2014-10-13 11:24:05 -04:00
|
|
|
# LDAP authorization model
|
|
|
|
|
#
|
|
|
|
|
# * Check if we are allowed access (not blocked)
|
|
|
|
|
#
|
2014-03-10 08:48:08 -04:00
|
|
|
module Gitlab
|
|
|
|
|
module LDAP
|
|
|
|
|
class Access
|
2014-10-13 11:24:05 -04:00
|
|
|
attr_reader :adapter, :provider, :user
|
2014-03-14 03:55:50 -04:00
|
|
|
|
2014-10-13 11:24:05 -04:00
|
|
|
def self.open(user, &block)
|
|
|
|
|
Gitlab::LDAP::Adapter.open(user.provider) do |adapter|
|
|
|
|
|
block.call(self.new(user, adapter))
|
2014-03-14 03:55:50 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2014-07-30 03:50:50 -04:00
|
|
|
def self.allowed?(user)
|
2014-10-13 11:24:05 -04:00
|
|
|
self.open(user) do |access|
|
|
|
|
|
if access.allowed?
|
2014-07-30 03:50:50 -04:00
|
|
|
user.last_credential_check_at = Time.now
|
|
|
|
|
user.save
|
|
|
|
|
true
|
|
|
|
|
else
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2014-10-13 11:24:05 -04:00
|
|
|
def initialize(user, adapter=nil)
|
2014-03-14 03:55:50 -04:00
|
|
|
@adapter = adapter
|
2014-10-13 11:24:05 -04:00
|
|
|
@user = user
|
|
|
|
|
@provider = user.provider
|
2014-03-14 03:55:50 -04:00
|
|
|
end
|
|
|
|
|
|
2014-10-13 11:24:05 -04:00
|
|
|
def allowed?
|
2014-05-14 12:32:40 -04:00
|
|
|
if Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
|
2014-10-13 11:24:05 -04:00
|
|
|
return true unless ldap_config.active_directory
|
|
|
|
|
!Gitlab::LDAP::Person.disabled_via_active_directory?(user.extern_uid, adapter)
|
2014-05-14 12:32:40 -04:00
|
|
|
else
|
|
|
|
|
false
|
|
|
|
|
end
|
2014-03-10 08:48:08 -04:00
|
|
|
rescue
|
|
|
|
|
false
|
|
|
|
|
end
|
2014-10-13 11:24:05 -04:00
|
|
|
|
|
|
|
|
def adapter
|
|
|
|
|
@adapter ||= Gitlab::LDAP::Adapter.new(provider)
|
|
|
|
|
end
|
2014-10-14 03:40:35 -04:00
|
|
|
|
|
|
|
|
def ldap_config
|
|
|
|
|
Gitlab::LDAP::Config.new(provider)
|
|
|
|
|
end
|
2014-03-10 08:48:08 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
