Skip to content
Snippets Groups Projects
Normal view Permalink
access.rb 1.66 KiB
Newer Older
  • Learn to ignore specific revisions
    • Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    1 2 3 4 
    # LDAP authorization model
#
# * Check if we are allowed access (not blocked)
#
    Dmitriy Zaporozhets's avatar
    Port LDAP code from EE
    Dmitriy Zaporozhets committed
    5 6 7 
    module Gitlab
  module LDAP
    class Access
    Drew Blessing's avatar
    Optimize LDAP and add a search timeout  
    Drew Blessing committed
    8 
          attr_reader :provider, :user
    Jacob Vosmaer's avatar
    Add Gitlab::LDAP::Access.open  
    Jacob Vosmaer committed
    9
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    10 
          def self.open(user, &block)
    Valery Sizov's avatar
    Supporting for multiple omniauth provider for the same user  
    Valery Sizov committed
    11 
            Gitlab::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    12 
              block.call(self.new(user, adapter))
    Jacob Vosmaer's avatar
    Add Gitlab::LDAP::Access.open  
    Jacob Vosmaer committed
    13 14 15 
            end
      end
    Jacob Vosmaer's avatar
    Move LDAP timeout code to Gitlab::LDAP::Access  
    Jacob Vosmaer committed
    16 
          def self.allowed?(user)
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    17 18 
            self.open(user) do |access|
          if access.allowed?
    Jacob Vosmaer's avatar
    Move LDAP timeout code to Gitlab::LDAP::Access  
    Jacob Vosmaer committed
    19 20 21 22 23 24 25 26 27 
                user.last_credential_check_at = Time.now
            user.save
            true
          else
            false
          end
        end
      end
    Gabriel Mazetto's avatar
    Enable Style/SpaceAroundEqualsInParameterDefault cop  
    Gabriel Mazetto committed
    28 
          def initialize(user, adapter = nil)
    Jacob Vosmaer's avatar
    Add Gitlab::LDAP::Access.open  
    Jacob Vosmaer committed
    29 
            @adapter = adapter
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    30 
            @user = user
    Valery Sizov's avatar
    Supporting for multiple omniauth provider for the same user  
    Valery Sizov committed
    31 
            @provider = user.ldap_identity.provider
    Jacob Vosmaer's avatar
    Add Gitlab::LDAP::Access.open  
    Jacob Vosmaer committed
    32 33 
          end
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    34 
          def allowed?
    Drew Blessing's avatar
    Optimize LDAP and add a search timeout  
    Drew Blessing committed
    35 
            if ldap_user
    Gabriel Mazetto's avatar
    Unblocks user when active_directory is disabled and it can be found  
    Gabriel Mazetto committed
    36 37 38 39 
              unless ldap_config.active_directory
            user.activate if user.ldap_blocked?
            return true
          end
    Dmitriy Zaporozhets's avatar
    Block user if he/she was blocked in Active Directory  
    Dmitriy Zaporozhets committed
    40 41 42 
    
          # Block user in GitLab if he/she was blocked in AD
          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
    Gabriel Mazetto's avatar
    LDAP synchronization block/unblock new states  
    Gabriel Mazetto committed
    43 
                user.ldap_block
    Dmitriy Zaporozhets's avatar
    Block user if he/she was blocked in Active Directory  
    Dmitriy Zaporozhets committed
    44 45 
                false
          else
    Gabriel Mazetto's avatar
    fixed LDAP activation on login to use new ldap_blocked state  
    Gabriel Mazetto committed
    46 
                user.activate if user.ldap_blocked?
    Dmitriy Zaporozhets's avatar
    Block user if he/she was blocked in Active Directory  
    Dmitriy Zaporozhets committed
    47 48 
                true
          end
    Jacob Vosmaer's avatar
    Check for the AD disabled flag in Access#allowed?  
    Jacob Vosmaer committed
    49 
            else
    Drew Blessing's avatar
    Block LDAP user when they are no longer found in the LDAP server  
    Drew Blessing committed
    50 
              # Block the user if they no longer exist in LDAP/AD
    Gabriel Mazetto's avatar
    LDAP synchronization block/unblock new states  
    Gabriel Mazetto committed
    51 
              user.ldap_block
    Jacob Vosmaer's avatar
    Check for the AD disabled flag in Access#allowed?  
    Jacob Vosmaer committed
    52 53 
              false
        end
    Dmitriy Zaporozhets's avatar
    Port LDAP code from EE
    Dmitriy Zaporozhets committed
    54 55 56 
          rescue
        false
      end
    Jan-Willem van der Meer's avatar
    Refactor lib files for multiple LDAP groups  
    Jan-Willem van der Meer committed
    57 58 59 60 
    
      def adapter
        @adapter ||= Gitlab::LDAP::Adapter.new(provider)
      end
    Jan-Willem van der Meer's avatar
    Fix authorization for LDAP login  
    Jan-Willem van der Meer committed
    61 62 63 64 
    
      def ldap_config
        Gitlab::LDAP::Config.new(provider)
      end
    Drew Blessing's avatar
    Optimize LDAP and add a search timeout  
    Drew Blessing committed
    65 66 67 68 
    
      def ldap_user
        @ldap_user ||= Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
      end
    Dmitriy Zaporozhets's avatar
    Port LDAP code from EE
    Dmitriy Zaporozhets committed
    69 70 71 
        end
  end
end