Merge branch 'ldap_logging' into 'master'

LDAP key logging See merge request !125

Merge branch 'ldap_logging' into 'master'
LDAP key logging See merge request !125
2028c64e · Dmitriy Zaporozhets · 9aa67914 · 41a3c84e · 2028c64e · 2028c64e
Commit 2028c64e authored Jul 09, 2014 by Dmitriy Zaporozhets
4 changed files
--- a/app/models/key.rb
+++ b/app/models/key.rb
@@ -27,6 +27,8 @@ class Key < ActiveRecord::Base
  validates :key, presence: true, length: { within: 0..5000 }, format: { with: /\A(ssh|ecdsa)-.*\Z/ }, uniqueness: true
  validates :fingerprint, uniqueness: true, presence: { message: 'cannot be generated' }

+  scope :ldap, -> { where(type: 'LDAPKey') }
+
  delegate :name, :email, to: :user, prefix: true

  after_create :add_to_shell

--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -62,21 +62,20 @@ module Gitlab
        # Get LDAP user entry
        ldap_user = Gitlab::LDAP::Person.find_by_dn(user.extern_uid)

-        if ldap_user.entry.respond_to?(Gitlab.config.ldap['sync_ssh_keys'].to_sym)
-          sshkeys = ldap_user.entry[Gitlab.config.ldap['sync_ssh_keys'].to_sym]
-        else
-          sshkeys = []
-        end
-        sshkeys.each do |key|
-          unless user.keys.find_by_key(key)
-            k = LDAPKey.new(title: "LDAP - #{Gitlab.config.ldap['sync_ssh_keys']}", key: key)
-            user.keys << k if k.save
+        user.keys.ldap.where.not(key: ldap_user.ssh_keys).each do |deleted_key|
+          Rails.logger.info "#{self.class.name}: removing LDAP SSH key #{deleted_key.key} from #{user.name} (#{user.id})"
+          unless deleted_key.destroy
+            Rails.logger.error "#{self.class.name}: failed to remove LDAP SSH key #{key.inspect} from #{user.name} (#{user.id})"
          end
        end
-        user.keys.to_a.each do |k|
-          if k.is_a?(LDAPKey) && !sshkeys.include?(k.key)
-            user.keys.delete(k)
-            k.destroy
+
+        (ldap_user.ssh_keys - user.keys.ldap.pluck(:key)).each do |key|
+          Rails.logger.info "#{self.class.name}: adding LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})"
+          new_key = LDAPKey.new(title: "LDAP - #{Gitlab.config.ldap['sync_ssh_keys']}", key: key)
+          new_key.user = user
+          unless new_key.save
+            Rails.logger.error "#{self.class.name}: failed to add LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})\n"\
+              "error messages: #{new_key.errors.messages}"
          end
        end
      end

--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -46,12 +46,21 @@ module Gitlab
        entry.dn
      end

-      def entry
-        @entry
+      def ssh_keys
+        ssh_keys_attribute = Gitlab.config.ldap['sync_ssh_keys'].to_sym
+        if entry.respond_to?(ssh_keys_attribute)
+          entry[ssh_keys_attribute]
+        else
+          []
+        end
      end

      private

+      def entry
+        @entry
+      end
+
      def adapter
        @adapter ||= Gitlab::LDAP::Adapter.new
      end

--- a/spec/lib/gitlab/ldap/ldap_access_spec.rb
+++ b/spec/lib/gitlab/ldap/ldap_access_spec.rb
@@ -88,6 +88,7 @@ describe Gitlab::LDAP::Access do

      expect(user_ldap.keys.size).to be(0)
      access.update_ssh_keys(user_ldap)
+      user_ldap.reload
      expect(user_ldap.keys.size).to be(1)
    end