Class: Gitlab::Auth::Ldap::Access

Inherits:
Object
  • Object
Defined in:
lib/gitlab/auth/ldap/access.rb


Constructor Details

#initialize(user, adapter = nil) ⇒ Access

Returns a new instance of Access.


# File 'lib/gitlab/auth/ldap/access.rb', line 36

# Builds an access checker for +user+.
#
# @param user [Object] account being checked; must respond to +ldap_identity+
# @param adapter [Object, nil] LDAP adapter, when the caller already holds one
def initialize(user, adapter = nil)
  @user = user
  @adapter = adapter
  @ldap_identity = user.ldap_identity

  # A supplied adapter decides the provider; the identity stored on the user
  # is only the fallback. Both lookups are nil-safe, so @provider ends up nil
  # when there is no adapter and the user carries no LDAP identity.
  @provider = adapter&.provider
  @provider ||= ldap_identity&.provider
end

Instance Attribute Details

#ldap_identity ⇒ Object (readonly)

Returns the value of attribute ldap_identity


# File 'lib/gitlab/auth/ldap/access.rb', line 11

# LDAP identity record, read once from +user.ldap_identity+ in the constructor.
# May be nil: the constructor itself dereferences it with safe navigation.
def ldap_identity
  @ldap_identity
end

#provider ⇒ Object (readonly)

Returns the value of attribute provider


# File 'lib/gitlab/auth/ldap/access.rb', line 11

# Provider resolved in the constructor: the adapter's provider when an adapter
# was passed and reports one, otherwise the provider of the user's LDAP
# identity. Nil when neither source yields a value.
def provider
  @provider
end

#user ⇒ Object (readonly)

Returns the value of attribute user


# File 'lib/gitlab/auth/ldap/access.rb', line 11

# The account this access check is about, exactly as handed to the constructor.
def user
  @user
end

Class Method Details

.allowed?(user, options = {}) ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/gitlab/auth/ldap/access.rb', line 19

# Re-validates +user+ against LDAP and reports whether access may continue.
#
# @param user [Object] account whose LDAP identity is checked
# @param options [Hash] not read by this method
# @return [Boolean] the block's verdict, assuming .open hands the block's
#   value back to its caller (Adapter.open is not visible here)
def self.allowed?(user, options = {})
  self.open(user) do |access|
    # A failed check ends here: nothing below runs for a denied user.
    next false unless access.allowed?

    # The refresh needs a writable database. On a read-only one the check
    # still passes, but last_credential_check_at is not advanced.
    unless Gitlab::Database.read_only?
      access.update_user
      Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
    end

    true
  end
end

.open(user, &block) ⇒ Object


# File 'lib/gitlab/auth/ldap/access.rb', line 13

# Opens an LDAP adapter for the provider recorded on the user's LDAP identity
# and passes a new Access built on that adapter to the block.
#
# @param user [Object] account; +ldap_identity+ is dereferenced without a nil
#   check, so a user with no LDAP identity raises NoMethodError here
# @param block [Proc] receives the Access instance; called via +block.call+,
#   so a missing block fails once the adapter yields
# @return [Object] whatever Adapter.open returns
def self.open(user, &block)
  provider_name = user.ldap_identity.provider

  Gitlab::Auth::Ldap::Adapter.open(provider_name) do |adapter|
    access = new(user, adapter)
    block.call(access)
  end
end

Instance Method Details

#allowed? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/gitlab/auth/ldap/access.rb', line 43

# Decides whether the user may keep access, based on the directory state, and
# keeps the GitLab-side block flag in step with it through block_user and
# unblock_user (both defined outside this listing).
#
# Outcomes:
# * no directory entry            -> block_user, false
# * entry found, not AD           -> unblock_user if LDAP-blocked, true
# * entry found, disabled in AD   -> block_user, false
# * entry found, enabled in AD    -> unblock_user if LDAP-blocked, true
# * LdapConnectionError           -> false
#
# @return [Boolean]
def allowed?
  # The user no longer exists in LDAP/AD.
  unless ldap_user
    block_user(user, 'does not exist anymore')
    return false
  end

  # Outside Active Directory, existence of the entry is the whole check.
  unless ldap_config.active_directory
    unblock_user(user, 'is available again') if user.ldap_blocked?
    return true
  end

  # Mirror an AD-side disable into GitLab.
  if Gitlab::Auth::Ldap::Person.disabled_via_active_directory?(ldap_identity.extern_uid, adapter)
    block_user(user, 'is disabled in Active Directory')
    return false
  end

  unblock_user(user, 'is not disabled anymore') if user.ldap_blocked?
  true
rescue LdapConnectionError
  # Fails closed: a connection error answers false and the rescue itself
  # neither blocks nor unblocks the user.
  false
end

#update_user ⇒ Object


# File 'lib/gitlab/auth/ldap/access.rb', line 67

# Hook that .allowed? calls after a successful check on a writable database.
# The body is empty here, so it returns nil and changes nothing.
# NOTE(review): "CE" suggests another edition overrides this; confirm there.
def update_user
  # no-op in CE
end