Obtain lease before querying LDAP

bf253a10 · Jacob Vosmaer · 73c777cf · bf253a10 · bf253a10 · bf253a10
Commit bf253a10 authored Mar 11, 2016 by Jacob Vosmaer
Showing with 10 additions and 1 deletion

app/controllers/application_controller.rb app/controllers/application_controller.rb +2 -0

app/models/user.rb app/models/user.rb +7 -0

lib/gitlab/user_access.rb lib/gitlab/user_access.rb +1 -1

No files found.
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -246,6 +246,8 @@ class ApplicationController < ActionController::Base

  def ldap_security_check
    if current_user && current_user.requires_ldap_check?
+      return unless current_user.try_obtain_ldap_lease
+
      unless Gitlab::LDAP::Access.allowed?(current_user)
        sign_out current_user
        flash[:alert] = "Access denied for your LDAP account."

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -603,6 +603,13 @@ class User < ActiveRecord::Base
    end
  end

+  def try_obtain_ldap_lease
+    # After obtaining this lease LDAP checks will be blocked for 600 seconds
+    # (10 minutes) for this user.
+    lease = Gitlab::ExclusiveLease.new("user_ldap_check:#{id}", timeout: 600)
+    lease.try_obtain
+  end
+
  def solo_owned_groups
    @solo_owned_groups ||= owned_groups.select do |group|
      group.owners == [self]

--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -3,7 +3,7 @@ module Gitlab
    def self.allowed?(user)
      return false if user.blocked?

-      if user.requires_ldap_check?
+      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
      end