debian-mirror-gitlab/lib/gitlab/auth/ldap/config.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

329 lines
8.3 KiB
Ruby
Raw Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2018-03-27 19:54:05 +05:30
# Load a specific server configuration
module Gitlab
module Auth
2020-04-08 14:13:33 +05:30
module Ldap
2018-03-27 19:54:05 +05:30
class Config
NET_LDAP_ENCRYPTION_METHOD = {
simple_tls: :simple_tls,
2022-10-11 01:57:18 +05:30
start_tls: :start_tls,
plain: nil
2018-03-27 19:54:05 +05:30
}.freeze
attr_accessor :provider, :options
2018-11-08 19:23:39 +05:30
InvalidProvider = Class.new(StandardError)
2018-03-27 19:54:05 +05:30
def self.enabled?
Gitlab.config.ldap.enabled
end
2019-12-26 22:10:19 +05:30
def self.sign_in_enabled?
enabled? && !prevent_ldap_sign_in?
end
def self.prevent_ldap_sign_in?
Gitlab.config.ldap.prevent_ldap_sign_in
end
2018-03-27 19:54:05 +05:30
def self.servers
2021-03-08 18:12:59 +05:30
Gitlab.config.ldap.servers&.values || []
2018-03-27 19:54:05 +05:30
end
def self.available_servers
return [] unless enabled?
2018-11-08 19:23:39 +05:30
_available_servers
end
def self._available_servers
2018-03-27 19:54:05 +05:30
Array.wrap(servers.first)
end
def self.providers
2021-03-08 18:12:59 +05:30
provider_names_from_servers(servers)
2018-03-27 19:54:05 +05:30
end
2021-03-08 18:12:59 +05:30
def self.available_providers
provider_names_from_servers(available_servers)
end
def self.provider_names_from_servers(servers)
servers&.map { |server| server['provider_name'] } || []
end
private_class_method :provider_names_from_servers
2018-03-27 19:54:05 +05:30
def self.valid_provider?(provider)
providers.include?(provider)
end
def self.invalid_provider(provider)
2021-06-08 01:23:25 +05:30
raise InvalidProvider, "Unknown provider (#{provider}). Available providers: #{providers}"
2018-03-27 19:54:05 +05:30
end
2021-02-22 17:27:13 +05:30
def self.encrypted_secrets
Settings.encrypted(Gitlab.config.ldap.secret_file)
end
2018-03-27 19:54:05 +05:30
def initialize(provider)
if self.class.valid_provider?(provider)
@provider = provider
else
self.class.invalid_provider(provider)
end
@options = config_for(@provider) # Use @provider, not provider
end
def enabled?
base_config.enabled
end
def adapter_options
opts = base_options.merge(
encryption: encryption_options
)
opts.merge!(auth_options) if has_auth?
opts
end
def omniauth_options
opts = base_options.merge(
base: base,
encryption: options['encryption'],
filter: omniauth_user_filter,
name_proc: name_proc,
2019-07-07 11:18:12 +05:30
disable_verify_certificates: !options['verify_certificates'],
tls_options: tls_options
2018-03-27 19:54:05 +05:30
)
if has_auth?
opts.merge!(
2021-02-22 17:27:13 +05:30
bind_dn: auth_username,
password: auth_password
2018-03-27 19:54:05 +05:30
)
end
opts
end
def base
2018-11-08 19:23:39 +05:30
@base ||= Person.normalize_dn(options['base'])
2018-03-27 19:54:05 +05:30
end
def uid
options['uid']
end
2018-11-08 19:23:39 +05:30
def label
options['label']
end
2018-03-27 19:54:05 +05:30
def sync_ssh_keys?
sync_ssh_keys.present?
end
# The LDAP attribute in which the ssh keys are stored
def sync_ssh_keys
options['sync_ssh_keys']
end
def user_filter
options['user_filter']
end
def constructed_user_filter
@constructed_user_filter ||= Net::LDAP::Filter.construct(user_filter)
end
def group_base
options['group_base']
end
def admin_group
options['admin_group']
end
def active_directory
options['active_directory']
end
def block_auto_created_users
options['block_auto_created_users']
end
def attributes
default_attributes.merge(options['attributes'])
end
def timeout
options['timeout'].to_i
end
2021-09-30 23:02:18 +05:30
def retry_empty_result_with_codes
options.fetch('retry_empty_result_with_codes', [])
end
2018-11-08 19:23:39 +05:30
def external_groups
options['external_groups'] || []
end
2018-03-27 19:54:05 +05:30
def has_auth?
2021-02-22 17:27:13 +05:30
auth_password || auth_username
2018-03-27 19:54:05 +05:30
end
def allow_username_or_email_login
options['allow_username_or_email_login']
end
def lowercase_usernames
options['lowercase_usernames']
end
def name_proc
if allow_username_or_email_login
proc { |name| name.gsub(/@.*\z/, '') }
else
proc { |name| name }
end
end
def default_attributes
{
2022-10-11 01:57:18 +05:30
'username' => %W(#{uid} uid sAMAccountName userid).uniq,
'email' => %w(mail email userPrincipalName),
'name' => 'cn',
'first_name' => 'givenName',
'last_name' => 'sn'
2018-03-27 19:54:05 +05:30
}
end
protected
def base_options
{
host: options['host'],
2022-03-02 08:16:31 +05:30
port: options['port'],
hosts: options['hosts']
2018-03-27 19:54:05 +05:30
}
end
def base_config
Gitlab.config.ldap
end
def config_for(provider)
base_config.servers.values.find { |server| server['provider_name'] == provider }
end
def encryption_options
2019-07-07 11:18:12 +05:30
method = translate_method
return unless method
2018-03-27 19:54:05 +05:30
{
method: method,
2019-07-07 11:18:12 +05:30
tls_options: tls_options
2018-03-27 19:54:05 +05:30
}
end
2019-07-07 11:18:12 +05:30
def translate_method
NET_LDAP_ENCRYPTION_METHOD[options['encryption']&.to_sym]
2018-03-27 19:54:05 +05:30
end
2019-07-07 11:18:12 +05:30
def tls_options
return @tls_options if defined?(@tls_options)
method = translate_method
return unless method
2018-03-27 19:54:05 +05:30
2019-07-07 11:18:12 +05:30
opts = if options['verify_certificates'] && method != 'plain'
# Dup so we don't accidentally overwrite the constant
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
2018-03-27 19:54:05 +05:30
else
# It is important to explicitly set verify_mode for two reasons:
# 1. The behavior of OpenSSL is undefined when verify_mode is not set.
# 2. The net-ldap gem implementation verifies the certificate hostname
# unless verify_mode is set to VERIFY_NONE.
{ verify_mode: OpenSSL::SSL::VERIFY_NONE }
end
2019-07-07 11:18:12 +05:30
opts.merge!(custom_tls_options)
2019-05-18 00:54:41 +05:30
2019-07-07 11:18:12 +05:30
@tls_options = opts
end
def custom_tls_options
return {} unless options['tls_options']
# Dup so we don't overwrite the original value
custom_options = options['tls_options'].dup.delete_if { |_, value| value.nil? || value.blank? }
custom_options.symbolize_keys!
if custom_options[:cert]
begin
custom_options[:cert] = OpenSSL::X509::Certificate.new(custom_options[:cert])
rescue OpenSSL::X509::CertificateError => e
2020-11-24 15:15:51 +05:30
Gitlab::AppLogger.error "LDAP TLS Options 'cert' is invalid for provider #{provider}: #{e.message}"
2019-07-07 11:18:12 +05:30
end
end
if custom_options[:key]
begin
custom_options[:key] = OpenSSL::PKey.read(custom_options[:key])
rescue OpenSSL::PKey::PKeyError => e
2020-11-24 15:15:51 +05:30
Gitlab::AppLogger.error "LDAP TLS Options 'key' is invalid for provider #{provider}: #{e.message}"
2019-07-07 11:18:12 +05:30
end
end
custom_options
2018-03-27 19:54:05 +05:30
end
def auth_options
{
auth: {
method: :simple,
2021-02-22 17:27:13 +05:30
username: auth_username,
password: auth_password
2018-03-27 19:54:05 +05:30
}
}
end
2021-02-22 17:27:13 +05:30
def secrets
@secrets ||= self.class.encrypted_secrets[@provider.delete_prefix('ldap').to_sym]
2021-06-08 01:23:25 +05:30
rescue StandardError => e
2021-02-22 17:27:13 +05:30
Gitlab::AppLogger.error "LDAP encrypted secrets are invalid: #{e.inspect}"
nil
end
def auth_password
return options['password'] if options['password']
secrets&.fetch(:password, nil)&.chomp
end
def auth_username
return options['bind_dn'] if options['bind_dn']
secrets&.fetch(:bind_dn, nil)&.chomp
end
2018-03-27 19:54:05 +05:30
def omniauth_user_filter
uid_filter = Net::LDAP::Filter.eq(uid, '%{username}')
if user_filter.present?
Net::LDAP::Filter.join(uid_filter, constructed_user_filter).to_s
else
uid_filter.to_s
end
end
end
end
end
end
2020-05-24 23:13:21 +05:30
2021-06-08 01:23:25 +05:30
Gitlab::Auth::Ldap::Config.prepend_mod_with('Gitlab::Auth::Ldap::Config')