authorPatricio Cano <suprnova32@gmail.com>2016-07-14 13:19:40 -0500
committerPatricio Cano <suprnova32@gmail.com>2016-07-18 17:52:29 -0500
commitdefb8660c08a904a385b584280f72fc6a5a94c6e (patch)
tree1a93c424e4ad3ffb3d18350fdaaaa6c43879bad1 /app/models
parent777a080892f710915c8f4d62864813ef388a1873 (diff)
downloadgitlab-ce-defb8660c08a904a385b584280f72fc6a5a94c6e.tar.gz
Added the ability to block sign ups using a domain blacklist.
Diffstat (limited to 'app/models')
-rw-r--r--app/models/application_setting.rb35
-rw-r--r--app/models/user.rb40
2 files changed, 56 insertions, 19 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index c6f77cc055f..84b1b54eeae 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -9,7 +9,9 @@ class ApplicationSetting < ActiveRecord::Base
serialize :import_sources
serialize :disabled_oauth_sign_in_sources, Array
serialize :restricted_signup_domains, Array
- attr_accessor :restricted_signup_domains_raw
+ serialize :domain_blacklist, Array
+
+ attr_accessor :restricted_signup_domains_raw, :domain_blacklist_raw
validates :session_expire_delay,
presence: true,
@@ -62,6 +64,10 @@ class ApplicationSetting < ActiveRecord::Base
validates :enabled_git_access_protocol,
inclusion: { in: %w(ssh http), allow_blank: true, allow_nil: true }
+ validates :domain_blacklist,
+ presence: true,
+ if: :domain_blacklist_enabled?
+
validates_each :restricted_visibility_levels do |record, attr, value|
unless value.nil?
value.each do |level|
@@ -154,18 +160,35 @@ class ApplicationSetting < ActiveRecord::Base
self.restricted_signup_domains.join("\n") unless self.restricted_signup_domains.nil?
end
- def restricted_signup_domains_raw=(values)
- self.restricted_signup_domains = []
- self.restricted_signup_domains = values.split(
- /\s*[,;]\s* # comma or semicolon, optionally surrounded by whitespace
+ def domain_blacklist_raw
+ self.domain_blacklist.join("\n") unless self.domain_blacklist.nil?
+ end
+
+ def splitter
+ /\s*[,;]\s* # comma or semicolon, optionally surrounded by whitespace
| # or
\s # any whitespace character
| # or
[\r\n] # any number of newline characters
- /x)
+ /x
+ end
+
+ def restricted_signup_domains_raw=(values)
+ self.restricted_signup_domains = []
+ self.restricted_signup_domains = values.split(splitter)
self.restricted_signup_domains.reject! { |d| d.empty? }
end
+ def domain_blacklist_raw=(values)
+ self.domain_blacklist = []
+ self.domain_blacklist = values.split(splitter)
+ self.domain_blacklist.reject! { |d| d.empty? }
+ end
+
+ def domain_blacklist_file=(file)
+ self.domain_blacklist_raw = file.read
+ end
+
def runners_registration_token
ensure_runners_registration_token!
end
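Review bot: `domain_blacklist_file=` hands `file.read` straight to the splitter with no nil guard and no size bound, so a `nil` argument raises NoMethodError and an oversized upload is read fully into memory and persisted in the serialized column. Guard and bound it, for example `self.domain_blacklist_raw = file.read(MAX_DOMAIN_BLACKLIST_BYTES) if file`, where `MAX_DOMAIN_BLACKLIST_BYTES` is a placeholder for a limit the project would have to define. Each stored entry is later compiled into a regexp on every sign-up by `match_domain` in user.rb, so the number of entries is worth capping as well. The two `*_raw=` setters are now identical apart from the attribute name and could share one private helper, and `splitter` would read better as a frozen constant than as a public instance method on the model.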
diff --git a/app/models/user.rb b/app/models/user.rb
index 3d0a033785c..b0c5d84fc40 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -111,7 +111,7 @@ class User < ActiveRecord::Base
validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
before_validation :generate_password, on: :create
- before_validation :restricted_signup_domains, on: :create
+ before_validation :signup_domain_valid?, on: :create
before_validation :sanitize_attrs
before_validation :set_notification_email, if: ->(user) { user.email_changed? }
before_validation :set_public_email, if: ->(user) { user.public_email_changed? }
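Review bot: `signup_domain_valid?` is registered as a `before_validation` callback but behaves as a validation: it adds to `errors` and reports failure through its return value. The sign-up is only rejected if this Rails version halts the callback chain on a `false` return, and when it does, `sanitize_attrs` and the remaining validations are skipped, so the user sees only the domain message. Registering it as `validate :signup_domain_valid?, on: :create` (and dropping the `self.errors.clear` call in the method body, which would otherwise wipe other validation errors) makes the domain check fail closed regardless of callback semantics. The `?` suffix also suggests a side-effect-free predicate, which this method is not.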
@@ -760,27 +760,41 @@ class User < ActiveRecord::Base
Project.where(id: events)
end
- def restricted_signup_domains
- email_domains = current_application_settings.restricted_signup_domains
+ def match_domain(email_domains)
+ email_domains.any? do |domain|
+ escaped = Regexp.escape(domain).gsub('\*', '.*?')
+ regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
+ email_domain = Mail::Address.new(self.email).domain
+ email_domain =~ regexp
+ end
+ end
+
+ def signup_domain_valid?
+ valid = true
- unless email_domains.blank?
- match_found = email_domains.any? do |domain|
- escaped = Regexp.escape(domain).gsub('\*', '.*?')
- regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
- email_domain = Mail::Address.new(self.email).domain
- email_domain =~ regexp
+ if current_application_settings.domain_blacklist_enabled?
+ blocked_domains = current_application_settings.domain_blacklist
+ if match_domain(blocked_domains)
+ self.errors.add :email, 'is not from an allowed domain.'
+ valid = false
end
+ end
- unless match_found
+ allowed_domains = current_application_settings.restricted_signup_domains
+ unless allowed_domains.blank?
+ if match_domain(allowed_domains)
+ self.errors.clear
+ valid = true
+ else
self.errors.add :email,
'is not whitelisted. ' +
'Email domains valid for registration are: ' +
- email_domains.join(', ')
- return false
+ allowed_domains.join(', ')
+ valid = false
end
end
- true
+ return valid
end
def can_be_removed?
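Review bot: In `signup_domain_valid?` the whitelist branch calls `self.errors.clear`, which drops every error on the record, not only the blacklist message added a few lines earlier, so anything recorded by an earlier callback is lost. When a domain is blacklisted and also absent from the whitelist, two messages are added to `:email`. Tracking one pending message and adding it once at the end keeps the same precedence (a whitelist match still overrides a blacklist hit, which deserves a comment since it is a policy decision) without touching unrelated errors. Separately, `match_domain` anchors with `^`/`$`, which are line anchors in Ruby; `Regexp.new "\\A#{escaped}\\z", Regexp::IGNORECASE` is the whole-string form, and the `Mail::Address` parse can be hoisted out of the `any?` block.

```ruby
def signup_domain_valid?
  error = nil

  if current_application_settings.domain_blacklist_enabled?
    blocked_domains = current_application_settings.domain_blacklist
    error = 'is not from an allowed domain.' if match_domain(blocked_domains)
  end

  allowed_domains = current_application_settings.restricted_signup_domains
  unless allowed_domains.blank?
    # Policy kept from the commit: a whitelist match overrides a blacklist hit.
    error =
      if match_domain(allowed_domains)
        nil
      else
        'is not whitelisted. ' +
          'Email domains valid for registration are: ' +
          allowed_domains.join(', ')
      end
  end

  # Add at most one message and leave errors from other callbacks intact.
  self.errors.add :email, error if error
  error.nil?
end
```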