debian-mirror-gitlab/lib/gitlab/auth/ldap/access.rb

# frozen_string_literal: true
# LDAP authorization model
#
# * Re-validates a GitLab user against LDAP/AD: the account must still exist
#   (and, for Active Directory, must not be disabled). Otherwise the GitLab
#   user is placed in the ldap_blocked state; an LDAP connection failure
#   denies access without changing the user (fail closed).
#
module Gitlab
module Auth
module Ldap
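class Access
  prepend_if_ee('::EE::Gitlab::Auth::Ldap::Access') # rubocop: disable Cop/InjectEnterpriseEditionModule

  attr_reader :provider, :user, :ldap_identity

  # Yields an Access bound to an LDAP connection opened for the user's
  # provider. The adapter is only valid inside the block.
  #
  # @param user [User] a GitLab user that has an LDAP identity
  # @yieldparam access [Access]
  def self.open(user, &block)
    Gitlab::Auth::Ldap::Adapter.open(user.ldap_identity.provider) do |adapter|
      block.call(self.new(user, adapter))
    end
  end

  # Re-validates +user+ against LDAP and, on success, refreshes the GitLab
  # side: EE permission sync via #update_user and a last_credential_check_at
  # stamp. Neither write happens while the database is read-only. The
  # block/unblock transitions themselves live in Access#allowed?.
  #
  # @param user [User]
  # @param options [Hash] not read in CE; presumably consumed by the EE
  #   override — TODO confirm before removing
  # @return [Boolean] true when the LDAP check passed
  def self.allowed?(user, options = {})
    self.open(user) do |access|
      # Only a passing check refreshes permissions / the credential stamp;
      # a failing check has already blocked the user inside #allowed?.
      if access.allowed?
        unless Gitlab::Database.read_only?
          access.update_user
          Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
        end

        true
      else
        false
      end
    end
  end

  # @param user [User]
  # @param adapter [Gitlab::Auth::Ldap::Adapter, nil] an open adapter; when
  #   nil one is built lazily from the identity's provider (see #adapter)
  def initialize(user, adapter = nil)
    @adapter = adapter
    @user = user
    @ldap_identity = user.ldap_identity
    # Prefer the provider of an explicitly supplied adapter and fall back to
    # the one recorded on the identity. Either may be nil.
    @provider = adapter&.provider || ldap_identity&.provider
  end

  # Decides whether the user may still sign in and mirrors the LDAP state
  # onto the GitLab account:
  #
  # * no provider / entry missing from LDAP     -> ldap_block, false
  # * entry present, non-AD server              -> unblock if ldap_blocked, true
  # * entry present, AD, account disabled       -> ldap_block, false
  # * entry present, AD, account enabled        -> unblock if ldap_blocked, true
  #
  # Only users in the +ldap_blocked+ state are ever re-activated here; an
  # administrator block is left untouched. Group/filter based authorisation
  # is not part of CE (see #update_user).
  #
  # Fails closed: when the LDAP server cannot be reached the result is false
  # and the user's state is left as it was, so an outage denies sign-in
  # instead of admitting accounts that may have been removed.
  #
  # @return [Boolean]
  def allowed?
    unless ldap_user
      # Covers both "no provider" and "DN no longer resolves".
      block_user(user, 'does not exist anymore')
      return false
    end

    unless ldap_config.active_directory
      # Plain LDAP: existence of the entry is the whole check.
      unblock_user(user, 'is available again') if user.ldap_blocked?
      return true
    end

    # Active Directory additionally exposes an account-disabled flag;
    # honour it so a disabled AD account cannot keep using GitLab.
    if Gitlab::Auth::Ldap::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
      block_user(user, 'is disabled in Active Directory')
      false
    else
      unblock_user(user, 'is not disabled anymore') if user.ldap_blocked?
      true
    end
  rescue LdapConnectionError => e
    # Fail closed, but leave a trace: a bare `false` is indistinguishable
    # from a legitimate denial when investigating sign-in failures during
    # an LDAP outage.
    Gitlab::AppLogger.warn(
      "LDAP connection error while checking access for GitLab user " \
      "\"#{user.name}\" (#{user.email}): #{e.message}"
    )
    false
  end

  # Hook for refreshing the user's GitLab permissions after a passing check.
  # No-op in CE; the prepended EE module supplies the real implementation.
  def update_user
    # no-op in CE
  end

  private

  # Lazily builds an adapter for +provider+ when none was injected. Callers
  # that go through .open receive a connection-scoped adapter instead.
  def adapter
    @adapter ||= Gitlab::Auth::Ldap::Adapter.new(provider)
  end

  # Provider configuration (e.g. the active_directory flag). Built on each
  # call; not memoised.
  def ldap_config
    Gitlab::Auth::Ldap::Config.new(provider)
  end

  # The LDAP entry for the identity, or nil when there is no provider or no
  # such entry. Note `||=` only memoises a found entry; a nil result is
  # looked up again on the next call.
  def ldap_user
    return unless provider

    @ldap_user ||= find_ldap_user
  end

  # Looks the identity up by DN (extern_uid is passed as the DN).
  def find_ldap_user
    Gitlab::Auth::Ldap::Person.find_by_dn(ldap_identity.extern_uid, adapter)
  end

  # Puts the user into the ldap_blocked state and records why. This state is
  # distinct from an admin block so a later passing check can lift it.
  #
  # NOTE(review): name and email are account-controlled values interpolated
  # into the log line; confirm the logger neutralises embedded newlines,
  # otherwise a crafted display name could forge log entries.
  def block_user(user, reason)
    user.ldap_block

    if provider
      Gitlab::AppLogger.info(
        "LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
        "blocking GitLab user \"#{user.name}\" (#{user.email})"
      )
    else
      # No LDAP identity/provider to name, so the entry cannot reference one.
      Gitlab::AppLogger.info(
        "Account is not provided by LDAP, " \
        "blocking GitLab user \"#{user.name}\" (#{user.email})"
      )
    end
  end

  # Re-activates an ldap_blocked user and records why. Only reached after
  # ldap_user resolved, so ldap_identity is present here.
  def unblock_user(user, reason)
    user.activate
    Gitlab::AppLogger.info(
      "LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
      "unblocking GitLab user \"#{user.name}\" (#{user.email})"
    )
  end
end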
end
end
end