Minimize CE/EE difference in Gitlab::Auth::LDAP::Access

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable 2018-05-18 16:26:44 +02:00
parent dfdbf198b3
commit 8b287679a1
No known key found for this signature in database
GPG key ID: 98DFFD1C0C62B70B
2 changed files with 43 additions and 11 deletions


@ -6,7 +6,7 @@ module Gitlab
module Auth module Auth
module LDAP module LDAP
class Access class Access
attr_reader :provider, :user attr_reader :provider, :user, :ldap_identity
def self.open(user, &block) def self.open(user, &block)
Gitlab::Auth::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter| Gitlab::Auth::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
@ -14,9 +14,12 @@ module Gitlab
end end
end end
def self.allowed?(user) def self.allowed?(user, options = {})
self.open(user) do |access| self.open(user) do |access|
# Whether user is allowed, or not, we should update
# permissions to keep things clean
if access.allowed? if access.allowed?
access.update_user
Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
true true
@ -29,7 +32,8 @@ module Gitlab
def initialize(user, adapter = nil) def initialize(user, adapter = nil)
@adapter = adapter @adapter = adapter
@user = user @user = user
@provider = user.ldap_identity.provider @ldap_identity = user.ldap_identity
@provider = adapter&.provider || ldap_identity&.provider
end end
def allowed? def allowed?
@ -40,7 +44,7 @@ module Gitlab
end end
# Block user in GitLab if he/she was blocked in AD # Block user in GitLab if he/she was blocked in AD
if Gitlab::Auth::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter) if Gitlab::Auth::LDAP::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
block_user(user, 'is disabled in Active Directory') block_user(user, 'is disabled in Active Directory')
false false
else else
@ -64,27 +68,44 @@ module Gitlab
Gitlab::Auth::LDAP::Config.new(provider) Gitlab::Auth::LDAP::Config.new(provider)
end end
def find_ldap_user
Gitlab::Auth::LDAP::Person.find_by_dn(ldap_identity.extern_uid, adapter)
end
def ldap_user def ldap_user
@ldap_user ||= Gitlab::Auth::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter) return unless provider
@ldap_user ||= find_ldap_user
end end
def block_user(user, reason) def block_user(user, reason)
user.ldap_block user.ldap_block
if provider
Gitlab::AppLogger.info( Gitlab::AppLogger.info(
"LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \ "LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"blocking Gitlab user \"#{user.name}\" (#{user.email})" "blocking Gitlab user \"#{user.name}\" (#{user.email})"
) )
else
Gitlab::AppLogger.info(
"Account is not provided by LDAP, " \
"blocking Gitlab user \"#{user.name}\" (#{user.email})"
)
end
end end
def unblock_user(user, reason) def unblock_user(user, reason)
user.activate user.activate
Gitlab::AppLogger.info( Gitlab::AppLogger.info(
"LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \ "LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"unblocking Gitlab user \"#{user.name}\" (#{user.email})" "unblocking Gitlab user \"#{user.name}\" (#{user.email})"
) )
end end
def update_user
# no-op in CE
end
end end
end end
end end
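Review bot: In the new `block_user`, the `if provider` branch dereferences `ldap_identity.extern_uid` for the log line, but `initialize` now derives `provider` from `adapter&.provider` first, so `provider` can be set while `ldap_identity` is nil and the logger call raises NoMethodError after `user.ldap_block` has already run, leaving the block unrecorded in the log. The branch condition should match what the body actually needs: `if ldap_identity`. `unblock_user` and the `disabled_via_active_directory?` call in `allowed?` also read `ldap_identity.extern_uid` unguarded; if the adapter-only construction is reachable in CE they need the same check, though `allowed?` starts outside the hunk so its earlier guards are not visible here. Separately, the comment added to `self.allowed?` says permissions are updated "whether user is allowed, or not", but `access.update_user` sits inside the `if access.allowed?` branch; either move the call above the `if` or reword the comment to say the update runs only for allowed users.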


@ -8,6 +8,7 @@ describe Gitlab::Auth::LDAP::Access do
describe '.allowed?' do describe '.allowed?' do
it 'updates the users `last_credential_check_at' do it 'updates the users `last_credential_check_at' do
allow(access).to receive(:update_user)
expect(access).to receive(:allowed?) { true } expect(access).to receive(:allowed?) { true }
expect(described_class).to receive(:open).and_yield(access) expect(described_class).to receive(:open).and_yield(access)
@ -16,12 +17,21 @@ describe Gitlab::Auth::LDAP::Access do
end end
end end
describe '#find_ldap_user' do
it 'finds a user by dn first' do
expect(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(:ldap_user)
access.find_ldap_user
end
end
describe '#allowed?' do describe '#allowed?' do
subject { access.allowed? } subject { access.allowed? }
context 'when the user cannot be found' do context 'when the user cannot be found' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil) allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil)
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_email).and_return(nil)
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
@ -54,7 +64,7 @@ describe Gitlab::Auth::LDAP::Access do
end end
end end
context 'and has no disabled flag in active diretory' do context 'and has no disabled flag in active directory' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false) allow(Gitlab::Auth::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false)
end end
@ -100,6 +110,7 @@ describe Gitlab::Auth::LDAP::Access do
context 'when user cannot be found' do context 'when user cannot be found' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil) allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil)
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_email).and_return(nil)
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
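Review bot: The new `#find_ldap_user` example stubs `find_by_dn` to return `:ldap_user` but never checks what `access.find_ldap_user` returns, so a wrong return value would still pass; `expect(access.find_ldap_user).to eq(:ldap_user)` pins it. The `find_by_email` stubs added to the two 'user cannot be found' contexts have no caller in the CE `find_ldap_user` shown in the other file, so they presumably exist for an EE override; a one-line comment such as `# find_by_email is only used by the EE override of #find_ldap_user` would save the next reader a search.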