Merge branch 'ldap-attributes' into 'master'

Allow configuration of LDAP attributes GitLab will use for the new user account. Fixes #2412. See merge request !1261

Merge branch 'ldap-attributes' into 'master'
Allow configuration of LDAP attributes GitLab will use for the new user account. Fixes #2412. See merge request !1261
09bcce7d · Robert Speicher · a0aa6453 · 84d57bc7 · 09bcce7d · 09bcce7d
Commit 09bcce7d authored Sep 16, 2015 by Robert Speicher
12 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -56,6 +56,7 @@ v 7.14.3
 v 7.14.2
  - Upgrade gitlab_git to 7.2.15 to fix `git blame` errors with ISO-encoded files (Stan Hu)
+  - Allow configuration of LDAP attributes GitLab will use for the new user account.
 v 7.14.1
  - Improve abuse reports management from admin area

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -159,7 +159,7 @@ production: &base
        method: 'plain' # "tls" or "ssl" or "plain"
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'
        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
@@ -196,6 +196,26 @@ production: &base
        #
        user_filter: ''
+        # LDAP attributes that GitLab will use to create an account for the LDAP user.
+        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
+        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
+        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
+        attributes:
+          # The username will be used in paths for the user's own projects
+          # (like `gitlab.example.com/username/project`) and when mentioning
+          # them in issues, merge request and comments (like `@username`).
+          # If the attribute specified for `username` contains an email address, 
+          # the GitLab username will be the part of the email address before the '@'.
+          username: ['uid', 'userid', 'sAMAccountName']
+          email:    ['mail', 'email', 'userPrincipalName']
+          # If no full name could be found at the attribute specified for `name`,
+          # the full name is determined using the attributes specified for 
+          # `first_name` and `last_name`.
+          name:       'cn'
+          first_name: 'givenName'
+          last_name:  'sn'
      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -109,6 +109,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
    server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
    server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
    server['active_directory'] = true if server['active_directory'].nil?
+    server['attributes'] = {} if server['attributes'].nil?
    server['provider_name'] ||= "ldap#{key}".downcase
    server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
  end

--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -78,6 +78,26 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
  #
  user_filter: ''
+  # LDAP attributes that GitLab will use to create an account for the LDAP user.
+  # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
+  # or an array of attribute names to try in order (e.g. ['mail', 'email']).
+  # Note that the user's LDAP login will always be the attribute specified as `uid` above.
+  attributes:
+    # The username will be used in paths for the user's own projects
+    # (like `gitlab.example.com/username/project`) and when mentioning
+    # them in issues, merge request and comments (like `@username`).
+    # If the attribute specified for `username` contains an email address, 
+    # the GitLab username will be the part of the email address before the '@'.
+    username: ['uid', 'userid', 'sAMAccountName']
+    email:    ['mail', 'email', 'userPrincipalName']
+    # If no full name could be found at the attribute specified for `name`,
+    # the full name is determined using the attributes specified for 
+    # `first_name` and `last_name`.
+    name:       'cn'
+    first_name: 'givenName'
+    last_name:  'sn'
 # GitLab EE only: add more LDAP servers
 # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
 # so that GitLab can remember which LDAP server a user belongs to.

--- a/lib/gitlab/ldap/auth_hash.rb
+++ b/lib/gitlab/ldap/auth_hash.rb
+# Class to parse and transform the info provided by omniauth
+#
+module Gitlab
+  module LDAP
+    class AuthHash < Gitlab::OAuth::AuthHash
+      private
+      def get_info(key)
+        attributes = ldap_config.attributes[key]
+        return super unless attributes
+        attributes = Array(attributes)
+        value = nil
+        attributes.each do |attribute|
+          value = get_raw(attribute)
+          break if value.present?
+        end
+        return super unless value
+        Gitlab::Utils.force_utf8(value)
+        value
+      end
+      def get_raw(key)
+        auth_hash.extra[:raw_info][key]
+      end
+      def ldap_config
+        @ldap_config ||= Gitlab::LDAP::Config.new(self.provider)
+      end
+    end
+  end
+end
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -84,6 +84,10 @@ module Gitlab
        options['block_auto_created_users']
      end
+      def attributes
+        options['attributes']
+      end
      protected
      def base_config
        Gitlab.config.ldap

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -71,6 +71,10 @@ module Gitlab
      def ldap_config
        Gitlab::LDAP::Config.new(auth_hash.provider)
      end
+      def auth_hash=(auth_hash)
+        @auth_hash = Gitlab::LDAP::AuthHash.new(auth_hash)
+      end
    end
  end
 end
--- a/lib/gitlab/o_auth/auth_hash.rb
+++ b/lib/gitlab/o_auth/auth_hash.rb
@@ -16,16 +16,6 @@ module Gitlab
        @provider ||= Gitlab::Utils.force_utf8(auth_hash.provider.to_s)
      end
-      def info
-        auth_hash.info
-      end
-      def get_info(key)
-        value = info.try(key)
-        Gitlab::Utils.force_utf8(value) if value
-        value
-      end
      def name
        @name ||= get_info(:name) || "#{get_info(:first_name)} #{get_info(:last_name)}"
      end
@@ -44,9 +34,19 @@ module Gitlab
      private
+      def info
+        auth_hash.info
+      end
+      def get_info(key)
+        value = info[key]
+        Gitlab::Utils.force_utf8(value) if value
+        value
+      end
      def username_and_email
        @username_and_email ||= begin
-          username  = get_info(:nickname) || get_info(:username)
+          username  = get_info(:username) || get_info(:nickname)
          email     = get_info(:email)
          username ||= generate_username(email)             if email

--- a/spec/lib/gitlab/ldap/auth_hash_spec.rb
+++ b/spec/lib/gitlab/ldap/auth_hash_spec.rb
+require 'spec_helper'
+describe Gitlab::LDAP::AuthHash do
+  let(:auth_hash) do
+    Gitlab::LDAP::AuthHash.new(
+      OmniAuth::AuthHash.new(
+        uid: '123456', 
+        provider: 'ldapmain', 
+        info: info,
+        extra: {
+          raw_info: raw_info
+        }
+      )
+    )
+  end
+  let(:info) do
+    {
+      name:     'Smith, J.',
+      email:    'johnsmith@example.com',
+      nickname: '123456'
+    }
+  end
+  let(:raw_info) do
+    {
+      uid:      '123456',
+      email:    'johnsmith@example.com',
+      cn:       'Smith, J.',
+      fullName: 'John Smith'
+    }
+  end
+  context "without overridden attributes" do
+    it "has the correct username" do
+      expect(auth_hash.username).to eq("123456") 
+    end
+    it "has the correct name" do
+      expect(auth_hash.name).to eq("Smith, J.") 
+    end
+  end
+  context "with overridden attributes" do
+    let(:attributes) do
+      {
+        username: ['mail', 'email'],
+        name:     'fullName'
+      }
+    end
+    before do
+      allow_any_instance_of(Gitlab::LDAP::Config).to receive(:attributes).and_return(attributes)
+    end
+    it "has the correct username" do
+      expect(auth_hash.username).to eq("johnsmith@example.com") 
+    end
+    it "has the correct name" do
+      expect(auth_hash.name).to eq("John Smith") 
+    end
+  end
+end
--- a/spec/lib/gitlab/ldap/user_spec.rb
+++ b/spec/lib/gitlab/ldap/user_spec.rb
@@ -11,7 +11,7 @@ describe Gitlab::LDAP::User do
    }
  end
  let(:auth_hash) do
-    double(uid: 'my-uid', provider: 'ldapmain', info: double(info))
+    OmniAuth::AuthHash.new(uid: 'my-uid', provider: 'ldapmain', info: info)
  end
  describe :changed? do

--- a/spec/lib/gitlab/o_auth/auth_hash_spec.rb
+++ b/spec/lib/gitlab/o_auth/auth_hash_spec.rb
@@ -3,11 +3,11 @@ require 'spec_helper'
 describe Gitlab::OAuth::AuthHash do
  let(:auth_hash) do
    Gitlab::OAuth::AuthHash.new(
-      double({
+      OmniAuth::AuthHash.new(
        provider: provider_ascii,
        uid: uid_ascii,
-        info: double(info_hash)
+        info: info_hash
-      })
+      )
    )
  end

--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -5,7 +5,7 @@ describe Gitlab::OAuth::User do
  let(:gl_user) { oauth_user.gl_user }
  let(:uid) { 'my-uid' }
  let(:provider) { 'my-provider' }
-  let(:auth_hash) { double(uid: uid, provider: provider, info: double(info_hash)) }
+  let(:auth_hash) { OmniAuth::AuthHash.new(uid: uid, provider: provider, info: info_hash) }
  let(:info_hash) do
    {
      nickname: '-john+gitlab-ETC%.git@gmail.com',