2013-09-03 17:04:27 -04:00
|
|
|
# OAuth extension for User model
|
|
|
|
#
|
|
|
|
# * Find GitLab user based on omniauth uid and provider
|
|
|
|
# * Create new user from omniauth data
|
|
|
|
#
|
|
|
|
module Gitlab
|
|
|
|
module OAuth
|
|
|
|
class User
|
2014-10-10 06:03:32 -04:00
|
|
|
attr_accessor :auth_hash, :gl_user
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def initialize(auth_hash)
|
|
|
|
self.auth_hash = auth_hash
|
2017-12-13 12:02:49 -05:00
|
|
|
update_profile
|
2017-09-25 13:07:45 -04:00
|
|
|
add_or_update_user_identities
|
2014-10-10 06:03:32 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def persisted?
|
2014-10-16 14:08:30 -04:00
|
|
|
gl_user.try(:persisted?)
|
2014-10-10 06:03:32 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def new?
|
2014-10-17 07:08:02 -04:00
|
|
|
!persisted?
|
2014-10-10 06:03:32 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def valid?
|
2014-10-16 14:08:30 -04:00
|
|
|
gl_user.try(:valid?)
|
2014-09-03 09:59:50 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2016-02-18 17:01:07 -05:00
|
|
|
def save(provider = 'OAuth')
|
2018-01-09 11:47:31 -05:00
|
|
|
raise SigninDisabledForProviderError if oauth_provider_disabled?
|
|
|
|
raise SignupDisabledError unless gl_user
|
2014-10-16 14:08:30 -04:00
|
|
|
|
2017-02-22 18:07:29 -05:00
|
|
|
block_after_save = needs_blocking?
|
|
|
|
|
2017-09-27 05:48:33 -04:00
|
|
|
Users::UpdateService.new(gl_user, user: gl_user).execute!
|
2017-02-22 13:43:48 -05:00
|
|
|
|
2017-02-22 18:07:29 -05:00
|
|
|
gl_user.block if block_after_save
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2016-02-18 17:01:07 -05:00
|
|
|
log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
|
2014-10-10 06:03:32 -04:00
|
|
|
gl_user
|
|
|
|
rescue ActiveRecord::RecordInvalid => e
|
2016-11-30 12:23:04 -05:00
|
|
|
log.info "(#{provider}) Error saving user #{auth_hash.uid} (#{auth_hash.email}): #{gl_user.errors.full_messages}"
|
2014-10-10 06:03:32 -04:00
|
|
|
return self, e.record.errors
|
|
|
|
end
|
|
|
|
|
|
|
|
def gl_user
|
2017-09-25 13:07:45 -04:00
|
|
|
return @gl_user if defined?(@gl_user)
|
2014-10-16 14:08:30 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
@gl_user = find_user
|
|
|
|
end
|
2015-06-02 06:01:29 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
def find_user
|
|
|
|
user = find_by_uid_and_provider
|
2014-10-17 07:08:02 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
user ||= find_or_build_ldap_user if auto_link_ldap_user?
|
|
|
|
user ||= build_new_user if signup_enabled?
|
2016-04-11 11:16:15 -04:00
|
|
|
|
2018-01-24 08:52:31 -05:00
|
|
|
user.external = true if external_provider? && user&.new_record?
|
2016-04-11 11:16:15 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
user
|
2014-09-03 09:59:50 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
protected
|
2014-10-17 07:08:02 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
def add_or_update_user_identities
|
2017-10-05 06:53:54 -04:00
|
|
|
return unless gl_user
|
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
# find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
|
|
|
|
identity = gl_user.identities.find { |identity| identity.provider == auth_hash.provider }
|
|
|
|
|
|
|
|
identity ||= gl_user.identities.build(provider: auth_hash.provider)
|
|
|
|
identity.extern_uid = auth_hash.uid
|
|
|
|
|
|
|
|
if auto_link_ldap_user? && !gl_user.ldap_user? && ldap_person
|
|
|
|
log.info "Correct LDAP account has been found. identity to user: #{gl_user.username}."
|
|
|
|
gl_user.identities.build(provider: ldap_person.provider, extern_uid: ldap_person.dn)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def find_or_build_ldap_user
|
2015-06-02 06:01:29 -04:00
|
|
|
return unless ldap_person
|
2015-06-05 06:32:01 -04:00
|
|
|
|
2016-06-08 19:09:43 -04:00
|
|
|
user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
|
|
|
|
if user
|
|
|
|
log.info "LDAP account found for user #{user.username}. Building new #{auth_hash.provider} identity."
|
2017-09-25 13:07:45 -04:00
|
|
|
return user
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
2015-06-05 06:32:01 -04:00
|
|
|
|
2017-09-25 13:07:45 -04:00
|
|
|
log.info "No user found using #{auth_hash.provider} provider. Creating a new one."
|
|
|
|
build_new_user
|
|
|
|
end
|
|
|
|
|
|
|
|
def find_by_email
|
|
|
|
return unless auth_hash.has_attribute?(:email)
|
|
|
|
|
|
|
|
::User.find_by(email: auth_hash.email.downcase)
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def auto_link_ldap_user?
|
|
|
|
Gitlab.config.omniauth.auto_link_ldap_user
|
|
|
|
end
|
|
|
|
|
|
|
|
def creating_linked_ldap_user?
|
|
|
|
auto_link_ldap_user? && ldap_person
|
|
|
|
end
|
|
|
|
|
|
|
|
def ldap_person
|
|
|
|
return @ldap_person if defined?(@ldap_person)
|
|
|
|
|
2015-06-17 12:06:27 -04:00
|
|
|
# Look for a corresponding person with same uid in any of the configured LDAP providers
|
|
|
|
Gitlab::LDAP::Config.providers.each do |provider|
|
2015-06-02 06:01:29 -04:00
|
|
|
adapter = Gitlab::LDAP::Adapter.new(provider)
|
2017-07-12 04:41:41 -04:00
|
|
|
@ldap_person = find_ldap_person(auth_hash, adapter)
|
2015-06-17 12:06:27 -04:00
|
|
|
break if @ldap_person
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
2015-06-17 12:06:27 -04:00
|
|
|
@ldap_person
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
|
|
|
|
2017-07-12 04:41:41 -04:00
|
|
|
def find_ldap_person(auth_hash, adapter)
|
2017-09-25 13:07:45 -04:00
|
|
|
Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter) ||
|
|
|
|
Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter) ||
|
|
|
|
Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
|
2017-07-12 04:41:41 -04:00
|
|
|
end
|
|
|
|
|
2015-06-02 06:01:29 -04:00
|
|
|
def ldap_config
|
2015-06-05 06:32:01 -04:00
|
|
|
Gitlab::LDAP::Config.new(ldap_person.provider) if ldap_person
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
|
|
|
|
2014-10-17 07:08:02 -04:00
|
|
|
def needs_blocking?
|
2015-06-05 06:32:01 -04:00
|
|
|
new? && block_after_signup?
|
2014-10-17 07:08:02 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def signup_enabled?
|
2016-02-18 17:01:07 -05:00
|
|
|
providers = Gitlab.config.omniauth.allow_single_sign_on
|
2016-02-18 17:02:43 -05:00
|
|
|
if providers.is_a?(Array)
|
|
|
|
providers.include?(auth_hash.provider)
|
|
|
|
else
|
|
|
|
providers
|
|
|
|
end
|
2014-10-17 07:08:02 -04:00
|
|
|
end
|
|
|
|
|
2016-04-11 11:16:15 -04:00
|
|
|
def external_provider?
|
|
|
|
Gitlab.config.omniauth.external_providers.include?(auth_hash.provider)
|
|
|
|
end
|
|
|
|
|
2014-10-17 07:08:02 -04:00
|
|
|
def block_after_signup?
|
2015-06-05 06:32:01 -04:00
|
|
|
if creating_linked_ldap_user?
|
|
|
|
ldap_config.block_auto_created_users
|
2016-01-19 10:25:38 -05:00
|
|
|
else
|
2015-06-05 06:32:01 -04:00
|
|
|
Gitlab.config.omniauth.block_auto_created_users
|
|
|
|
end
|
2014-10-17 07:08:02 -04:00
|
|
|
end
|
|
|
|
|
2014-09-04 06:55:10 -04:00
|
|
|
def auth_hash=(auth_hash)
|
|
|
|
@auth_hash = AuthHash.new(auth_hash)
|
|
|
|
end
|
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def find_by_uid_and_provider
|
2017-11-17 09:24:25 -05:00
|
|
|
identity = Identity.with_extern_uid(auth_hash.provider, auth_hash.uid).take
|
2014-11-25 11:15:30 -05:00
|
|
|
identity && identity.user
|
2014-10-10 06:03:32 -04:00
|
|
|
end
|
2014-09-03 11:33:03 -04:00
|
|
|
|
2014-10-10 06:03:32 -04:00
|
|
|
def build_new_user
|
2017-09-25 13:07:45 -04:00
|
|
|
user_params = user_attributes.merge(skip_confirmation: true)
|
2017-04-24 17:12:14 -04:00
|
|
|
Users::BuildService.new(nil, user_params).execute(skip_authorization: true)
|
2014-09-03 11:33:03 -04:00
|
|
|
end
|
|
|
|
|
2014-09-03 09:59:50 -04:00
|
|
|
def user_attributes
|
2015-06-02 06:01:29 -04:00
|
|
|
# Give preference to LDAP for sensitive information when creating a linked account
|
2015-06-05 06:32:01 -04:00
|
|
|
if creating_linked_ldap_user?
|
2016-01-19 10:25:38 -05:00
|
|
|
username = ldap_person.username.presence
|
|
|
|
email = ldap_person.email.first.presence
|
2015-06-02 06:01:29 -04:00
|
|
|
end
|
2016-01-07 13:14:41 -05:00
|
|
|
|
2016-01-19 10:25:38 -05:00
|
|
|
username ||= auth_hash.username
|
|
|
|
email ||= auth_hash.email
|
|
|
|
|
2017-08-01 16:42:46 -04:00
|
|
|
valid_username = ::Namespace.clean_path(username)
|
|
|
|
|
|
|
|
uniquify = Uniquify.new
|
2018-01-31 12:39:03 -05:00
|
|
|
valid_username = uniquify.string(valid_username) { |s| !NamespacePathValidator.valid_path?(s) }
|
2017-08-01 16:42:46 -04:00
|
|
|
|
2016-01-07 13:14:41 -05:00
|
|
|
name = auth_hash.name
|
2017-08-01 16:42:46 -04:00
|
|
|
name = valid_username if name.strip.empty?
|
2016-01-19 10:25:38 -05:00
|
|
|
|
2015-06-05 06:32:01 -04:00
|
|
|
{
|
2016-01-07 13:14:41 -05:00
|
|
|
name: name,
|
2017-08-01 16:42:46 -04:00
|
|
|
username: valid_username,
|
2015-06-02 06:01:29 -04:00
|
|
|
email: email,
|
2015-02-13 07:33:28 -05:00
|
|
|
password: auth_hash.password,
|
|
|
|
password_confirmation: auth_hash.password,
|
|
|
|
password_automatically_set: true
|
2014-09-03 09:59:50 -04:00
|
|
|
}
|
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
|
2017-08-29 04:57:41 -04:00
|
|
|
def sync_profile_from_provider?
|
2017-12-13 12:02:49 -05:00
|
|
|
Gitlab::OAuth::Provider.sync_profile_from_provider?(auth_hash.provider)
|
2017-06-06 11:39:54 -04:00
|
|
|
end
|
|
|
|
|
2017-08-29 04:57:41 -04:00
|
|
|
def update_profile
|
2017-12-13 12:02:49 -05:00
|
|
|
return unless sync_profile_from_provider? || creating_linked_ldap_user?
|
|
|
|
|
|
|
|
metadata = gl_user.user_synced_attributes_metadata || gl_user.build_user_synced_attributes_metadata
|
|
|
|
|
|
|
|
if sync_profile_from_provider?
|
|
|
|
UserSyncedAttributesMetadata::SYNCABLE_ATTRIBUTES.each do |key|
|
|
|
|
if auth_hash.has_attribute?(key) && gl_user.sync_attribute?(key)
|
|
|
|
gl_user[key] = auth_hash.public_send(key) # rubocop:disable GitlabSecurity/PublicSend
|
|
|
|
metadata.set_attribute_synced(key, true)
|
|
|
|
else
|
|
|
|
metadata.set_attribute_synced(key, false)
|
|
|
|
end
|
2017-08-29 04:57:41 -04:00
|
|
|
end
|
2017-12-13 12:02:49 -05:00
|
|
|
|
|
|
|
metadata.provider = auth_hash.provider
|
2017-06-06 11:39:54 -04:00
|
|
|
end
|
2017-08-29 04:57:41 -04:00
|
|
|
|
2017-12-13 12:02:49 -05:00
|
|
|
if creating_linked_ldap_user? && gl_user.email == ldap_person.email.first
|
|
|
|
metadata.set_attribute_synced(:email, true)
|
|
|
|
metadata.provider = ldap_person.provider
|
|
|
|
end
|
2017-06-06 11:39:54 -04:00
|
|
|
end
|
|
|
|
|
2014-09-03 09:59:50 -04:00
|
|
|
def log
|
|
|
|
Gitlab::AppLogger
|
|
|
|
end
|
|
|
|
|
2018-01-09 11:47:31 -05:00
|
|
|
def oauth_provider_disabled?
|
|
|
|
Gitlab::CurrentSettings.current_application_settings
|
|
|
|
.disabled_oauth_sign_in_sources
|
|
|
|
.include?(auth_hash.provider)
|
2014-10-16 14:08:30 -04:00
|
|
|
end
|
2013-09-03 17:04:27 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|