Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
bf65eb1d
Commit
bf65eb1d
authored
Aug 14, 2014
by
Jan-Willem van der Meer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Handle multiple LDAP groups
parent
6f71267e
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
37 additions
and
21 deletions
+37
-21
lib/gitlab/ldap/access.rb
lib/gitlab/ldap/access.rb
+37
-21
No files found.
lib/gitlab/ldap/access.rb
View file @
bf65eb1d
...
@@ -23,10 +23,11 @@ module Gitlab
...
@@ -23,10 +23,11 @@ module Gitlab
false
false
end
end
def
update_permissions
(
user
)
def
get_ldap_user
(
user
)
# Get LDAP user entry
@ldap_user
||=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
user
.
extern_uid
)
ldap_user
=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
user
.
extern_uid
)
end
def
update_permissions
(
user
)
if
Gitlab
.
config
.
ldap
[
'sync_ssh_keys'
]
if
Gitlab
.
config
.
ldap
[
'sync_ssh_keys'
]
update_ssh_keys
(
user
)
update_ssh_keys
(
user
)
end
end
...
@@ -35,23 +36,8 @@ module Gitlab
...
@@ -35,23 +36,8 @@ module Gitlab
# if instance does not use group_base setting
# if instance does not use group_base setting
return
true
unless
Gitlab
.
config
.
ldap
[
'group_base'
].
present?
return
true
unless
Gitlab
.
config
.
ldap
[
'group_base'
].
present?
# Get all GitLab groups with activated LDAP
update_ldap_group_links
(
user
)
groups
=
::
Group
.
where
(
'ldap_cn IS NOT NULL'
)
# Get LDAP groups based on cn from GitLab groups
ldap_groups
=
groups
.
pluck
(
:ldap_cn
).
map
{
|
cn
|
Gitlab
::
LDAP
::
Group
.
find_by_cn
(
cn
,
adapter
)
}
ldap_groups
=
ldap_groups
.
compact
.
uniq
# Iterate over ldap groups and check user membership
ldap_groups
.
each
do
|
ldap_group
|
if
ldap_group
.
has_member?
(
ldap_user
)
# If user present in LDAP group -> add him to GitLab groups
add_user_to_groups
(
user
.
id
,
ldap_group
.
cn
)
else
# If not - remove him from GitLab groups
remove_user_from_groups
(
user
.
id
,
ldap_group
.
cn
)
end
end
if
Gitlab
.
config
.
ldap
[
'admin_group'
].
present?
if
Gitlab
.
config
.
ldap
[
'admin_group'
].
present?
update_admin_status
(
user
)
update_admin_status
(
user
)
end
end
...
@@ -60,7 +46,7 @@ module Gitlab
...
@@ -60,7 +46,7 @@ module Gitlab
# Update user ssh keys if they changed in LDAP
# Update user ssh keys if they changed in LDAP
def
update_ssh_keys
(
user
)
def
update_ssh_keys
(
user
)
# Get LDAP user entry
# Get LDAP user entry
ldap_user
=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
user
.
extern_uid
)
ldap_user
=
get_ldap_user
(
user
)
user
.
keys
.
ldap
.
where
.
not
(
key:
ldap_user
.
ssh_keys
).
each
do
|
deleted_key
|
user
.
keys
.
ldap
.
where
.
not
(
key:
ldap_user
.
ssh_keys
).
each
do
|
deleted_key
|
Rails
.
logger
.
info
"
#{
self
.
class
.
name
}
: removing LDAP SSH key
#{
deleted_key
.
key
}
from
#{
user
.
name
}
(
#{
user
.
id
}
)"
Rails
.
logger
.
info
"
#{
self
.
class
.
name
}
: removing LDAP SSH key
#{
deleted_key
.
key
}
from
#{
user
.
name
}
(
#{
user
.
id
}
)"
...
@@ -83,7 +69,7 @@ module Gitlab
...
@@ -83,7 +69,7 @@ module Gitlab
# Update user email if it changed in LDAP
# Update user email if it changed in LDAP
def
update_email
(
user
)
def
update_email
(
user
)
uid
=
user
.
extern_uid
uid
=
user
.
extern_uid
ldap_user
=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
uid
,
adapt
er
)
ldap_user
=
get_ldap_user
(
us
er
)
gitlab_user
=
::
User
.
where
(
provider:
'ldap'
,
extern_uid:
uid
).
last
gitlab_user
=
::
User
.
where
(
provider:
'ldap'
,
extern_uid:
uid
).
last
if
gitlab_user
&&
ldap_user
&&
ldap_user
.
email
if
gitlab_user
&&
ldap_user
&&
ldap_user
.
email
...
@@ -149,6 +135,36 @@ module Gitlab
...
@@ -149,6 +135,36 @@ module Gitlab
ldap_group
.
has_member?
(
ldap_user
)
ldap_group
.
has_member?
(
ldap_user
)
end
.
map
(
&
:cn
)
end
.
map
(
&
:cn
)
end
end
def
gitlab_groups_with_ldap_link
::
Group
.
includes
(
:ldap_group_links
).
references
(
:ldap_group_links
).
where
.
not
(
ldap_group_links:
{
id:
nil
})
end
# Loop throug all ldap conneted groups, and update the users link with it
def
update_ldap_group_links
(
user
)
gitlab_groups_with_ldap_link
.
each
do
|
group
|
active_group_links
=
group
.
ldap_group_links
.
where
(
cn:
cns_with_access
(
ldap_user
))
if
active_group_links
.
any?
group
.
add_user
(
user
,
fetch_group_access
(
group
,
user
,
active_group_links
))
else
group
.
users
.
delete
(
user
)
#ensure this is the nice way to do it
end
end
end
# Get the group_access for a give user.
# Always respect the current level, never downgrade it.
def
fetch_group_acess
(
group
,
user
,
active_group_links
)
current_access_level
=
group
.
users_groups
.
where
(
user_id:
user
).
maximum
(
:group_access
)
max_group_access_level
=
active_group_links
.
maximum
(
:group_access
)
# TODO: Test if nil value of current_access_level in handled properly
[
current_access_level
,
max_group_access_level
].
compact
.
max
end
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment