Add ldap check in application_controller and internal api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-03-10 17:10:23 +02:00 · 2014-03-10 17:10:23 +02:00 · b1ff8e31b1
commit b1ff8e31b1
parent 0fdab6a747
3 changed files with 40 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
  before_filter :check_password_expiration
  around_filter :set_current_user_for_thread
  before_filter :add_abilities
+  before_filter :ldap_security_check
  before_filter :dev_tools if Rails.env == 'development'
  before_filter :default_headers
  before_filter :add_gon_variables
@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
    end
  end

+  def ldap_security_check
+    if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
+      if gitlab_ldap_access.allowed?(current_user)
+        gitlab_ldap_access.update_permissions(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
+  end
+
  def event_filter
    filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
    @event_filter ||= EventFilter.new(filters)
  end

+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
+
  # JSON for infinite scroll via Pager object
  def pager_json(partial, count)
    html = render_to_string(
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@ -121,7 +121,6 @@ production: &base
  ldap:
    enabled: false
    host: '_your_ldap_server'
-    base: '_the_base_where_you_search_for_users'
    port: 636
    uid: 'sAMAccountName'
    method: 'ssl' # "tls" or "ssl" or "plain"
@ -138,6 +137,20 @@ production: &base
    # disable this setting, because the userPrincipalName contains an '@'.
    allow_username_or_email_login: true

+    # Base where we can search for users
+    #
+    #   Ex. ou=People,dc=gitlab,dc=example
+    #
+    base: ''
+
+    # Filter LDAP users
+    #
+    #   Format: RFC 4515
+    #   Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
+
  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@ -35,8 +35,14 @@ module API
          user = key.user

          return false if user.blocked?
+
          if Gitlab.config.ldap.enabled
-            return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+            if user.ldap_user?
+              # Check if LDAP user exists and match LDAP user_filter
+              unless Gitlab::LDAP::Access.new.allowed?(user)
+                return false
+              end
+            end
          end

          action = case git_cmd