nexedi / gitlab-ce
Commit e87e2805 authored Dec 12, 2016 by Markus Koller
Log messages when blocking/unblocking LDAP accounts
parent ad1a1d97
Showing 4 changed files with 82 additions and 13 deletions
changelogs/unreleased/feature-log-ldap-to-application-log.yml (+4 -0)
doc/administration/auth/ldap.md (+1 -1)
lib/gitlab/ldap/access.rb (+22 -4)
spec/lib/gitlab/ldap/access_spec.rb (+55 -8)
changelogs/unreleased/feature-log-ldap-to-application-log.yml (new file, 0 → 100644)
---
title
:
Log LDAP blocking/unblocking events to application log
merge_request
:
8042
author
:
Markus Koller
doc/administration/auth/ldap.md
@@ -302,4 +302,4 @@ GitLab. Common combinations are `method: 'plain'` and `port: 389`, OR
If there is an unexpected error while authenticating the user with the LDAP
backend, the login is rejected and details about the error are logged to
`
produc
tion.log`
.
`
applica
tion.log`
.
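Review bot: the change from production.log to application.log only corrects where unexpected LDAP authentication errors are recorded; the block/unblock messages this commit adds through Gitlab::AppLogger are not mentioned anywhere in ldap.md. Add a sentence after this paragraph saying that automatic blocking and unblocking of LDAP users, together with the reason ('is disabled in Active Directory', 'does not exist anymore', and so on), is also written to `application.log`, so operators know which file to watch when auditing account-state changes.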
lib/gitlab/ldap/access.rb
@@ -34,21 +34,21 @@ module Gitlab
def
allowed?
if
ldap_user
unless
ldap_config
.
active_directory
u
ser
.
activate
if
user
.
ldap_blocked?
u
nblock_user
(
user
,
'is not in Active Directory anymore'
)
if
user
.
ldap_blocked?
return
true
end
# Block user in GitLab if he/she was blocked in AD
if
Gitlab
::
LDAP
::
Person
.
disabled_via_active_directory?
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
user
.
ldap_block
block_user
(
user
,
'is disabled in Active Directory'
)
false
else
u
ser
.
activate
if
user
.
ldap_blocked?
u
nblock_user
(
user
,
'is not disabled anymore'
)
if
user
.
ldap_blocked?
true
end
else
# Block the user if they no longer exist in LDAP/AD
user
.
ldap_block
block_user
(
user
,
'does not exist anymore'
)
false
end
end
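Review bot: the two unblock paths are guarded with `if user.ldap_blocked?`, but `block_user(user, 'is disabled in Active Directory')` and `block_user(user, 'does not exist anymore')` run unconditionally, so a user who is already LDAP-blocked produces a fresh "blocking Gitlab user" log entry on every evaluation of `allowed?`. That inflates application.log and makes the first real block event harder to find when reconstructing a timeline; guard the block calls symmetrically (for example `block_user(user, ...) unless user.ldap_blocked?`) so each state transition is logged once. While touching the method, the comment "Block user in GitLab if he/she was blocked in AD" could follow the wording of the sibling comment ("Block the user if they ...").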
@@ -64,6 +64,24 @@ module Gitlab
def
ldap_user
@ldap_user
||=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
end
def
block_user
(
user
,
reason
)
user
.
ldap_block
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
+
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
def
unblock_user
(
user
,
reason
)
user
.
activate
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
+
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
end
end
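Review bot: `block_user` and `unblock_user` build the same two-part message by hand, differing only in "blocking" versus "unblocking", and both interpolate `user.ldap_identity.extern_uid` (a DN, which can contain commas and quotes) and `user.name` verbatim into a line that a log consumer is expected to split on the quoted fields. Extract one private helper that formats the line for both methods and passes the interpolated values through `.inspect` (which escapes embedded quotes and newlines), so the entries stay one-line and parseable; the helper is also the place to spell "GitLab user" consistently with the docs and the spec descriptions in this commit rather than "Gitlab user".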
spec/lib/gitlab/ldap/access_spec.rb
@@ -15,9 +15,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'should block user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
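Review bot: the description 'should block user in GitLab' keeps the "should" prefix while the parallel examples in this file read 'blocks user in GitLab'; rename it for consistency. Separately, `expect(access).to receive(:block_user)` on a partial double replaces the real method with a stub unless `.and_call_original` is chained, so if the `expect(user).to be_blocked` and `be_ldap_blocked` lines shown in this hunk survive the change (the +/- markers were lost in this rendering), they can no longer pass: either chain `.and_call_original` or drop the state assertions here and rely on the `#block_user` examples added later in this file.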
@@ -34,9 +34,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'is disabled in Active Directory'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
@@ -53,7 +53,10 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'does not unblock user in GitLab'
do
expect
(
access
).
not_to
receive
(
:unblock_user
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
# this block is handled by omniauth not by our internal logic
end
@@ -65,8 +68,9 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'unblocks user in GitLab'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is not disabled anymore'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
end
end
end
@@ -87,9 +91,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
@@ -99,11 +103,54 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'unblocks the user if it exists'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is not in Active Directory anymore'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
end
end
end
end
end
describe
'#block_user'
do
before
do
user
.
activate
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
block_user
user
,
'reason'
end
it
'blocks the user'
do
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
have_received
(
:info
).
with
(
"LDAP account
\"
123456
\"
reason, "
+
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
describe
'#unblock_user'
do
before
do
user
.
ldap_block
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
unblock_user
user
,
'reason'
end
it
'activates the user'
do
expect
(
user
).
not_to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
end
it
'logs the reason'
do
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
123456
\"
reason, "
+
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
end
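Review bot: in `describe '#unblock_user'`, the 'logs the reason' example calls `Gitlab::AppLogger.info(...)` directly instead of asserting on it, so the example passes without checking anything and a regression in the unblock log line would go unnoticed. Mirror the `#block_user` counterpart: `expect(Gitlab::AppLogger).to have_received(:info).with("LDAP account \"123456\" reason, " + "unblocking Gitlab user \"#{user.name}\" (#{user.email})")`.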