Commit 80174c16 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'feature-oauth-refactoring' into 'master'

Feature oauth refactoring

Only use class methods when needed. In addition, make a proper extension of Gitlab::Oauth::User.

See merge request !1062
parents 699ffeb8 2c047642
...@@ -474,10 +474,6 @@ class User < ActiveRecord::Base ...@@ -474,10 +474,6 @@ class User < ActiveRecord::Base
email =~ /\Atemp-email-for-oauth/ email =~ /\Atemp-email-for-oauth/
end end
def generate_tmp_oauth_email
self.email = "temp-email-for-oauth-#{username}@gitlab.localhost"
end
def public_profile? def public_profile?
authorized_projects.public_only.any? authorized_projects.public_only.any?
end end
......
...@@ -10,37 +10,20 @@ module Gitlab ...@@ -10,37 +10,20 @@ module Gitlab
module LDAP module LDAP
class User < Gitlab::OAuth::User class User < Gitlab::OAuth::User
class << self class << self
def find_or_create(auth) def find_or_create(auth_hash)
@auth = auth self.auth_hash = auth_hash
find(auth_hash) || find_and_connect_by_email(auth_hash) || create(auth_hash)
if uid.blank? || email.blank? || username.blank?
raise_error("Account must provide a dn, uid and email address")
end end
user = find(auth) def find_and_connect_by_email(auth_hash)
self.auth_hash = auth_hash
unless user user = model.find_by(email: self.auth_hash.email)
# Look for user with same emails
#
# Possible cases:
# * When user already has account and need to link their LDAP account.
# * LDAP uid changed for user with same email and we need to update their uid
#
user = model.find_by(email: email)
if user if user
user.update_attributes(extern_uid: uid, provider: provider) user.update_attributes(extern_uid: auth_hash.uid, provider: auth_hash.provider)
log.info("(LDAP) Updating legacy LDAP user #{email} with extern_uid => #{uid}") Gitlab::AppLogger.info("(LDAP) Updating legacy LDAP user #{self.auth_hash.email} with extern_uid => #{auth_hash.uid}")
else return user
# Create a new user inside GitLab database
# based on LDAP credentials
#
#
user = create(auth)
end
end end
user
end end
def authenticate(login, password) def authenticate(login, password)
...@@ -48,17 +31,8 @@ module Gitlab ...@@ -48,17 +31,8 @@ module Gitlab
# Only check with valid login and password to prevent anonymous bind results # Only check with valid login and password to prevent anonymous bind results
return nil unless ldap_conf.enabled && login.present? && password.present? return nil unless ldap_conf.enabled && login.present? && password.present?
ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf) ldap_user = adapter.bind_as(
filter = Net::LDAP::Filter.eq(ldap.uid, login) filter: user_filter(login),
# Apply LDAP user filter if present
if ldap_conf['user_filter'].present?
user_filter = Net::LDAP::Filter.construct(ldap_conf['user_filter'])
filter = Net::LDAP::Filter.join(filter, user_filter)
end
ldap_user = ldap.bind_as(
filter: filter,
size: 1, size: 1,
password: password password: password
) )
...@@ -66,10 +40,14 @@ module Gitlab ...@@ -66,10 +40,14 @@ module Gitlab
find_by_uid(ldap_user.dn) if ldap_user find_by_uid(ldap_user.dn) if ldap_user
end end
private def adapter
@adapter ||= OmniAuth::LDAP::Adaptor.new(ldap_conf)
end
protected
def find_by_uid_and_provider def find_by_uid_and_provider
find_by_uid(uid) find_by_uid(auth_hash.uid)
end end
def find_by_uid(uid) def find_by_uid(uid)
...@@ -88,6 +66,20 @@ module Gitlab ...@@ -88,6 +66,20 @@ module Gitlab
def ldap_conf def ldap_conf
Gitlab.config.ldap Gitlab.config.ldap
end end
def user_filter(login)
filter = Net::LDAP::Filter.eq(adapter.uid, login)
# Apply LDAP user filter if present
if ldap_conf['user_filter'].present?
user_filter = Net::LDAP::Filter.construct(ldap_conf['user_filter'])
filter = Net::LDAP::Filter.join(filter, user_filter)
end
filter
end
end
def needs_blocking?
false
end end
end end
end end
......
# Class to parse and transform the info provided by omniauth
#
module Gitlab
module OAuth
class AuthHash
attr_reader :auth_hash
def initialize(auth_hash)
@auth_hash = auth_hash
end
def uid
auth_hash.uid.to_s
end
def provider
auth_hash.provider
end
def info
auth_hash.info
end
def name
(info.name || full_name).to_s.force_encoding('utf-8')
end
def full_name
"#{info.first_name} #{info.last_name}"
end
def username
(info.try(:nickname) || generate_username).to_s.force_encoding('utf-8')
end
def email
(info.try(:email) || generate_temporarily_email).downcase
end
def password
@password ||= Devise.friendly_token[0, 8].downcase
end
# Get the first part of the email address (before @)
# In addtion in removes illegal characters
def generate_username
email.match(/^[^@]*/)[0].parameterize
end
def generate_temporarily_email
"temp-email-for-oauth-#{username}@gitlab.localhost"
end
end
end
end
...@@ -7,106 +7,78 @@ module Gitlab ...@@ -7,106 +7,78 @@ module Gitlab
module OAuth module OAuth
class User class User
class << self class << self
attr_reader :auth attr_reader :auth_hash
def find(auth) def find(auth_hash)
@auth = auth self.auth_hash = auth_hash
find_by_uid_and_provider find_by_uid_and_provider
end end
def create(auth) def create(auth_hash)
@auth = auth user = new(auth_hash)
password = Devise.friendly_token[0, 8].downcase user.save_and_trigger_callbacks
opts = {
extern_uid: uid,
provider: provider,
name: name,
username: username,
email: email,
password: password,
password_confirmation: password,
}
user = model.build_user(opts)
user.skip_confirmation!
# Services like twitter and github does not return email via oauth
# In this case we generate temporary email and force user to fill it later
if user.email.blank?
user.generate_tmp_oauth_email
elsif provider != "ldap"
# Google oauth returns email but dont return nickname
# So we use part of email as username for new user
# For LDAP, username is already set to the user's
# uid/userid/sAMAccountName.
email_username = email.match(/^[^@]*/)[0]
# Strip apostrophes since they are disallowed as part of username
user.username = email_username.gsub("'", "")
end
begin
user.save!
rescue ActiveRecord::RecordInvalid => e
log.info "(OAuth) Email #{e.record.errors[:email]}. Username #{e.record.errors[:username]}"
return nil, e.record.errors
end end
log.info "(OAuth) Creating user #{email} from login with extern_uid => #{uid}" def model
::User
if Gitlab.config.omniauth['block_auto_created_users'] && !ldap?
user.block
end end
user def auth_hash=(auth_hash)
@auth_hash = AuthHash.new(auth_hash)
end end
private protected
def find_by_uid_and_provider def find_by_uid_and_provider
model.where(provider: provider, extern_uid: uid).last model.where(provider: auth_hash.provider, extern_uid: auth_hash.uid).last
end end
def uid
auth.uid.to_s
end end
def email # Instance methods
return unless auth.info.respond_to?(:email) attr_accessor :auth_hash, :user
auth.info.email.downcase unless auth.info.email.nil?
end
def name def initialize(auth_hash)
if auth.info.name.nil? self.auth_hash = auth_hash
"#{auth.info.first_name} #{auth.info.last_name}".force_encoding('utf-8') self.user = self.class.model.new(user_attributes)
else user.skip_confirmation!
auth.info.name.to_s.force_encoding('utf-8')
end end
def auth_hash=(auth_hash)
@auth_hash = AuthHash.new(auth_hash)
end end
def username def save_and_trigger_callbacks
return unless auth.info.respond_to?(:nickname) user.save!
auth.info.nickname.to_s.force_encoding("utf-8") log.info "(OAuth) Creating user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
user.block if needs_blocking?
user
rescue ActiveRecord::RecordInvalid => e
log.info "(OAuth) Email #{e.record.errors[:email]}. Username #{e.record.errors[:username]}"
return nil, e.record.errors
end end
def provider def user_attributes
auth.provider {
extern_uid: auth_hash.uid,
provider: auth_hash.provider,
name: auth_hash.name,
username: auth_hash.username,
email: auth_hash.email,
password: auth_hash.password,
password_confirmation: auth_hash.password,
}
end end
def log def log
Gitlab::AppLogger Gitlab::AppLogger
end end
def model
::User
end
def raise_error(message) def raise_error(message)
raise OmniAuth::Error, "(OAuth) " + message raise OmniAuth::Error, "(OAuth) " + message
end end
def ldap? def needs_blocking?
provider == 'ldap' Gitlab.config.omniauth['block_auto_created_users']
end
end end
end end
end end
......
...@@ -4,25 +4,44 @@ describe Gitlab::Auth do ...@@ -4,25 +4,44 @@ describe Gitlab::Auth do
let(:gl_auth) { Gitlab::Auth.new } let(:gl_auth) { Gitlab::Auth.new }
describe :find do describe :find do
before do let!(:user) do
@user = create( create(:user,
:user, username: username,
username: 'john', password: password,
password: '88877711', password_confirmation: password)
password_confirmation: '88877711'
)
end end
let(:username) { 'john' }
let(:password) { 'my-secret' }
it "should find user by valid login/password" do it "should find user by valid login/password" do
gl_auth.find('john', '88877711').should == @user expect( gl_auth.find(username, password) ).to eql user
end end
it "should not find user with invalid password" do it "should not find user with invalid password" do
gl_auth.find('john', 'invalid11').should_not == @user password = 'wrong'
expect( gl_auth.find(username, password) ).to_not eql user
end end
it "should not find user with invalid login and password" do it "should not find user with invalid login" do
gl_auth.find('jon', 'invalid11').should_not == @user user = 'wrong'
expect( gl_auth.find(username, password) ).to_not eql user
end
context "with ldap enabled" do
before { Gitlab.config.ldap['enabled'] = true }
after { Gitlab.config.ldap['enabled'] = false }
it "tries to autheticate with db before ldap" do
expect(Gitlab::LDAP::User).not_to receive(:authenticate)
gl_auth.find(username, password)
end
it "uses ldap as fallback to for authentication" do
expect(Gitlab::LDAP::User).to receive(:authenticate)
gl_auth.find('ldap_user', 'password')
end
end end
end end
end end
require 'spec_helper' require 'spec_helper'
describe Gitlab::LDAP::User do describe Gitlab::LDAP::User do
let(:gl_auth) { Gitlab::LDAP::User } let(:gl_user) { Gitlab::LDAP::User }
let(:info) do let(:info) do
double( double(
name: 'John', name: 'John',
...@@ -19,12 +19,12 @@ describe Gitlab::LDAP::User do ...@@ -19,12 +19,12 @@ describe Gitlab::LDAP::User do
it "finds the user if already existing" do it "finds the user if already existing" do
existing_user = create(:user, extern_uid: 'my-uid', provider: 'ldap') existing_user = create(:user, extern_uid: 'my-uid', provider: 'ldap')
expect{ gl_auth.find_or_create(auth) }.to_not change{ User.count } expect{ gl_user.find_or_create(auth) }.to_not change{ User.count }
end end
it "connects to existing non-ldap user if the email matches" do it "connects to existing non-ldap user if the email matches" do
existing_user = create(:user, email: 'john@example.com') existing_user = create(:user, email: 'john@example.com')
expect{ gl_auth.find_or_create(auth) }.to_not change{ User.count } expect{ gl_user.find_or_create(auth) }.to_not change{ User.count }
existing_user.reload existing_user.reload
expect(existing_user.extern_uid).to eql 'my-uid' expect(existing_user.extern_uid).to eql 'my-uid'
...@@ -32,7 +32,23 @@ describe Gitlab::LDAP::User do ...@@ -32,7 +32,23 @@ describe Gitlab::LDAP::User do
end end
it "creates a new user if not found" do it "creates a new user if not found" do
expect{ gl_auth.find_or_create(auth) }.to change{ User.count }.by(1) expect{ gl_user.find_or_create(auth) }.to change{ User.count }.by(1)
end
end
describe "authenticate" do
let(:login) { 'john' }
let(:password) { 'my-secret' }
before {
Gitlab.config.ldap['enabled'] = true
Gitlab.config.ldap['user_filter'] = 'employeeType=developer'
}
after { Gitlab.config.ldap['enabled'] = false }
it "send an authentication request to ldap" do
expect( Gitlab::LDAP::User.adapter ).to receive(:bind_as)
Gitlab::LDAP::User.authenticate(login, password)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment