BigW Consortium Gitlab

user.rb 6.84 KB
Newer Older
1 2 3 4 5 6 7
# OAuth extension for User model
#
# * Find GitLab user based on omniauth uid and provider
# * Create new user from omniauth data
#
module Gitlab
  module OAuth
8
    SignupDisabledError = Class.new(StandardError)
9

10
    class User
11
      attr_accessor :auth_hash, :gl_user
12

13 14
      def initialize(auth_hash)
        self.auth_hash = auth_hash
15
        update_profile if sync_profile_from_provider?
16
        add_or_update_user_identities
17
      end
18

19
      def persisted?
20
        gl_user.try(:persisted?)
21
      end
22

23
      def new?
24
        !persisted?
25
      end
26

27
      def valid?
28
        gl_user.try(:valid?)
29
      end
30

31
      def save(provider = 'OAuth')
32 33
        unauthorized_to_create unless gl_user

34 35
        block_after_save = needs_blocking?

36
        Users::UpdateService.new(gl_user, user: gl_user).execute!
37

38
        gl_user.block if block_after_save
39

40
        log.info "(#{provider}) saving user #{auth_hash.email} from login with extern_uid => #{auth_hash.uid}"
41 42
        gl_user
      rescue ActiveRecord::RecordInvalid => e
43
        log.info "(#{provider}) Error saving user #{auth_hash.uid} (#{auth_hash.email}): #{gl_user.errors.full_messages}"
44 45 46 47
        return self, e.record.errors
      end

      def gl_user
48
        return @gl_user if defined?(@gl_user)
49

50 51
        @gl_user = find_user
      end
52

53 54
      def find_user
        user = find_by_uid_and_provider
55

56 57
        user ||= find_or_build_ldap_user if auto_link_ldap_user?
        user ||= build_new_user if signup_enabled?
58

59
        user.external = true if external_provider? && user
60

61
        user
62
      end
63

64
      protected
65

66
      def add_or_update_user_identities
67 68
        return unless gl_user

69 70 71 72 73 74 75 76 77 78 79 80 81
        # find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
        identity = gl_user.identities.find { |identity| identity.provider == auth_hash.provider }

        identity ||= gl_user.identities.build(provider: auth_hash.provider)
        identity.extern_uid = auth_hash.uid

        if auto_link_ldap_user? && !gl_user.ldap_user? && ldap_person
          log.info "Correct LDAP account has been found. identity to user: #{gl_user.username}."
          gl_user.identities.build(provider: ldap_person.provider, extern_uid: ldap_person.dn)
        end
      end

      def find_or_build_ldap_user
82
        return unless ldap_person
Douwe Maan committed
83

84 85 86
        user = Gitlab::LDAP::User.find_by_uid_and_provider(ldap_person.dn, ldap_person.provider)
        if user
          log.info "LDAP account found for user #{user.username}. Building new #{auth_hash.provider} identity."
87
          return user
88
        end
Douwe Maan committed
89

90 91 92 93 94 95 96 97
        log.info "No user found using #{auth_hash.provider} provider. Creating a new one."
        build_new_user
      end

      def find_by_email
        return unless auth_hash.has_attribute?(:email)

        ::User.find_by(email: auth_hash.email.downcase)
98 99 100 101 102 103 104 105 106 107 108 109 110
      end

      def auto_link_ldap_user?
        Gitlab.config.omniauth.auto_link_ldap_user
      end

      def creating_linked_ldap_user?
        auto_link_ldap_user? && ldap_person
      end

      def ldap_person
        return @ldap_person if defined?(@ldap_person)

111 112
        # Look for a corresponding person with same uid in any of the configured LDAP providers
        Gitlab::LDAP::Config.providers.each do |provider|
113
          adapter = Gitlab::LDAP::Adapter.new(provider)
114
          @ldap_person = find_ldap_person(auth_hash, adapter)
115
          break if @ldap_person
116
        end
117
        @ldap_person
118 119
      end

120
      def find_ldap_person(auth_hash, adapter)
121 122 123
        Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter) ||
          Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter) ||
          Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
124 125
      end

126
      def ldap_config
Douwe Maan committed
127
        Gitlab::LDAP::Config.new(ldap_person.provider) if ldap_person
128 129
      end

130
      def needs_blocking?
Douwe Maan committed
131
        new? && block_after_signup?
132 133 134
      end

      def signup_enabled?
135
        providers = Gitlab.config.omniauth.allow_single_sign_on
136 137 138 139 140
        if providers.is_a?(Array)
          providers.include?(auth_hash.provider)
        else
          providers
        end
141 142
      end

143 144 145 146
      def external_provider?
        Gitlab.config.omniauth.external_providers.include?(auth_hash.provider)
      end

147
      def block_after_signup?
Douwe Maan committed
148 149
        if creating_linked_ldap_user?
          ldap_config.block_auto_created_users
150
        else
Douwe Maan committed
151 152
          Gitlab.config.omniauth.block_auto_created_users
        end
153 154
      end

155 156 157 158
      def auth_hash=(auth_hash)
        @auth_hash = AuthHash.new(auth_hash)
      end

159
      def find_by_uid_and_provider
160 161
        identity = Identity.find_by(provider: auth_hash.provider, extern_uid: auth_hash.uid)
        identity && identity.user
162
      end
163

164
      def build_new_user
165
        user_params = user_attributes.merge(skip_confirmation: true)
166
        Users::BuildService.new(nil, user_params).execute(skip_authorization: true)
167 168
      end

169
      def user_attributes
170
        # Give preference to LDAP for sensitive information when creating a linked account
Douwe Maan committed
171
        if creating_linked_ldap_user?
172 173
          username = ldap_person.username.presence
          email = ldap_person.email.first.presence
174
        end
175

176 177 178
        username ||= auth_hash.username
        email ||= auth_hash.email

179 180 181 182 183
        valid_username = ::Namespace.clean_path(username)

        uniquify = Uniquify.new
        valid_username = uniquify.string(valid_username) { |s| !DynamicPathValidator.valid_user_path?(s) }

184
        name = auth_hash.name
185
        name = valid_username if name.strip.empty?
186

Douwe Maan committed
187
        {
188
          name:                       name,
189
          username:                   valid_username,
190
          email:                      email,
191 192 193
          password:                   auth_hash.password,
          password_confirmation:      auth_hash.password,
          password_automatically_set: true
194 195
        }
      end
196

197 198 199 200 201 202 203 204
      def sync_profile_from_provider?
        providers = Gitlab.config.omniauth.sync_profile_from_provider

        if providers.is_a?(Array)
          providers.include?(auth_hash.provider)
        else
          providers
        end
205 206
      end

207 208
      def update_profile
        user_synced_attributes_metadata = gl_user.user_synced_attributes_metadata || gl_user.build_user_synced_attributes_metadata
209

210 211 212 213 214 215 216
        UserSyncedAttributesMetadata::SYNCABLE_ATTRIBUTES.each do |key|
          if auth_hash.has_attribute?(key) && gl_user.sync_attribute?(key)
            gl_user[key] = auth_hash.public_send(key) # rubocop:disable GitlabSecurity/PublicSend
            user_synced_attributes_metadata.set_attribute_synced(key, true)
          else
            user_synced_attributes_metadata.set_attribute_synced(key, false)
          end
217
        end
218 219 220

        user_synced_attributes_metadata.provider = auth_hash.provider
        gl_user.user_synced_attributes_metadata = user_synced_attributes_metadata
221 222
      end

223 224 225 226
      def log
        Gitlab::AppLogger
      end

227
      def unauthorized_to_create
228
        raise SignupDisabledError
229
      end
230 231 232
    end
  end
end