BigW Consortium Gitlab

Minimize CE/EE difference in Gitlab::Auth::LDAP::Access

Signed-off-by: 's avatarRémy Coutable <remy@rymai.me>
parent dfdbf198
...@@ -6,7 +6,7 @@ module Gitlab ...@@ -6,7 +6,7 @@ module Gitlab
module Auth module Auth
module LDAP module LDAP
class Access class Access
attr_reader :provider, :user attr_reader :provider, :user, :ldap_identity
def self.open(user, &block) def self.open(user, &block)
Gitlab::Auth::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter| Gitlab::Auth::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
...@@ -14,9 +14,12 @@ module Gitlab ...@@ -14,9 +14,12 @@ module Gitlab
end end
end end
def self.allowed?(user) def self.allowed?(user, options = {})
self.open(user) do |access| self.open(user) do |access|
# Whether user is allowed, or not, we should update
# permissions to keep things clean
if access.allowed? if access.allowed?
access.update_user
Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
true true
...@@ -29,7 +32,8 @@ module Gitlab ...@@ -29,7 +32,8 @@ module Gitlab
def initialize(user, adapter = nil) def initialize(user, adapter = nil)
@adapter = adapter @adapter = adapter
@user = user @user = user
@provider = user.ldap_identity.provider @ldap_identity = user.ldap_identity
@provider = adapter&.provider || ldap_identity&.provider
end end
def allowed? def allowed?
...@@ -40,7 +44,7 @@ module Gitlab ...@@ -40,7 +44,7 @@ module Gitlab
end end
# Block user in GitLab if he/she was blocked in AD # Block user in GitLab if he/she was blocked in AD
if Gitlab::Auth::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter) if Gitlab::Auth::LDAP::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
block_user(user, 'is disabled in Active Directory') block_user(user, 'is disabled in Active Directory')
false false
else else
...@@ -64,27 +68,44 @@ module Gitlab ...@@ -64,27 +68,44 @@ module Gitlab
Gitlab::Auth::LDAP::Config.new(provider) Gitlab::Auth::LDAP::Config.new(provider)
end end
def find_ldap_user
Gitlab::Auth::LDAP::Person.find_by_dn(ldap_identity.extern_uid, adapter)
end
def ldap_user def ldap_user
@ldap_user ||= Gitlab::Auth::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter) return unless provider
@ldap_user ||= find_ldap_user
end end
def block_user(user, reason) def block_user(user, reason)
user.ldap_block user.ldap_block
if provider
Gitlab::AppLogger.info(
"LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"blocking Gitlab user \"#{user.name}\" (#{user.email})"
)
else
Gitlab::AppLogger.info( Gitlab::AppLogger.info(
"LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \ "Account is not provided by LDAP, " \
"blocking Gitlab user \"#{user.name}\" (#{user.email})" "blocking Gitlab user \"#{user.name}\" (#{user.email})"
) )
end end
end
def unblock_user(user, reason) def unblock_user(user, reason)
user.activate user.activate
Gitlab::AppLogger.info( Gitlab::AppLogger.info(
"LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \ "LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"unblocking Gitlab user \"#{user.name}\" (#{user.email})" "unblocking Gitlab user \"#{user.name}\" (#{user.email})"
) )
end end
def update_user
# no-op in CE
end
end end
end end
end end
......
...@@ -8,6 +8,7 @@ describe Gitlab::Auth::LDAP::Access do ...@@ -8,6 +8,7 @@ describe Gitlab::Auth::LDAP::Access do
describe '.allowed?' do describe '.allowed?' do
it 'updates the users `last_credential_check_at' do it 'updates the users `last_credential_check_at' do
allow(access).to receive(:update_user)
expect(access).to receive(:allowed?) { true } expect(access).to receive(:allowed?) { true }
expect(described_class).to receive(:open).and_yield(access) expect(described_class).to receive(:open).and_yield(access)
...@@ -16,12 +17,21 @@ describe Gitlab::Auth::LDAP::Access do ...@@ -16,12 +17,21 @@ describe Gitlab::Auth::LDAP::Access do
end end
end end
describe '#find_ldap_user' do
it 'finds a user by dn first' do
expect(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(:ldap_user)
access.find_ldap_user
end
end
describe '#allowed?' do describe '#allowed?' do
subject { access.allowed? } subject { access.allowed? }
context 'when the user cannot be found' do context 'when the user cannot be found' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil) allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil)
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_email).and_return(nil)
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
...@@ -54,7 +64,7 @@ describe Gitlab::Auth::LDAP::Access do ...@@ -54,7 +64,7 @@ describe Gitlab::Auth::LDAP::Access do
end end
end end
context 'and has no disabled flag in active diretory' do context 'and has no disabled flag in active directory' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false) allow(Gitlab::Auth::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false)
end end
...@@ -100,6 +110,7 @@ describe Gitlab::Auth::LDAP::Access do ...@@ -100,6 +110,7 @@ describe Gitlab::Auth::LDAP::Access do
context 'when user cannot be found' do context 'when user cannot be found' do
before do before do
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil) allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_dn).and_return(nil)
allow(Gitlab::Auth::LDAP::Person).to receive(:find_by_email).and_return(nil)
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment