Merge branch 'ldap-attributes' into 'master'

Allow configuration of LDAP attributes GitLab will use for the new user account.

Fixes #2412.

See merge request !1261

CHANGELOG

@@ -56,6 +56,7 @@ v 7.14.3
 
 v 7.14.2
   - Upgrade gitlab_git to 7.2.15 to fix `git blame` errors with ISO-encoded files (Stan Hu)
+  - Allow configuration of LDAP attributes GitLab will use for the new user account.
 
 v 7.14.1
   - Improve abuse reports management from admin area

config/gitlab.yml.example

@@ -159,7 +159,7 @@ production: &base
         method: 'plain' # "tls" or "ssl" or "plain"
         bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
         password: '_the_password_of_the_bind_user'
-
+          
         # This setting specifies if LDAP server is Active Directory LDAP server.
         # For non AD servers it skips the AD specific queries.
         # If your LDAP server is not AD, set this to false.
@@ -196,6 +196,26 @@ production: &base
         #
         user_filter: ''
 
+        # LDAP attributes that GitLab will use to create an account for the LDAP user.
+        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
+        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
+        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
+        attributes:
+          # The username will be used in paths for the user's own projects
+          # (like `gitlab.example.com/username/project`) and when mentioning
+          # them in issues, merge request and comments (like `@username`).
+          # If the attribute specified for `username` contains an email address, 
+          # the GitLab username will be the part of the email address before the '@'.
+          username: ['uid', 'userid', 'sAMAccountName']
+          email:    ['mail', 'email', 'userPrincipalName']
+
+          # If no full name could be found at the attribute specified for `name`,
+          # the full name is determined using the attributes specified for 
+          # `first_name` and `last_name`.
+          name:       'cn'
+          first_name: 'givenName'
+          last_name:  'sn'
+
       # GitLab EE only: add more LDAP servers
       # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
       # so that GitLab can remember which LDAP server a user belongs to.

config/initializers/1_settings.rb

@@ -109,6 +109,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
     server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
     server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
     server['active_directory'] = true if server['active_directory'].nil?
+    server['attributes'] = {} if server['attributes'].nil?
     server['provider_name'] ||= "ldap#{key}".downcase
     server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
   end

doc/integration/ldap.md

@@ -78,6 +78,26 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
   #
   user_filter: ''
 
+  # LDAP attributes that GitLab will use to create an account for the LDAP user.
+  # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
+  # or an array of attribute names to try in order (e.g. ['mail', 'email']).
+  # Note that the user's LDAP login will always be the attribute specified as `uid` above.
+  attributes:
+    # The username will be used in paths for the user's own projects
+    # (like `gitlab.example.com/username/project`) and when mentioning
+    # them in issues, merge request and comments (like `@username`).
+    # If the attribute specified for `username` contains an email address, 
+    # the GitLab username will be the part of the email address before the '@'.
+    username: ['uid', 'userid', 'sAMAccountName']
+    email:    ['mail', 'email', 'userPrincipalName']
+
+    # If no full name could be found at the attribute specified for `name`,
+    # the full name is determined using the attributes specified for 
+    # `first_name` and `last_name`.
+    name:       'cn'
+    first_name: 'givenName'
+    last_name:  'sn'
+
 # GitLab EE only: add more LDAP servers
 # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
 # so that GitLab can remember which LDAP server a user belongs to.

lib/gitlab/ldap/auth_hash.rb

@@ -0,0 +1,35 @@
+# Class to parse and transform the info provided by omniauth
+#
+module Gitlab
+  module LDAP
+    class AuthHash < Gitlab::OAuth::AuthHash
+      private
+
+      def get_info(key)
+        attributes = ldap_config.attributes[key]
+        return super unless attributes
+
+        attributes = Array(attributes)
+
+        value = nil
+        attributes.each do |attribute|
+          value = get_raw(attribute)
+          break if value.present?
+        end
+        
+        return super unless value
+
+        Gitlab::Utils.force_utf8(value)
+        value
+      end
+
+      def get_raw(key)
+        auth_hash.extra[:raw_info][key]
+      end
+
+      def ldap_config
+        @ldap_config ||= Gitlab::LDAP::Config.new(self.provider)
+      end
+    end
+  end
+end

lib/gitlab/ldap/config.rb

@@ -84,6 +84,10 @@ module Gitlab
         options['block_auto_created_users']
       end
 
+      def attributes
+        options['attributes']
+      end
+
       protected
       def base_config
         Gitlab.config.ldap

lib/gitlab/ldap/user.rb

@@ -71,6 +71,10 @@ module Gitlab
       def ldap_config
         Gitlab::LDAP::Config.new(auth_hash.provider)
       end
+
+      def auth_hash=(auth_hash)
+        @auth_hash = Gitlab::LDAP::AuthHash.new(auth_hash)
+      end
     end
   end
 end

lib/gitlab/o_auth/auth_hash.rb

@@ -16,16 +16,6 @@ module Gitlab
         @provider ||= Gitlab::Utils.force_utf8(auth_hash.provider.to_s)
       end
 
-      def info
-        auth_hash.info
-      end
-
-      def get_info(key)
-        value = info.try(key)
-        Gitlab::Utils.force_utf8(value) if value
-        value
-      end
-
       def name
         @name ||= get_info(:name) || "#{get_info(:first_name)} #{get_info(:last_name)}"
       end
@@ -44,9 +34,19 @@ module Gitlab
 
       private
 
+      def info
+        auth_hash.info
+      end
+
+      def get_info(key)
+        value = info[key]
+        Gitlab::Utils.force_utf8(value) if value
+        value
+      end
+
       def username_and_email
         @username_and_email ||= begin
-          username  = get_info(:nickname) || get_info(:username)
+          username  = get_info(:username) || get_info(:nickname)
           email     = get_info(:email)
 
           username ||= generate_username(email)             if email

spec/lib/gitlab/ldap/auth_hash_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe Gitlab::LDAP::AuthHash do
+  let(:auth_hash) do
+    Gitlab::LDAP::AuthHash.new(
+      OmniAuth::AuthHash.new(
+        uid: '123456', 
+        provider: 'ldapmain', 
+        info: info,
+        extra: {
+          raw_info: raw_info
+        }
+      )
+    )
+  end
+
+  let(:info) do
+    {
+      name:     'Smith, J.',
+      email:    'johnsmith@example.com',
+      nickname: '123456'
+    }
+  end
+
+  let(:raw_info) do
+    {
+      uid:      '123456',
+      email:    'johnsmith@example.com',
+      cn:       'Smith, J.',
+      fullName: 'John Smith'
+    }
+  end
+
+  context "without overridden attributes" do
+
+    it "has the correct username" do
+      expect(auth_hash.username).to eq("123456") 
+    end
+
+    it "has the correct name" do
+      expect(auth_hash.name).to eq("Smith, J.") 
+    end
+  end
+
+  context "with overridden attributes" do
+    let(:attributes) do
+      {
+        username: ['mail', 'email'],
+        name:     'fullName'
+      }
+    end
+
+    before do
+      allow_any_instance_of(Gitlab::LDAP::Config).to receive(:attributes).and_return(attributes)
+    end
+
+    it "has the correct username" do
+      expect(auth_hash.username).to eq("johnsmith@example.com") 
+    end
+
+    it "has the correct name" do
+      expect(auth_hash.name).to eq("John Smith") 
+    end
+  end
+end

spec/lib/gitlab/ldap/user_spec.rb

@@ -11,7 +11,7 @@ describe Gitlab::LDAP::User do
     }
   end
   let(:auth_hash) do
-    double(uid: 'my-uid', provider: 'ldapmain', info: double(info))
+    OmniAuth::AuthHash.new(uid: 'my-uid', provider: 'ldapmain', info: info)
   end
 
   describe :changed? do

spec/lib/gitlab/o_auth/auth_hash_spec.rb

@@ -3,11 +3,11 @@ require 'spec_helper'
 describe Gitlab::OAuth::AuthHash do
   let(:auth_hash) do
     Gitlab::OAuth::AuthHash.new(
-      double({
+      OmniAuth::AuthHash.new(
         provider: provider_ascii,
         uid: uid_ascii,
-        info: double(info_hash)
-      })
+        info: info_hash
+      )
     )
   end
 

spec/lib/gitlab/o_auth/user_spec.rb

@@ -5,7 +5,7 @@ describe Gitlab::OAuth::User do
   let(:gl_user) { oauth_user.gl_user }
   let(:uid) { 'my-uid' }
   let(:provider) { 'my-provider' }
-  let(:auth_hash) { double(uid: uid, provider: provider, info: double(info_hash)) }
+  let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) }
   let(:info_hash) do
     {
       nickname: '-john+gitlab-ETC%.git@gmail.com',