Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
8b287679
Commit
8b287679
authored
May 18, 2018
by
Rémy Coutable
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Minimize CE/EE difference in Gitlab::Auth::LDAP::Access
Signed-off-by:
Rémy Coutable
<
remy@rymai.me
>
parent
dfdbf198
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
43 additions
and
11 deletions
+43
-11
lib/gitlab/auth/ldap/access.rb
lib/gitlab/auth/ldap/access.rb
+31
-10
spec/lib/gitlab/auth/ldap/access_spec.rb
spec/lib/gitlab/auth/ldap/access_spec.rb
+12
-1
No files found.
lib/gitlab/auth/ldap/access.rb
View file @
8b287679
...
@@ -6,7 +6,7 @@ module Gitlab
...
@@ -6,7 +6,7 @@ module Gitlab
module
Auth
module
Auth
module
LDAP
module
LDAP
class
Access
class
Access
attr_reader
:provider
,
:user
attr_reader
:provider
,
:user
,
:ldap_identity
def
self
.
open
(
user
,
&
block
)
def
self
.
open
(
user
,
&
block
)
Gitlab
::
Auth
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
Gitlab
::
Auth
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
...
@@ -14,9 +14,12 @@ module Gitlab
...
@@ -14,9 +14,12 @@ module Gitlab
end
end
end
end
def
self
.
allowed?
(
user
)
def
self
.
allowed?
(
user
,
options
=
{}
)
self
.
open
(
user
)
do
|
access
|
self
.
open
(
user
)
do
|
access
|
# Whether user is allowed, or not, we should update
# permissions to keep things clean
if
access
.
allowed?
if
access
.
allowed?
access
.
update_user
Users
::
UpdateService
.
new
(
user
,
user:
user
,
last_credential_check_at:
Time
.
now
).
execute
Users
::
UpdateService
.
new
(
user
,
user:
user
,
last_credential_check_at:
Time
.
now
).
execute
true
true
...
@@ -29,7 +32,8 @@ module Gitlab
...
@@ -29,7 +32,8 @@ module Gitlab
def
initialize
(
user
,
adapter
=
nil
)
def
initialize
(
user
,
adapter
=
nil
)
@adapter
=
adapter
@adapter
=
adapter
@user
=
user
@user
=
user
@provider
=
user
.
ldap_identity
.
provider
@ldap_identity
=
user
.
ldap_identity
@provider
=
adapter
&
.
provider
||
ldap_identity
&
.
provider
end
end
def
allowed?
def
allowed?
...
@@ -40,7 +44,7 @@ module Gitlab
...
@@ -40,7 +44,7 @@ module Gitlab
end
end
# Block user in GitLab if he/she was blocked in AD
# Block user in GitLab if he/she was blocked in AD
if
Gitlab
::
Auth
::
LDAP
::
Person
.
disabled_via_active_directory?
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
if
Gitlab
::
Auth
::
LDAP
::
Person
.
disabled_via_active_directory?
(
ldap_identity
.
extern_uid
,
adapter
)
block_user
(
user
,
'is disabled in Active Directory'
)
block_user
(
user
,
'is disabled in Active Directory'
)
false
false
else
else
...
@@ -64,27 +68,44 @@ module Gitlab
...
@@ -64,27 +68,44 @@ module Gitlab
Gitlab
::
Auth
::
LDAP
::
Config
.
new
(
provider
)
Gitlab
::
Auth
::
LDAP
::
Config
.
new
(
provider
)
end
end
def
find_ldap_user
Gitlab
::
Auth
::
LDAP
::
Person
.
find_by_dn
(
ldap_identity
.
extern_uid
,
adapter
)
end
def
ldap_user
def
ldap_user
@ldap_user
||=
Gitlab
::
Auth
::
LDAP
::
Person
.
find_by_dn
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
return
unless
provider
@ldap_user
||=
find_ldap_user
end
end
def
block_user
(
user
,
reason
)
def
block_user
(
user
,
reason
)
user
.
ldap_block
user
.
ldap_block
if
provider
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
else
Gitlab
::
AppLogger
.
info
(
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
\
"Account is not provided by LDAP
, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
)
end
end
end
def
unblock_user
(
user
,
reason
)
def
unblock_user
(
user
,
reason
)
user
.
activate
user
.
activate
Gitlab
::
AppLogger
.
info
(
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
\
"LDAP account
\"
#{
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
\
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
)
end
end
def
update_user
# no-op in CE
end
end
end
end
end
end
end
...
...
spec/lib/gitlab/auth/ldap/access_spec.rb
View file @
8b287679
...
@@ -8,6 +8,7 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -8,6 +8,7 @@ describe Gitlab::Auth::LDAP::Access do
describe
'.allowed?'
do
describe
'.allowed?'
do
it
'updates the users `last_credential_check_at'
do
it
'updates the users `last_credential_check_at'
do
allow
(
access
).
to
receive
(
:update_user
)
expect
(
access
).
to
receive
(
:allowed?
)
{
true
}
expect
(
access
).
to
receive
(
:allowed?
)
{
true
}
expect
(
described_class
).
to
receive
(
:open
).
and_yield
(
access
)
expect
(
described_class
).
to
receive
(
:open
).
and_yield
(
access
)
...
@@ -16,12 +17,21 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -16,12 +17,21 @@ describe Gitlab::Auth::LDAP::Access do
end
end
end
end
describe
'#find_ldap_user'
do
it
'finds a user by dn first'
do
expect
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
:ldap_user
)
access
.
find_ldap_user
end
end
describe
'#allowed?'
do
describe
'#allowed?'
do
subject
{
access
.
allowed?
}
subject
{
access
.
allowed?
}
context
'when the user cannot be found'
do
context
'when the user cannot be found'
do
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_email
).
and_return
(
nil
)
end
end
it
{
is_expected
.
to
be_falsey
}
it
{
is_expected
.
to
be_falsey
}
...
@@ -54,7 +64,7 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -54,7 +64,7 @@ describe Gitlab::Auth::LDAP::Access do
end
end
end
end
context
'and has no disabled flag in active diretory'
do
context
'and has no disabled flag in active dire
c
tory'
do
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:disabled_via_active_directory?
).
and_return
(
false
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:disabled_via_active_directory?
).
and_return
(
false
)
end
end
...
@@ -100,6 +110,7 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -100,6 +110,7 @@ describe Gitlab::Auth::LDAP::Access do
context
'when user cannot be found'
do
context
'when user cannot be found'
do
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_email
).
and_return
(
nil
)
end
end
it
{
is_expected
.
to
be_falsey
}
it
{
is_expected
.
to
be_falsey
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment