acd9bc02
Commit
acd9bc02
authored
Mar 09, 2016
by
Jacob Vosmaer
Acquire lock before LDAP sync
parent
3eb7ea49
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
63 additions
and
2 deletions
+63
-2
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+2
-0
lib/gitlab/expiring_lock.rb
lib/gitlab/expiring_lock.rb
+52
-0
lib/gitlab/ldap/access.rb
lib/gitlab/ldap/access.rb
+6
-0
lib/gitlab/user_access.rb
lib/gitlab/user_access.rb
+3
-2
app/controllers/application_controller.rb
...
@@ -246,6 +246,8 @@ class ApplicationController < ActionController::Base
...
@@ -246,6 +246,8 @@ class ApplicationController < ActionController::Base
def
ldap_security_check
def
ldap_security_check
if
current_user
&&
current_user
.
requires_ldap_check?
if
current_user
&&
current_user
.
requires_ldap_check?
return
unless
Gitlab
::
LDAP
::
Access
.
try_lock_user
(
user
)
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
current_user
)
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
current_user
)
sign_out
current_user
sign_out
current_user
flash
[
:alert
]
=
"Access denied for your LDAP account."
flash
[
:alert
]
=
"Access denied for your LDAP account."
...
...
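Review bot: The new guard `return unless Gitlab::LDAP::Access.try_lock_user(user)` references a local `user` that nothing in ldap_security_check defines, while the lines around it use `current_user`; as written this most likely raises NameError on the first request that reaches it, which would break every LDAP user's session rather than throttle the check. The line should read `return unless Gitlab::LDAP::Access.try_lock_user(current_user)`. Note also that when the lock is already held the method returns before `sign_out`, so a user whose LDAP access was revoked keeps the session until the lock expires; the same fail-open path is introduced in lib/gitlab/user_access.rb, and a one-line comment stating that this is the intended trade-off would help. ldap_security_check continues past the end of the hunk.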
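--- /dev/null
+++ b/lib/gitlab/expiring_lock.rb
@@ -0,0 +1,52 @@
+module Gitlab
+  # This class implements a distributed self-expiring lock.
+  #
+  # [2] pry(main)> l = Gitlab::ExpiringLock.new('foobar', 5)
+  # => #<Gitlab::ExpiringLock:0x007ffb9d7cb7f8 @key="foobar", @timeout=5>
+  # [3] pry(main)> l.try_lock
+  # => true
+  # [4] pry(main)> l.try_lock # Only the first try_lock succeeds
+  # => false
+  # [5] pry(main)> l.locked?
+  # => true
+  # [6] pry(main)> sleep 5
+  # => 5
+  # [7] pry(main)> l.locked? # After the timeout the lock is released
+  # => false
+  #
+  class ExpiringLock
+    def initialize(key, timeout)
+      @key, @timeout = key, timeout
+    end
+
+    # Try to obtain the lock. Return true on succes,
+    # false if the lock is already taken.
+    def try_lock
+      # INCR does not change the key TTL
+      if redis.incr(redis_key) == 1
+        # We won the race to insert the key into Redis
+        redis.expire(redis_key, @timeout)
+        true
+      else
+        # Somebody else won the race
+        false
+      end
+    end
+
+    # Check if somebody somewhere locked this key
+    def locked?
+      !!redis.get(redis_key)
+    end
+
+    private
+
+    def redis
+      # Maybe someday we want to use a connection pool...
+      @redis ||= Redis.new(url: Gitlab::RedisConfig.url)
+    end
+
+    def redis_key
+      "gitlab:expiring_lock:#{@key}"
+    end
+  end
+end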
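Review bot: try_lock's INCR followed by EXPIRE is two separate round trips, and if the process dies or the connection drops between them the key is left with no TTL: every later INCR returns a value above 1 and never reaches the `expire` call, so the lock is held forever and, through Gitlab::LDAP::Access.try_lock_user, that user's LDAP check is never run again. Redis can create-with-expiry atomically using SET NX EX; with redis-rb that is `redis.set(redis_key, 1, nx: true, ex: @timeout)`, which returns true exactly when the key was created, so the whole body of try_lock can become that one expression (assuming the redis-rb version in use supports the `nx:`/`ex:` options, which this page does not show). While touching the file, the comment above try_lock has a typo, `succes` for `success`. The private `redis` method also opens a fresh `Redis.new` connection per ExpiringLock instance and never closes it, which the "connection pool" comment hints at; worth a `# TODO` noting that one instance is created per request in ldap_security_check.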
lib/gitlab/ldap/access.rb
...
@@ -7,6 +7,12 @@ module Gitlab
...
@@ -7,6 +7,12 @@ module Gitlab
class
Access
class
Access
attr_reader
:provider
,
:user
attr_reader
:provider
,
:user
LOCK_TIMEOUT
=
600
def
self
.
try_lock_user
(
user
)
Gitlab
::
ExpiringLock
.
new
(
"user_ldap_check:
#{
user
.
id
}
"
,
LOCK_TIMEOUT
).
try_lock
end
def
self
.
open
(
user
,
&
block
)
def
self
.
open
(
user
,
&
block
)
Gitlab
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
Gitlab
::
LDAP
::
Adapter
.
open
(
user
.
ldap_identity
.
provider
)
do
|
adapter
|
block
.
call
(
self
.
new
(
user
,
adapter
))
block
.
call
(
self
.
new
(
user
,
adapter
))
...
...
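Review bot: `LOCK_TIMEOUT = 600` and `try_lock_user` carry no documentation, and the key design choice is only discoverable by reading ExpiringLock, which has no release method on this page: the lock is acquired and never released, so this is really a per-user rate limit on LDAP checks rather than mutual exclusion. Suggest above the constant `# Seconds between LDAP checks for one user; the lock is never released explicitly, it simply expires.` and above the method `# Returns true if this caller won the right to run the LDAP check for user; every other caller within LOCK_TIMEOUT gets false.`. The key is built from `user.id` only, so it is scoped per user and not per provider, which is worth stating if a user can have more than one LDAP identity. The enclosing Access class continues outside the hunk.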
lib/gitlab/user_access.rb
...
@@ -3,8 +3,9 @@ module Gitlab
...
@@ -3,8 +3,9 @@ module Gitlab
def
self
.
allowed?
(
user
)
def
self
.
allowed?
(
user
)
return
false
if
user
.
blocked?
return
false
if
user
.
blocked?
if
user
.
requires_ldap_check?
if
user
.
requires_ldap_check?
&&
Gitlab
::
LDAP
::
Access
.
try_lock_user
(
user
)
return
false
unless
Gitlab
::
LDAP
::
Access
.
allowed?
(
user
)
return
Gitlab
::
LDAP
::
Access
.
allowed?
(
user
)
end
end
end
true
true
...
...
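Review bot: With the new condition `if user.requires_ldap_check? && Gitlab::LDAP::Access.try_lock_user(user)`, allowed? falls through to `true` for a user who requires an LDAP check whenever the lock cannot be taken, so the check is skipped and access granted rather than deferred; the replaced code had no such path. That is presumably the intended "someone else is already checking" case, but it equally covers a lock left by a crashed check, which only expires after LOCK_TIMEOUT, so a user blocked in LDAP can be let through for up to that long; the same fail-open path is added in app/controllers/application_controller.rb. The decision should be written down at the `if`: `# Lock held by another process: a check is in progress or was done recently, so trust the existing user state rather than block.`. If callers are expected to fail closed instead, the branch would have to return false when the lock is held and the user's last check is stale. The enclosing module continues outside the hunk.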