Add ldap check in application_controller and internal api

Signed-off-by: 's avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 0fdab6a7
......@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
before_filter :check_password_expiration
around_filter :set_current_user_for_thread
before_filter :add_abilities
before_filter :ldap_security_check
before_filter :dev_tools if Rails.env == 'development'
before_filter :default_headers
before_filter :add_gon_variables
......@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
end
end
def ldap_security_check
if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
if gitlab_ldap_access.allowed?(current_user)
gitlab_ldap_access.update_permissions(current_user)
current_user.last_credential_check_at = Time.now
current_user.save
else
sign_out current_user
flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path
end
end
end
def event_filter
filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
@event_filter ||= EventFilter.new(filters)
end
def gitlab_ldap_access
Gitlab::LDAP::Access.new
end
# JSON for infinite scroll via Pager object
def pager_json(partial, count)
html = render_to_string(
......
......@@ -121,7 +121,6 @@ production: &base
ldap:
enabled: false
host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain"
......@@ -138,6 +137,20 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515
# Ex. (employeeType=developer)
#
user_filter: ''
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
......
......@@ -35,8 +35,14 @@ module API
user = key.user
return false if user.blocked?
if Gitlab.config.ldap.enabled
return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
unless Gitlab::LDAP::Access.new.allowed?(user)
return false
end
end
end
action = case git_cmd
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment