authorJames Edwards-Jones <jedwardsjones@gitlab.com>2019-07-31 02:03:20 +0100
committerJames Edwards-Jones <jedwardsjones@gitlab.com>2019-07-31 02:16:29 +0100
commitad5d27a252149a91ba823e25186fc65d295b22fe (patch)
treeff3b48aba7d1490cf71f0b630aa8bae4c718ea44
parentdcad4c161f9c19723e9c694f45ffa6d9aff9a622 (diff)
downloadgitlab-ce-jej/prevent-ldap-sign-in.tar.gz
WIP: Option to prevent LDAP sign injej/prevent-ldap-sign-in
When LDAP is used for group sync and SAML for authentication, it can be preferable to disable LDAP sign in for security.
-rw-r--r--app/controllers/ldap/omniauth_callbacks_controller.rb2
-rw-r--r--app/controllers/sessions_controller.rb8
-rw-r--r--app/helpers/auth_helper.rb4
-rw-r--r--app/views/devise/sessions/new.html.haml4
-rw-r--r--config/initializers/1_settings.rb1
-rw-r--r--config/routes/user.rb2
-rw-r--r--lib/gitlab/auth/ldap/config.rb8
7 files changed, 24 insertions, 5 deletions
diff --git a/app/controllers/ldap/omniauth_callbacks_controller.rb b/app/controllers/ldap/omniauth_callbacks_controller.rb
index 9a5a45939e0..d08efc59eea 100644
--- a/app/controllers/ldap/omniauth_callbacks_controller.rb
+++ b/app/controllers/ldap/omniauth_callbacks_controller.rb
@@ -4,7 +4,7 @@ class Ldap::OmniauthCallbacksController < OmniauthCallbacksController
extend ::Gitlab::Utils::Override
def self.define_providers!
- return unless Gitlab::Auth::LDAP::Config.enabled?
+ return unless Gitlab::Auth::LDAP::Config.sign_in_enabled?
Gitlab::Auth::LDAP::Config.available_servers.each do |server|
alias_method server['provider_name'], :ldap
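Review bot: Gating `define_providers!` on `sign_in_enabled?` stops the custom LDAP callback actions from being aliased, but nothing in this diff removes the LDAP providers from Devise's OmniAuth configuration, so the OmniAuth LDAP strategy and its default callback endpoint may still be mounted even though the UI no longer shows a sign-in form; the same gap applies to the route override gate in config/routes/user.rb. If the provider registration lives in the Devise/OmniAuth initializer, it should be gated on `Gitlab::Auth::LDAP::Config.sign_in_enabled?` as well, otherwise the option hides LDAP sign-in rather than preventing it. Both gates are evaluated at boot, so a comment such as `# Evaluated at load time: toggling prevent_ldap_sign_in requires a restart` would save the next reader a surprise. The body of `define_providers!` continues past the end of this hunk.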
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 1880bead3ee..6779da8b3be 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -237,7 +237,13 @@ class SessionsController < Devise::SessionsController
end
def ldap_servers
- @ldap_servers ||= Gitlab::Auth::LDAP::Config.available_servers
+ @ldap_servers ||= begin
+ if Gitlab::Auth::LDAP::Config.sign_in_enabled?
+ Gitlab::Auth::LDAP::Config.available_servers
+ else
+ []
+ end
+ end
end
def authentication_method
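Review bot: The `begin`/`if`/`else`/`end` wrapped in `||=` is a lot of ceremony for a two-way choice; a single line reads better and memoizes identically since `[]` is truthy: `@ldap_servers ||= Gitlab::Auth::LDAP::Config.sign_in_enabled? ? Gitlab::Auth::LDAP::Config.available_servers : []`. The same "servers only when sign-in is enabled" decision is now made separately here, in `Ldap::OmniauthCallbacksController.define_providers!` and in config/routes/user.rb, so a single helper on `Gitlab::Auth::LDAP::Config` returning `[]` when sign-in is disabled would keep the three from drifting. `ldap_servers` starts inside the hunk but the surrounding class continues outside it.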
diff --git a/app/helpers/auth_helper.rb b/app/helpers/auth_helper.rb
index 31c4b27273b..dde2068f552 100644
--- a/app/helpers/auth_helper.rb
+++ b/app/helpers/auth_helper.rb
@@ -8,6 +8,10 @@ module AuthHelper
Gitlab::Auth::LDAP::Config.enabled?
end
+ def ldap_sign_in_enabled?
+ Gitlab::Auth::LDAP::Config.sign_in_enabled?
+ end
+
def omniauth_enabled?
Gitlab::Auth.omniauth_enabled?
end
diff --git a/app/views/devise/sessions/new.html.haml b/app/views/devise/sessions/new.html.haml
index 30ed7ed6b29..d9b365de0bf 100644
--- a/app/views/devise/sessions/new.html.haml
+++ b/app/views/devise/sessions/new.html.haml
@@ -6,7 +6,7 @@
- else
= render 'devise/shared/tabs_normal'
.tab-content
- - if password_authentication_enabled_for_web? || ldap_enabled? || crowd_enabled?
+ - if password_authentication_enabled_for_web? || ldap_sign_in_enabled? || crowd_enabled?
= render 'devise/shared/signin_box'
-# Signup only makes sense if you can also sign-in
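Review bot: Switching this condition (and the one in the second hunk of this file) to `ldap_sign_in_enabled?` only affects the two top-level checks; if `devise/shared/signin_box` or the LDAP tab partials still decide what to render from `ldap_enabled?` or from the form-based provider list, an LDAP tab may still appear with `prevent_ldap_sign_in` set, which cannot be confirmed from this diff. Worth grepping the remaining `ldap_enabled?` call sites in app/views and app/helpers and switching the ones that drive sign-in UI. Separately, the "No authentication methods configured" condition in the second hunk omits `crowd_enabled?` while the signin_box condition includes it, so a Crowd-only instance shows both the form and the warning; that is pre-existing but easy to align while touching these lines.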
@@ -14,7 +14,7 @@
= render 'devise/shared/signup_box'
-# Show a message if none of the mechanisms above are enabled
- - if !password_authentication_enabled_for_web? && !ldap_enabled? && !(omniauth_enabled? && devise_mapping.omniauthable?)
+ - if !password_authentication_enabled_for_web? && !ldap_sign_in_enabled? && !(omniauth_enabled? && devise_mapping.omniauthable?)
%div
No authentication methods configured.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 32fec7c3d22..18346965882 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -4,6 +4,7 @@ require_relative '../object_store_settings'
# Default settings
Settings['ldap'] ||= Settingslogic.new({})
Settings.ldap['enabled'] = false if Settings.ldap['enabled'].nil?
+Settings.ldap['prevent_ldap_sign_in'] = false if Settings.ldap['prevent_ldap_sign_in'].nil?
Gitlab.ee do
Settings.ldap['sync_time'] = 3600 if Settings.ldap['sync_time'].nil?
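Review bot: The new `prevent_ldap_sign_in` key gets a default here but no documentation; this diff does not touch config/gitlab.yml.example, so administrators have no indication the option exists or why one would set it. A short entry next to the existing `enabled` key, such as `# Set to true to keep LDAP for group sync while blocking LDAP sign-in (e.g. when SAML handles authentication)`, would close that gap. Naming a setting in the negative (`prevent_…`) and then exposing it through a positive predicate (`sign_in_enabled?`) invites double-negative mistakes; consider whether a positive key such as `sign_in_enabled` under `ldap` fits the surrounding settings better.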
diff --git a/config/routes/user.rb b/config/routes/user.rb
index 80f266aa8f9..b466fe39d57 100644
--- a/config/routes/user.rb
+++ b/config/routes/user.rb
@@ -13,7 +13,7 @@ def override_omniauth(provider, controller, path_prefix = '/users/auth')
end
# Use custom controller for LDAP omniauth callback
-if Gitlab::Auth::LDAP::Config.enabled?
+if Gitlab::Auth::LDAP::Config.sign_in_enabled?
devise_scope :user do
Gitlab::Auth::LDAP::Config.available_servers.each do |server|
override_omniauth(server['provider_name'], 'ldap/omniauth_callbacks')
diff --git a/lib/gitlab/auth/ldap/config.rb b/lib/gitlab/auth/ldap/config.rb
index 354f91306f9..4a68ac5d8f4 100644
--- a/lib/gitlab/auth/ldap/config.rb
+++ b/lib/gitlab/auth/ldap/config.rb
@@ -19,6 +19,14 @@ module Gitlab
Gitlab.config.ldap.enabled
end
+ def self.sign_in_enabled?
+ enabled? && !prevent_ldap_sign_in?
+ end
+
+ def self.prevent_ldap_sign_in?
+ Gitlab.config.ldap.prevent_ldap_sign_in
+ end
+
def self.servers
Gitlab.config.ldap['servers']&.values || []
end
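Review bot: `sign_in_enabled?` is only consulted by the web UI, the route override and the callbacks controller in this diff; if `Gitlab::Auth.find_with_user_password` still falls through to `Gitlab::Auth::LDAP::Authentication.login` under `Config.enabled?` (it is not part of this change, so this needs confirming), git-over-HTTP and API basic auth would still accept LDAP credentials while the sign-in page says LDAP is off, which undercuts the security intent stated in the commit message. If that is the case, the password-auth path should also check `sign_in_enabled?`. `prevent_ldap_sign_in?` returns the raw setting rather than a boolean; `!!Gitlab.config.ldap.prevent_ldap_sign_in` would make the predicate honest for callers that compare against `false`. A one-line comment above `sign_in_enabled?` would help future readers: `# LDAP can stay enabled for group sync while sign-in is blocked (e.g. SAML handles authentication)`.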