BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
238e4f02
Commit
238e4f02
authored
Apr 14, 2015
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add config var to block auto-created LDAP users.
parent
c43411e9
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
75 additions
and
9 deletions
+75
-9
CHANGELOG
CHANGELOG
+1
-0
gitlab.yml.example
config/gitlab.yml.example
+3
-0
1_settings.rb
config/initializers/1_settings.rb
+1
-0
config.rb
lib/gitlab/ldap/config.rb
+4
-0
user.rb
lib/gitlab/ldap/user.rb
+6
-2
user_spec.rb
spec/lib/gitlab/ldap/user_spec.rb
+60
-7
No files found.
CHANGELOG
View file @
238e4f02
Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased)
- Add config var to block auto-created LDAP users.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix persistent XSS vulnerability around profile website URLs.
- Fix project import URL regex to prevent arbitary local repos from being imported.
...
...
config/gitlab.yml.example
View file @
238e4f02
...
...
@@ -146,6 +146,9 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
# Locks down those users until they have been cleared by the admin (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
...
...
config/initializers/1_settings.rb
View file @
238e4f02
...
...
@@ -76,6 +76,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
Settings
.
ldap
[
'servers'
].
each
do
|
key
,
server
|
server
[
'label'
]
||=
'LDAP'
server
[
'block_auto_created_users'
]
=
false
if
server
[
'block_auto_created_users'
].
nil?
server
[
'allow_username_or_email_login'
]
=
false
if
server
[
'allow_username_or_email_login'
].
nil?
server
[
'active_directory'
]
=
true
if
server
[
'active_directory'
].
nil?
server
[
'provider_name'
]
||=
"ldap
#{
key
}
"
.
downcase
...
...
lib/gitlab/ldap/config.rb
View file @
238e4f02
...
...
@@ -80,6 +80,10 @@ module Gitlab
options
[
'active_directory'
]
end
def
block_auto_created_users
options
[
'block_auto_created_users'
]
end
protected
def
base_config
Gitlab
.
config
.
ldap
...
...
lib/gitlab/ldap/user.rb
View file @
238e4f02
...
...
@@ -55,13 +55,17 @@ module Gitlab
gl_user
.
changed?
||
gl_user
.
identities
.
any?
(
&
:changed?
)
end
def
needs_blocking
?
false
def
block_after_signup
?
ldap_config
.
block_auto_created_users
end
def
allowed?
Gitlab
::
LDAP
::
Access
.
allowed?
(
gl_user
)
end
def
ldap_config
Gitlab
::
LDAP
::
Config
.
new
(
auth_hash
.
provider
)
end
end
end
end
spec/lib/gitlab/ldap/user_spec.rb
View file @
238e4f02
require
'spec_helper'
describe
Gitlab
::
LDAP
::
User
do
let
(
:gl_user
)
{
Gitlab
::
LDAP
::
User
.
new
(
auth_hash
)
}
let
(
:ldap_user
)
{
Gitlab
::
LDAP
::
User
.
new
(
auth_hash
)
}
let
(
:gl_user
)
{
ldap_user
.
gl_user
}
let
(
:info
)
do
{
name:
'John'
,
...
...
@@ -16,17 +17,17 @@ describe Gitlab::LDAP::User do
describe
:changed?
do
it
"marks existing ldap user as changed"
do
existing_user
=
create
(
:omniauth_user
,
extern_uid:
'my-uid'
,
provider:
'ldapmain'
)
expect
(
gl
_user
.
changed?
).
to
be_truthy
expect
(
ldap
_user
.
changed?
).
to
be_truthy
end
it
"marks existing non-ldap user if the email matches as changed"
do
existing_user
=
create
(
:user
,
email:
'john@example.com'
)
expect
(
gl
_user
.
changed?
).
to
be_truthy
expect
(
ldap
_user
.
changed?
).
to
be_truthy
end
it
"dont marks existing ldap user as changed"
do
existing_user
=
create
(
:omniauth_user
,
email:
'john@example.com'
,
extern_uid:
'my-uid'
,
provider:
'ldapmain'
)
expect
(
gl
_user
.
changed?
).
to
be_falsey
expect
(
ldap
_user
.
changed?
).
to
be_falsey
end
end
...
...
@@ -34,12 +35,12 @@ describe Gitlab::LDAP::User do
it
"finds the user if already existing"
do
existing_user
=
create
(
:omniauth_user
,
extern_uid:
'my-uid'
,
provider:
'ldapmain'
)
expect
{
gl
_user
.
save
}.
to_not
change
{
User
.
count
}
expect
{
ldap
_user
.
save
}.
to_not
change
{
User
.
count
}
end
it
"connects to existing non-ldap user if the email matches"
do
existing_user
=
create
(
:omniauth_user
,
email:
'john@example.com'
,
provider:
"twitter"
)
expect
{
gl
_user
.
save
}.
to_not
change
{
User
.
count
}
expect
{
ldap
_user
.
save
}.
to_not
change
{
User
.
count
}
existing_user
.
reload
expect
(
existing_user
.
ldap_identity
.
extern_uid
).
to
eql
'my-uid'
...
...
@@ -47,7 +48,59 @@ describe Gitlab::LDAP::User do
end
it
"creates a new user if not found"
do
expect
{
gl_user
.
save
}.
to
change
{
User
.
count
}.
by
(
1
)
expect
{
ldap_user
.
save
}.
to
change
{
User
.
count
}.
by
(
1
)
end
end
describe
'blocking'
do
context
'signup'
do
context
'dont block on create'
do
before
{
Gitlab
::
LDAP
::
Config
.
any_instance
.
stub
block_auto_created_users:
false
}
it
do
ldap_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
not_to
be_blocked
end
end
context
'block on create'
do
before
{
Gitlab
::
LDAP
::
Config
.
any_instance
.
stub
block_auto_created_users:
true
}
it
do
ldap_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
to
be_blocked
end
end
end
context
'sign-in'
do
before
do
ldap_user
.
save
ldap_user
.
gl_user
.
activate
end
context
'dont block on create'
do
before
{
Gitlab
::
LDAP
::
Config
.
any_instance
.
stub
block_auto_created_users:
false
}
it
do
ldap_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
not_to
be_blocked
end
end
context
'block on create'
do
before
{
Gitlab
::
LDAP
::
Config
.
any_instance
.
stub
block_auto_created_users:
true
}
it
do
ldap_user
.
save
expect
(
gl_user
).
to
be_valid
expect
(
gl_user
).
not_to
be_blocked
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment