120 lines
3.3 KiB
Ruby
120 lines
3.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
# LDAP authorization model
|
|
#
|
|
# * Check if we are allowed access (not blocked)
|
|
#
|
|
module Gitlab
|
|
module Auth
|
|
module Ldap
|
|
class Access
|
|
attr_reader :provider, :user, :ldap_identity
|
|
|
|
def self.open(user, &block)
|
|
Gitlab::Auth::Ldap::Adapter.open(user.ldap_identity.provider) do |adapter|
|
|
block.call(self.new(user, adapter))
|
|
end
|
|
end
|
|
|
|
def self.allowed?(user, options = {})
|
|
self.open(user) do |access|
|
|
# Whether user is allowed, or not, we should update
|
|
# permissions to keep things clean
|
|
if access.allowed?
|
|
unless Gitlab::Database.read_only?
|
|
access.update_user
|
|
Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
|
|
end
|
|
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
end
|
|
|
|
def initialize(user, adapter = nil)
|
|
@adapter = adapter
|
|
@user = user
|
|
@ldap_identity = user.ldap_identity
|
|
@provider = adapter&.provider || ldap_identity&.provider
|
|
end
|
|
|
|
def allowed?
|
|
if ldap_user
|
|
unless ldap_config.active_directory
|
|
unblock_user(user, 'is available again') if user.ldap_blocked?
|
|
return true
|
|
end
|
|
|
|
# Block user in GitLab if they were blocked in AD
|
|
if Gitlab::Auth::Ldap::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
|
|
block_user(user, 'is disabled in Active Directory')
|
|
false
|
|
else
|
|
unblock_user(user, 'is not disabled anymore') if user.ldap_blocked?
|
|
true
|
|
end
|
|
else
|
|
# Block the user if they no longer exist in LDAP/AD
|
|
block_user(user, 'does not exist anymore')
|
|
false
|
|
end
|
|
rescue LdapConnectionError
|
|
false
|
|
end
|
|
|
|
def update_user
|
|
# no-op in CE
|
|
end
|
|
|
|
private
|
|
|
|
def adapter
|
|
@adapter ||= Gitlab::Auth::Ldap::Adapter.new(provider)
|
|
end
|
|
|
|
def ldap_config
|
|
Gitlab::Auth::Ldap::Config.new(provider)
|
|
end
|
|
|
|
def ldap_user
|
|
return unless provider
|
|
|
|
@ldap_user ||= find_ldap_user
|
|
end
|
|
|
|
def find_ldap_user
|
|
Gitlab::Auth::Ldap::Person.find_by_dn(ldap_identity.extern_uid, adapter)
|
|
end
|
|
|
|
def block_user(user, reason)
|
|
user.ldap_block
|
|
|
|
if provider
|
|
Gitlab::AppLogger.info(
|
|
"LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
|
|
"blocking GitLab user \"#{user.name}\" (#{user.email})"
|
|
)
|
|
else
|
|
Gitlab::AppLogger.info(
|
|
"Account is not provided by LDAP, " \
|
|
"blocking GitLab user \"#{user.name}\" (#{user.email})"
|
|
)
|
|
end
|
|
end
|
|
|
|
def unblock_user(user, reason)
|
|
user.activate
|
|
|
|
Gitlab::AppLogger.info(
|
|
"LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
|
|
"unblocking GitLab user \"#{user.name}\" (#{user.email})"
|
|
)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
Gitlab::Auth::Ldap::Access.prepend_if_ee('::EE::Gitlab::Auth::Ldap::Access')
|