Commit a27b4f74 authored by Michael Kozono's avatar Michael Kozono

Sync LDAP user with external groups on login

parent aae32406
...@@ -20,6 +20,7 @@ module Gitlab ...@@ -20,6 +20,7 @@ module Gitlab
def initialize(auth_hash) def initialize(auth_hash)
super super
update_user_attributes update_user_attributes
set_external_with_external_groups
end end
def save def save
...@@ -75,6 +76,24 @@ module Gitlab ...@@ -75,6 +76,24 @@ module Gitlab
def auth_hash=(auth_hash) def auth_hash=(auth_hash)
@auth_hash = Gitlab::LDAP::AuthHash.new(auth_hash) @auth_hash = Gitlab::LDAP::AuthHash.new(auth_hash)
end end
def set_external_with_external_groups
gl_user.external = in_any_external_group?
end
def in_any_external_group?
::EE::Gitlab::LDAP::Sync::Proxy.open(auth_hash.provider) do |proxy|
external_groups = proxy.adapter.config.external_groups
external_groups.any? do |group_cn|
in_group?(proxy, group_cn)
end
end
end
def in_group?(proxy, group_cn)
member_dns = proxy.dns_for_group_cn(group_cn)
member_dns.include?(auth_hash.uid)
end
end end
end end
end end
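Review bot: `set_external_with_external_groups` assigns `gl_user.external = in_any_external_group?` unconditionally on every login, and `in_any_external_group?` is false whenever `external_groups` is empty (the spec's own "no external groups" case), so on an instance that has not configured any external groups an external flag set by hand in the admin area is silently cleared at the user's next sign-in, which widens access rather than restricting it. Guard the setter so the sync stays opt-in, e.g. `return if ldap_config.external_groups.empty?` before the assignment (using whatever accessor the class already has for its `Gitlab::LDAP::Config`; the spec stubs `Gitlab::LDAP::Config#external_groups`). Separately, `in_group?` depends on `member_dns.include?(auth_hash.uid)` being an exact string match; LDAP DNs are case-insensitive and the group's member attribute can carry different casing or spacing than the user's own entry, so unless `dns_for_group_cn` and `AuthHash#uid` are normalized the same way a genuine member is treated as not external — worth confirming, or normalizing both sides (e.g. `downcase`) before comparing. The enclosing class and any `private` marker begin before this hunk, so also check that these three helpers are not left public.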
...@@ -25,6 +25,13 @@ describe Gitlab::LDAP::User do ...@@ -25,6 +25,13 @@ describe Gitlab::LDAP::User do
OmniAuth::AuthHash.new(uid: 'my-uid', provider: 'ldapmain', info: info_upper_case) OmniAuth::AuthHash.new(uid: 'my-uid', provider: 'ldapmain', info: info_upper_case)
end end
describe '#initialize' do
it 'calls #set_external_with_external_groups' do
expect_any_instance_of(described_class).to receive(:set_external_with_external_groups)
ldap_user
end
end
describe '#changed?' do describe '#changed?' do
it "marks existing ldap user as changed" do it "marks existing ldap user as changed" do
create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain') create(:omniauth_user, extern_uid: 'my-uid', provider: 'ldapmain')
...@@ -228,4 +235,98 @@ describe Gitlab::LDAP::User do ...@@ -228,4 +235,98 @@ describe Gitlab::LDAP::User do
end end
end end
end end
describe '#set_external_with_external_groups' do
context 'when the LDAP user is in an external group' do
before do
expect(ldap_user).to receive(:in_any_external_group?).and_return(true)
end
it 'sets the GitLab user external flag to true' do
expect do
ldap_user.set_external_with_external_groups
end.to change { gl_user.external }.from(false).to(true)
end
end
context 'when the LDAP user is not in an external group' do
before do
expect(ldap_user).to receive(:in_any_external_group?).and_return(false)
end
it 'sets the GitLab user external flag to true' do
gl_user.external = true
gl_user.save
expect do
ldap_user.set_external_with_external_groups
end.to change { gl_user.external }.from(true).to(false)
end
end
end
describe '#in_any_external_group?' do
context 'when there is an external group' do
before do
expect_any_instance_of(Gitlab::LDAP::Config).to receive(:external_groups).and_return(['foo'])
end
context 'when the user is in an external group' do
before do
expect(ldap_user).to receive(:in_group?).and_return(true)
end
it 'returns true' do
expect(ldap_user.in_any_external_group?).to be_truthy
end
end
context 'when the user is not in an external group' do
before do
expect(ldap_user).to receive(:in_group?).and_return(false)
end
it 'returns false' do
expect(ldap_user.in_any_external_group?).to be_falsey
end
end
end
context 'when are no external groups' do
before do
expect_any_instance_of(Gitlab::LDAP::Config).to receive(:external_groups).and_return([])
end
it 'returns false' do
expect(ldap_user.in_any_external_group?).to be_falsey
end
end
end
describe '#in_group?' do
let(:proxy) { double(:proxy) }
let(:group) { 'foo' }
let(:member_dns_in_group) { ['uid=alice,ou=people,dc=example,dc=com'] }
subject { ldap_user.in_group?(proxy, group) }
before do
expect(proxy).to receive(:dns_for_group_cn).with(group).and_return(member_dns_in_group)
end
context 'when the LDAP user is in the group' do
before do
member_dns_in_group << ldap_user.auth_hash.uid
end
it 'returns true' do
expect(subject).to be_truthy
end
end
context 'when the LDAP user is not in the group' do
it 'returns false' do
expect(subject).to be_falsey
end
end
end
end end
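Review bot: The example under "when the LDAP user is not in an external group" is described as "sets the GitLab user external flag to true" while its expectation is `change { gl_user.external }.from(true).to(false)`; rename it `it 'sets the GitLab user external flag to false' do` so a failure reads correctly. The context "when are no external groups" is missing a word: `context 'when there are no external groups' do`. The `#in_any_external_group?` examples stub `in_group?` without constraining its arguments, so they would still pass if the wrong CN were looked up; `expect(ldap_user).to receive(:in_group?).with(anything, 'foo')` pins the group name that `external_groups` returned. Using `expect(...).to receive` inside `before` blocks is conventionally `allow`, with the expectation stated in the example itself.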