer  "service_id"
     t.boolean  "push_events",           default: true,          null: false
@@ -35,8 +35,14 @@ module API
           user = key.user
           return false if user.blocked?
+
           if Gitlab.config.ldap.enabled
-            return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+            if user.ldap_user?
+              # Check if LDAP user exists and match LDAP user_filter
+              unless Gitlab::LDAP::Access.new.allowed?(user)
+                return false
+              end
+            end
           end
           action = case git_cmd
@@ -0,0 +1,11 @@
+module Gitlab
+  module LDAP
+    class Access
+      def allowed?(user)
+        !!Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
+      rescue
+        false
+      end
+    end
+  end
+end
@@ -0,0 +1,72 @@
+module Gitlab
+  module LDAP
+    class Adapter
+      attr_reader :ldap
+
+      def initialize
+        encryption = config['method'].to_s == 'ssl' ? :simple_tls : nil
+
+        options = {
+          host: config['host'],
+          port: config['port'],
+          encryption: encryption
+        }
+
+        auth_options = {
+          auth: {
+            method: :simple,
+            username: config['bind_dn'],
+            password: config['password']
+          }
+        }
+
+        if config['password'] || config['bind_dn']
+          options.merge!(auth_options)
+        end
+
+        @ldap = Net::LDAP.new(options)
+      end
+
+      def users(field, value)
+        if field.to_sym == :dn
+          options = {
+            base: value
+          }
+        else
+          options = {
+            base: config['base'],
+            filter: Net::LDAP::Filter.eq(field, value)
+          }
+        end
+
+        if config['user_filter'].present?
+          user_filter = Net::LDAP::Filter.construct(config['user_filter'])
+
+          options[:filter] = if options[:filter]
+                               Net::LDAP::Filter.join(options[:filter], user_filter)
+                             else
+                               user_filter
+                             end
+        end
+
+        entries = ldap.search(options).select do |entry|
+          entry.respond_to? config.uid
+        end
+
+        entries.map do |entry|
+          Gitlab::LDAP::Person.new(entry)
+        end
+      end
+
+      def user(*args)
+        users(*args).first
+      end
+
+      private
+
+      def config
+        @config ||= Gitlab.config.ldap
+      end
+    end
+  end
+end
@@ -0,0 +1,48 @@
+module Gitlab
+  module LDAP
+    class Person
+      def self.find_by_uid(uid)
+        Gitlab::LDAP::Adapter.new.user(config.uid, uid)
+      end
+
+      def self.find_by_dn(dn)
+        Gitlab::LDAP::Adapter.new.user('dn', dn)
+      end
+
+      def initialize(entry)
+        Rails.logger.debug { "Instantiating #{self.class.name} with LDIF:\n#{entry.to_ldif}" }
+        @entry = entry
+      end
+
+      def name
+        entry.cn.first
+      end
+
+      def uid
+        entry.send(config.uid).first
+      end
+
+      def username
+        uid
+      end
+
+      def dn
+        entry.dn
+      end
+
+      private
+
+      def entry
+        @entry
+      end
+
+      def adapter
+        @adapter ||= Gitlab::LDAP::Adapter.new
+      end
+
+      def config
+        @config ||= Gitlab.config.ldap
+      end
+    end
+  end
+end
@@ -13,8 +13,8 @@ module Gitlab
         def find_or_create(auth)
           @auth = auth
-          if uid.blank? || email.blank?
-            raise_error("Account must provide an uid and email address")
+          if uid.blank? || email.blank? || username.blank?
+            raise_error("Account must provide a dn, uid and email address")
           end
           user = find(auth)
@@ -62,8 +62,16 @@ module Gitlab
           return nil unless ldap_conf.enabled && login.present? && password.present?
           ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          filter = Net::LDAP::Filter.eq(ldap.uid, login)
+
+          # Apply LDAP user filter if present
+          if ldap_conf['user_filter'].present?
+            user_filter = Net::LDAP::Filter.construct(ldap_conf['user_filter'])
+            filter = Net::LDAP::Filter.join(filter, user_filter)
+          end
+
           ldap_user = ldap.bind_as(
-            filter: Net::LDAP::Filter.eq(ldap.uid, login),
+            filter: filter,
             size: 1,
             password: password
           )
@@ -71,22 +79,20 @@ module Gitlab
           find_by_uid(ldap_user.dn) if ldap_user
         end
-        # Check LDAP user existance by dn. User in git over ssh check
-        #
-        # It covers 2 cases:
-        # * when ldap account was removed
-        # * when ldap account was deactivated by change of OU membership in 'dn'
-        def blocked?(dn)
-          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-          ldap.connection.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject, size: 1).blank?
-        end
-
         private
         def find_by_uid(uid)
           model.where(provider: provider, extern_uid: uid).last
         end
+        def username
+          (auth.info.nickname || samaccountname).to_s.force_encoding("utf-8")
+        end
+
+        def samaccountname
+          (auth.extra[:raw_info][:samaccountname] || []).first
+        end
+
         def provider
           'ldap'
         end
@@ -9,7 +9,8 @@ describe Gitlab::LDAP do
     @info = double(
       uid: '12djsak321',
       name: 'John',
-      email: 'john@mail.com'
+      email: 'john@mail.com',
+      nickname: 'john'
     )
   end
	@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base		@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
6	before_filter :check_password_expiration	6	before_filter :check_password_expiration
7	around_filter :set_current_user_for_thread	7	around_filter :set_current_user_for_thread
8	before_filter :add_abilities	8	before_filter :add_abilities
		9	+ before_filter :ldap_security_check
9	before_filter :dev_tools if Rails.env == 'development'	10	before_filter :dev_tools if Rails.env == 'development'
10	before_filter :default_headers	11	before_filter :default_headers
11	before_filter :add_gon_variables	12	before_filter :add_gon_variables
	@@ -179,11 +180,28 @@ class ApplicationController < ActionController::Base		@@ -179,11 +180,28 @@ class ApplicationController < ActionController::Base
179	end	180	end
180	end	181	end
181		182
		183	+ def ldap_security_check
		184	+ if current_user && current_user.requires_ldap_check?
		185	+ if gitlab_ldap_access.allowed?(current_user)
		186	+ current_user.last_credential_check_at = Time.now
		187	+ current_user.save
		188	+ else
		189	+ sign_out current_user
		190	+ flash[:alert] = "Access denied for your LDAP account."
		191	+ redirect_to new_user_session_path
		192	+ end
		193	+ end
		194	+ end
		195	+
182	def event_filter	196	def event_filter
183	filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?	197	filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
184	@event_filter \|\|= EventFilter.new(filters)	198	@event_filter \|\|= EventFilter.new(filters)
185	end	199	end
186		200
		201	+ def gitlab_ldap_access
		202	+ Gitlab::LDAP::Access.new
		203	+ end
		204	+
187	# JSON for infinite scroll via Pager object	205	# JSON for infinite scroll via Pager object
188	def pager_json(partial, count)	206	def pager_json(partial, count)
189	html = render_to_string(	207	html = render_to_string(
	@@ -121,7 +121,6 @@ production: &base		@@ -121,7 +121,6 @@ production: &base
121	ldap:	121	ldap:
122	enabled: false	122	enabled: false
123	host: '_your_ldap_server'	123	host: '_your_ldap_server'
124	- base: '_the_base_where_you_search_for_users'
125	port: 636	124	port: 636
126	uid: 'sAMAccountName'	125	uid: 'sAMAccountName'
127	method: 'ssl' # "tls" or "ssl" or "plain"	126	method: 'ssl' # "tls" or "ssl" or "plain"
	@@ -138,6 +137,20 @@ production: &base		@@ -138,6 +137,20 @@ production: &base
138	# disable this setting, because the userPrincipalName contains an '@'.	137	# disable this setting, because the userPrincipalName contains an '@'.
139	allow_username_or_email_login: true	138	allow_username_or_email_login: true
140		139
		140	+ # Base where we can search for users
		141	+ #
		142	+ # Ex. ou=People,dc=gitlab,dc=example
		143	+ #
		144	+ base: ''
		145	+
		146	+ # Filter LDAP users
		147	+ #
		148	+ # Format: RFC 4515
		149	+ # Ex. (employeeType=developer)
		150	+ #
		151	+ user_filter: ''
		152	+
		153	+
141	## OmniAuth settings	154	## OmniAuth settings
142	omniauth:	155	omniauth:
143	# Allow login via Twitter, Google, etc. using OmniAuth providers	156	# Allow login via Twitter, Google, etc. using OmniAuth providers
@@ -0,0 +1,5 @@		@@ -0,0 +1,5 @@
	1	+class AddPermissionCheckToUser < ActiveRecord::Migration
	2	+ def change
	3	+ add_column :users, :last_credential_check_at, :datetime
	4	+ end
	5	+end
@@ -0,0 +1,11 @@		@@ -0,0 +1,11 @@
	1	+module Gitlab
	2	+ module LDAP
	3	+ class Access
	4	+ def allowed?(user)
	5	+ !!Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
	6	+ rescue
	7	+ false
	8	+ end
	9	+ end
	10	+ end
	11	+end
@@ -0,0 +1,72 @@		@@ -0,0 +1,72 @@
	1	+module Gitlab
	2	+ module LDAP
	3	+ class Adapter
	4	+ attr_reader :ldap
	5	+
	6	+ def initialize
	7	+ encryption = config['method'].to_s == 'ssl' ? :simple_tls : nil
	8	+
	9	+ options = {
	10	+ host: config['host'],
	11	+ port: config['port'],
	12	+ encryption: encryption
	13	+ }
	14	+
	15	+ auth_options = {
	16	+ auth: {
	17	+ method: :simple,
	18	+ username: config['bind_dn'],
	19	+ password: config['password']
	20	+ }
	21	+ }
	22	+
	23	+ if config['password'] \|\| config['bind_dn']
	24	+ options.merge!(auth_options)
	25	+ end
	26	+
	27	+ @ldap = Net::LDAP.new(options)
	28	+ end
	29	+
	30	+ def users(field, value)
	31	+ if field.to_sym == :dn
	32	+ options = {
	33	+ base: value
	34	+ }
	35	+ else
	36	+ options = {
	37	+ base: config['base'],
	38	+ filter: Net::LDAP::Filter.eq(field, value)
	39	+ }
	40	+ end
	41	+
	42	+ if config['user_filter'].present?
	43	+ user_filter = Net::LDAP::Filter.construct(config['user_filter'])
	44	+
	45	+ options[:filter] = if options[:filter]
	46	+ Net::LDAP::Filter.join(options[:filter], user_filter)
	47	+ else
	48	+ user_filter
	49	+ end
	50	+ end
	51	+
	52	+ entries = ldap.search(options).select do \|entry\|
	53	+ entry.respond_to? config.uid
	54	+ end
	55	+
	56	+ entries.map do \|entry\|
	57	+ Gitlab::LDAP::Person.new(entry)
	58	+ end
	59	+ end
	60	+
	61	+ def user(*args)
	62	+ users(*args).first
	63	+ end
	64	+
	65	+ private
	66	+
	67	+ def config
	68	+ @config \|\|= Gitlab.config.ldap
	69	+ end
	70	+ end
	71	+ end
	72	+end
@@ -0,0 +1,48 @@		@@ -0,0 +1,48 @@
	1	+module Gitlab
	2	+ module LDAP
	3	+ class Person
	4	+ def self.find_by_uid(uid)
	5	+ Gitlab::LDAP::Adapter.new.user(config.uid, uid)
	6	+ end
	7	+
	8	+ def self.find_by_dn(dn)
	9	+ Gitlab::LDAP::Adapter.new.user('dn', dn)
	10	+ end
	11	+
	12	+ def initialize(entry)
	13	+ Rails.logger.debug { "Instantiating #{self.class.name} with LDIF:\n#{entry.to_ldif}" }
	14	+ @entry = entry
	15	+ end
	16	+
	17	+ def name
	18	+ entry.cn.first
	19	+ end
	20	+
	21	+ def uid
	22	+ entry.send(config.uid).first
	23	+ end
	24	+
	25	+ def username
	26	+ uid
	27	+ end
	28	+
	29	+ def dn
	30	+ entry.dn
	31	+ end
	32	+
	33	+ private
	34	+
	35	+ def entry
	36	+ @entry
	37	+ end
	38	+
	39	+ def adapter
	40	+ @adapter \|\|= Gitlab::LDAP::Adapter.new
	41	+ end
	42	+
	43	+ def config
	44	+ @config \|\|= Gitlab.config.ldap
	45	+ end
	46	+ end
	47	+ end
	48	+end