# OAuth extension for User model
#
# * Find GitLab user based on omniauth uid and provider
# * Create new user from omniauth data
#
module Gitlab
  module OAuth
    # Raised by User#save when no GitLab account could be found, linked or
    # built for the incoming identity (see User#gl_user).
    SignupDisabledError = Class.new(StandardError)

    # Resolves an OmniAuth auth hash to a GitLab user. Resolution order (see
    # #gl_user): a user already owning the provider/uid identity, then an
    # LDAP-linked user when auto_link_ldap_user is enabled, then a freshly
    # built (unsaved) user when sign-up is enabled for the provider.
    class User
      # auth_hash: the OmniAuth data, wrapped in AuthHash by #auth_hash=.
      # gl_user:   the resolved GitLab user; #gl_user memoizes it in @user.
      attr_accessor :auth_hash, :gl_user

      # auth_hash is the raw OmniAuth hash; #auth_hash= normalizes it.
      def initialize(auth_hash)
        self.auth_hash = auth_hash
      end

      # True when the resolved user is already stored. nil when no user
      # could be resolved (#gl_user returned nil).
      def persisted?
        gl_user.try(:persisted?)
      end

      # Inverse of #persisted?; also true when there is no user at all.
      def new?
        !persisted?
      end

      # Delegates validation to the resolved user; nil when there is none.
      def valid?
        gl_user.try(:valid?)
      end

      # Persists the resolved user, blocking it right after the save when
      # the applicable block_auto_created_users policy says so.
      #
      # provider: label used only in the log lines below.
      # Returns the saved user on success; on a validation failure returns
      # the pair [self, errors] instead (callers must check #persisted?).
      # Raises SignupDisabledError when no user could be resolved.
      def save(provider = 'OAuth')
        unauthorized_to_create unless gl_user

        # Decide before save!: needs_blocking? depends on new?, which becomes
        # false as soon as the record is persisted.
        block_after_save = needs_blocking?

        gl_user.save!

        gl_user.block if block_after_save

        log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
        gl_user
      rescue ActiveRecord::RecordInvalid => e
        log.info "(#{provider}) Error saving user #{auth_hash.uid} (#{auth_hash.email}): #{gl_user.errors.full_messages}"
        return self, e.record.errors
      end

      # Resolves and memoizes the GitLab user for this auth hash. Each `||=`
      # step only runs while @user is still nil, so the lookup order is:
      # existing identity -> LDAP link (auto_link_ldap_user) -> new user
      # (signup_enabled?). Whatever was found is marked external when the
      # provider is listed in omniauth.external_providers. Returns nil when
      # no step yields a user.
      def gl_user
        @user ||= find_by_uid_and_provider

        if auto_link_ldap_user?
          @user ||= find_or_create_ldap_user
        end

        if signup_enabled?
          @user ||= build_new_user
        end

        if external_provider? && @user
          @user.external = true
        end

        @user
      end

      protected

      # Links the OAuth identity with an LDAP-backed account, or builds one.
      # The only thing tying the two together is that auth_hash.uid matches an
      # LDAP uid or DN (see #ldap_person); the OAuth provider's uid is thus
      # trusted as an identifier shared with the directory.
      # NOTE(review): confirm auto_link_ldap_user is only enabled for providers
      # whose uids are assigned by the organisation rather than chosen by the
      # end user, since this method attaches the identity to whichever GitLab
      # account the matching LDAP person maps to.
      # Returns the (possibly unsaved) user, or nil when no LDAP person matched.
      def find_or_create_ldap_user
        return unless ldap_person

        # If a corresponding person exists with same uid in a LDAP server,
        # check if the user already has a GitLab account.
        user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
        if user
          # Case when a LDAP user already exists in Gitlab. Add the OAuth identity to existing account.
          # find_or_initialize_by keeps this idempotent if the identity already exists.
          log.info "LDAP account found for user #{user.username}. Building new #{auth_hash.provider} identity."
          user.identities.find_or_initialize_by(extern_uid: auth_hash.uid, provider: auth_hash.provider)
        else
          # No GitLab account for the LDAP person yet: reuse an account that
          # already owns this OAuth identity, or build a new one, and attach
          # the LDAP identity (provider + DN) to it.
          log.info "No existing LDAP account was found in GitLab. Checking for #{auth_hash.provider} account."
          user = find_by_uid_and_provider
          if user.nil?
            log.info "No user found using #{auth_hash.provider} provider. Creating a new one."
            user = build_new_user
          end
          log.info "Correct account has been found. Adding LDAP identity to user: #{user.username}."
          user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)
        end

        user
      end

      # Instance-wide switch from omniauth config.
      def auto_link_ldap_user?
        Gitlab.config.omniauth.auto_link_ldap_user
      end

      # True when LDAP auto-linking is on and an LDAP person matched this uid.
      def creating_linked_ldap_user?
        auto_link_ldap_user? && ldap_person
      end

      # Memoized LDAP lookup of auth_hash.uid, first as a uid and then as a
      # DN, across every configured LDAP provider in order; stops at the first
      # hit. `defined?` rather than `||=` so a nil result is cached too and the
      # directory is not queried again.
      def ldap_person
        return @ldap_person if defined?(@ldap_person)

        # Look for a corresponding person with same uid in any of the configured LDAP providers
        Gitlab::LDAP::Config.providers.each do |provider|
          adapter = Gitlab::LDAP::Adapter.new(provider)
          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
          # The `uid` might actually be a DN. Try it next.
          @ldap_person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
          break if @ldap_person
        end
        @ldap_person
      end

      # Config of the LDAP provider the matched person came from; nil when
      # there is no matched person.
      def ldap_config
        Gitlab::LDAP::Config.new(ldap_person.provider) if ldap_person
      end

      # Only accounts created by this sign-in are candidates for blocking.
      def needs_blocking?
        new? && block_after_signup?
      end

      # omniauth.allow_single_sign_on is either a list of provider names
      # (sign-up allowed only for those) or a plain value used as a flag for
      # every provider.
      def signup_enabled?
        providers = Gitlab.config.omniauth.allow_single_sign_on
        if providers.is_a?(Array)
          providers.include?(auth_hash.provider)
        else
          providers
        end
      end

      # True when this provider is listed in omniauth.external_providers.
      def external_provider?
        Gitlab.config.omniauth.external_providers.include?(auth_hash.provider)
      end

      # The LDAP provider's block_auto_created_users wins when the account is
      # being linked to LDAP; otherwise the global omniauth setting applies.
      def block_after_signup?
        if creating_linked_ldap_user?
          ldap_config.block_auto_created_users
        else
          Gitlab.config.omniauth.block_auto_created_users
        end
      end

      # Always wrap the incoming data so the rest of the class reads
      # auth_hash.uid / .provider / .email etc. through AuthHash.
      def auth_hash=(auth_hash)
        @auth_hash = AuthHash.new(auth_hash)
      end

      # User owning the Identity row for this provider/uid; nil when no such
      # identity exists.
      def find_by_uid_and_provider
        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
        identity && identity.user
      end

      # Builds (does not save) a user carrying this provider/uid. Passes
      # skip_confirmation: true, so the provider-supplied email is presumably
      # accepted without a confirmation round-trip — verify in Users::CreateService.
      def build_new_user
        user_params = user_attributes.merge(extern_uid: auth_hash.uid, provider: auth_hash.provider, skip_confirmation: true)
        Users::CreateService.new(nil, user_params).build
      end

      # Attributes for a new account. Username/email come from LDAP when the
      # account is being linked, else from the auth hash; name falls back to the
      # cleaned username when blank. The password is whatever AuthHash#password
      # provides and is flagged as automatically set.
      def user_attributes
        # Give preference to LDAP for sensitive information when creating a linked account
        if creating_linked_ldap_user?
          # assumes ldap_person.email is a collection (first entry used) — TODO confirm
          username = ldap_person.username.presence
          email = ldap_person.email.first.presence
        end

        username ||= auth_hash.username
        email ||= auth_hash.email

        # assumes auth_hash.name is never nil (strip would raise) — TODO confirm in AuthHash
        name = auth_hash.name
        name = ::Namespace.clean_path(username) if name.strip.empty?

        {
          name:                       name,
          username:                   ::Namespace.clean_path(username),
          email:                      email,
          password:                   auth_hash.password,
          password_confirmation:      auth_hash.password,
          password_automatically_set: true
        }
      end

      # Application-wide logger used for the audit lines above.
      def log
        Gitlab::AppLogger
      end

      # Signals to #save that no account may be created for this identity.
      def unauthorized_to_create
        raise SignupDisabledError
      end
    end
  end
end