1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
# LDAP authorization model
#
# * Check if we are allowed access (not blocked)
#
module Gitlab
module Auth
module LDAP
class Access
attr_reader :provider, :user, :ldap_identity
def self.open(user, &block)
Gitlab::Auth::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
block.call(self.new(user, adapter))
end
end
def self.allowed?(user, options = {})
self.open(user) do |access|
# Whether user is allowed, or not, we should update
# permissions to keep things clean
if access.allowed?
unless Gitlab::Database.read_only?
access.update_user
Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
end
true
else
false
end
end
end
def initialize(user, adapter = nil)
@adapter = adapter
@user = user
@ldap_identity = user.ldap_identity
@provider = adapter&.provider || ldap_identity&.provider
end
def allowed?
if ldap_user
unless ldap_config.active_directory
unblock_user(user, 'is available again') if user.ldap_blocked?
return true
end
# Block user in GitLab if he/she was blocked in AD
if Gitlab::Auth::LDAP::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
block_user(user, 'is disabled in Active Directory')
false
else
unblock_user(user, 'is not disabled anymore') if user.ldap_blocked?
true
end
else
# Block the user if they no longer exist in LDAP/AD
block_user(user, 'does not exist anymore')
false
end
rescue LDAPConnectionError
false
end
def update_user
# no-op in CE
end
private
def adapter
@adapter ||= Gitlab::Auth::LDAP::Adapter.new(provider)
end
def ldap_config
Gitlab::Auth::LDAP::Config.new(provider)
end
def ldap_user
return unless provider
@ldap_user ||= find_ldap_user
end
def find_ldap_user
Gitlab::Auth::LDAP::Person.find_by_dn(ldap_identity.extern_uid, adapter)
end
def block_user(user, reason)
user.ldap_block
if provider
Gitlab::AppLogger.info(
"LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"blocking GitLab user \"#{user.name}\" (#{user.email})"
)
else
Gitlab::AppLogger.info(
"Account is not provided by LDAP, " \
"blocking GitLab user \"#{user.name}\" (#{user.email})"
)
end
end
def unblock_user(user, reason)
user.activate
Gitlab::AppLogger.info(
"LDAP account \"#{ldap_identity.extern_uid}\" #{reason}, " \
"unblocking GitLab user \"#{user.name}\" (#{user.email})"
)
end
end
end
end
end
|
