Commit b1ff8e31 authored by Dmitriy Zaporozhets

Add ldap check in application_controller and internal api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 0fdab6a7
...@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base ...@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
before_filter :check_password_expiration before_filter :check_password_expiration
around_filter :set_current_user_for_thread around_filter :set_current_user_for_thread
before_filter :add_abilities before_filter :add_abilities
before_filter :ldap_security_check
before_filter :dev_tools if Rails.env == 'development' before_filter :dev_tools if Rails.env == 'development'
before_filter :default_headers before_filter :default_headers
before_filter :add_gon_variables before_filter :add_gon_variables
...@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base ...@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
end end
end end
def ldap_security_check
if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
if gitlab_ldap_access.allowed?(current_user)
gitlab_ldap_access.update_permissions(current_user)
current_user.last_credential_check_at = Time.now
current_user.save
else
sign_out current_user
flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
end
end
end
def event_filter def event_filter
filters = cookies['event_filter'].split(',') if cookies['event_filter'].present? filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
@event_filter ||= EventFilter.new(filters) @event_filter ||= EventFilter.new(filters)
end end
def gitlab_ldap_access
Gitlab::LDAP::Access.new
end
# JSON for infinite scroll via Pager object # JSON for infinite scroll via Pager object
def pager_json(partial, count) def pager_json(partial, count)
html = render_to_string( html = render_to_string(
......
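Review bot: In `ldap_security_check` the result of `current_user.save` on the allowed branch is discarded, so a user record that fails validation never gets `last_credential_check_at` persisted and, presumably, `requires_ldap_check?` stays true and every request for that user becomes an LDAP round-trip. Writing the timestamp with `current_user.update_column(:last_credential_check_at, Time.now)` (or at least checking the return value of `save`) avoids that. Nothing in the hunk handles an unreachable LDAP server; whether `gitlab_ldap_access.allowed?` raises or returns false in that case is not visible here, and it decides whether LDAP users get a 500 or a forced sign-out, so the method deserves a comment stating the intended failure mode, e.g. `# Fails closed: an LDAP error must not leave the session authenticated — confirm Access#allowed? behaviour`.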
...@@ -121,7 +121,6 @@ production: &base ...@@ -121,7 +121,6 @@ production: &base
ldap: ldap:
enabled: false enabled: false
host: '_your_ldap_server' host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636 port: 636
uid: 'sAMAccountName' uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain" method: 'ssl' # "tls" or "ssl" or "plain"
...@@ -138,6 +137,20 @@ production: &base ...@@ -138,6 +137,20 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'. # disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true allow_username_or_email_login: true
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515
# Ex. (employeeType=developer)
#
user_filter: ''
## OmniAuth settings ## OmniAuth settings
omniauth: omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers # Allow login via Twitter, Google, etc. using OmniAuth providers
......
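Review bot: The new `base: ''` default replaces the `_the_base_where_you_search_for_users` placeholder with a value that looks valid but almost certainly is not, since an empty search base is unlikely to match any user; the comment should say the key is required, e.g. `# Base where we can search for users (required when ldap is enabled)`. The `user_filter` comment should also state what an empty value means (no extra filtering, presumably) and note that, with this commit, users the filter does not match lose git access through the internal API, so a mistyped filter locks everyone out; the code applying the filter is not in this file, so confirm before wording it that way.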
...@@ -35,8 +35,14 @@ module API ...@@ -35,8 +35,14 @@ module API
user = key.user user = key.user
return false if user.blocked? return false if user.blocked?
if Gitlab.config.ldap.enabled if Gitlab.config.ldap.enabled
return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid) if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
unless Gitlab::LDAP::Access.new.allowed?(user)
return false
end
end
end end
action = case git_cmd action = case git_cmd
......
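Review bot: The new `Gitlab::LDAP::Access.new.allowed?(user)` call runs on every git access with no throttle, unlike the controller path which is gated by `requires_ldap_check?`, so each push or fetch presumably now costs an LDAP round-trip where the replaced `Gitlab::LDAP::User.blocked?(user.extern_uid)` lookup did one targeted query. If re-checking on every access is deliberate, a comment should say so, e.g. `# Re-check LDAP on every git access; intentionally not throttled like ApplicationController#ldap_security_check`. It is also worth deciding what happens when the LDAP server is down: if `allowed?` raises, this becomes an internal API error rather than a `return false`, and that failure mode should be chosen rather than accidental. The enclosing method starts before this hunk.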