GitLab steht wegen Wartungsarbeiten am Montag, den 10. Mai, zwischen 17:00 und 19:00 Uhr nicht zur Verfügung.

user.rb 4.52 KB
Newer Older
1 2 3 4 5 6 7
# OAuth extension for User model
#
# * Find GitLab user based on omniauth uid and provider
# * Create new user from omniauth data
#
module Gitlab
  module OAuth
8
    class SignupDisabledError < StandardError; end
9

10
    class User
11
      attr_accessor :auth_hash, :gl_user
12

13 14 15
      def initialize(auth_hash)
        self.auth_hash = auth_hash
      end
16

17
      def persisted?
18
        gl_user.try(:persisted?)
19
      end
20

21
      def new?
22
        !persisted?
23
      end
24

25
      def valid?
26
        gl_user.try(:valid?)
27
      end
28

29
      def save(provider = 'OAuth')
30 31
        unauthorized_to_create unless gl_user

32
        if needs_blocking?
33
          gl_user.save!
34
          gl_user.block
35 36
        else
          gl_user.save!
37
        end
38

39
        log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
40 41
        gl_user
      rescue ActiveRecord::RecordInvalid => e
42
        log.info "(#{provider}) Error saving user: #{gl_user.errors.full_messages}"
43 44 45 46
        return self, e.record.errors
      end

      def gl_user
47 48
        @user ||= find_by_uid_and_provider

49 50 51 52
        if auto_link_ldap_user?
          @user ||= find_or_create_ldap_user
        end

53
        if signup_enabled?
54 55
          @user ||= build_new_user
        end
56

57
        @user
58
      end
59

60
      protected
61

62 63
      def find_or_create_ldap_user
        return unless ldap_person
Douwe Maan's avatar
Douwe Maan committed
64 65 66

        # If a corresponding person exists with same uid in a LDAP server,
        # set up a Gitlab user with dual LDAP and Omniauth identities.
67
        if user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
Douwe Maan's avatar
Douwe Maan committed
68
          # Case when a LDAP user already exists in Gitlab. Add the Omniauth identity to existing account.
69 70
          user.identities.build(extern_uid: auth_hash.uid, provider: auth_hash.provider)
        else
Douwe Maan's avatar
Douwe Maan committed
71
          # No account in Gitlab yet: create it and add the LDAP identity
72 73 74
          user = build_new_user
          user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)
        end
Douwe Maan's avatar
Douwe Maan committed
75

76 77 78 79 80 81 82 83 84 85 86 87 88 89
        user
      end

      def auto_link_ldap_user?
        Gitlab.config.omniauth.auto_link_ldap_user
      end

      def creating_linked_ldap_user?
        auto_link_ldap_user? && ldap_person
      end

      def ldap_person
        return @ldap_person if defined?(@ldap_person)

90 91
        # Look for a corresponding person with same uid in any of the configured LDAP providers
        Gitlab::LDAP::Config.providers.each do |provider|
92
          adapter = Gitlab::LDAP::Adapter.new(provider)
93 94
          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
          break if @ldap_person
95
        end
96
        @ldap_person
97 98 99
      end

      def ldap_config
Douwe Maan's avatar
Douwe Maan committed
100
        Gitlab::LDAP::Config.new(ldap_person.provider) if ldap_person
101 102
      end

103
      def needs_blocking?
Douwe Maan's avatar
Douwe Maan committed
104
        new? && block_after_signup?
105 106 107
      end

      def signup_enabled?
108 109
        providers = Gitlab.config.omniauth.allow_single_sign_on
        providers.include?(auth_hash.provider)
110 111 112
      end

      def block_after_signup?
Douwe Maan's avatar
Douwe Maan committed
113 114
        if creating_linked_ldap_user?
          ldap_config.block_auto_created_users
115
        else
Douwe Maan's avatar
Douwe Maan committed
116 117
          Gitlab.config.omniauth.block_auto_created_users
        end
118 119
      end

120 121 122 123
      def auth_hash=(auth_hash)
        @auth_hash = AuthHash.new(auth_hash)
      end

124
      def find_by_uid_and_provider
125 126
        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
        identity && identity.user
127
      end
128

129
      def build_new_user
130
        user = ::User.new(user_attributes)
131 132
        user.skip_confirmation!
        user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
133
        user
134 135
      end

136
      def user_attributes
137
        # Give preference to LDAP for sensitive information when creating a linked account
Douwe Maan's avatar
Douwe Maan committed
138
        if creating_linked_ldap_user?
139 140
          username = ldap_person.username.presence
          email = ldap_person.email.first.presence
141
        end
142

143 144 145
        username ||= auth_hash.username
        email ||= auth_hash.email

146 147
        name = auth_hash.name
        name = ::Namespace.clean_path(username) if name.strip.empty?
148

Douwe Maan's avatar
Douwe Maan committed
149
        {
150
          name:                       name,
151 152
          username:                   ::Namespace.clean_path(username),
          email:                      email,
153 154 155
          password:                   auth_hash.password,
          password_confirmation:      auth_hash.password,
          password_automatically_set: true
156 157
        }
      end
158

159 160 161 162
      def log
        Gitlab::AppLogger
      end

163
      def unauthorized_to_create
164
        raise SignupDisabledError
165
      end
166 167 168
    end
  end
end