Commit b1ff8e31b1717c1abbaa3db88da77aef48b51c4e
Add ldap check in application_controller and internal api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Showing
3 changed files
with
40 additions
and
2 deletions
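--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
   before_filter :check_password_expiration
   around_filter :set_current_user_for_thread
   before_filter :add_abilities
+  before_filter :ldap_security_check
   before_filter :dev_tools if Rails.env == 'development'
   before_filter :default_headers
   before_filter :add_gon_variables
@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def ldap_security_check
+    if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
+      if gitlab_ldap_access.allowed?(current_user)
+        gitlab_ldap_access.update_permissions(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
+  end
+
   def event_filter
     filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
     @event_filter ||= EventFilter.new(filters)
   end
 
+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
+
   # JSON for infinite scroll via Pager object
   def pager_json(partial, count)
     html = render_to_string(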
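Review bot: The return value of `current_user.save` on the allowed branch of `ldap_security_check` is discarded, so if the record fails validation `last_credential_check_at` is never persisted and, as far as the logic shown here goes, the LDAP round-trip repeats on every request; `current_user.update_column(:last_credential_check_at, Time.now)` or checking the result would make the throttle reliable. The method also calls `gitlab_ldap_access` twice and the helper builds a fresh `Gitlab::LDAP::Access` each time, so memoising it as `@gitlab_ldap_access ||= Gitlab::LDAP::Access.new` would reuse one instance per request. Unlike the `lib/api/internal.rb` hunk in this commit, the filter does not consult `Gitlab.config.ldap.enabled` before calling `allowed?`; whether `Access` tolerates a disabled LDAP configuration is not visible here and is worth confirming. A short comment such as `# Periodically re-validate LDAP-backed users against the directory; sign them out if access has been revoked` above the method would document its purpose.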
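--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -121,7 +121,6 @@ production: &base
   ldap:
     enabled: false
     host: '_your_ldap_server'
-    base: '_the_base_where_you_search_for_users'
     port: 636
     uid: 'sAMAccountName'
     method: 'ssl' # "tls" or "ssl" or "plain"
@@ -138,6 +137,20 @@ production: &base
     # disable this setting, because the userPrincipalName contains an '@'.
     allow_username_or_email_login: true
 
+    # Base where we can search for users
+    #
+    # Ex. ou=People,dc=gitlab,dc=example
+    #
+    base: ''
+
+    # Filter LDAP users
+    #
+    # Format: RFC 4515
+    # Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
+
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers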
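--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,8 +35,14 @@ module API
         user = key.user
 
         return false if user.blocked?
+
         if Gitlab.config.ldap.enabled
-          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+          if user.ldap_user?
+            # Check if LDAP user exists and match LDAP user_filter
+            unless Gitlab::LDAP::Access.new.allowed?(user)
+              return false
+            end
+          end
         end
 
         action = case git_cmd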
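Review bot: The nested `if user.ldap_user?` / `unless ... allowed?` block on new lines 40–45 collapses to the guard form the surrounding code already uses, `return false if user.ldap_user? && !Gitlab::LDAP::Access.new.allowed?(user)`, mirroring `return false if user.blocked?` just above. The replaced line also consulted `Gitlab::LDAP::User.blocked?(user.extern_uid)`; whether `Access#allowed?` now covers that LDAP-side blocked state is not visible in this hunk and is worth confirming, since otherwise a user disabled in the directory keeps git access until the controller-side check signs them out. Unlike the controller filter in this commit, this path has no `requires_ldap_check?` throttle, so every allowed-call performs the LDAP lookup, and the behaviour when the directory is unreachable is likewise not visible here. The enclosing route block begins and ends outside the hunk.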