Make SSH keys synchronisation with LDAP not delete keys added by users.

This is done by using a separate LDAPKey model (inherited from Key)
for storing SSH keys which came from LDAP.
These keys can be viewed from user profile, but they can not be deleted.

Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com> (+2 squashed commits)
Squashed commits:
[52b3816] Made SSH key synchronisation with LDAP configurable.

Now it can be turned on or off using configuration option
sync_ssh_keys in ldap section.
The default is off to preserve compatibility with old behaviour.
Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com>
[02f988d] Synchronise LDAP users SSH keys from LDAP automatically.

SSH public keys are synchronised from sshPublicKey LDAP attribute
upon login attempt and during regular LDAP security checks.
New keys are added, old keys not present in LDAP are deleted.

Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com> (+1 squashed commit)
Squashed commits:
[f087fbc] Make Gitlab::LDAP::Person.entry method public.

This is needed to allow access control methods to access
arbitrary LDAP attributes.
Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com>

app/controllers/profiles/keys_controller.rb

@@ -26,7 +26,7 @@ class Profiles::KeysController < ApplicationController
 
   def destroy
     @key = current_user.keys.find(params[:id])
-    @key.destroy
+    @key.destroy unless @key.is_a? LDAPKey
 
     respond_to do |format|
       format.html { redirect_to profile_keys_url }

app/models/ldap_key.rb

+# == Schema Information
+#
+# Table name: keys
+#
+#  id         :integer          not null, primary key
+#  user_id    :integer
+#  created_at :datetime
+#  updated_at :datetime
+#  key        :text
+#  title      :string(255)
+#  identifier :string(255)
+#  type       :string(255)
+#
+
+class LDAPKey < Key
+end

app/views/profiles/keys/index.html.haml

@@ -14,7 +14,7 @@
   .panel-heading
     SSH Keys (#{@keys.count})
   %ul.well-list#keys-table
-    = render @keys
+    = render partial: "key", collection: @keys
     - if @keys.blank?
       %li
         .nothing-here-block There are no SSH keys with access to your account.

config/gitlab.yml.example

@@ -168,6 +168,9 @@ production: &base
     #
     admin_group: ''
 
+    # Allow synchronising SSH public keys with LDAP
+    sync_ssh_keys: false
+
   ## OmniAuth settings
   omniauth:
     # Allow login via Twitter, Google, etc. using OmniAuth providers

lib/gitlab/ldap/access.rb

@@ -24,13 +24,38 @@ module Gitlab
       end
 
       def update_permissions(user)
+        # Get LDAP user entry
+        ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
+
+        if Gitlab.config.ldap['sync_ssh_keys']
+          if ldap_user.entry.respond_to?(:sshpublickey)
+            sshkeys = ldap_user.entry.sshpublickey
+          else
+            sshkeys = []
+          end
+          sshkeys.each do |key|
+            k = user.keys.find_by_key(key)
+            if k && !k.is_a?(LDAPKey)
+              k.destroy
+              k = nil
+            end
+            unless k
+              k = LDAPKey.new(title: "LDAP Key", key: key)
+              k.save
+              user.keys << k
+            end
+          end
+          user.keys.all.each do |k|
+            if k.is_a?(LDAPKey) && !sshkeys.include?(k.key)
+              k.destroy
+            end
+          end
+        end
+
         # Skip updating group permissions
         # if instance does not use group_base setting
         return true unless Gitlab.config.ldap['group_base'].present?
 
-        # Get LDAP user entry
-        ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
-
         # Get all GitLab groups with activated LDAP
         groups = ::Group.where('ldap_cn IS NOT NULL')
 

lib/gitlab/ldap/person.rb

@@ -46,12 +46,12 @@ module Gitlab
         entry.dn
       end
 
-      private
-
       def entry
         @entry
       end
 
+      private
+
       def adapter
         @adapter ||= Gitlab::LDAP::Adapter.new
       end