app/models/concerns/restricted_signup.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

# frozen_string_literal: true
module RestrictedSignup
  extend ActiveSupport::Concern

  private

  def validate_admin_signup_restrictions(email)
    return if allowed_domain?(email)

    error_type = fetch_error_type(email)

    return unless error_type.present?

    [
      signup_email_invalid_message,
      error_message[created_by_key][error_type]
    ].join(' ')
  end

  def fetch_error_type(email)
    if allowlist_present?
      :allowlist
    elsif denied_domain?(email)
      :denylist
    elsif restricted_email?(email)
      :restricted
    end
  end

  def error_message
    {
      admin: {
        allowlist: html_escape_once(_("Go to the 'Admin area &gt; Sign-up restrictions', and check 'Allowed domains for sign-ups'.")).html_safe,
        denylist: html_escape_once(_("Go to the 'Admin area &gt; Sign-up restrictions', and check the 'Domain denylist'.")).html_safe,
        restricted: html_escape_once(_("Go to the 'Admin area &gt; Sign-up restrictions', and check 'Email restrictions for sign-ups'.")).html_safe,
        group_setting: html_escape_once(_("Go to the group’s 'Settings &gt; General' page, and check 'Restrict membership by email domain'.")).html_safe
      },
      nonadmin: {
        allowlist: error_nonadmin,
        denylist: error_nonadmin,
        restricted: error_nonadmin,
        group_setting: error_nonadmin
      }
    }
  end

  def error_nonadmin
    _("Check with your administrator.")
  end

  def created_by_key
    created_by&.can_admin_all_resources? ? :admin : :nonadmin
  end

  def denied_domain?(email)
    return false unless Gitlab::CurrentSettings.domain_denylist_enabled?

    denied_domains = Gitlab::CurrentSettings.domain_denylist
    denied_domains.present? && domain_matches?(denied_domains, email)
  end

  def allowlist_present?
    Gitlab::CurrentSettings.domain_allowlist.present?
  end

  def allowed_domain?(email)
    allowed_domains = Gitlab::CurrentSettings.domain_allowlist
    allowlist_present? && domain_matches?(allowed_domains, email)
  end

  def restricted_email?(email)
    return false unless Gitlab::CurrentSettings.email_restrictions_enabled?

    restrictions = Gitlab::CurrentSettings.email_restrictions
    restrictions.present? && Gitlab::UntrustedRegexp.new(restrictions).match?(email)
  end

  def domain_matches?(email_domains, email)
    signup_domain = Mail::Address.new(email).domain
    email_domains.any? do |domain|
      escaped = Regexp.escape(domain).gsub('\*', '.*?')
      regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
      signup_domain =~ regexp
    end
  end
end