Commit 6fd29312 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'ldap_connection_reuse' into 'master'

Ldap Connection Reuse
parents b89e698d 239f6a27
v 6.7.0
- Improve LDAP sign-in speed by reusing connections
v 6.5.0 v 6.5.0
- Add reset permissions button to Group#members page - Add reset permissions button to Group#members page
......
...@@ -183,14 +183,16 @@ class ApplicationController < ActionController::Base ...@@ -183,14 +183,16 @@ class ApplicationController < ActionController::Base
def ldap_security_check def ldap_security_check
if current_user && current_user.ldap_user? && current_user.requires_ldap_check? if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
if gitlab_ldap_access.allowed?(current_user) gitlab_ldap_access do |access|
gitlab_ldap_access.update_permissions(current_user) if access.allowed?(current_user)
current_user.last_credential_check_at = Time.now access.update_permissions(current_user)
current_user.save current_user.last_credential_check_at = Time.now
else current_user.save
sign_out current_user else
flash[:alert] = "Access denied for your LDAP account." sign_out current_user
redirect_to new_user_session_path flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
end
end end
end end
end end
...@@ -200,8 +202,8 @@ class ApplicationController < ActionController::Base ...@@ -200,8 +202,8 @@ class ApplicationController < ActionController::Base
@event_filter ||= EventFilter.new(filters) @event_filter ||= EventFilter.new(filters)
end end
def gitlab_ldap_access def gitlab_ldap_access(&block)
Gitlab::LDAP::Access.new Gitlab::LDAP::Access.open { |access| block.call(access) }
end end
# JSON for infinite scroll via Pager object # JSON for infinite scroll via Pager object
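Review bot: The failure mode of `ldap_security_check` changes here: `Gitlab::LDAP::Access.open` now opens the shared connection before `access.allowed?` runs, so an error while connecting or binding to the directory is raised from the `gitlab_ldap_access` wrapper instead of reaching the bare `rescue` inside `Access#allowed?`, which in the old code (as far as I can tell, since `Net::LDAP.new` only built the client) turned it into the `sign_out` / "Access denied" branch. If net-ldap's `open` connects eagerly, as I believe it does, an LDAP user whose `requires_ldap_check?` is true gets an unhandled exception on every request while the directory is down rather than a controlled sign-out; decide which behaviour is intended and, if the sign-out is, rescue around the `gitlab_ldap_access` call. The same applies to the OmniauthCallbacksController hunk below. Separately, `Gitlab::LDAP::Access.open { |access| block.call(access) }` raises NoMethodError on nil when called without a block; `Gitlab::LDAP::Access.open(&block)` forwards the block directly and reads as intended.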
......
...@@ -21,12 +21,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -21,12 +21,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
@user = Gitlab::LDAP::User.find_or_create(oauth) @user = Gitlab::LDAP::User.find_or_create(oauth)
@user.remember_me = true if @user.persisted? @user.remember_me = true if @user.persisted?
if gitlab_ldap_access.allowed?(@user) gitlab_ldap_access do |access|
gitlab_ldap_access.update_permissions(@user) if access.allowed?(@user)
sign_in_and_redirect(@user) access.update_permissions(@user)
else sign_in_and_redirect(@user)
flash[:alert] = "Access denied for your LDAP account." else
redirect_to new_user_session_path flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
end
end end
end end
......
...@@ -7,8 +7,20 @@ ...@@ -7,8 +7,20 @@
module Gitlab module Gitlab
module LDAP module LDAP
class Access class Access
attr_reader :adapter
def self.open(&block)
Gitlab::LDAP::Adapter.open do |adapter|
block.call(self.new(adapter))
end
end
def initialize(adapter=nil)
@adapter = adapter
end
def allowed?(user) def allowed?(user)
!!Gitlab::LDAP::Person.find_by_dn(user.extern_uid) !!Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
rescue rescue
false false
end end
...@@ -19,13 +31,13 @@ module Gitlab ...@@ -19,13 +31,13 @@ module Gitlab
return true unless Gitlab.config.ldap['group_base'].present? return true unless Gitlab.config.ldap['group_base'].present?
# Get LDAP user entry # Get LDAP user entry
ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid) ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
# Get all GitLab groups with activated LDAP # Get all GitLab groups with activated LDAP
groups = ::Group.where('ldap_cn IS NOT NULL') groups = ::Group.where('ldap_cn IS NOT NULL')
# Get LDAP groups based on cn from GitLab groups # Get LDAP groups based on cn from GitLab groups
ldap_groups = groups.pluck(:ldap_cn).map { |cn| Gitlab::LDAP::Group.find_by_cn(cn) } ldap_groups = groups.pluck(:ldap_cn).map { |cn| Gitlab::LDAP::Group.find_by_cn(cn, adapter) }
ldap_groups = ldap_groups.compact.uniq ldap_groups = ldap_groups.compact.uniq
# Iterate over ldap groups and check user membership # Iterate over ldap groups and check user membership
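Review bot: `Access.open` and `initialize(adapter=nil)` are undocumented, and the nil default hides that connection reuse only happens inside `open`: with no adapter, `allowed?` and `update_permissions` pass `nil` to `Person.find_by_dn` and `Group.find_by_cn`, which fall back to a fresh `Gitlab::LDAP::Adapter.new` for every lookup, i.e. the per-call connection cost this commit is meant to remove. Add above `self.open` `# Yields an Access bound to a single LDAP connection for the duration of the block; use it wherever several lookups are made for one request.` and above `initialize` `# adapter: nil means each lookup opens its own connection; prefer Access.open.` Style: `block.call(self.new(adapter))` can be `yield new(adapter)`, which also gives a clear LocalJumpError instead of NoMethodError when no block is passed.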
......
...@@ -9,7 +9,17 @@ module Gitlab ...@@ -9,7 +9,17 @@ module Gitlab
class Adapter class Adapter
attr_reader :ldap attr_reader :ldap
def initialize def self.open(&block)
Net::LDAP.open(adapter_options) do |ldap|
block.call(self.new(ldap))
end
end
def self.config
Gitlab.config.ldap
end
def self.adapter_options
encryption = config['method'].to_s == 'ssl' ? :simple_tls : nil encryption = config['method'].to_s == 'ssl' ? :simple_tls : nil
options = { options = {
...@@ -29,8 +39,12 @@ module Gitlab ...@@ -29,8 +39,12 @@ module Gitlab
if config['password'] || config['bind_dn'] if config['password'] || config['bind_dn']
options.merge!(auth_options) options.merge!(auth_options)
end end
options
end
@ldap = Net::LDAP.new(options) def initialize(ldap=nil)
@ldap = ldap || Net::LDAP.new(self.class.adapter_options)
end end
# Get LDAP groups from ou=Groups # Get LDAP groups from ou=Groups
...@@ -95,7 +109,7 @@ module Gitlab ...@@ -95,7 +109,7 @@ module Gitlab
private private
def config def config
@config ||= Gitlab.config.ldap @config ||= self.class.config
end end
end end
end end
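Review bot: `self.adapter_options` is now a public class method whose return value carries the bind credentials: the `options.merge!(auth_options)` step puts the configured `bind_dn` and password into the hash that is returned, whereas before this change the hash was a local inside `initialize` and never left it. Anything that inspects, logs or embeds the result in an exception message exposes the service-account password, so it should be kept internal; `private_class_method :adapter_options` would break `initialize`, which calls it via `self.class`, so if it stays public document the hazard above it: `# Net::LDAP options for the configured server; includes bind credentials when set, so never log or inspect the result.` Style: `self.open` can use `yield new(ldap)` instead of `block.call(self.new(ldap))`, matching the suggestion for `Access.open`. The last hunk only routes the instance `config` through `self.class.config`, which looks fine.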
......
...@@ -7,8 +7,9 @@ ...@@ -7,8 +7,9 @@
module Gitlab module Gitlab
module LDAP module LDAP
class Group class Group
def self.find_by_cn(cn) def self.find_by_cn(cn, adapter=nil)
Gitlab::LDAP::Adapter.new.group(cn) adapter ||= Gitlab::LDAP::Adapter.new
adapter.group(cn)
end end
def initialize(entry) def initialize(entry)
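Review bot: `find_by_cn(cn, adapter=nil)` gains a parameter without documentation; add above it `# adapter: an open Gitlab::LDAP::Adapter to reuse; nil opens a new connection for this single lookup.` and the same comment above `find_by_uid` and `find_by_dn` in the Person hunk below, so callers know that omitting it forfeits the connection reuse. Style: the community Ruby style guide (RuboCop default) spaces optional-argument defaults, `adapter = nil`, in these signatures and in `Access#initialize` and `Adapter#initialize`.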
......
...@@ -7,12 +7,14 @@ ...@@ -7,12 +7,14 @@
module Gitlab module Gitlab
module LDAP module LDAP
class Person class Person
def self.find_by_uid(uid) def self.find_by_uid(uid, adapter=nil)
Gitlab::LDAP::Adapter.new.user(config.uid, uid) adapter ||= Gitlab::LDAP::Adapter.new
adapter.user(config.uid, uid)
end end
def self.find_by_dn(dn) def self.find_by_dn(dn, adapter=nil)
Gitlab::LDAP::Adapter.new.user('dn', dn) adapter ||= Gitlab::LDAP::Adapter.new
adapter.user('dn', dn)
end end
def initialize(entry) def initialize(entry)
......