Commit 4ab22a8c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'ldap-block_auto_created_users' into 'master'

Add config var to block auto-created LDAP users.

Addresses private issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2110.

See merge request !522
parents 27055005 55d086ba
...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased) v 7.10.0 (unreleased)
- Allow users to be invited by email to join a group or project. - Allow users to be invited by email to join a group or project.
- Don't crash when project repository doesn't exist. - Don't crash when project repository doesn't exist.
- Add config var to block auto-created LDAP users.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix persistent XSS vulnerability around profile website URLs. - Fix persistent XSS vulnerability around profile website URLs.
- Fix project import URL regex to prevent arbitary local repos from being imported. - Fix project import URL regex to prevent arbitary local repos from being imported.
......
...@@ -146,6 +146,11 @@ production: &base ...@@ -146,6 +146,11 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'. # disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users # Base where we can search for users
# #
# Ex. ou=People,dc=gitlab,dc=example # Ex. ou=People,dc=gitlab,dc=example
......
...@@ -76,6 +76,7 @@ if Settings.ldap['enabled'] || Rails.env.test? ...@@ -76,6 +76,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
Settings.ldap['servers'].each do |key, server| Settings.ldap['servers'].each do |key, server|
server['label'] ||= 'LDAP' server['label'] ||= 'LDAP'
server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil? server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['active_directory'] = true if server['active_directory'].nil? server['active_directory'] = true if server['active_directory'].nil?
server['provider_name'] ||= "ldap#{key}".downcase server['provider_name'] ||= "ldap#{key}".downcase
......
...@@ -51,6 +51,11 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server ...@@ -51,6 +51,11 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
# disable this setting, because the userPrincipalName contains an '@'. # disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users # Base where we can search for users
# #
# Ex. ou=People,dc=gitlab,dc=example # Ex. ou=People,dc=gitlab,dc=example
......
...@@ -80,6 +80,10 @@ module Gitlab ...@@ -80,6 +80,10 @@ module Gitlab
options['active_directory'] options['active_directory']
end end
def block_auto_created_users
options['block_auto_created_users']
end
protected protected
def base_config def base_config
Gitlab.config.ldap Gitlab.config.ldap
......
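Review bot: `block_auto_created_users` returns whatever `options['block_auto_created_users']` holds, which is `nil` rather than `false` whenever a Config is built from a server hash that did not pass through the defaulting loop in `1_settings.rb`, yet its caller uses the value as a predicate. Coerce at the source so the accessor has a defined boolean contract: `!!options['block_auto_created_users']`, or `options.fetch('block_auto_created_users', false)`. A short comment above the method, `# @return [Boolean] whether users auto-created from this LDAP server start out blocked`, would document the intent for the next reader. The enclosing class body continues outside the hunk.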
...@@ -39,6 +39,8 @@ module Gitlab ...@@ -39,6 +39,8 @@ module Gitlab
end end
def update_user_attributes def update_user_attributes
return unless persisted?
gl_user.skip_reconfirmation! gl_user.skip_reconfirmation!
gl_user.email = auth_hash.email gl_user.email = auth_hash.email
...@@ -53,13 +55,17 @@ module Gitlab ...@@ -53,13 +55,17 @@ module Gitlab
gl_user.changed? || gl_user.identities.any?(&:changed?) gl_user.changed? || gl_user.identities.any?(&:changed?)
end end
def needs_blocking? def block_after_signup?
false ldap_config.block_auto_created_users
end end
def allowed? def allowed?
Gitlab::LDAP::Access.allowed?(gl_user) Gitlab::LDAP::Access.allowed?(gl_user)
end end
def ldap_config
Gitlab::LDAP::Config.new(auth_hash.provider)
end
end end
end end
end end
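Review bot: `ldap_config` builds a fresh `Gitlab::LDAP::Config` for `auth_hash.provider` on every call, so each `block_after_signup?` evaluation re-reads the server options; memoize it as `@ldap_config ||= Gitlab::LDAP::Config.new(auth_hash.provider)`, since the provider does not change over the lifetime of this object. The rename from `needs_blocking?` to `block_after_signup?` presumably has a caller in the OAuth base class that is not part of this diff; the spec's sign-in cases only hold if that caller consults the predicate solely when `gl_user` is first created, so if that is the contract, state it above the method, e.g. `# Consulted only while gl_user is being created; existing users are not re-blocked here.` The `return unless persisted?` guard in the earlier hunk belongs to `update_user_attributes`, whose body continues outside the hunk.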
require 'spec_helper' require 'spec_helper'
describe Gitlab::LDAP::User do describe Gitlab::LDAP::User do
let(:gl_user) { Gitlab::LDAP::User.new(auth_hash) } let(:ldap_user) { Gitlab::LDAP::User.new(auth_hash) }
let(:gl_user) { ldap_user.gl_user }
let(:info) do let(:info) do
{ {
name: 'John', name: 'John',
...@@ -16,17 +17,17 @@ describe Gitlab::LDAP::User do ...@@ -16,17 +17,17 @@ describe Gitlab::LDAP::User do
describe :changed? do describe :changed? do
it "marks existing ldap user as changed" do it "marks existing ldap user as changed" do
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain') existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
expect(gl_user.changed?).to be_truthy expect(ldap_user.changed?).to be_truthy
end end
it "marks existing non-ldap user if the email matches as changed" do it "marks existing non-ldap user if the email matches as changed" do
existing_user = create(:user, email: 'john@example.com') existing_user = create(:user, email: 'john@example.com')
expect(gl_user.changed?).to be_truthy expect(ldap_user.changed?).to be_truthy
end end
it "dont marks existing ldap user as changed" do it "dont marks existing ldap user as changed" do
existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'my-uid', provider: 'ldapmain') existing_user = create(:omniauth_user, email: 'john@example.com', extern_uid: 'my-uid', provider: 'ldapmain')
expect(gl_user.changed?).to be_falsey expect(ldap_user.changed?).to be_falsey
end end
end end
...@@ -34,12 +35,12 @@ describe Gitlab::LDAP::User do ...@@ -34,12 +35,12 @@ describe Gitlab::LDAP::User do
it "finds the user if already existing" do it "finds the user if already existing" do
existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain') existing_user = create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
expect{ gl_user.save }.to_not change{ User.count } expect{ ldap_user.save }.to_not change{ User.count }
end end
it "connects to existing non-ldap user if the email matches" do it "connects to existing non-ldap user if the email matches" do
existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter") existing_user = create(:omniauth_user, email: 'john@example.com', provider: "twitter")
expect{ gl_user.save }.to_not change{ User.count } expect{ ldap_user.save }.to_not change{ User.count }
existing_user.reload existing_user.reload
expect(existing_user.ldap_identity.extern_uid).to eql 'my-uid' expect(existing_user.ldap_identity.extern_uid).to eql 'my-uid'
...@@ -47,7 +48,59 @@ describe Gitlab::LDAP::User do ...@@ -47,7 +48,59 @@ describe Gitlab::LDAP::User do
end end
it "creates a new user if not found" do it "creates a new user if not found" do
expect{ gl_user.save }.to change{ User.count }.by(1) expect{ ldap_user.save }.to change{ User.count }.by(1)
end
end
describe 'blocking' do
context 'signup' do
context 'dont block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: false }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
context 'block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: true }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).to be_blocked
end
end
end
context 'sign-in' do
before do
ldap_user.save
ldap_user.gl_user.activate
end
context 'dont block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: false }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
context 'block on create' do
before { Gitlab::LDAP::Config.any_instance.stub block_auto_created_users: true }
it do
ldap_user.save
expect(gl_user).to be_valid
expect(gl_user).not_to be_blocked
end
end
end end
end end
end end
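Review bot: The four new examples in the `blocking` describe are bare `it do` blocks, so a failure reports only the context path; give each a description, e.g. `it 'creates the user in the blocked state' do` for the block-on-create case and `it 'does not block an already active user' do` for the sign-in cases. The `before` hooks use the legacy `any_instance.stub` syntax; the equivalent modern form is `allow_any_instance_of(Gitlab::LDAP::Config).to receive(:block_auto_created_users).and_return(true)`. No example exercises the unstubbed default, so a regression that flips the `false` default set in `1_settings.rb` would go unnoticed here.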