Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
2405e0bd
Commit
2405e0bd
authored
Aug 22, 2018
by
Douglas Barbosa Alexandre
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
LDAP - Does not update permissions on a read-only database
parent
4f277d3c
Changes
6
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
302 additions
and
266 deletions
+302
-266
ee/lib/ee/gitlab/auth/ldap/access.rb
ee/lib/ee/gitlab/auth/ldap/access.rb
+13
-9
ee/spec/lib/gitlab/auth/ldap/access_spec.rb
ee/spec/lib/gitlab/auth/ldap/access_spec.rb
+171
-178
lib/gitlab/auth/ldap/access.rb
lib/gitlab/auth/ldap/access.rb
+14
-10
spec/lib/gitlab/auth/ldap/access_spec.rb
spec/lib/gitlab/auth/ldap/access_spec.rb
+83
-69
spec/support/helpers/ldap_helpers.rb
spec/support/helpers/ldap_helpers.rb
+17
-0
spec/support/helpers/stub_configuration.rb
spec/support/helpers/stub_configuration.rb
+4
-0
No files found.
ee/lib/ee/gitlab/auth/ldap/access.rb
View file @
2405e0bd
...
@@ -6,6 +6,19 @@ module EE
...
@@ -6,6 +6,19 @@ module EE
extend
ActiveSupport
::
Concern
extend
ActiveSupport
::
Concern
extend
::
Gitlab
::
Utils
::
Override
extend
::
Gitlab
::
Utils
::
Override
override
:update_user
def
update_user
return
if
::
Gitlab
::
Database
.
read_only?
update_email
update_memberships
update_identity
update_ssh_keys
if
sync_ssh_keys?
update_kerberos_identity
if
import_kerberos_identities?
end
private
override
:find_ldap_user
override
:find_ldap_user
def
find_ldap_user
def
find_ldap_user
found_user
=
super
found_user
=
super
...
@@ -16,15 +29,6 @@ module EE
...
@@ -16,15 +29,6 @@ module EE
end
end
end
end
override
:update_user
def
update_user
update_email
update_memberships
update_identity
update_ssh_keys
if
sync_ssh_keys?
update_kerberos_identity
if
import_kerberos_identities?
end
# Update user ssh keys if they changed in LDAP
# Update user ssh keys if they changed in LDAP
def
update_ssh_keys
def
update_ssh_keys
remove_old_ssh_keys
remove_old_ssh_keys
...
...
ee/spec/lib/gitlab/auth/ldap/access_spec.rb
View file @
2405e0bd
This diff is collapsed.
Click to expand it.
lib/gitlab/auth/ldap/access.rb
View file @
2405e0bd
...
@@ -21,8 +21,10 @@ module Gitlab
...
@@ -21,8 +21,10 @@ module Gitlab
# Whether user is allowed, or not, we should update
# Whether user is allowed, or not, we should update
# permissions to keep things clean
# permissions to keep things clean
if
access
.
allowed?
if
access
.
allowed?
unless
Gitlab
::
Database
.
read_only?
access
.
update_user
access
.
update_user
Users
::
UpdateService
.
new
(
user
,
user:
user
,
last_credential_check_at:
Time
.
now
).
execute
Users
::
UpdateService
.
new
(
user
,
user:
user
,
last_credential_check_at:
Time
.
now
).
execute
end
true
true
else
else
...
@@ -62,6 +64,12 @@ module Gitlab
...
@@ -62,6 +64,12 @@ module Gitlab
false
false
end
end
def
update_user
# no-op in CE
end
private
def
adapter
def
adapter
@adapter
||=
Gitlab
::
Auth
::
LDAP
::
Adapter
.
new
(
provider
)
@adapter
||=
Gitlab
::
Auth
::
LDAP
::
Adapter
.
new
(
provider
)
end
end
...
@@ -70,16 +78,16 @@ module Gitlab
...
@@ -70,16 +78,16 @@ module Gitlab
Gitlab
::
Auth
::
LDAP
::
Config
.
new
(
provider
)
Gitlab
::
Auth
::
LDAP
::
Config
.
new
(
provider
)
end
end
def
find_ldap_user
Gitlab
::
Auth
::
LDAP
::
Person
.
find_by_dn
(
ldap_identity
.
extern_uid
,
adapter
)
end
def
ldap_user
def
ldap_user
return
unless
provider
return
unless
provider
@ldap_user
||=
find_ldap_user
@ldap_user
||=
find_ldap_user
end
end
def
find_ldap_user
Gitlab
::
Auth
::
LDAP
::
Person
.
find_by_dn
(
ldap_identity
.
extern_uid
,
adapter
)
end
def
block_user
(
user
,
reason
)
def
block_user
(
user
,
reason
)
user
.
ldap_block
user
.
ldap_block
...
@@ -104,10 +112,6 @@ module Gitlab
...
@@ -104,10 +112,6 @@ module Gitlab
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
)
end
end
def
update_user
# no-op in CE
end
end
end
end
end
end
end
...
...
spec/lib/gitlab/auth/ldap/access_spec.rb
View file @
2405e0bd
...
@@ -3,51 +3,61 @@ require 'spec_helper'
...
@@ -3,51 +3,61 @@ require 'spec_helper'
describe
Gitlab
::
Auth
::
LDAP
::
Access
do
describe
Gitlab
::
Auth
::
LDAP
::
Access
do
include
LdapHelpers
include
LdapHelpers
let
(
:access
)
{
described_class
.
new
user
}
let
(
:user
)
{
create
(
:omniauth_user
)
}
let
(
:user
)
{
create
(
:omniauth_user
)
}
subject
(
:access
)
{
described_class
.
new
(
user
)
}
describe
'.allowed?'
do
describe
'.allowed?'
do
it
'updates the users `last_credential_check_at'
do
before
do
allow
(
access
).
to
receive
(
:update_user
)
allow
(
access
).
to
receive
(
:update_user
)
expect
(
access
).
to
receive
(
:allowed?
)
{
true
}
allow
(
access
).
to
receive
(
:allowed?
).
and_return
(
true
)
expect
(
described_class
).
to
receive
(
:open
).
and_yield
(
access
)
allow
(
described_class
).
to
receive
(
:open
).
and_yield
(
access
)
end
it
"updates the user's `last_credential_check_at`"
do
expect
{
described_class
.
allowed?
(
user
)
}
expect
{
described_class
.
allowed?
(
user
)
}
.
to
change
{
user
.
last_credential_check_at
}
.
to
change
{
user
.
last_credential_check_at
}
end
end
end
describe
'#find_ldap_user'
do
it
"does not update user's `last_credential_check_at` when in a read-only GitLab instance"
do
it
'finds a user by dn first'
do
allow
(
Gitlab
::
Database
).
to
receive
(
:read_only?
).
and_return
(
true
)
expect
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
:ldap_user
)
access
.
find_ldap_user
expect
{
described_class
.
allowed?
(
user
)
}
.
not_to
change
{
user
.
last_credential_check_at
}
end
end
end
end
describe
'#allowed?'
do
describe
'#allowed?'
do
subject
{
access
.
allowed?
}
context
'when the user cannot be found'
do
context
'when the user cannot be found'
do
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_retur
n
(
nil
)
stub_ldap_person_find_by_d
n
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_email
).
and_return
(
nil
)
stub_ldap_person_find_by_email
(
user
.
email
,
nil
)
end
end
it
{
is_expected
.
to
be_falsey
}
it
'returns false'
do
expect
(
access
.
allowed?
).
to
be_falsey
end
it
'blocks user in GitLab'
do
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
receive
(
:info
).
with
(
"LDAP account
\"
123456
\"
does not exist anymore, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
access
.
allowed?
access
.
allowed?
end
end
end
end
context
'when the user is found'
do
context
'when the user is found'
do
let
(
:ldap_user
)
{
Gitlab
::
Auth
::
LDAP
::
Person
.
new
(
Net
::
LDAP
::
Entry
.
new
,
'ldapmain'
)
}
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_return
(
ldap_user
)
stub_ldap_person_find_by_dn
(
Net
::
LDAP
::
Entry
.
new
)
end
end
context
'and the user is disabled via active directory'
do
context
'and the user is disabled via active directory'
do
...
@@ -55,10 +65,22 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -55,10 +65,22 @@ describe Gitlab::Auth::LDAP::Access do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:disabled_via_active_directory?
).
and_return
(
true
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:disabled_via_active_directory?
).
and_return
(
true
)
end
end
it
{
is_expected
.
to
be_falsey
}
it
'returns false'
do
expect
(
access
.
allowed?
).
to
be_falsey
end
it
'blocks user in GitLab'
do
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'is disabled in Active Directory'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
receive
(
:info
).
with
(
"LDAP account
\"
123456
\"
is disabled in Active Directory, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
access
.
allowed?
access
.
allowed?
end
end
...
@@ -92,7 +114,17 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -92,7 +114,17 @@ describe Gitlab::Auth::LDAP::Access do
end
end
it
'unblocks user in GitLab'
do
it
'unblocks user in GitLab'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is not disabled anymore'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
receive
(
:info
).
with
(
"LDAP account
\"
123456
\"
is not disabled anymore, "
\
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
access
.
allowed?
access
.
allowed?
end
end
...
@@ -105,18 +137,32 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -105,18 +137,32 @@ describe Gitlab::Auth::LDAP::Access do
allow_any_instance_of
(
Gitlab
::
Auth
::
LDAP
::
Config
).
to
receive
(
:active_directory
).
and_return
(
false
)
allow_any_instance_of
(
Gitlab
::
Auth
::
LDAP
::
Config
).
to
receive
(
:active_directory
).
and_return
(
false
)
end
end
it
{
is_expected
.
to
be_truthy
}
it
'returns true'
do
expect
(
access
.
allowed?
).
to
be_truthy
end
context
'when user cannot be found'
do
context
'when user cannot be found'
do
before
do
before
do
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_dn
).
and_retur
n
(
nil
)
stub_ldap_person_find_by_d
n
(
nil
)
allow
(
Gitlab
::
Auth
::
LDAP
::
Person
).
to
receive
(
:find_by_email
).
and_return
(
nil
)
stub_ldap_person_find_by_email
(
user
.
email
,
nil
)
end
end
it
{
is_expected
.
to
be_falsey
}
it
'returns false'
do
expect
(
access
.
allowed?
).
to
be_falsey
end
it
'blocks user in GitLab'
do
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
receive
(
:info
).
with
(
"LDAP account
\"
123456
\"
does not exist anymore, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
access
.
allowed?
access
.
allowed?
end
end
...
@@ -128,7 +174,17 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -128,7 +174,17 @@ describe Gitlab::Auth::LDAP::Access do
end
end
it
'unblocks the user if it exists'
do
it
'unblocks the user if it exists'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is available again'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
receive
(
:info
).
with
(
"LDAP account
\"
123456
\"
is available again, "
\
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
access
.
allowed?
access
.
allowed?
end
end
...
@@ -152,46 +208,4 @@ describe Gitlab::Auth::LDAP::Access do
...
@@ -152,46 +208,4 @@ describe Gitlab::Auth::LDAP::Access do
end
end
end
end
end
end
describe
'#block_user'
do
before
do
user
.
activate
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
block_user
user
,
'reason'
end
it
'blocks the user'
do
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
have_received
(
:info
).
with
(
"LDAP account
\"
123456
\"
reason, "
\
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
describe
'#unblock_user'
do
before
do
user
.
ldap_block
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
unblock_user
user
,
'reason'
end
it
'activates the user'
do
expect
(
user
).
not_to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
end
it
'logs the reason'
do
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
123456
\"
reason, "
\
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
end
end
spec/support/helpers/ldap_helpers.rb
View file @
2405e0bd
...
@@ -45,6 +45,23 @@ module LdapHelpers
...
@@ -45,6 +45,23 @@ module LdapHelpers
.
to
receive
(
:find_by_uid
).
with
(
uid
,
any_args
).
and_return
(
return_value
)
.
to
receive
(
:find_by_uid
).
with
(
uid
,
any_args
).
and_return
(
return_value
)
end
end
def
stub_ldap_person_find_by_dn
(
entry
,
provider
=
'ldapmain'
)
person
=
::
Gitlab
::
Auth
::
LDAP
::
Person
.
new
(
entry
,
provider
)
if
entry
.
present?
allow
(
::
Gitlab
::
Auth
::
LDAP
::
Person
)
.
to
receive
(
:find_by_dn
)
.
and_return
(
person
)
end
def
stub_ldap_person_find_by_email
(
email
,
entry
,
provider
=
'ldapmain'
)
person
=
::
Gitlab
::
Auth
::
LDAP
::
Person
.
new
(
entry
,
provider
)
if
entry
.
present?
allow
(
::
Gitlab
::
Auth
::
LDAP
::
Person
)
.
to
receive
(
:find_by_email
)
.
with
(
email
,
anything
)
.
and_return
(
person
)
end
# Create a simple LDAP user entry.
# Create a simple LDAP user entry.
def
ldap_user_entry
(
uid
)
def
ldap_user_entry
(
uid
)
entry
=
Net
::
LDAP
::
Entry
.
new
entry
=
Net
::
LDAP
::
Entry
.
new
...
...
spec/support/helpers/stub_configuration.rb
View file @
2405e0bd
...
@@ -82,6 +82,10 @@ module StubConfiguration
...
@@ -82,6 +82,10 @@ module StubConfiguration
allow
(
Gitlab
.
config
.
repositories
).
to
receive
(
:storages
).
and_return
(
Settingslogic
.
new
(
messages
))
allow
(
Gitlab
.
config
.
repositories
).
to
receive
(
:storages
).
and_return
(
Settingslogic
.
new
(
messages
))
end
end
def
stub_kerberos_setting
(
messages
)
allow
(
Gitlab
.
config
.
kerberos
).
to
receive_messages
(
to_settings
(
messages
))
end
private
private
# Modifies stubbed messages to also stub possible predicate versions
# Modifies stubbed messages to also stub possible predicate versions
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment