gitlab-org--gitlab-foss/lib/gitlab/o_auth/user.rb

# OAuth extension for User model
#
# * Find GitLab user based on omniauth uid and provider
# * Create new user from omniauth data
#
module Gitlab
  module OAuth
    class SignupDisabledError < StandardError; end

    class User
      attr_accessor :auth_hash, :gl_user

      def initialize(auth_hash)
        self.auth_hash = auth_hash
      end

      def persisted?
        gl_user.try(:persisted?)
      end

      def new?
        !persisted?
      end

      def valid?
        gl_user.try(:valid?)
      end

      def save
        unauthorized_to_create unless gl_user

        if needs_blocking?
          gl_user.save!
          gl_user.block
        else
          gl_user.save!
        end

        log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
        gl_user
      rescue ActiveRecord::RecordInvalid => e
        log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}"
        return self, e.record.errors
      end

      def gl_user
        @user ||= find_by_uid_and_provider

        if auto_link_ldap_user?
          @user ||= find_or_create_ldap_user
        end

        if signup_enabled?
          @user ||= build_new_user
        end

        @user
      end

      protected

      def find_or_create_ldap_user
        return unless ldap_person
        #If a corresponding person exists with same uid in a LDAP server,
        #set up a Gitlab user with dual LDAP and Omniauth identities.
        if user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn.downcase, ldap_person.provider)
          #case when a LDAP user already exists in Gitlab. Add the Omniauth identity to existing account.
          user.identities.build(extern_uid: auth_hash.uid, provider: auth_hash.provider)
        else
          #no account in Gitlab yet: create it and add the LDAP identity
          user = build_new_user
          user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)
        end
        user
      end

      def auto_link_ldap_user?
        Gitlab.config.omniauth.auto_link_ldap_user
      end

      def creating_linked_ldap_user?
        auto_link_ldap_user? && ldap_person
      end

      def ldap_person
        return @ldap_person if defined?(@ldap_person)

        #looks for a corresponding person with same uid in any of the configured LDAP providers
        Gitlab::LDAP::Config.providers.each do |provider|
          adapter = Gitlab::LDAP::Adapter.new(provider)
          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
          break if @ldap_person #exit on first person found
        end
        @ldap_person #may be nil if we could not find a match
      end

      def ldap_config
        ldap_person && Gitlab::LDAP::Config.new(ldap_person.provider)
      end

      def needs_blocking?
        return false unless new?
        if creating_linked_ldap_user?
          ldap_config.block_auto_created_users
        else 
          block_after_signup?
        end
      end

      def signup_enabled?
        Gitlab.config.omniauth.allow_single_sign_on
      end

      def block_after_signup?
        Gitlab.config.omniauth.block_auto_created_users
      end

      def auth_hash=(auth_hash)
        @auth_hash = AuthHash.new(auth_hash)
      end

      def find_by_uid_and_provider
        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
        identity && identity.user
      end

      def build_new_user
        user = ::User.new(user_attributes)
        user.skip_confirmation!
        user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
        user
      end

      def user_attributes
        # Give preference to LDAP for sensitive information when creating a linked account
        username, email = if creating_linked_ldap_user?
          [ ldap_person.username,  ldap_person.email.first ]
        else
          [ auth_hash.username, auth_hash.email ]
        end
        return {
          name:                       auth_hash.name,
          username:                   ::Namespace.clean_path(username),
          email:                      email,
          password:                   auth_hash.password,
          password_confirmation:      auth_hash.password,
          password_automatically_set: true
        }
      end

      def log
        Gitlab::AppLogger
      end

      def unauthorized_to_create
        raise SignupDisabledError
      end
    end
  end
end
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00			`# OAuth extension for User model`
			`#`
			`# * Find GitLab user based on omniauth uid and provider`
			`# * Create new user from omniauth data`
			`#`
			`module Gitlab`
			`module OAuth`
Improve OAuth signup error message. 2015-05-12 06:50:06 -04:00			`class SignupDisabledError < StandardError; end`
Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00			`class User`
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`attr_accessor :auth_hash, :gl_user`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def initialize(auth_hash)`
			`self.auth_hash = auth_hash`
			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def persisted?`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`gl_user.try(:persisted?)`
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def new?`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`!persisted?`
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def valid?`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`gl_user.try(:valid?)`
Refactor Oauth::User class to use instance methods 2014-09-03 09:59:50 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def save`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`unauthorized_to_create unless gl_user`

Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`if needs_blocking?`
Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00			`gl_user.save!`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`gl_user.block`
Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00			`else`
			`gl_user.save!`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"`
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`gl_user`
			`rescue ActiveRecord::RecordInvalid => e`
			`log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}"`
			`return self, e.record.errors`
			`end`

			`def gl_user`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`@user \|\|= find_by_uid_and_provider`

Add option to automatically link omniauth and LDAP identities Until now, a user needed to first sign in with his LDAP identity and then manually link his/her account with an omniauth identity from their profile. Only when this is done can the user authenticate with the omniauth provider and at the same time benefit from the LDAP integration (HTTPS authentication with LDAP username/password and in EE: LDAP groups, SSH keys etc.). This feature automates the process by looking up a corresponding LDAP person when a user connects with omniauth for the first time and then automatically linking the LDAP and omniauth identities (of course, like the existing allow_single_sign_on setting, this is meant to be used with trusted omniauth providers). The result is identical to a manual account link. Add config initializers for other omniauth settings. 2015-06-02 06:01:29 -04:00			`if auto_link_ldap_user?`
			`@user \|\|= find_or_create_ldap_user`
			`end`

Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`if signup_enabled?`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`@user \|\|= build_new_user`
			`end`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`@user`
Refactor Oauth::User class to use instance methods 2014-09-03 09:59:50 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`protected`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00
Add option to automatically link omniauth and LDAP identities Until now, a user needed to first sign in with his LDAP identity and then manually link his/her account with an omniauth identity from their profile. Only when this is done can the user authenticate with the omniauth provider and at the same time benefit from the LDAP integration (HTTPS authentication with LDAP username/password and in EE: LDAP groups, SSH keys etc.). This feature automates the process by looking up a corresponding LDAP person when a user connects with omniauth for the first time and then automatically linking the LDAP and omniauth identities (of course, like the existing allow_single_sign_on setting, this is meant to be used with trusted omniauth providers). The result is identical to a manual account link. Add config initializers for other omniauth settings. 2015-06-02 06:01:29 -04:00			`def find_or_create_ldap_user`
			`return unless ldap_person`
			`#If a corresponding person exists with same uid in a LDAP server,`
			`#set up a Gitlab user with dual LDAP and Omniauth identities.`
			`if user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn.downcase, ldap_person.provider)`
			`#case when a LDAP user already exists in Gitlab. Add the Omniauth identity to existing account.`
			`user.identities.build(extern_uid: auth_hash.uid, provider: auth_hash.provider)`
			`else`
			`#no account in Gitlab yet: create it and add the LDAP identity`
			`user = build_new_user`
			`user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)`
			`end`
			`user`
			`end`

			`def auto_link_ldap_user?`
			`Gitlab.config.omniauth.auto_link_ldap_user`
			`end`

			`def creating_linked_ldap_user?`
			`auto_link_ldap_user? && ldap_person`
			`end`

			`def ldap_person`
			`return @ldap_person if defined?(@ldap_person)`

			`#looks for a corresponding person with same uid in any of the configured LDAP providers`
			`Gitlab::LDAP::Config.providers.each do \|provider\|`
			`adapter = Gitlab::LDAP::Adapter.new(provider)`
			`@ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)`
			`break if @ldap_person #exit on first person found`
			`end`
			`@ldap_person #may be nil if we could not find a match`
			`end`

			`def ldap_config`
			`ldap_person && Gitlab::LDAP::Config.new(ldap_person.provider)`
			`end`

Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`def needs_blocking?`
Add option to automatically link omniauth and LDAP identities Until now, a user needed to first sign in with his LDAP identity and then manually link his/her account with an omniauth identity from their profile. Only when this is done can the user authenticate with the omniauth provider and at the same time benefit from the LDAP integration (HTTPS authentication with LDAP username/password and in EE: LDAP groups, SSH keys etc.). This feature automates the process by looking up a corresponding LDAP person when a user connects with omniauth for the first time and then automatically linking the LDAP and omniauth identities (of course, like the existing allow_single_sign_on setting, this is meant to be used with trusted omniauth providers). The result is identical to a manual account link. Add config initializers for other omniauth settings. 2015-06-02 06:01:29 -04:00			`return false unless new?`
			`if creating_linked_ldap_user?`
			`ldap_config.block_auto_created_users`
			`else`
			`block_after_signup?`
			`end`
Fix account existing blocking Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-17 07:08:02 -04:00			`end`

			`def signup_enabled?`
			`Gitlab.config.omniauth.allow_single_sign_on`
			`end`

			`def block_after_signup?`
			`Gitlab.config.omniauth.block_auto_created_users`
			`end`

Move auth hash to a seperate class 2014-09-04 06:55:10 -04:00			`def auth_hash=(auth_hash)`
			`@auth_hash = AuthHash.new(auth_hash)`
			`end`

Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def find_by_uid_and_provider`
Multi-provider auth. LDAP is not reworked 2014-11-25 11:15:30 -05:00			`identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)`
			`identity && identity.user`
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`end`
Use instance methods of LDAP::User as well Still in need of some proper cleanup 2014-09-03 11:33:03 -04:00
Refactor OAuth refactorings to CE 2014-10-10 06:03:32 -04:00			`def build_new_user`
Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00			`user = ::User.new(user_attributes)`
Multi-provider auth. LDAP is not reworked 2014-11-25 11:15:30 -05:00			`user.skip_confirmation!`
			`user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)`
Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00			`user`
Use instance methods of LDAP::User as well Still in need of some proper cleanup 2014-09-03 11:33:03 -04:00			`end`

Refactor Oauth::User class to use instance methods 2014-09-03 09:59:50 -04:00			`def user_attributes`
Add option to automatically link omniauth and LDAP identities Until now, a user needed to first sign in with his LDAP identity and then manually link his/her account with an omniauth identity from their profile. Only when this is done can the user authenticate with the omniauth provider and at the same time benefit from the LDAP integration (HTTPS authentication with LDAP username/password and in EE: LDAP groups, SSH keys etc.). This feature automates the process by looking up a corresponding LDAP person when a user connects with omniauth for the first time and then automatically linking the LDAP and omniauth identities (of course, like the existing allow_single_sign_on setting, this is meant to be used with trusted omniauth providers). The result is identical to a manual account link. Add config initializers for other omniauth settings. 2015-06-02 06:01:29 -04:00			`# Give preference to LDAP for sensitive information when creating a linked account`
			`username, email = if creating_linked_ldap_user?`
			`[ ldap_person.username, ldap_person.email.first ]`
			`else`
			`[ auth_hash.username, auth_hash.email ]`
			`end`
			`return {`
Allow users that signed up via OAuth to set their password in order to use Git over HTTP(S). 2015-02-13 07:33:28 -05:00			`name: auth_hash.name,`
Add option to automatically link omniauth and LDAP identities Until now, a user needed to first sign in with his LDAP identity and then manually link his/her account with an omniauth identity from their profile. Only when this is done can the user authenticate with the omniauth provider and at the same time benefit from the LDAP integration (HTTPS authentication with LDAP username/password and in EE: LDAP groups, SSH keys etc.). This feature automates the process by looking up a corresponding LDAP person when a user connects with omniauth for the first time and then automatically linking the LDAP and omniauth identities (of course, like the existing allow_single_sign_on setting, this is meant to be used with trusted omniauth providers). The result is identical to a manual account link. Add config initializers for other omniauth settings. 2015-06-02 06:01:29 -04:00			`username: ::Namespace.clean_path(username),`
			`email: email,`
Allow users that signed up via OAuth to set their password in order to use Git over HTTP(S). 2015-02-13 07:33:28 -05:00			`password: auth_hash.password,`
			`password_confirmation: auth_hash.password,`
			`password_automatically_set: true`
Refactor Oauth::User class to use instance methods 2014-09-03 09:59:50 -04:00			`}`
			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00
Refactor Oauth::User class to use instance methods 2014-09-03 09:59:50 -04:00			`def log`
			`Gitlab::AppLogger`
			`end`

Supporting for multiple omniauth provider for the same user 2014-11-27 06:34:39 -05:00			`def unauthorized_to_create`
Improve OAuth signup error message. 2015-05-12 06:50:06 -04:00			`raise SignupDisabledError`
Add regressiontest to verify allow_single_sign_on setting verification for #1677 Since testing omniauth_callback_controller.rb is very difficult, the logic is moved to the models 2014-10-16 14:08:30 -04:00			`end`
Added Gitlab::OAuth::User class Authenticate or create users from OAuth providers 2013-09-03 17:04:27 -04:00			`end`
			`end`
			`end`