kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add ldap check in application_controller and internal api

Browse source 
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
This commit is contained in:
Dmitriy Zaporozhets 2014-03-10 17:10:23 +02:00
parent 0fdab6a747
commit b1ff8e31b1
No known key found for this signature in database
GPG key ID: 627C5F589F467F17
3 changed files with 40 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
app/controllers/application_controller.rb
View file

@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
before_filter :check_password_expiration before_filter :check_password_expiration
around_filter :set_current_user_for_thread around_filter :set_current_user_for_thread
before_filter :add_abilities before_filter :add_abilities
before_filter :ldap_security_check
before_filter :dev_tools if Rails.env == 'development' before_filter :dev_tools if Rails.env == 'development'
before_filter :default_headers before_filter :default_headers
before_filter :add_gon_variables before_filter :add_gon_variables
@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
end end
end end
def ldap_security_check
if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
if gitlab_ldap_access.allowed?(current_user)
gitlab_ldap_access.update_permissions(current_user)
current_user.last_credential_check_at = Time.now
current_user.save
else
sign_out current_user
flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
end
end
end
def event_filter def event_filter
filters = cookies['event_filter'].split(',') if cookies['event_filter'].present? filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
@event_filter ||= EventFilter.new(filters) @event_filter ||= EventFilter.new(filters)
end end
def gitlab_ldap_access
Gitlab::LDAP::Access.new
end
# JSON for infinite scroll via Pager object # JSON for infinite scroll via Pager object
def pager_json(partial, count) def pager_json(partial, count)
html = render_to_string( html = render_to_string(

15
config/gitlab.yml.example
View file

@ -121,7 +121,6 @@ production: &base
ldap: ldap:
enabled: false enabled: false
host: '_your_ldap_server' host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636 port: 636
uid: 'sAMAccountName' uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain" method: 'ssl' # "tls" or "ssl" or "plain"
@ -138,6 +137,20 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'. # disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true allow_username_or_email_login: true
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515
# Ex. (employeeType=developer)
#
user_filter: ''
## OmniAuth settings ## OmniAuth settings
omniauth: omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers # Allow login via Twitter, Google, etc. using OmniAuth providers

8
lib/api/internal.rb
View file

@ -35,8 +35,14 @@ module API
user = key.user user = key.user
return false if user.blocked? return false if user.blocked?
if Gitlab.config.ldap.enabled if Gitlab.config.ldap.enabled
return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid) if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
unless Gitlab::LDAP::Access.new.allowed?(user)
return false
end
end
end end
action = case git_cmd action = case git_cmd