Commit edaaac2f authored by Oleg Girko, committed by Marvin Frick

Make SSH keys synchronisation with LDAP not delete keys added by users.

This is done by using a separate LDAPKey model (inherited from Key)
for storing SSH keys which came from LDAP.
These keys can be viewed from user profile, but they can not be deleted.

Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com> (+2 squashed commits)
Squashed commits:
[52b3816] Made SSH key synchronisation with LDAP configurable.

Now it can be turned on or off using configuration option
sync_ssh_keys in ldap section.
The default is off to preserve compatibility with old behaviour.
Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com>
[02f988d] Synchronise LDAP users SSH keys from LDAP automatically.

SSH public keys are synchronised from sshPublicKey LDAP attribute
upon login attempt and during regular LDAP security checks.
New keys are added, old keys not present in LDAP are deleted.

Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com> (+1 squashed commit)
Squashed commits:
[f087fbc] Make Gitlab::LDAP::Person.entry method public.

This is needed to allow access control methods to access
arbitrary LDAP attributes.
Signed-off-by: Oleg Girko <oleg.girko@jollamobile.com>
parent 2a79e0e2
......@@ -26,7 +26,7 @@ class Profiles::KeysController < ApplicationController
def destroy
@key = current_user.keys.find(params[:id])
@key.destroy
@key.destroy unless @key.is_a? LDAPKey
respond_to do |format|
format.html { redirect_to profile_keys_url }
......
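Review bot: in `destroy`, when `@key.is_a? LDAPKey` the delete is skipped silently and the action still reaches `redirect_to profile_keys_url`, so a request that did nothing gets the same response as a successful delete. Set a flash alert (or return a forbidden status) in that branch so the user learns the key is managed by LDAP, and so a refused delete is distinguishable in logs from a completed one.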
# == Schema Information
#
# Table name: keys
#
# id :integer not null, primary key
# user_id :integer
# created_at :datetime
# updated_at :datetime
# key :text
# title :string(255)
# identifier :string(255)
# type :string(255)
#
class LDAPKey < Key
end
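Review bot: `class LDAPKey < Key` depends on single-table inheritance through the `type` column listed in the schema comment, but none of the visible hunks contains a migration adding `type` to the `keys` table. If the migration is not elsewhere in this commit, it needs to be added. An empty subclass also deserves a one-line comment saying it marks keys owned by LDAP synchronisation that users must not delete.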
......@@ -14,7 +14,7 @@
.panel-heading
SSH Keys (#{@keys.count})
%ul.well-list#keys-table
= render @keys
= render partial: "key", collection: @keys
- if @keys.blank?
%li
.nothing-here-block There are no SSH keys with access to your account.
......
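Review bot: `render partial: "key", collection: @keys` sends LDAPKey rows through the same `key` partial as user-added keys, and that partial is not part of the visible diff. If it still renders a remove control for every row, users will get a delete link for LDAP keys that the `unless @key.is_a? LDAPKey` guard in the controller then ignores. Hide the control for LDAPKey entries in the partial and label those rows as coming from LDAP.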
......@@ -168,6 +168,9 @@ production: &base
#
admin_group: ''
# Allow synchronising SSH public keys with LDAP
sync_ssh_keys: false
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
......
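Review bot: the comment above `sync_ssh_keys: false` does not say what enabling the option does to existing keys. Document here that the sync reads the `sshPublicKey` attribute, that it runs on login and during the regular LDAP checks, that LDAP-sourced keys no longer present in the directory are deleted, and that users cannot remove LDAP-sourced keys from their profile. An administrator switching this on is changing who controls SSH access and should be able to see that from the config file.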
......@@ -24,13 +24,38 @@ module Gitlab
end
def update_permissions(user)
# Get LDAP user entry
ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
if Gitlab.config.ldap['sync_ssh_keys']
if ldap_user.entry.respond_to?(:sshpublickey)
sshkeys = ldap_user.entry.sshpublickey
else
sshkeys = []
end
sshkeys.each do |key|
k = user.keys.find_by_key(key)
if k && !k.is_a?(LDAPKey)
k.destroy
k = nil
end
unless k
k = LDAPKey.new(title: "LDAP Key", key: key)
k.save
user.keys << k
end
end
user.keys.all.each do |k|
if k.is_a?(LDAPKey) && !sshkeys.include?(k.key)
k.destroy
end
end
end
# Skip updating group permissions
# if instance does not use group_base setting
return true unless Gitlab.config.ldap['group_base'].present?
# Get LDAP user entry
ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
# Get all GitLab groups with activated LDAP
groups = ::Group.where('ldap_cn IS NOT NULL')
......
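Review bot: at the top of `update_permissions`, `ldap_user.entry` is called with no check that `find_by_dn` returned a person, and the new lookup drops the `adapter` argument that the removed `find_by_dn(user.extern_uid, adapter)` call passed. Guard with something like `return false unless ldap_user` and keep passing `adapter`. Two further points in the same block: when `user.keys.find_by_key(key)` matches a key the user added, that key is destroyed and replaced with an LDAPKey, so it disappears once it is later removed from LDAP, which is at odds with the stated goal of not deleting user-added keys; and the result of `k.save` is ignored before `user.keys << k`, so an invalid `sshPublicKey` value fails without any log entry.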
......@@ -46,12 +46,12 @@ module Gitlab
entry.dn
end
private
def entry
@entry
end
private
def adapter
@adapter ||= Gitlab::LDAP::Adapter.new
end
......
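Review bot: moving `entry` above `private` exposes the raw LDAP entry, with every attribute it carries, to all callers of `Gitlab::LDAP::Person`. The sync code only reads `sshpublickey`, so a narrow public reader on Person (for example a hypothetical `ssh_keys` method that returns the attribute values or an empty array) would keep `entry` private and would also remove the `respond_to?(:sshpublickey)` branch from `update_permissions`.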