Merge branch 'feature/ldap_user_filter' of /home/git/repositories/gitlab/gitlab-ee

09b1f305 · Dmitriy Zaporozhets · 1fd0639a · 172eb64d · 09b1f305 · 09b1f305
Commit 09b1f305 authored Oct 01, 2013 by Dmitriy Zaporozhets
5 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -159,10 +159,15 @@ class ApplicationController < ActionController::Base

  def ldap_security_check
    if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
-      Gitlab::LDAP::Access.new.update_permissions(current_user)
-
-      current_user.last_credential_check_at = Time.now
-      current_user.save
+      if gitlab_ldap_access.allowed?(current_user)
+        gitlab_ldap_access.update_permissions(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
    end
  end

@@ -170,4 +175,8 @@ class ApplicationController < ActionController::Base
    filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
    @event_filter ||= EventFilter.new(filters)
  end
+
+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
 end
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -20,8 +20,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    # if the authentication to LDAP was successful.
    @user = Gitlab::LDAP::User.find_or_create(oauth)
    @user.remember_me = true if @user.persisted?
-    Gitlab::LDAP::Access.new.update_permissions(@user)
-    sign_in_and_redirect(@user)
+
+    if gitlab_ldap_access.allowed?(@user)
+      gitlab_ldap_access.update_permissions(@user)
+      sign_in_and_redirect(@user)
+    else
+      flash[:alert] = "Access denied for your LDAP account."
+      redirect_to new_user_session_path
+    end
  end

  private

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -114,6 +114,12 @@ production: &base
    #
    base: ''

+    # Filter LDAP users
+    #
+    #   Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
    # Base where we can search for groups
    #
    #   Ex. ou=Groups,dc=gitlab,dc=example

--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -7,6 +7,12 @@
 module Gitlab
  module LDAP
    class Access
+      def allowed?(user)
+        !!Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
+      rescue
+        false
+      end
+
      def update_permissions(user)
        # Skip updating group permissions
        # if instance does not use group_base setting

--- a/lib/gitlab/ldap/adapter.rb
+++ b/lib/gitlab/ldap/adapter.rb
@@ -69,6 +69,16 @@ module Gitlab
          }
        end

+        if config['user_filter'].present?
+          user_filter = Net::LDAP::Filter.construct(config['user_filter'])
+
+          options[:filter] = if options[:filter]
+                               Net::LDAP::Filter.join(options[:filter], user_filter)
+                             else
+                               user_filter
+                             end
+        end
+
        entries = ldap.search(options).select do |entry|
          entry.respond_to? config.uid
        end