BigW Consortium Gitlab

access.rb 2.26 KB
Newer Older
1 2 3 4
# LDAP authorization model
#
# * Check if we are allowed access (not blocked)
#
5 6 7
module Gitlab
  module LDAP
    class Access
8
      attr_reader :provider, :user
9

10
      def self.open(user, &block)
11
        Gitlab::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
12
          block.call(self.new(user, adapter))
13 14 15
        end
      end

16
      def self.allowed?(user)
17 18
        self.open(user) do |access|
          if access.allowed?
19
            Users::UpdateService.new(user, last_credential_check_at: Time.now).execute
20

21 22 23 24 25 26 27
            true
          else
            false
          end
        end
      end

28
      def initialize(user, adapter = nil)
29
        @adapter = adapter
30
        @user = user
31
        @provider = user.ldap_identity.provider
32 33
      end

34
      def allowed?
35
        if ldap_user
36
          unless ldap_config.active_directory
37
            unblock_user(user, 'is available again') if user.ldap_blocked?
38 39
            return true
          end
40 41 42

          # Block user in GitLab if he/she was blocked in AD
          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
43
            block_user(user, 'is disabled in Active Directory')
44 45
            false
          else
46
            unblock_user(user, 'is not disabled anymore') if user.ldap_blocked?
47 48
            true
          end
49
        else
50
          # Block the user if they no longer exist in LDAP/AD
51
          block_user(user, 'does not exist anymore')
52 53
          false
        end
54
      end
55 56 57 58

      def adapter
        @adapter ||= Gitlab::LDAP::Adapter.new(provider)
      end
59 60 61 62

      def ldap_config
        Gitlab::LDAP::Config.new(provider)
      end
63 64 65 66

      def ldap_user
        @ldap_user ||= Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
      end
67 68 69 70 71

      def block_user(user, reason)
        user.ldap_block

        Gitlab::AppLogger.info(
72
          "LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \
73 74 75 76 77 78 79 80
          "blocking Gitlab user \"#{user.name}\" (#{user.email})"
        )
      end

      def unblock_user(user, reason)
        user.activate

        Gitlab::AppLogger.info(
81
          "LDAP account \"#{user.ldap_identity.extern_uid}\" #{reason}, " \
82 83 84
          "unblocking Gitlab user \"#{user.name}\" (#{user.email})"
        )
      end
85 86 87
    end
  end
end