Check if LDAP user was removed or blocked when use git over ssh

Dmitriy Zaporozhets
1 parent 2db94109
Showing 2 changed files with 11 additions and 0 deletions Show diff stats
lib/api/internal.rb
lib/gitlab/ldap/user.rb
@@ -35,6 +35,7 @@ module API
           user = key.user
           return false if user.blocked?
+          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
           action = case git_cmd
                    when *DOWNLOAD_COMMANDS
@@ -71,6 +71,16 @@ module Gitlab
           find_by_uid(ldap_user.dn) if ldap_user
         end
+        # Check LDAP user existance by dn. User in git over ssh check
+        #
+        # It covers 2 cases:
+        # * when ldap account was removed
+        # * when ldap account was deactivated by change of OU membership in 'dn'
+        def blocked?(dn)
+          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          ldap.connection.search(base: dn, size: 1).blank?
+        end
+
         private
         def find_by_uid(uid)
	@@ -35,6 +35,7 @@ module API		@@ -35,6 +35,7 @@ module API
35	user = key.user	35	user = key.user
36		36
37	return false if user.blocked?	37	return false if user.blocked?
		38	+ return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
38		39
39	action = case git_cmd	40	action = case git_cmd
40	when *DOWNLOAD_COMMANDS	41	when *DOWNLOAD_COMMANDS
	@@ -71,6 +71,16 @@ module Gitlab		@@ -71,6 +71,16 @@ module Gitlab
71	find_by_uid(ldap_user.dn) if ldap_user	71	find_by_uid(ldap_user.dn) if ldap_user
72	end	72	end
73		73
		74	+ # Check LDAP user existance by dn. User in git over ssh check
		75	+ #
		76	+ # It covers 2 cases:
		77	+ # * when ldap account was removed
		78	+ # * when ldap account was deactivated by change of OU membership in 'dn'
		79	+ def blocked?(dn)
		80	+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
		81	+ ldap.connection.search(base: dn, size: 1).blank?
		82	+ end
		83	+
74	private	84	private
75		85
76	def find_by_uid(uid)	86	def find_by_uid(uid)