Merge branch 'dblessing_ldap_unblock_on_sign_in' into 'master'

Unblock LDAP blocked user on sign-in with other auth methods See merge request gitlab-org/gitlab!73471

Merge branch 'dblessing_ldap_unblock_on_sign_in' into 'master'
Unblock LDAP blocked user on sign-in with other auth methods See merge request gitlab-org/gitlab!73471
832744e6 · Etienne Baqué · 2143d854 · 8190473e · 832744e6 · 832744e6
Commit 832744e6 authored Nov 05, 2021 by Etienne Baqué
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 2 deletions

app/models/user.rb app/models/user.rb +12 -1

spec/models/user_spec.rb spec/models/user_spec.rb +32 -1

No files found.
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -473,7 +473,11 @@ class User < ApplicationRecord
  end

  def active_for_authentication?
-    super && can?(:log_in)
+    return false unless super
+
+    check_ldap_if_ldap_blocked!
+
+    can?(:log_in)
  end

  # The messages for these keys are defined in `devise.en.yml`
@@ -2167,6 +2171,13 @@ class User < ApplicationRecord
  def ci_job_token_scope_cache_key
    "users:#{id}:ci:job_token_scope"
  end
+
+  # An `ldap_blocked` user will be unblocked if LDAP indicates they are allowed.
+  def check_ldap_if_ldap_blocked!
+    return unless ::Gitlab::Auth::Ldap::Config.enabled? && ldap_blocked?
+
+    ::Gitlab::Auth::Ldap::Access.allowed?(self)
+  end
 end

 User.prepend_mod_with('User')
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe User do
  include ProjectForksHelper
  include TermsHelper
  include ExclusiveLeaseHelpers
+  include LdapHelpers

  it_behaves_like 'having unique enum values'

@@ -5808,7 +5809,7 @@ RSpec.describe User do
  end

  describe '#active_for_authentication?' do
-    subject { user.active_for_authentication? }
+    subject(:active_for_authentication?) { user.active_for_authentication? }

    let(:user) { create(:user) }

@@ -5818,6 +5819,14 @@ RSpec.describe User do
      end

      it { is_expected.to be false }
+
+      it 'does not check if LDAP is allowed' do
+        stub_ldap_setting(enabled: true)
+
+        expect(Gitlab::Auth::Ldap::Access).not_to receive(:allowed?)
+
+        active_for_authentication?
+      end
    end

    context 'when user is a ghost user' do
@@ -5828,6 +5837,28 @@ RSpec.describe User do
      it { is_expected.to be false }
    end

+    context 'when user is ldap_blocked' do
+      before do
+        user.ldap_block
+      end
+
+      it 'rechecks if LDAP is allowed when LDAP is enabled' do
+        stub_ldap_setting(enabled: true)
+
+        expect(Gitlab::Auth::Ldap::Access).to receive(:allowed?)
+
+        active_for_authentication?
+      end
+
+      it 'does not check if LDAP is allowed when LDAP is not enabled' do
+        stub_ldap_setting(enabled: false)
+
+        expect(Gitlab::Auth::Ldap::Access).not_to receive(:allowed?)
+
+        active_for_authentication?
+      end
+    end
+
    context 'based on user type' do
      using RSpec::Parameterized::TableSyntax