Add config var to block auto-created LDAP users.
parent
c43411e97a
commit
238e4f0295
@ -1,6 +1,7 @@
Please view this file on the master branch, on stable branches it's out of date.
Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased)
v 7.10.0 (unreleased)
- Add config var to block auto-created LDAP users.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix persistent XSS vulnerability around profile website URLs.
- Fix persistent XSS vulnerability around profile website URLs.
- Fix project import URL regex to prevent arbitary local repos from being imported.
- Fix project import URL regex to prevent arbitary local repos from being imported.
@ -146,6 +146,9 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'.
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
allow_username_or_email_login: false
# Locks down those users until they have been cleared by the admin (default: false).
block_auto_created_users: false
# Base where we can search for users
# Base where we can search for users
#
#
# Ex. ou=People,dc=gitlab,dc=example
# Ex. ou=People,dc=gitlab,dc=example
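Review bot: The added comment `# Locks down those users until they have been cleared by the admin (default: false).` has no antecedent for "those users" — the context lines just above it describe `allow_username_or_email_login`, so a reader of the example config cannot tell which accounts the setting affects. Suggest `# Block users auto-created from this LDAP server until an admin unblocks them (default: false).` The setting appears to be per-server, going by the initializer default added in this commit; the enclosing `production: &base` block starts outside the hunk.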
@ -76,6 +76,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
Settings.ldap['servers'].each do |key, server|
Settings.ldap['servers'].each do |key, server|
server['label'] ||= 'LDAP'
server['label'] ||= 'LDAP'
server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['active_directory'] = true if server['active_directory'].nil?
server['active_directory'] = true if server['active_directory'].nil?
server['provider_name'] ||= "ldap#{key}".downcase
server['provider_name'] ||= "ldap#{key}".downcase
@ -80,6 +80,10 @@ module Gitlab
options['active_directory']
options['active_directory']
end
end
def block_auto_created_users
options['block_auto_created_users']
end
protected
protected
def base_config
def base_config
Gitlab.config.ldap
Gitlab.config.ldap
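Review bot: The new `block_auto_created_users` reader has no doc comment, and unlike the sibling `active_directory` above it, its meaning is not obvious from the name alone — it decides whether an account created from this server starts out blocked. Suggest a one-line comment above the method: `# Whether accounts auto-created from this LDAP server are blocked until an admin unblocks them; the initializer normalizes a missing value to false.` The value is read straight from `options`, so any normalization relies on the `1_settings.rb` change in this commit. The enclosing `module Gitlab` and class start outside the hunk.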
@ -55,13 +55,17 @@ module Gitlab
gl_user.changed? || gl_user.identities.any?(&:changed?)
gl_user.changed? || gl_user.identities.any?(&:changed?)
end
end
def needs_blocking?
def block_after_signup?
false
ldap_config.block_auto_created_users
end
end
def allowed?
def allowed?
Gitlab::LDAP::Access.allowed?(gl_user)
Gitlab::LDAP::Access.allowed?(gl_user)
end
end
def ldap_config
Gitlab::LDAP::Config.new(auth_hash.provider)
end
end
end
end
end
end
end
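Review bot: The hook is renamed from `needs_blocking?` to `block_after_signup?`, but the code that invokes it is not in this commit, so the new setting takes effect only if the caller (presumably a superclass) already dispatches on the new name — the 'block on create' spec added in this commit would catch a mismatch, which is the one thing that keeps this safe. As a point of style, `ldap_config` constructs a fresh `Gitlab::LDAP::Config.new(auth_hash.provider)` on every call; since the provider does not change for an instance, `@ldap_config ||= Gitlab::LDAP::Config.new(auth_hash.provider)` would avoid re-reading the configuration. A one-line comment above `block_after_signup?`, e.g. `# True when this server's config asks for auto-created accounts to start blocked.`, would tie the predicate to the setting. The enclosing class starts outside the hunk.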
@ -1,7 +1,8 @@
require 'spec_helper'
require 'spec_helper'
describe Gitlab::LDAP::User do
describe Gitlab::LDAP::User do
let(:gl_user) { Gitlab::LDAP::User.new(auth_hash) }
let(:ldap_user) { Gitlab::LDAP::User.new(auth_hash) }
let(:gl_user) { ldap_user.gl_user }
let(:info) do
let(:info) do
{
{
name: 'John',
name: 'John',
@ -16,17 +17,17 @@ describe Gitlab::LDAP::User do
describe :changed? do
describe :changed? do
it "marks existing ldap user as changed" do
it "marks existing ldap user as changed" do
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
expect(gl_user.changed?).to be_truthy
expect(ldap_user.changed?).to be_truthy
end
end
it "marks existing non-ldap user if the email matches as changed" do
it "marks existing non-ldap user if the email matches as changed" do
existing_user = create(:user, email: 'john@example.com')
existing_user = create(:user, email: 'john@example.com')
expect(gl_user.changed?).to be_truthy
expect(ldap_user.changed?).to be_truthy
end
end
it "dont marks existing ldap user as changed" do
it "dont marks existing ldap user as changed" do
existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'my-uid', provider: 'ldapmain')
existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'my-uid', provider: 'ldapmain')
expect(gl_user.changed?).to be_falsey
expect(ldap_user.changed?).to be_falsey
end
end
end
end
@ -34,12 +35,12 @@ describe Gitlab::LDAP::User do
it "finds the user if already existing" do
it "finds the user if already existing" do
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
expect{ gl_user.save }.to_not change{ User.count }
expect{ ldap_user.save }.to_not change{ User.count }
end
end
it "connects to existing non-ldap user if the email matches" do
it "connects to existing non-ldap user if the email matches" do
existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
expect{ gl_user.save }.to_not change{ User.count }
expect{ ldap_user.save }.to_not change{ User.count }
existing_user.reload
existing_user.reload
expect(existing_user.ldap_identity.extern_uid).to eql 'my-uid'
expect(existing_user.ldap_identity.extern_uid).to eql 'my-uid'
@ -47,7 +48,59 @@ describe Gitlab::LDAP::User do
end
end
it "creates a new user if not found" do
it "creates a new user if not found" do
expect{ gl_user.save }.to change{ User.count }.by(1)
expect{ ldap_user.save }.to change{ User.count }.by(1)
end
end
describe 'blocking' do
context 'signup' do
context 'dont block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: false }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
context 'block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: true }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).to be_blocked
end
end
end
context 'sign-in' do
before do
ldap_user.save
ldap_user.gl_user.activate
end
context 'dont block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: false }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
context 'block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: true }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
end
end
end
end
end
end
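Review bot: In the new `describe 'blocking'` group the four examples are bare `it do` blocks, and under `context 'sign-in'` the inner contexts keep the names 'dont block on create' / 'block on create' although both assert `not_to be_blocked` — a failure report will read as if the "block on create" case is supposed to block. Name the examples after the behaviour, e.g. `it 'leaves the user unblocked'` / `it 'blocks the user'` in the 'signup' group, and rename the sign-in contexts to something like `context 'with block_auto_created_users enabled'` with `it 'does not re-block an already active user'`. Note also that the outer `before` in 'sign-in' runs `ldap_user.save` and `activate` before the inner `before` installs the `Config.any_instance.stub`, so that first save runs against whatever config the test environment has; a short comment such as `# initial save + activate happen under the unstubbed config on purpose: we test re-sign-in of an already active user` would keep the next reader from "fixing" the hook order.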