2021-08-10 12:11:00 +00:00
|
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
module RestrictedSignup
|
|
|
|
|
|
extend ActiveSupport::Concern
|
|
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
|
|
def validate_admin_signup_restrictions(email)
|
|
|
|
|
|
return if allowed_domain?(email)
|
|
|
|
|
|
|
2021-10-01 21:11:37 +00:00
|
|
|
|
error_type = fetch_error_type(email)
|
|
|
|
|
|
|
|
|
|
|
|
return unless error_type.present?
|
|
|
|
|
|
|
|
|
|
|
|
[
|
|
|
|
|
|
signup_email_invalid_message,
|
|
|
|
|
|
error_message[created_by_key][error_type]
|
|
|
|
|
|
].join(' ')
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def fetch_error_type(email)
|
2021-08-10 12:11:00 +00:00
|
|
|
|
if allowlist_present?
|
2021-10-01 21:11:37 +00:00
|
|
|
|
:allowlist
|
2021-08-10 12:11:00 +00:00
|
|
|
|
elsif denied_domain?(email)
|
2021-10-01 21:11:37 +00:00
|
|
|
|
:denylist
|
2021-08-10 12:11:00 +00:00
|
|
|
|
elsif restricted_email?(email)
|
2021-10-01 21:11:37 +00:00
|
|
|
|
:restricted
|
2021-08-10 12:11:00 +00:00
|
|
|
|
end
|
2021-10-01 21:11:37 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def error_message
|
|
|
|
|
|
{
|
|
|
|
|
|
admin: {
|
|
|
|
|
|
allowlist: html_escape_once(_("Go to the 'Admin area > Sign-up restrictions', and check 'Allowed domains for sign-ups'.")).html_safe,
|
|
|
|
|
|
denylist: html_escape_once(_("Go to the 'Admin area > Sign-up restrictions', and check the 'Domain denylist'.")).html_safe,
|
|
|
|
|
|
restricted: html_escape_once(_("Go to the 'Admin area > Sign-up restrictions', and check 'Email restrictions for sign-ups'.")).html_safe,
|
|
|
|
|
|
group_setting: html_escape_once(_("Go to the group’s 'Settings > General' page, and check 'Restrict membership by email domain'.")).html_safe
|
|
|
|
|
|
},
|
|
|
|
|
|
nonadmin: {
|
|
|
|
|
|
allowlist: error_nonadmin,
|
|
|
|
|
|
denylist: error_nonadmin,
|
|
|
|
|
|
restricted: error_nonadmin,
|
|
|
|
|
|
group_setting: error_nonadmin
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def error_nonadmin
|
|
|
|
|
|
_("Check with your administrator.")
|
|
|
|
|
|
end
|
2021-08-10 12:11:00 +00:00
|
|
|
|
|
2021-10-01 21:11:37 +00:00
|
|
|
|
def created_by_key
|
|
|
|
|
|
created_by&.can_admin_all_resources? ? :admin : :nonadmin
|
2021-08-10 12:11:00 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def denied_domain?(email)
|
|
|
|
|
|
return false unless Gitlab::CurrentSettings.domain_denylist_enabled?
|
|
|
|
|
|
|
|
|
|
|
|
denied_domains = Gitlab::CurrentSettings.domain_denylist
|
|
|
|
|
|
denied_domains.present? && domain_matches?(denied_domains, email)
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def allowlist_present?
|
|
|
|
|
|
Gitlab::CurrentSettings.domain_allowlist.present?
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def allowed_domain?(email)
|
|
|
|
|
|
allowed_domains = Gitlab::CurrentSettings.domain_allowlist
|
|
|
|
|
|
allowlist_present? && domain_matches?(allowed_domains, email)
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def restricted_email?(email)
|
|
|
|
|
|
return false unless Gitlab::CurrentSettings.email_restrictions_enabled?
|
|
|
|
|
|
|
|
|
|
|
|
restrictions = Gitlab::CurrentSettings.email_restrictions
|
|
|
|
|
|
restrictions.present? && Gitlab::UntrustedRegexp.new(restrictions).match?(email)
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def domain_matches?(email_domains, email)
|
|
|
|
|
|
signup_domain = Mail::Address.new(email).domain
|
|
|
|
|
|
email_domains.any? do |domain|
|
|
|
|
|
|
escaped = Regexp.escape(domain).gsub('\*', '.*?')
|
|
|
|
|
|
regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
|
|
|
|
|
|
signup_domain =~ regexp
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
