debian-mirror-gitlab/lib/gitlab/auth/ldap/adapter.rb

145 lines
4 KiB
Ruby
Raw Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2018-03-27 19:54:05 +05:30
module Gitlab
module Auth
2020-04-08 14:13:33 +05:30
module Ldap
2018-03-27 19:54:05 +05:30
class Adapter
2018-05-09 12:01:36 +05:30
SEARCH_RETRY_FACTOR = [1, 1, 2, 3].freeze
MAX_SEARCH_RETRIES = Rails.env.test? ? 1 : SEARCH_RETRY_FACTOR.size.freeze
2018-03-27 19:54:05 +05:30
attr_reader :provider, :ldap
def self.open(provider, &block)
Net::LDAP.open(config(provider).adapter_options) do |ldap|
block.call(self.new(provider, ldap))
end
end
def self.config(provider)
2020-04-08 14:13:33 +05:30
Gitlab::Auth::Ldap::Config.new(provider)
2018-03-27 19:54:05 +05:30
end
def initialize(provider, ldap = nil)
@provider = provider
2018-05-09 12:01:36 +05:30
@ldap = ldap || renew_connection_adapter
2018-03-27 19:54:05 +05:30
end
def config
2020-04-08 14:13:33 +05:30
Gitlab::Auth::Ldap::Config.new(provider)
2018-03-27 19:54:05 +05:30
end
def users(fields, value, limit = nil)
options = user_options(Array(fields), value, limit)
2019-03-02 22:35:43 +05:30
users_search(options)
2018-03-27 19:54:05 +05:30
end
def user(*args)
users(*args).first
end
def dn_matches_filter?(dn, filter)
ldap_search(base: dn,
filter: filter,
scope: Net::LDAP::SearchScope_BaseObject,
attributes: %w{dn}).any?
end
def ldap_search(*args)
2018-05-09 12:01:36 +05:30
retries ||= 0
2018-03-27 19:54:05 +05:30
# Net::LDAP's `time` argument doesn't work. Use Ruby `Timeout` instead.
2018-05-09 12:01:36 +05:30
Timeout.timeout(timeout_time(retries)) do
2018-03-27 19:54:05 +05:30
results = ldap.search(*args)
if results.nil?
response = ldap.get_operation_result
2020-10-24 23:57:45 +05:30
unless response.code == 0
2019-09-30 21:07:59 +05:30
Rails.logger.warn("LDAP search error: #{response.message}") # rubocop:disable Gitlab/RailsLogger
2018-03-27 19:54:05 +05:30
end
[]
else
results
end
end
2018-05-09 12:01:36 +05:30
rescue Net::LDAP::Error, Timeout::Error => error
retries += 1
error_message = connection_error_message(error)
2019-09-30 21:07:59 +05:30
Rails.logger.warn(error_message) # rubocop:disable Gitlab/RailsLogger
2018-05-09 12:01:36 +05:30
if retries < MAX_SEARCH_RETRIES
renew_connection_adapter
retry
else
2020-04-08 14:13:33 +05:30
raise LdapConnectionError, error_message
2018-05-09 12:01:36 +05:30
end
2018-03-27 19:54:05 +05:30
end
private
2018-05-09 12:01:36 +05:30
def timeout_time(retry_number)
SEARCH_RETRY_FACTOR[retry_number] * config.timeout
end
2019-03-02 22:35:43 +05:30
def users_search(options)
entries = ldap_search(options).select do |entry|
entry.respond_to? config.uid
end
entries.map do |entry|
2020-04-08 14:13:33 +05:30
Gitlab::Auth::Ldap::Person.new(entry, provider)
2019-03-02 22:35:43 +05:30
end
end
2018-03-27 19:54:05 +05:30
def user_options(fields, value, limit)
options = {
2020-04-08 14:13:33 +05:30
attributes: Gitlab::Auth::Ldap::Person.ldap_attributes(config),
2018-03-27 19:54:05 +05:30
base: config.base
}
options[:size] = limit if limit
if fields.include?('dn')
raise ArgumentError, 'It is not currently possible to search the DN and other fields at the same time.' if fields.size > 1
options[:base] = value
options[:scope] = Net::LDAP::SearchScope_BaseObject
else
filter = fields.map { |field| Net::LDAP::Filter.eq(field, value) }.inject(:|)
end
options.merge(filter: user_filter(filter))
end
def user_filter(filter = nil)
user_filter = config.constructed_user_filter if config.user_filter.present?
if user_filter && filter
Net::LDAP::Filter.join(filter, user_filter)
elsif user_filter
user_filter
else
filter
end
end
2018-05-09 12:01:36 +05:30
def connection_error_message(exception)
if exception.is_a?(Timeout::Error)
"LDAP search timed out after #{config.timeout} seconds"
else
"LDAP search raised exception #{exception.class}: #{exception.message}"
end
end
def renew_connection_adapter
@ldap = Net::LDAP.new(config.adapter_options)
end
2018-03-27 19:54:05 +05:30
end
end
end
end
2020-05-24 23:13:21 +05:30
Gitlab::Auth::Ldap::Adapter.prepend_if_ee('::EE::Gitlab::Auth::Ldap::Adapter')