Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
gitlab-ce
Commits
ffc28430
Commit
ffc28430
authored
Aug 13, 2014
by
Dmitriy Zaporozhets
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'ldap/cache_check' into 'master'
Cache LDAP check everywhere See merge request !1008
parents
67c5d381
e0fea696
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
62 additions
and
24 deletions
+62
-24
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+4
-9
app/controllers/omniauth_callbacks_controller.rb
app/controllers/omniauth_callbacks_controller.rb
+6
-7
app/models/user.rb
app/models/user.rb
+3
-1
lib/gitlab/ldap/access.rb
lib/gitlab/ldap/access.rb
+13
-0
lib/gitlab/user_access.rb
lib/gitlab/user_access.rb
+2
-7
spec/models/user_spec.rb
spec/models/user_spec.rb
+34
-0
No files found.
app/controllers/application_controller.rb
View file @
ffc28430
...
...
@@ -201,18 +201,13 @@ class ApplicationController < ActionController::Base
def
ldap_security_check
if
current_user
&&
current_user
.
requires_ldap_check?
gitlab_ldap_access
do
|
access
|
if
access
.
allowed?
(
current_user
)
current_user
.
last_credential_check_at
=
Time
.
now
current_user
.
save
else
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
current_user
)
sign_out
current_user
flash
[
:alert
]
=
"Access denied for your LDAP account."
redirect_to
new_user_session_path
end
end
end
end
def
event_filter
filters
=
cookies
[
'event_filter'
].
split
(
','
)
if
cookies
[
'event_filter'
].
present?
...
...
app/controllers/omniauth_callbacks_controller.rb
View file @
ffc28430
...
...
@@ -21,15 +21,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
@user
=
Gitlab
::
LDAP
::
User
.
find_or_create
(
oauth
)
@user
.
remember_me
=
true
if
@user
.
persisted?
gitlab_ldap_access
do
|
access
|
if
a
ccess
.
allowed?
(
@user
)
# Do additional LDAP checks for the user filter and EE features
if
Gitlab
::
LDAP
::
A
ccess
.
allowed?
(
@user
)
sign_in_and_redirect
(
@user
)
else
flash
[
:alert
]
=
"Access denied for your LDAP account."
redirect_to
new_user_session_path
end
end
end
def
omniauth_error
@provider
=
params
[
:provider
]
...
...
app/models/user.rb
View file @
ffc28430
...
...
@@ -414,7 +414,9 @@ class User < ActiveRecord::Base
end
def
requires_ldap_check?
if
ldap_user?
if
!
Gitlab
.
config
.
ldap
.
enabled
false
elsif
ldap_user?
!
last_credential_check_at
||
(
last_credential_check_at
+
1
.
hour
)
<
Time
.
now
else
false
...
...
lib/gitlab/ldap/access.rb
View file @
ffc28430
...
...
@@ -9,6 +9,19 @@ module Gitlab
end
end
def
self
.
allowed?
(
user
)
self
.
open
do
|
access
|
if
access
.
allowed?
(
user
)
# GitLab EE LDAP code goes here
user
.
last_credential_check_at
=
Time
.
now
user
.
save
true
else
false
end
end
end
def
initialize
(
adapter
=
nil
)
@adapter
=
adapter
end
...
...
lib/gitlab/user_access.rb
View file @
ffc28430
...
...
@@ -3,13 +3,8 @@ module Gitlab
def
self
.
allowed?
(
user
)
return
false
if
user
.
blocked?
if
Gitlab
.
config
.
ldap
.
enabled
if
user
.
ldap_user?
# Check if LDAP user exists and match LDAP user_filter
Gitlab
::
LDAP
::
Access
.
open
do
|
adapter
|
return
false
unless
adapter
.
allowed?
(
user
)
end
end
if
user
.
requires_ldap_check?
return
false
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
user
)
end
true
...
...
spec/models/user_spec.rb
View file @
ffc28430
...
...
@@ -312,6 +312,40 @@ describe User do
end
end
describe
:requires_ldap_check?
do
let
(
:user
)
{
User
.
new
}
it
'is false when LDAP is disabled'
do
# Create a condition which would otherwise cause 'true' to be returned
user
.
stub
(
ldap_user?:
true
)
user
.
last_credential_check_at
=
nil
expect
(
user
.
requires_ldap_check?
).
to
be_false
end
context
'when LDAP is enabled'
do
before
{
Gitlab
.
config
.
ldap
.
stub
(
enabled:
true
)
}
it
'is false for non-LDAP users'
do
user
.
stub
(
ldap_user?:
false
)
expect
(
user
.
requires_ldap_check?
).
to
be_false
end
context
'and when the user is an LDAP user'
do
before
{
user
.
stub
(
ldap_user?:
true
)
}
it
'is true when the user has never had an LDAP check before'
do
user
.
last_credential_check_at
=
nil
expect
(
user
.
requires_ldap_check?
).
to
be_true
end
it
'is true when the last LDAP check happened over 1 hour ago'
do
user
.
last_credential_check_at
=
2
.
hours
.
ago
expect
(
user
.
requires_ldap_check?
).
to
be_true
end
end
end
end
describe
'#full_website_url'
do
let
(
:user
)
{
create
(
:user
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment