Commit e87e2805 (unverified), authored Dec 12, 2016 by Markus Koller
Log messages when blocking/unblocking LDAP accounts
Parent: ad1a1d97
Showing 4 changed files with 82 additions and 13 deletions
changelogs/unreleased/feature-log-ldap-to-application-log.yml (+4 -0)
doc/administration/auth/ldap.md (+1 -1)
lib/gitlab/ldap/access.rb (+22 -4)
spec/lib/gitlab/ldap/access_spec.rb (+55 -8)
changelogs/unreleased/feature-log-ldap-to-application-log.yml
0 → 100644
---
title
:
Log LDAP blocking/unblocking events to application log
merge_request
:
8042
author
:
Markus Koller
doc/administration/auth/ldap.md
...
...
@@ -302,4 +302,4 @@ GitLab. Common combinations are `method: 'plain'` and `port: 389`, OR
If there is an unexpected error while authenticating the user with the LDAP
backend, the login is rejected and details about the error are logged to
`
produc
tion.log`
.
`
applica
tion.log`
.
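Review bot: The sentence being changed describes unexpected errors while authenticating against the LDAP backend, but the only logging visible in this commit is the block/unblock messages sent to `Gitlab::AppLogger` in lib/gitlab/ldap/access.rb. Please confirm that authentication error details really end up in `application.log`; if they still go to `production.log`, keep the original sentence and add a separate one stating that block and unblock events are written to `application.log`.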
lib/gitlab/ldap/access.rb
...
...
@@ -34,21 +34,21 @@ module Gitlab
def
allowed?
if
ldap_user
unless
ldap_config
.
active_directory
u
ser
.
activate
if
user
.
ldap_blocked?
u
nblock_user
(
user
,
'is not in Active Directory anymore'
)
if
user
.
ldap_blocked?
return
true
end
# Block user in GitLab if he/she was blocked in AD
if
Gitlab
::
LDAP
::
Person
.
disabled_via_active_directory?
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
user
.
ldap_block
block_user
(
user
,
'is disabled in Active Directory'
)
false
else
u
ser
.
activate
if
user
.
ldap_blocked?
u
nblock_user
(
user
,
'is not disabled anymore'
)
if
user
.
ldap_blocked?
true
end
else
# Block the user if they no longer exist in LDAP/AD
user
.
ldap_block
block_user
(
user
,
'does not exist anymore'
)
false
end
end
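Review bot: In `allowed?`, both `block_user` calls run unconditionally, while the `unblock_user` calls are guarded by `if user.ldap_blocked?`. If `allowed?` is evaluated repeatedly for an account that is already LDAP-blocked, every evaluation calls `user.ldap_block` again and writes another "blocking" line, which buries the real state change in the application log. Consider guarding the calls with `unless user.ldap_blocked?`. Separately, in the `unless ldap_config.active_directory` branch the reason 'is not in Active Directory anymore' yields a confusing message: that branch runs when the server is not configured as Active Directory and the LDAP entry was found, so a reason such as 'is available again' would describe it better.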
...
...
@@ -64,6 +64,24 @@ module Gitlab
def
ldap_user
@ldap_user
||=
Gitlab
::
LDAP
::
Person
.
find_by_dn
(
user
.
ldap_identity
.
extern_uid
,
adapter
)
end
def
block_user
(
user
,
reason
)
user
.
ldap_block
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
+
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
def
unblock_user
(
user
,
reason
)
user
.
activate
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
#{
user
.
ldap_identity
.
extern_uid
}
\"
#{
reason
}
, "
+
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
end
end
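Review bot: `block_user` and `unblock_user` interpolate `user.ldap_identity.extern_uid`, `user.name` and `user.email` straight into the log message between escaped double quotes. If any of these values can contain a double quote or a line break, the entry becomes ambiguous or splits across lines, which matters for a log that is meant to audit access changes. Logging a stable identifier such as `user.id` and passing free-text fields through `inspect` would avoid that. Also, both methods take `user` as a parameter although `allowed?` already works on the instance's own `user`, and the message spells the product "Gitlab" rather than "GitLab".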
spec/lib/gitlab/ldap/access_spec.rb
...
...
@@ -15,9 +15,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'should block user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
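Review bot: `expect(access).to receive(:block_user).with(user, 'does not exist anymore')` has no `.and_call_original`, so the method is replaced by a stub and `user.ldap_block` never runs in this example. The example then only proves the call and its reason string; add `.and_call_original` if the `be_blocked` and `be_ldap_blocked` expectations are meant to keep covering the end state reached through `allowed?`. The same applies to the other `receive(:block_user)` and `receive(:unblock_user)` expectations in this file. The title 'should block user in GitLab' could also be aligned with the 'blocks user in GitLab' wording used in the following contexts.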
...
...
@@ -34,9 +34,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'is disabled in Active Directory'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
...
...
@@ -53,7 +53,10 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'does not unblock user in GitLab'
do
expect
(
access
).
not_to
receive
(
:unblock_user
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
# this block is handled by omniauth not by our internal logic
end
...
...
@@ -65,8 +68,9 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'unblocks user in GitLab'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is not disabled anymore'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
end
end
end
...
...
@@ -87,9 +91,9 @@ describe Gitlab::LDAP::Access, lib: true do
it
{
is_expected
.
to
be_falsey
}
it
'blocks user in GitLab'
do
expect
(
access
).
to
receive
(
:block_user
).
with
(
user
,
'does not exist anymore'
)
access
.
allowed?
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
end
...
...
@@ -99,11 +103,54 @@ describe Gitlab::LDAP::Access, lib: true do
end
it
'unblocks the user if it exists'
do
expect
(
access
).
to
receive
(
:unblock_user
).
with
(
user
,
'is not in Active Directory anymore'
)
access
.
allowed?
expect
(
user
).
not_to
be_blocked
end
end
end
end
end
describe
'#block_user'
do
before
do
user
.
activate
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
block_user
user
,
'reason'
end
it
'blocks the user'
do
expect
(
user
).
to
be_blocked
expect
(
user
).
to
be_ldap_blocked
end
it
'logs the reason'
do
expect
(
Gitlab
::
AppLogger
).
to
have_received
(
:info
).
with
(
"LDAP account
\"
123456
\"
reason, "
+
"blocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
describe
'#unblock_user'
do
before
do
user
.
ldap_block
allow
(
Gitlab
::
AppLogger
).
to
receive
(
:info
)
access
.
unblock_user
user
,
'reason'
end
it
'activates the user'
do
expect
(
user
).
not_to
be_blocked
expect
(
user
).
not_to
be_ldap_blocked
end
it
'logs the reason'
do
Gitlab
::
AppLogger
.
info
(
"LDAP account
\"
123456
\"
reason, "
+
"unblocking Gitlab user
\"
#{
user
.
name
}
\"
(
#{
user
.
email
}
)"
)
end
end
end
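Review bot: In the `#unblock_user` describe, the 'logs the reason' example calls `Gitlab::AppLogger.info(...)` directly instead of asserting on it, so it passes regardless of what `unblock_user` logs. It should mirror the `#block_user` example and use `expect(Gitlab::AppLogger).to have_received(:info).with(...)` with the "unblocking Gitlab user" message.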