Kazuhiko Shiozaki / gitlab-ce
Commit e7df3f51 authored Mar 10, 2016 by Jacob Vosmaer
Move method to User
parent 0223b58f
Showing 5 changed files with 22 additions and 15 deletions
app/controllers/application_controller.rb +1 -1
app/models/user.rb +7 -0
lib/gitlab/exclusive_lease.rb +12 -1
lib/gitlab/ldap/access.rb +0 -10
lib/gitlab/user_access.rb +2 -3
app/controllers/application_controller.rb
...
@@ -246,7 +246,7 @@ class ApplicationController < ActionController::Base
...
@@ -246,7 +246,7 @@ class ApplicationController < ActionController::Base
def
ldap_security_check
def
ldap_security_check
if
current_user
&&
current_user
.
requires_ldap_check?
if
current_user
&&
current_user
.
requires_ldap_check?
return
unless
Gitlab
::
LDAP
::
Access
.
try_lock_user
(
current_user
)
return
unless
current_user
.
try_obtain_ldap_lease
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
current_user
)
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
current_user
)
sign_out
current_user
sign_out
current_user
...
...
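Review bot: In ldap_security_check the lease is taken (return unless current_user.try_obtain_ldap_lease) before Gitlab::LDAP::Access.allowed?(current_user) runs, and nothing in this hunk releases it. If the LDAP check does not complete, the next check for this user is still suppressed until the lease expires, and in the normal case a user whose LDAP access was withdrawn stays signed in until a new lease can be obtained. Suggest a short comment at this call site stating that window, so the throttle is visible here and not only in User.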
app/models/user.rb
...
@@ -612,6 +612,13 @@ class User < ActiveRecord::Base
...
@@ -612,6 +612,13 @@ class User < ActiveRecord::Base
end
end
end
end
def
try_obtain_ldap_lease
# After obtaining this lease LDAP checks will be blocked for 600 seconds
# (10 minutes) for this user.
lease
=
Gitlab
::
ExclusiveLease
.
new
(
"user_ldap_check:
#{
id
}
"
,
timeout:
600
)
lease
.
try_obtain
end
def
solo_owned_groups
def
solo_owned_groups
@solo_owned_groups
||=
owned_groups
.
select
do
|
group
|
@solo_owned_groups
||=
owned_groups
.
select
do
|
group
|
group
.
owners
==
[
self
]
group
.
owners
==
[
self
]
...
...
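Review bot: In try_obtain_ldap_lease the timeout is now the literal 600, explained only by the comment, where the code removed from Gitlab::LDAP::Access had the named constant LEASE_TIMEOUT. Suggest keeping a named constant on User so the throttle interval has a single definition. The key is built from id, so for a record that has not been saved it would be the same string for every such user; a note that the method is meant for persisted users would cover that. The comment could also state that the method returns true only when the lease was obtained.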
lib/gitlab/exclusive_lease.rb
...
@@ -8,14 +8,25 @@ module Gitlab
...
@@ -8,14 +8,25 @@ module Gitlab
# servers. It is a 'cheap' alternative to using SQL queries and updates:
# servers. It is a 'cheap' alternative to using SQL queries and updates:
# you do not need to change the SQL schema to start using
# you do not need to change the SQL schema to start using
# ExclusiveLease.
# ExclusiveLease.
#
# It is important to choose the timeout wisely. If the timeout is very
# high (1 hour) then the throughput of your operation gets very low (at
# most once an hour). If the timeout is lower than how long your
# operation may take then you cannot count on exclusivity. For example,
# if the timeout is 10 seconds and you do an operation which may take 20
# seconds then two overlapping operations may hold a lease at the
# same time.
#
class
ExclusiveLease
class
ExclusiveLease
def
initialize
(
key
,
timeout
)
def
initialize
(
key
,
timeout
:
)
@key
,
@timeout
=
key
,
timeout
@key
,
@timeout
=
key
,
timeout
end
end
# Try to obtain the lease. Return true on succes,
# Try to obtain the lease. Return true on succes,
# false if the lease is already taken.
# false if the lease is already taken.
def
try_obtain
def
try_obtain
# This is expected to be atomic because we are talking to a
# single-threaded Redis server.
!!
redis
.
set
(
redis_key
,
redis_value
,
nx:
true
,
ex:
@timeout
)
!!
redis
.
set
(
redis_key
,
redis_value
,
nx:
true
,
ex:
@timeout
)
end
end
...
...
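Review bot: The initialize signature changes from (key, timeout) to (key, timeout:), so any caller that still passes the timeout positionally will raise ArgumentError. The only call visible in this commit is the one in User#try_obtain_ldap_lease; please confirm that no other caller of Gitlab::ExclusiveLease.new remains on the old form. The new comment on choosing the timeout is useful; since the visible part of the class offers no way to release a lease, it may be worth adding that a lease is held for the full timeout even when the operation finishes early.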
lib/gitlab/ldap/access.rb
...
@@ -7,16 +7,6 @@ module Gitlab
...
@@ -7,16 +7,6 @@ module Gitlab
class
Access
class
Access
attr_reader
:provider
,
:user
attr_reader
:provider
,
:user
# This timeout acts as a throttle on LDAP user checks. Its value of 600
# seconds (10 minutes) means that after calling try_lock_user for user
# janedoe, no new LDAP checks can start for that user for the next 10
# minutes.
LEASE_TIMEOUT
=
600
def
self
.
try_lock_user
(
user
)
Gitlab
::
ExclusiveLease
.
new
(
"user_ldap_check:
#{
user
.
id
}
"
,
LEASE_TIMEOUT
).
try_obtain
end
def
self
.
open
(
user
,
&
block
)
def
self
.
open
(
user
,
&
block
)
Gitlab
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
Gitlab
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
block
.
call
(
self
.
new
(
user
,
adapter
))
block
.
call
(
self
.
new
(
user
,
adapter
))
...
...
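Review bot: Removing try_lock_user and LEASE_TIMEOUT from Gitlab::LDAP::Access means any remaining reference will raise NoMethodError or NameError. The two callers in application_controller.rb and user_access.rb are updated in this commit, but none of the 5 changed files is a spec; please check for tests or other code that still call Gitlab::LDAP::Access.try_lock_user, and add coverage for User#try_obtain_ldap_lease.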
lib/gitlab/user_access.rb
...
@@ -3,9 +3,8 @@ module Gitlab
...
@@ -3,9 +3,8 @@ module Gitlab
def
self
.
allowed?
(
user
)
def
self
.
allowed?
(
user
)
return
false
if
user
.
blocked?
return
false
if
user
.
blocked?
if
user
.
requires_ldap_check?
&&
Gitlab
::
LDAP
::
Access
.
try_lock_user
(
user
)
if
user
.
requires_ldap_check?
&&
user
.
try_obtain_ldap_lease
return
Gitlab
::
LDAP
::
Access
.
allowed?
(
user
)
return
false
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
user
)
end
end
end
true
true
...
...
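Review bot: In allowed?, when user.requires_ldap_check? is true but user.try_obtain_ldap_lease returns false, the if body is skipped and the method falls through to true without consulting LDAP. That is the throttle working as designed, but the answer then rests on user.blocked? alone. Suggest a one-line comment above the if saying so, since this method is an access decision and the lease semantics now live in User.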