author | Robert Speicher <robert@gitlab.com> | 2016-09-09 18:59:33 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2016-09-09 18:59:33 +0000 |
commit | 0b2a34108d3189aff9a15f30006c270fb84be00e (patch) | |
tree | 9f3f644a0c4856d4f564849291d19868268b7702 /lib | |
parent | 516100c55b589e69198feca602a2f71e4e66e280 (diff) | |
parent | bf8a48e179119830f83f3b358f66f8a95af17963 (diff) | |
download | gitlab-ce-0b2a34108d3189aff9a15f30006c270fb84be00e.tar.gz |
Merge branch 'restrict_ldap_return_attributes' into 'master'
Restrict ldap return attributes
## What does this MR do?
Fixes the CE part of #13821. We really only ever need the uid, dn, cn, and mail attributes, and in some cases even fewer. This merge request strips the request down to those four attributes by default, and allows the caller to specify others, if needed.
## Why was this MR needed?
This will improve performance especially in cases where the connection is slow between GitLab and LDAP, or when the LDAP object has lots of attributes we don't care about.
See merge request !6187
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/ldap/adapter.rb | 58 |
1 files changed, 33 insertions, 25 deletions
diff --git a/lib/gitlab/ldap/adapter.rb b/lib/gitlab/ldap/adapter.rb
index 9a5bcfb5c9b..9100719da87 100644
--- a/lib/gitlab/ldap/adapter.rb
+++ b/lib/gitlab/ldap/adapter.rb
@@ -23,31 +23,7 @@ module Gitlab
 end
 def users(field, value, limit = nil)
- if field.to_sym == :dn
- options = {
- base: value,
- scope: Net::LDAP::SearchScope_BaseObject
- }
- else
- options = {
- base: config.base,
- filter: Net::LDAP::Filter.eq(field, value)
- }
- end
-
- if config.user_filter.present?
- user_filter = Net::LDAP::Filter.construct(config.user_filter)
-
- options[:filter] = if options[:filter]
- Net::LDAP::Filter.join(options[:filter], user_filter)
- else
- user_filter
- end
- end
-
- if limit.present?
- options.merge!(size: limit)
- end
+ options = user_options(field, value, limit)
 entries = ldap_search(options).select do |entry|
 entry.respond_to? config.uid
@@ -90,6 +66,38 @@ module Gitlab
 Rails.logger.warn("LDAP search timed out after #{config.timeout} seconds")
 []
 end
+
+ private
+
+ def user_options(field, value, limit)
+ options = { attributes: %W(#{config.uid} cn mail dn) }
+ options[:size] = limit if limit
+
+ if field.to_sym == :dn
+ options[:base] = value
+ options[:scope] = Net::LDAP::SearchScope_BaseObject
+ options[:filter] = user_filter
+ else
+ options[:base] = config.base
+ options[:filter] = user_filter(Net::LDAP::Filter.eq(field, value))
+ end
+
+ options
+ end
+
+ def user_filter(filter = nil)
+ if config.user_filter.present?
+ user_filter = Net::LDAP::Filter.construct(config.user_filter)
+ end
+
+ if user_filter && filter
+ Net::LDAP::Filter.join(filter, user_filter)
+ elsif user_filter
+ user_filter
+ else
+ filter
+ end
+ end
 end
 end
 end |
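Review bot: The attribute list in `user_options` is fixed at `%W(#{config.uid} cn mail dn)` and neither `users` nor `user_options` takes an attributes argument, so the description's "allows the caller to specify others" is not visible in this diff. Any consumer of the returned entries that reads another attribute (for instance an e-mail or display name mapped to a different LDAP attribute in configuration, which is not shown here) would silently get nothing back, and identity matching could change without an error. I would thread the list through, e.g. `def user_options(field, value, limit, attributes = nil)` with `options = { attributes: attributes || %W(#{config.uid} cn mail dn) }`, and add a comment above it naming which consumers depend on each default attribute. Separately, `Net::LDAP::Filter.eq(field, value)` in the else branch does not escape `value`; if it can originate from a login form, `Net::LDAP::Filter.equals(field, value)` keeps `*` and parentheses literal. Both new methods are complete in the hunk, but the enclosing class and the callers of `users` lie outside it, so the consumers of these entries should be checked there.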