Commit 9c647a13 authored by Etienne Baqué's avatar Etienne Baqué

Merge branch '341104-fix-ldap-login' into 'master'

Fix LDAP sign-in when user cap set

See merge request gitlab-org/gitlab!75555
parents fa05295c 79d33c51
...@@ -9,12 +9,26 @@ module EE ...@@ -9,12 +9,26 @@ module EE
module Auth module Auth
module Ldap module Ldap
module User module User
extend ::Gitlab::Utils::Override
def initialize(auth_hash) def initialize(auth_hash)
super super
set_external_with_external_groups set_external_with_external_groups
end end
override :find_user
def find_user
user = super
if activate_user_based_on_user_cap?(user)
user.activate
log_user_changes(user, 'LDAP', "user cap not reached yet, unblocking")
end
user
end
private private
# Intended to be called during #initialize, and #save should be called # Intended to be called during #initialize, and #save should be called
......
...@@ -14,6 +14,24 @@ module EE ...@@ -14,6 +14,24 @@ module EE
super super
end end
end end
def activate_user_based_on_user_cap?(user)
return false unless user&.activate_based_on_user_cap?
begin
!::User.user_cap_reached?
rescue ActiveRecord::QueryAborted => e
::Gitlab::ErrorTracking.track_exception(e, user_email: user.email)
false
end
end
def log_user_changes(user, protocol, message)
::Gitlab::AppLogger.info(
"#{protocol}(#{auth_hash.provider}) account \"#{auth_hash.uid}\" #{message} " \
"GitLab user \"#{user.name}\" (#{user.email})"
)
end
end end
end end
end end
......
...@@ -32,32 +32,14 @@ module EE ...@@ -32,32 +32,14 @@ module EE
protected protected
def activate_user_based_on_user_cap?(user)
return false unless user&.activate_based_on_user_cap?
begin
!::User.user_cap_reached?
rescue ActiveRecord::QueryAborted => e
::Gitlab::ErrorTracking.track_exception(e, saml_user_email: user.email)
false
end
end
def block_user(user, reason) def block_user(user, reason)
user.ldap_block user.ldap_block
log_user_changes(user, "#{reason}, blocking") log_user_changes(user, 'SAML', "#{reason}, blocking")
end end
def unblock_user(user, reason) def unblock_user(user, reason)
user.activate user.activate
log_user_changes(user, "#{reason}, unblocking") log_user_changes(user, 'SAML', "#{reason}, unblocking")
end
def log_user_changes(user, message)
::Gitlab::AppLogger.info(
"SAML(#{auth_hash.provider}) account \"#{auth_hash.uid}\" #{message} " \
"GitLab user \"#{user.name}\" (#{user.email})"
)
end end
def user_in_required_group? def user_in_required_group?
......
...@@ -145,4 +145,10 @@ RSpec.describe Gitlab::Auth::Ldap::User do ...@@ -145,4 +145,10 @@ RSpec.describe Gitlab::Auth::Ldap::User do
end end
end end
end end
describe '#find_user' do
it_behaves_like 'finding user when user cap is set' do
let(:o_auth_user) { ldap_user }
end
end
end end
...@@ -145,65 +145,8 @@ RSpec.describe Gitlab::Auth::Saml::User do ...@@ -145,65 +145,8 @@ RSpec.describe Gitlab::Auth::Saml::User do
end end
end end
context 'when a sign-up user cap has been set' do it_behaves_like 'finding user when user cap is set' do
before do let(:o_auth_user) { saml_user }
saml_user.gl_user.state = ::User::BLOCKED_PENDING_APPROVAL_STATE
stub_application_setting(new_user_signups_cap: new_user_signups_cap)
end
context 'when the user cap has been reached' do
let(:new_user_signups_cap) { 1 }
it 'does not activate the user' do
create(:user)
saml_user.save
expect(saml_user.find_user).to be_blocked
end
end
context 'when the user cap has not been reached' do
let(:new_user_signups_cap) { 100 }
before do
stub_omniauth_setting(block_auto_created_users: block)
end
context 'when the user can be activated based on user cap' do
let(:block) { false }
it 'activates the user' do
saml_user.save
expect(saml_user.find_user).to be_active
end
context 'when the query behind .user_cap_reached? times out' do
it 'does not activate the user' do
allow(::User).to receive(:user_cap_reached?).and_raise(ActiveRecord::QueryAborted)
saml_user.save
expect(::Gitlab::ErrorTracking).to receive(:track_exception).with(
instance_of(ActiveRecord::QueryAborted),
saml_user_email: saml_user.gl_user.email
)
expect(saml_user.find_user).to be_blocked
end
end
end
context 'when the user cannot be activated based on user cap' do
let(:block) { true }
it 'does not activate the user' do
saml_user.save
expect(saml_user.find_user).to be_blocked
end
end
end
end end
end end
end end
......
# frozen_string_literal: true
RSpec.shared_examples 'finding user when user cap is set' do
context 'when a sign-up user cap has been set' do
before do
gl_user.state = ::User::BLOCKED_PENDING_APPROVAL_STATE
stub_application_setting(new_user_signups_cap: new_user_signups_cap)
end
context 'when the user cap has been reached' do
let(:new_user_signups_cap) { 1 }
it 'does not activate the user' do
create(:user)
o_auth_user.save # rubocop:disable Rails/SaveBang
expect(o_auth_user.find_user).to be_blocked
end
end
context 'when the user cap has not been reached' do
let(:new_user_signups_cap) { 100 }
before do
stub_omniauth_setting(block_auto_created_users: block)
end
context 'when the user can be activated based on user cap' do
let(:block) { false }
it 'activates the user' do
o_auth_user.save # rubocop:disable Rails/SaveBang
expect(o_auth_user.find_user).to be_active
end
context 'when the query behind .user_cap_reached? times out' do
it 'does not activate the user' do
allow(::User).to receive(:user_cap_reached?).and_raise(ActiveRecord::QueryAborted)
o_auth_user.save # rubocop:disable Rails/SaveBang
expect(::Gitlab::ErrorTracking).to receive(:track_exception).with(
instance_of(ActiveRecord::QueryAborted),
user_email: o_auth_user.gl_user.email
)
expect(o_auth_user.find_user).to be_blocked
end
end
end
context 'when the user cannot be activated based on user cap' do
let(:block) { true }
it 'does not activate the user' do
o_auth_user.save # rubocop:disable Rails/SaveBang
expect(o_auth_user.find_user).to be_blocked
end
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment