Commit b1ff8e31b1717c1abbaa3db88da77aef48b51c4e
1 parent
0fdab6a7
Add ldap check in application_controller and internal api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Showing
3 changed files
with
40 additions
and
2 deletions
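--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
   before_filter :check_password_expiration
   around_filter :set_current_user_for_thread
   before_filter :add_abilities
+  before_filter :ldap_security_check
   before_filter :dev_tools if Rails.env == 'development'
   before_filter :default_headers
   before_filter :add_gon_variables
@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def ldap_security_check
+    if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
+      if gitlab_ldap_access.allowed?(current_user)
+        gitlab_ldap_access.update_permissions(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
+  end
+
   def event_filter
     filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
     @event_filter ||= EventFilter.new(filters)
   end
 
+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
+
   # JSON for infinite scroll via Pager object
   def pager_json(partial, count)
     html = render_to_string(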
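Review bot: `gitlab_ldap_access` builds a fresh `Gitlab::LDAP::Access` on every call, and `ldap_security_check` calls it twice in the allowed branch, so each re-check pays for two directory sessions where one would do; memoizing it as `@gitlab_ldap_access ||= Gitlab::LDAP::Access.new` keeps the helper's interface and fixes that. The return value of `current_user.save` is ignored, so if the user record fails validation `last_credential_check_at` is never persisted and the LDAP round-trip silently repeats on every request — `current_user.update_column(:last_credential_check_at, Time.now)` or logging a failed save would make that visible. The denial branch deserves a short why-comment, e.g. `# sign out first: redirect_to in a before_filter halts the chain, so a revoked LDAP account never reaches the action`. `pager_json` continues outside the hunk.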
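--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -121,7 +121,6 @@ production: &base
   ldap:
     enabled: false
     host: '_your_ldap_server'
-    base: '_the_base_where_you_search_for_users'
     port: 636
     uid: 'sAMAccountName'
     method: 'ssl' # "tls" or "ssl" or "plain"
@@ -138,6 +137,20 @@ production: &base
     # disable this setting, because the userPrincipalName contains an '@'.
     allow_username_or_email_login: true
 
+    # Base where we can search for users
+    #
+    # Ex. ou=People,dc=gitlab,dc=example
+    #
+    base: ''
+
+    # Filter LDAP users
+    #
+    # Format: RFC 4515
+    # Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
+
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers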
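--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,8 +35,14 @@ module API
         user = key.user
 
         return false if user.blocked?
+
         if Gitlab.config.ldap.enabled
-          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+          if user.ldap_user?
+            # Check if LDAP user exists and match LDAP user_filter
+            unless Gitlab::LDAP::Access.new.allowed?(user)
+              return false
+            end
+          end
         end
 
         action = case git_cmd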
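Review bot: `Gitlab::LDAP::Access.new.allowed?(user)` now performs a directory lookup on every internal "allowed" call for an LDAP user, with none of the `requires_ldap_check?` throttling the controller path applies, so LDAP availability becomes a dependency of every git operation and an exception from the lookup (unreachable server) is neither rescued nor turned into an explicit fail-closed `false`; if per-call checking is intended, say so in the comment and make the error behaviour explicit. The three nested levels can be collapsed to match the guard style of the line above: `return false if user.ldap_user? && !Gitlab::LDAP::Access.new.allowed?(user)` inside the `if Gitlab.config.ldap.enabled` block. The comment also reads better as `# Reject LDAP users that no longer exist in the directory or do not match user_filter`. The enclosing endpoint starts and ends outside the hunk.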