2018-10-11 16:12:21 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2018-02-23 07:10:39 -05:00
|
|
|
module Gitlab
|
|
|
|
module Auth
|
2020-03-12 11:09:39 -04:00
|
|
|
module Ldap
|
2018-02-23 07:10:39 -05:00
|
|
|
class Person
|
|
|
|
# Active Directory-specific LDAP filter that checks if bit 2 of the
|
|
|
|
# userAccountControl attribute is set.
|
|
|
|
# Source: http://ctogonewild.com/2009/09/03/bitmask-searches-in-ldap/
|
|
|
|
AD_USER_DISABLED = Net::LDAP::Filter.ex("userAccountControl:1.2.840.113556.1.4.803", "2")
|
|
|
|
|
|
|
|
InvalidEntryError = Class.new(StandardError)
|
|
|
|
|
2020-07-22 14:09:27 -04:00
|
|
|
attr_accessor :provider
|
2018-02-23 07:10:39 -05:00
|
|
|
|
|
|
|
def self.find_by_uid(uid, adapter)
|
|
|
|
uid = Net::LDAP::Filter.escape(uid)
|
|
|
|
adapter.user(adapter.config.uid, uid)
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.find_by_dn(dn, adapter)
|
|
|
|
adapter.user('dn', dn)
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.find_by_email(email, adapter)
|
|
|
|
email_fields = adapter.config.attributes['email']
|
|
|
|
|
|
|
|
adapter.user(email_fields, email)
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.disabled_via_active_directory?(dn, adapter)
|
|
|
|
adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.ldap_attributes(config)
|
|
|
|
[
|
|
|
|
'dn',
|
|
|
|
config.uid,
|
|
|
|
*config.attributes['name'],
|
|
|
|
*config.attributes['email'],
|
|
|
|
*config.attributes['username']
|
2020-06-04 17:08:11 -04:00
|
|
|
].compact.uniq.reject(&:blank?)
|
2018-02-23 07:10:39 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def self.normalize_dn(dn)
|
2020-03-12 11:09:39 -04:00
|
|
|
::Gitlab::Auth::Ldap::DN.new(dn).to_normalized_s
|
|
|
|
rescue ::Gitlab::Auth::Ldap::DN::FormatError => e
|
2020-09-09 08:08:22 -04:00
|
|
|
Gitlab::AppLogger.info("Returning original DN \"#{dn}\" due to error during normalization attempt: #{e.message}")
|
2018-02-23 07:10:39 -05:00
|
|
|
|
|
|
|
dn
|
|
|
|
end
|
|
|
|
|
|
|
|
# Returns the UID in a normalized form.
|
|
|
|
#
|
|
|
|
# 1. Excess spaces are stripped
|
|
|
|
# 2. The string is downcased (for case-insensitivity)
|
|
|
|
def self.normalize_uid(uid)
|
2020-03-12 11:09:39 -04:00
|
|
|
::Gitlab::Auth::Ldap::DN.normalize_value(uid)
|
|
|
|
rescue ::Gitlab::Auth::Ldap::DN::FormatError => e
|
2020-09-10 11:09:10 -04:00
|
|
|
Gitlab::AppLogger.info("Returning original UID \"#{uid}\" due to error during normalization attempt: #{e.message}")
|
2018-02-23 07:10:39 -05:00
|
|
|
|
|
|
|
uid
|
|
|
|
end
|
|
|
|
|
|
|
|
def initialize(entry, provider)
|
2020-09-10 11:09:10 -04:00
|
|
|
Gitlab::AppLogger.debug "Instantiating #{self.class.name} with LDIF:\n#{entry.to_ldif}"
|
2018-02-23 07:10:39 -05:00
|
|
|
@entry = entry
|
|
|
|
@provider = provider
|
|
|
|
end
|
|
|
|
|
|
|
|
def name
|
2019-03-20 09:59:07 -04:00
|
|
|
attribute_value(:name)&.first
|
2018-02-23 07:10:39 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def uid
|
|
|
|
entry.public_send(config.uid).first # rubocop:disable GitlabSecurity/PublicSend
|
|
|
|
end
|
|
|
|
|
|
|
|
def username
|
|
|
|
username = attribute_value(:username)
|
|
|
|
|
|
|
|
# Depending on the attribute, multiple values may
|
|
|
|
# be returned. We need only one for username.
|
|
|
|
# Ex. `uid` returns only one value but `mail` may
|
|
|
|
# return an array of multiple email addresses.
|
|
|
|
[username].flatten.first.tap do |username|
|
|
|
|
username.downcase! if config.lowercase_usernames
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def email
|
|
|
|
attribute_value(:email)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dn
|
|
|
|
self.class.normalize_dn(entry.dn)
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
2019-01-16 00:48:12 -05:00
|
|
|
attr_reader :entry
|
2018-02-23 07:10:39 -05:00
|
|
|
|
|
|
|
def config
|
2020-03-12 11:09:39 -04:00
|
|
|
@config ||= Gitlab::Auth::Ldap::Config.new(provider)
|
2018-02-23 07:10:39 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
# Using the LDAP attributes configuration, find and return the first
|
|
|
|
# attribute with a value. For example, by default, when given 'email',
|
|
|
|
# this method looks for 'mail', 'email' and 'userPrincipalName' and
|
|
|
|
# returns the first with a value.
|
|
|
|
def attribute_value(attribute)
|
|
|
|
attributes = Array(config.attributes[attribute.to_s])
|
|
|
|
selected_attr = attributes.find { |attr| entry.respond_to?(attr) }
|
|
|
|
|
2019-02-08 07:19:53 -05:00
|
|
|
return unless selected_attr
|
2018-02-23 07:10:39 -05:00
|
|
|
|
|
|
|
entry.public_send(selected_attr) # rubocop:disable GitlabSecurity/PublicSend
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2020-04-28 08:09:44 -04:00
|
|
|
|
|
|
|
Gitlab::Auth::Ldap::Person.prepend_if_ee('::EE::Gitlab::Auth::Ldap::Person')
|