user.rb 4.35 KB
Newer Older
1 2 3 4 5 6 7
# OAuth extension for User model
#
# * Find GitLab user based on omniauth uid and provider
# * Create new user from omniauth data
#
module Gitlab
  module OAuth
8
    class SignupDisabledError < StandardError; end
9

10
    class User
11
      attr_accessor :auth_hash, :gl_user
12

13 14 15
      def initialize(auth_hash)
        self.auth_hash = auth_hash
      end
16

17
      def persisted?
18
        gl_user.try(:persisted?)
19
      end
20

21
      def new?
22
        !persisted?
23
      end
24

25
      def valid?
26
        gl_user.try(:valid?)
27
      end
28

29
      def save
30 31
        unauthorized_to_create unless gl_user

32
        if needs_blocking?
33
          gl_user.save!
34
          gl_user.block
35 36
        else
          gl_user.save!
37
        end
38

39
        log.info "(OAuth) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
40 41 42 43 44 45 46
        gl_user
      rescue ActiveRecord::RecordInvalid => e
        log.info "(OAuth) Error saving user: #{gl_user.errors.full_messages}"
        return self, e.record.errors
      end

      def gl_user
47 48
        @user ||= find_by_uid_and_provider

49 50 51 52
        if auto_link_ldap_user?
          @user ||= find_or_create_ldap_user
        end

53
        if signup_enabled?
54 55
          @user ||= build_new_user
        end
56

57
        @user
58
      end
59

60
      protected
61

62 63
      def find_or_create_ldap_user
        return unless ldap_person
Douwe Maan's avatar
Douwe Maan committed
64 65 66

        # If a corresponding person exists with same uid in a LDAP server,
        # set up a Gitlab user with dual LDAP and Omniauth identities.
67
        if user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
Douwe Maan's avatar
Douwe Maan committed
68
          # Case when a LDAP user already exists in Gitlab. Add the Omniauth identity to existing account.
69 70
          user.identities.build(extern_uid: auth_hash.uid, provider: auth_hash.provider)
        else
Douwe Maan's avatar
Douwe Maan committed
71
          # No account in Gitlab yet: create it and add the LDAP identity
72 73 74
          user = build_new_user
          user.identities.new(provider: ldap_person.provider, extern_uid: ldap_person.dn)
        end
Douwe Maan's avatar
Douwe Maan committed
75

76 77 78 79 80 81 82 83 84 85 86 87 88 89
        user
      end

      def auto_link_ldap_user?
        Gitlab.config.omniauth.auto_link_ldap_user
      end

      def creating_linked_ldap_user?
        auto_link_ldap_user? && ldap_person
      end

      def ldap_person
        return @ldap_person if defined?(@ldap_person)

90 91
        # Look for a corresponding person with same uid in any of the configured LDAP providers
        Gitlab::LDAP::Config.providers.each do |provider|
92
          adapter = Gitlab::LDAP::Adapter.new(provider)
93 94
          @ldap_person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
          break if @ldap_person
95
        end
96
        @ldap_person
97 98 99
      end

      def ldap_config
Douwe Maan's avatar
Douwe Maan committed
100
        Gitlab::LDAP::Config.new(ldap_person.provider) if ldap_person
101 102
      end

103
      def needs_blocking?
Douwe Maan's avatar
Douwe Maan committed
104
        new? && block_after_signup?
105 106 107 108 109 110 111
      end

      def signup_enabled?
        Gitlab.config.omniauth.allow_single_sign_on
      end

      def block_after_signup?
Douwe Maan's avatar
Douwe Maan committed
112 113 114 115 116
        if creating_linked_ldap_user?
          ldap_config.block_auto_created_users
        else 
          Gitlab.config.omniauth.block_auto_created_users
        end
117 118
      end

119 120 121 122
      def auth_hash=(auth_hash)
        @auth_hash = AuthHash.new(auth_hash)
      end

123
      def find_by_uid_and_provider
124 125
        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
        identity && identity.user
126
      end
127

128
      def build_new_user
129
        user = ::User.new(user_attributes)
130 131
        user.skip_confirmation!
        user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
132
        user
133 134
      end

135
      def user_attributes
136
        # Give preference to LDAP for sensitive information when creating a linked account
Douwe Maan's avatar
Douwe Maan committed
137 138 139
        if creating_linked_ldap_user?
          username = ldap_person.username
          email = ldap_person.email.first
140
        else
Douwe Maan's avatar
Douwe Maan committed
141 142
          username = auth_hash.username
          email = auth_hash.email
143
        end
Douwe Maan's avatar
Douwe Maan committed
144 145
        
        {
146
          name:                       auth_hash.name,
147 148
          username:                   ::Namespace.clean_path(username),
          email:                      email,
149 150 151
          password:                   auth_hash.password,
          password_confirmation:      auth_hash.password,
          password_automatically_set: true
152 153
        }
      end
154

155 156 157 158
      def log
        Gitlab::AppLogger
      end

159
      def unauthorized_to_create
160
        raise SignupDisabledError
161
      end
162 163 164
    end
  end
end