author | Drew Blessing <drew@blessing.io> | 2019-05-17 15:26:15 -0500 |
---|---|---|
committer | Drew Blessing <drew@blessing.io> | 2019-06-21 05:49:56 -0500 |
commit | 05d5504d072fa1a1c222e94b21e483ba28cbe666 (patch) | |
tree | d71b107855b213fb87fa64032b78808ef23b4983 | |
parent | c10bde1ff088d0b744ce98b28ee6faa16b0eda34 (diff) | |
Sanitize LDAP output in Rake tasks
The various LDAP check Rake tasks have long supported a SANITIZE
environment variable. When present, identifiable information such as
user names and project/group names is obscured. Until now,
the LDAP check did not honor this. Now it will only say how many
users were found. This should at least give the indication that
the LDAP configuration found something, but will not leak what
it is. Resolves #56131
-rw-r--r-- | changelogs/unreleased/sanitize_rake_ldap_check_output.yml | 5 | ||||
-rw-r--r-- | lib/system_check/ldap_check.rb | 9 | ||||
-rw-r--r-- | spec/tasks/gitlab/check_rake_spec.rb | 9 |
3 files changed, 21 insertions, 2 deletions
diff --git a/changelogs/unreleased/sanitize_rake_ldap_check_output.yml b/changelogs/unreleased/sanitize_rake_ldap_check_output.yml
new file mode 100644
index 00000000000..92824d1dd48
--- /dev/null
+++ b/changelogs/unreleased/sanitize_rake_ldap_check_output.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize LDAP output in Rake tasks
+merge_request: 28427
+author:
+type: fixed
diff --git a/lib/system_check/ldap_check.rb b/lib/system_check/ldap_check.rb
index 619fb3cccb8..938026424ed 100644
--- a/lib/system_check/ldap_check.rb
+++ b/lib/system_check/ldap_check.rb
@@ -33,8 +33,13 @@ module SystemCheck
 $stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"
 users = adapter.users(adapter.config.uid, '*', limit)
- users.each do |user|
- $stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
+
+ if should_sanitize?
+ $stdout.puts "\tUser output sanitized. Found #{users.length} users of #{limit} limit."
+ else
+ users.each do |user|
+ $stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
+ end
 end
 end
 rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e
diff --git a/spec/tasks/gitlab/check_rake_spec.rb b/spec/tasks/gitlab/check_rake_spec.rb
index 06525e3c771..0fcb9b269f3 100644
--- a/spec/tasks/gitlab/check_rake_spec.rb
+++ b/spec/tasks/gitlab/check_rake_spec.rb
@@ -96,6 +96,15 @@ describe 'check.rake' do
 subject
 end
+
+ it 'sanitizes output' do
+ user = double(dn: 'uid=fake_user1', uid: 'fake_user1')
+ allow(adapter).to receive(:users).and_return([user])
+ stub_env('SANITIZE', 'true')
+
+ expect { subject }.to output(/User output sanitized/).to_stdout
+ expect { subject }.not_to output('fake_user1').to_stdout
+ end
 end
 end
 end |
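Review bot: The SANITIZE guard in the new `if should_sanitize?` branch covers only the per-user loop. The `rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e` line that closes the hunk opens a handler whose body is outside the hunk, so it is not visible whether that path echoes the server address or the exception text. If SANITIZE is meant to make this task's output safe to share, that handler and any output earlier in the method should be checked against the same flag. A short comment above the branch would record the intent, e.g. `# SANITIZE: report only a count so DNs and uids never reach shared output`. The enclosing method begins and ends outside the hunk.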
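Review bot: The negative assertion `expect { subject }.not_to output('fake_user1').to_stdout` cannot fail on a leak. RSpec's `output` matcher compares a String argument against the whole captured output, and the first expectation already shows the task prints other text, so the output is never exactly `fake_user1`. Use a pattern so any occurrence is caught: `expect { subject }.not_to output(/fake_user1/).to_stdout`, which also covers the DN `uid=fake_user1`. The enclosing `describe`/`context` blocks start outside the hunk.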