Commit c50b98da authored by Drew Blessing's avatar Drew Blessing 3️⃣

Centralize LDAP config/filter logic

Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously,
some logic was in the Devise initializer and it was not honoring the
`user_filter`. If a user outside the configured `user_filter` signed
in, an account would be created but they would then be denied access.
Now that logic is centralized, the filter is honored and users outside
the filter are never created.
parent 6eeff67c
+1 −1
@@ -3,7 +3,7 @@ module AuthHelper
  FORM_BASED_PROVIDERS = [/\Aldap/, 'crowd'].freeze

  def ldap_enabled?
    Gitlab.config.ldap.enabled
    Gitlab::LDAP::Config.enabled?
  end

  def omniauth_enabled?
+4 −0
---
title: Centralize LDAP config/filter logic
merge_request: 6606
author: 
+3 −16
@@ -213,22 +213,9 @@
  end

  if Gitlab::LDAP::Config.enabled?
    Gitlab.config.ldap.servers.values.each do |server|
      if server['allow_username_or_email_login']
        email_stripping_proc = ->(name) {name.gsub(/@.*\z/, '')}
      else
        email_stripping_proc = ->(name) {name}
      end

      config.omniauth server['provider_name'],
        host:     server['host'],
        base:     server['base'],
        uid:      server['uid'],
        port:     server['port'],
        method:   server['method'],
        bind_dn:  server['bind_dn'],
        password: server['password'],
        name_proc: email_stripping_proc
    Gitlab::LDAP::Config.providers.each do |provider|
      ldap_config = Gitlab::LDAP::Config.new(provider)
      config.omniauth(provider, ldap_config.omniauth_options)
    end
  end

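Review bot: The sign-in enforcement described in the commit message cannot be checked at this call site, because `config.omniauth(provider, ldap_config.omniauth_options)` passes an opaque hash and `omniauth_options` is defined outside this page. The removed block derived `name_proc` from `allow_username_or_email_login` and passed `bind_dn` and `password` explicitly, so the new method presumably has to reproduce all of that and also carry the user filter. I would add a comment above the loop, such as `# omniauth_options supplies bind credentials, name_proc and the user_filter; users outside the filter must be rejected before an account is created`, and a spec on `omniauth_options` covering a provider with and without `user_filter`. The enclosing initializer block starts and ends outside the hunk.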
+1 −3
@@ -89,9 +89,7 @@ def user_options(field, value, limit)
      end

      def user_filter(filter = nil)
        if config.user_filter.present?
          user_filter = Net::LDAP::Filter.construct(config.user_filter)
        end
        user_filter = config.constructed_user_filter if config.user_filter.present?

        if user_filter && filter
          Net::LDAP::Filter.join(filter, user_filter)
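Review bot: The guard `config.user_filter.present?` is still repeated at each caller of `config.constructed_user_filter`, here in `user_filter(filter = nil)` and again in the `user_filter(login)` hunk of the last file section. That filter is what restricts which directory entries may match, so a future caller that omits the guard could either raise on a blank filter or silently skip the restriction, depending on how `constructed_user_filter` behaves, which is not visible on this page. Consider having `constructed_user_filter` return `nil` when `user_filter` is blank, so this line can become `user_filter = config.constructed_user_filter` and the other caller can test the returned value. As a smaller style point, the local `user_filter` shadows the method's own name. The method body continues outside the hunk.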
+2 −4
@@ -54,11 +54,9 @@ def user_filter(login)

        # Apply LDAP user filter if present
        if config.user_filter.present?
          filter = Net::LDAP::Filter.join(
            filter,
            Net::LDAP::Filter.construct(config.user_filter)
          )
          filter = Net::LDAP::Filter.join(filter, config.constructed_user_filter)
        end

        filter
      end
