Commit 721758e8 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'feature/ldap_groups' of /home/git/repositories/gitlab/gitlab-ee

parents fc6e2cdb 073e8b67
......@@ -30,6 +30,7 @@ gem 'gitlab-grack', '~> 1.0.1', require: 'grack'
# LDAP Auth
gem 'gitlab_omniauth-ldap', '1.0.3', require: "omniauth-ldap"
gem 'net-ldap'
# Syntax highlighter
gem "gitlab-pygments.rb", '~> 0.3.2', require: 'pygments.rb'
......
......@@ -591,6 +591,7 @@ DEPENDENCIES
minitest (~> 4.7.0)
modernizr (= 2.6.2)
mysql2
net-ldap
omniauth (~> 1.1.3)
omniauth-github
omniauth-google-oauth2
......
......@@ -21,6 +21,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
if @user.persisted?
@user.remember_me = true
end
Gitlab::LDAP::Access.new.update_permissions(@user)
sign_in_and_redirect @user
end
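Review bot: `Gitlab::LDAP::Access.new.update_permissions(@user)` runs on every OmniAuth callback, not only LDAP ones, and the Gemfile.lock in this commit also lists github and google-oauth2 providers; for those `@user.extern_uid` is not an LDAP uid, the directory lookup inside update_permissions comes back empty, and the `.groups` call on that nil raises, so non-LDAP sign-ins would fail. It also runs when `enabled: false` is set in the ldap section of gitlab.yml. Guard the call on both, e.g. `Gitlab::LDAP::Access.new.update_permissions(@user) if Gitlab.config.ldap['enabled'] && provider == 'ldap'`, using whatever name the enclosing method already gives the provider from `request.env['omniauth.auth']` — the method starts outside this hunk, so that name is not visible here.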
......
......@@ -19,6 +19,8 @@ class Group < Namespace
has_many :project_group_links, dependent: :destroy
has_many :shared_projects, through: :project_group_links, source: 'project'
attr_accessible :ldap_cn
after_create :add_owner
def human_name
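Review bot: `attr_accessible :ldap_cn` opens the LDAP binding to every controller that mass-assigns group params, and the `form_for @group` added on the tab-ldap pane in this commit appears to be the owner-facing group page rather than the admin form; if so, any group owner can point their group at an arbitrary LDAP cn and every directory member of that cn is enrolled as DEVELOPER on their next sign-in. If the binding is meant to be an administrator decision, keep `ldap_cn` out of `attr_accessible` and assign it explicitly in the admin controller; if owners are allowed to set it, say so in a comment above the line, e.g. `# Owners may bind their group to an LDAP cn; all members of that cn are added as developers on login (see Gitlab::LDAP::Access)`.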
......
......@@ -26,6 +26,12 @@
%li It will change web url for access group and group projects.
%li It will change the git path to repositories under this group.
.clearfix
= f.label :ldap_cn do
LDAP Group cn
.input
= f.text_field :ldap_cn, class: "xxlarge left"
.form-actions
= f.submit 'Save changes', class: "btn btn-primary"
= link_to 'Cancel', admin_groups_path, class: "btn btn-cancel"
......@@ -9,6 +9,8 @@
= link_to '#tab-projects', 'data-toggle' => 'tab' do
%i.icon-folder-close
Projects
%li
= link_to 'LDAP', '#tab-ldap', 'data-toggle' => 'tab'
%li
= link_to 'Transfer', '#tab-transfer', 'data-toggle' => 'tab'
%li
......@@ -65,6 +67,20 @@
- if @group.projects.blank?
%p.nothing_here_message This group has no projects yet
.tab-pane#tab-ldap
.ui-box
.title LDAP group settings
%div.form-holder
= form_for @group do |f|
.clearfix
= f.label :ldap_cn do
LDAP Group cn
.input
= f.text_field :ldap_cn, placeholder: "Ex. QA group", class: "xxlarge left"
.form-actions
= f.submit 'Save group', class: "btn btn-save"
.tab-pane#tab-transfer
.ui-box.ui-box-danger
.title Transfer group
......
......@@ -91,7 +91,6 @@ production: &base
ldap:
enabled: false
host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "ssl" or "plain"
......@@ -99,6 +98,19 @@ production: &base
password: '_the_password_of_the_bind_user'
allow_username_or_email_login: true
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Base where we can search for groups
#
# Ex. ou=Groups,dc=gitlab,dc=example
#
group_base: ''
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
......
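Review bot: `base` moves from beside `host`/`port` to the end of the section with an empty default, and the new `group_base` also defaults to `''`; the adapter passes `group_base` straight to the group search, and with an empty base that search most likely returns nothing, after which the access sync sees a user with no LDAP groups and removes them from every ldap_cn-linked group on sign-in. Record that consequence in the comment: `# Required when groups are bound via ldap_cn. If left empty, group sync finds no groups and existing LDAP-linked memberships are removed on the next login.`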
class AddLdapSettingsToGroup < ActiveRecord::Migration
def change
add_column :namespaces, :ldap_cn, :string, null: true
end
end
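Review bot: `ldap_cn` gets no index, yet the new access check runs `Group.where(ldap_cn: ...)` and `authorized_groups.where('ldap_cn IS NOT NULL')` against namespaces on every OmniAuth sign-in; add `add_index :namespaces, :ldap_cn` in this migration. `null: true` is the default for `add_column` and can be dropped.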
......@@ -11,7 +11,7 @@
#
# It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20130711063759) do
ActiveRecord::Schema.define(:version => 20130802124933) do
create_table "deploy_keys_projects", :force => true do |t|
t.integer "deploy_key_id", :null => false
......@@ -129,6 +129,7 @@ ActiveRecord::Schema.define(:version => 20130711063759) do
t.datetime "updated_at", :null => false
t.string "type"
t.string "description", :default => "", :null => false
t.string "ldap_cn"
end
add_index "namespaces", ["name"], :name => "index_namespaces_on_name"
......
#-------------------------------------------------------------------
#
# The GitLab Enterprise Edition (EE) license
#
# Copyright (c) 2013 GitLab.com
#
# All Rights Reserved. No part of this software may be reproduced without
# prior permission of GitLab.com. By using this software you agree to be
# bound by the GitLab Enterprise Support Subscription Terms.
#
#-------------------------------------------------------------------
module Gitlab
module LDAP
class Access
def update_permissions(user)
ldap_user = Gitlab::LDAP::Person.find(user.extern_uid)
ldap_groups = ldap_user.groups
ldap_groups_cn = ldap_groups.map(&:name)
groups = ::Group.where(ldap_cn: ldap_groups_cn)
# First lets add user to new groups
groups.each do |group|
group.add_users([user.id], UsersGroup::DEVELOPER)
end
# Remove groups with LDAP if user lost access to it
user.authorized_groups.where('ldap_cn IS NOT NULL').each do |group|
if ldap_groups_cn.include?(group.ldap_cn)
# ok user still in group
else
# user lost access to this group in ldap
membership = group.users_groups.where(user_id: user.id).last
membership.destroy if membership
end
end
end
end
end
end
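Review bot: `Gitlab::LDAP::Person.find` returns `users(uid).first`, which is nil when the directory has no matching entry, so `ldap_user.groups` on the next line raises NoMethodError and the sign-in that triggered the sync fails; because the call sits in the OmniAuth callback for every provider, that includes non-LDAP users. The nil case should return early rather than continue, since a missing entry or a failed search (a transient directory outage looks the same here) is indistinguishable from "removed from every group", and stripping memberships on an error is the wrong failure direction. `group.add_users([user.id], UsersGroup::DEVELOPER)` is also called for users who are already members; whether add_users overwrites a higher existing role is not visible here and should be checked. The empty `if` branch reads better as a `next`.

```ruby
def update_permissions(user)
  ldap_user = Gitlab::LDAP::Person.find(user.extern_uid)
  # No directory entry (or a failed lookup): leave memberships untouched
  # rather than treating it as "removed from every group".
  return unless ldap_user

  ldap_groups_cn = ldap_user.groups.map(&:name)
  groups = ::Group.where(ldap_cn: ldap_groups_cn)

  # First lets add user to new groups
  groups.each do |group|
    group.add_users([user.id], UsersGroup::DEVELOPER)
  end

  # Remove groups with LDAP if user lost access to it
  user.authorized_groups.where('ldap_cn IS NOT NULL').each do |group|
    next if ldap_groups_cn.include?(group.ldap_cn)

    group.users_groups.where(user_id: user.id).destroy_all
  end
end
```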
#-------------------------------------------------------------------
#
# The GitLab Enterprise Edition (EE) license
#
# Copyright (c) 2013 GitLab.com
#
# All Rights Reserved. No part of this software may be reproduced without
# prior permission of GitLab.com. By using this software you agree to be
# bound by the GitLab Enterprise Support Subscription Terms.
#
#-------------------------------------------------------------------
module Gitlab
module LDAP
class Adapter
attr_reader :ldap
def initialize
options = {
host: config['host'],
port: config['port'],
}
auth_options = {
auth: {
method: config['method'],
username: config['bind_dn'],
password: config['password']
}
}
if config['password'] || config['bind_dn']
options.merge!(auth_options)
end
@ldap = Net::LDAP.new(options)
end
# Get LDAP groups from ou=Groups
#
# cn - filter groups by name
#
# Ex.
# groups("dev*") # return all groups start with 'dev'
#
def groups(cn = "*")
options = {
base: config['group_base'],
filter: Net::LDAP::Filter.eq("cn", cn)
}
ldap.search(options).map do |entry|
Gitlab::LDAP::Group.new(entry)
end
end
def users(uid = "*")
options = {
base: config['base'],
filter: Net::LDAP::Filter.eq("uid", uid)
}
entries = ldap.search(options).select do |entry|
entry.respond_to? :uid
end
entries.map do |entry|
Gitlab::LDAP::Person.new(entry)
end
end
def user(uid)
users(uid).first
end
private
def config
@config ||= Gitlab.config.ldap
end
end
end
end
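Review bot: `initialize` never enables TLS: `config['method']` (`'ssl'` or `'plain'` per the gitlab.yml example) is placed in `auth[:method]`, where Net::LDAP expects a bind method such as `:simple`, and no `:encryption` option is set, so even with port 636 the bind DN, password and every search travel in cleartext, and a bind whose method is the string `'ssl'` is likely rejected by Net::LDAP as unsupported. Map the transport setting to `encryption: { method: :simple_tls }` and bind with `method: :simple`, as below. Separately, `Net::LDAP::Filter.eq` honours `*` in the value, so `users(uid)` and `groups(cn)` should pass their argument through `Net::LDAP::Filter.escape` unless a wildcard is intended, and `ldap.search` may return nil on a server error, which the `.map`/`.select` calls do not tolerate.

```ruby
def initialize
  options = {
    host: config['host'],
    port: config['port'],
  }
  # 'ssl' in gitlab.yml is the transport setting: use LDAPS so bind
  # credentials and directory data are not sent in cleartext.
  options[:encryption] = { method: :simple_tls } if config['method'] == 'ssl'
  if config['password'] || config['bind_dn']
    options[:auth] = {
      method: :simple, # Net::LDAP bind method, distinct from the transport setting
      username: config['bind_dn'],
      password: config['password']
    }
  end
  @ldap = Net::LDAP.new(options)
end
```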
#-------------------------------------------------------------------
#
# The GitLab Enterprise Edition (EE) license
#
# Copyright (c) 2013 GitLab.com
#
# All Rights Reserved. No part of this software may be reproduced without
# prior permission of GitLab.com. By using this software you agree to be
# bound by the GitLab Enterprise Support Subscription Terms.
#
#-------------------------------------------------------------------
module Gitlab
module LDAP
class Group
def initialize(entry)
@entry = entry
end
def name
entry.cn.join(" ")
end
def path
name.parameterize
end
def members
member_uids.map do |uid|
adapter.user(uid)
end.compact
end
def member_uids
if entry.respond_to? :memberuid
entry.memberuid
else
member_dns.map do |dn|
$1 if dn =~ /uid=([a-zA-Z0-9.-]+)/
end
end.compact
end
private
def member_dns
if entry.respond_to? :member
entry.member
elsif entry.respond_to? :uniquemember
entry.uniquemember
elsif entry.respond_to? :memberof
entry.memberof
else
raise 'Unsupported member attribute'
end
end
def entry
@entry
end
def adapter
@adapter ||= Gitlab::LDAP::Adapter.new
end
end
end
end
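Review bot: `member_dns` falls back to `memberof` as a source of member DNs, but memberOf on a group entry lists the groups this entry belongs to, not its members, so a group with neither `member` nor `uniquemember` would have its parent groups' DNs parsed as member uids; drop that branch and let the `raise` fire. In `member_uids`, the regex `/uid=([a-zA-Z0-9.-]+)/` silently discards, via `compact`, any DN whose uid contains other characters (an underscore, for instance), which drops those users from sync without a trace, and `$1` would be clearer as `Regexp.last_match(1)` or a named capture. The uids returned here are later compared with `include?(uid)` in `Person#groups`, a case-sensitive string match, whereas directory uids are usually compared case-insensitively; if the target directory treats them that way, a case difference between memberUid and the user's uid would drop that membership.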
#-------------------------------------------------------------------
#
# The GitLab Enterprise Edition (EE) license
#
# Copyright (c) 2013 GitLab.com
#
# All Rights Reserved. No part of this software may be reproduced without
# prior permission of GitLab.com. By using this software you agree to be
# bound by the GitLab Enterprise Support Subscription Terms.
#
#-------------------------------------------------------------------
module Gitlab
module LDAP
class Person
def self.find(user_uid)
uid = if user_uid =~ /uid=([a-zA-Z0-9.-]+)/
$1
else
user_uid
end
Gitlab::LDAP::Adapter.new.user(uid)
end
def initialize(entry)
@entry = entry
end
def name
entry.cn.join(" ")
end
def uid
entry.uid.join(" ")
end
def username
uid
end
def groups
adapter.groups.select do |group|
group.member_uids.include?(uid)
end
end
private
def entry
@entry
end
def adapter
@adapter ||= Gitlab::LDAP::Adapter.new
end
end
end
end
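Review bot: `self.find` returns nil when `users(uid).first` finds nothing, and callers on this page do not check for that; document it with `# Returns nil when no directory entry matches user_uid`. When `user_uid` does not match `uid=...`, it is forwarded verbatim into `Net::LDAP::Filter.eq`, where `*` acts as a wildcard, so the value should go through `Net::LDAP::Filter.escape` (or be validated against the same `[a-zA-Z0-9.-]` set the regex already uses) before the search, and `$1` reads better as `Regexp.last_match(1)`. `groups` loads every group under `group_base` and each group's members on every sign-in; a search filtered on the member attribute for this uid would avoid that, assuming the directory populates one.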