2018-10-22 07:00:50 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2012-09-12 06:23:16 +00:00
|
|
|
module Gitlab
|
2016-06-03 15:07:40 +00:00
|
|
|
module Auth
|
2017-10-12 09:27:16 +00:00
|
|
|
MissingPersonalAccessTokenError = Class.new(StandardError)
|
2019-12-03 21:06:23 +00:00
|
|
|
IpBlacklisted = Class.new(StandardError)
|
2016-09-06 21:32:39 +00:00
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
# Scopes used for GitLab API access
|
2020-04-08 12:09:42 +00:00
|
|
|
API_SCOPES = [:api, :read_user, :read_api].freeze
|
2019-04-15 13:05:55 +00:00
|
|
|
|
|
|
|
# Scopes used for GitLab Repository access
|
|
|
|
REPOSITORY_SCOPES = [:read_repository, :write_repository].freeze
|
|
|
|
|
|
|
|
# Scopes used for GitLab Docker Registry access
|
2020-04-14 00:09:57 +00:00
|
|
|
REGISTRY_SCOPES = [:read_registry, :write_registry].freeze
|
2017-05-31 13:55:12 +00:00
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
# Scopes used for GitLab as admin
|
|
|
|
ADMIN_SCOPES = [:sudo].freeze
|
2017-01-31 10:21:29 +00:00
|
|
|
|
2017-02-06 15:39:35 +00:00
|
|
|
# Scopes used for OpenID Connect
|
2017-01-31 10:21:29 +00:00
|
|
|
OPENID_SCOPES = [:openid].freeze
|
|
|
|
|
2019-02-06 16:48:36 +00:00
|
|
|
# OpenID Connect profile scopes
|
|
|
|
PROFILE_SCOPES = [:profile, :email].freeze
|
|
|
|
|
2017-02-06 15:39:35 +00:00
|
|
|
# Default scopes for OAuth applications that don't define their own
|
2017-02-21 23:32:18 +00:00
|
|
|
DEFAULT_SCOPES = [:api].freeze
|
2017-02-06 15:39:35 +00:00
|
|
|
|
2020-07-30 12:09:33 +00:00
|
|
|
CI_JOB_USER = 'gitlab-ci-token'
|
|
|
|
|
2016-04-29 16:58:55 +00:00
|
|
|
class << self
|
2019-09-13 13:26:31 +00:00
|
|
|
prepend_if_ee('EE::Gitlab::Auth') # rubocop: disable Cop/InjectEnterpriseEditionModule
|
|
|
|
|
2018-07-13 10:39:31 +00:00
|
|
|
def omniauth_enabled?
|
|
|
|
Gitlab.config.omniauth.enabled
|
2018-05-31 18:43:47 +00:00
|
|
|
end
|
|
|
|
|
2016-06-10 12:51:16 +00:00
|
|
|
def find_for_git_client(login, password, project:, ip:)
|
2016-04-29 16:58:55 +00:00
|
|
|
raise "Must provide an IP for rate limiting" if ip.nil?
|
|
|
|
|
2019-12-03 21:06:23 +00:00
|
|
|
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
|
|
|
|
|
|
|
|
raise IpBlacklisted if !skip_rate_limit?(login: login) && rate_limiter.banned?
|
|
|
|
|
2017-01-24 17:12:49 +00:00
|
|
|
# `user_with_password_for_git` should be the last check
|
|
|
|
# because it's the most expensive, especially when LDAP
|
|
|
|
# is enabled.
|
2016-09-15 16:54:24 +00:00
|
|
|
result =
|
2016-09-15 19:16:38 +00:00
|
|
|
service_request_check(login, password, project) ||
|
2016-09-14 15:28:24 +00:00
|
|
|
build_access_token_check(login, password) ||
|
2017-11-08 16:21:39 +00:00
|
|
|
lfs_token_check(login, password, project) ||
|
2017-01-24 17:12:49 +00:00
|
|
|
oauth_access_token_check(login, password) ||
|
2020-09-16 12:10:15 +00:00
|
|
|
personal_access_token_check(password, project) ||
|
2020-02-06 12:10:29 +00:00
|
|
|
deploy_token_check(login, password, project) ||
|
2017-05-31 13:55:12 +00:00
|
|
|
user_with_password_for_git(login, password) ||
|
2016-09-19 11:50:28 +00:00
|
|
|
Gitlab::Auth::Result.new
|
2016-04-29 16:58:55 +00:00
|
|
|
|
2019-12-03 21:06:23 +00:00
|
|
|
rate_limit!(rate_limiter, success: result.success?, login: login)
|
2020-01-08 06:08:13 +00:00
|
|
|
look_to_limit_user(result.actor)
|
2016-09-15 16:54:24 +00:00
|
|
|
|
2017-11-23 13:16:14 +00:00
|
|
|
return result if result.success? || authenticate_using_internal_or_ldap_password?
|
2017-06-07 19:49:45 +00:00
|
|
|
|
|
|
|
# If sign-in is disabled and LDAP is not configured, recommend a
|
|
|
|
# personal access token on failed auth attempts
|
2017-10-12 09:27:16 +00:00
|
|
|
raise Gitlab::Auth::MissingPersonalAccessTokenError
|
2016-04-29 16:58:55 +00:00
|
|
|
end
|
|
|
|
|
2020-09-02 15:10:54 +00:00
|
|
|
# Find and return a user if the provided password is valid for various
|
|
|
|
# authenticators (OAuth, LDAP, Local Database).
|
|
|
|
#
|
|
|
|
# Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`.
|
|
|
|
# CAUTION: Avoid incrementing failed attempts when authentication falls through
|
|
|
|
# different mechanisms, as in `.find_for_git_client`. This may lead to
|
|
|
|
# unwanted access locks when the value provided for `password` was actually
|
|
|
|
# a PAT, deploy token, etc.
|
|
|
|
def find_with_user_password(login, password, increment_failed_attempts: false)
|
2018-03-05 22:26:40 +00:00
|
|
|
# Avoid resource intensive checks if login credentials are not provided
|
|
|
|
return unless login.present? && password.present?
|
2017-05-19 08:38:31 +00:00
|
|
|
|
2017-11-23 13:16:14 +00:00
|
|
|
# Nothing to do here if internal auth is disabled and LDAP is
|
|
|
|
# not configured
|
|
|
|
return unless authenticate_using_internal_or_ldap_password?
|
|
|
|
|
2017-02-06 12:48:46 +00:00
|
|
|
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
|
|
|
|
user = User.by_login(login)
|
2016-04-29 16:58:55 +00:00
|
|
|
|
2019-10-10 00:06:44 +00:00
|
|
|
break if user && !user.can?(:log_in)
|
2018-03-05 22:26:40 +00:00
|
|
|
|
|
|
|
authenticators = []
|
|
|
|
|
|
|
|
if user
|
|
|
|
authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, 'database')
|
|
|
|
|
|
|
|
# Add authenticators for all identities if user is not nil
|
|
|
|
user&.identities&.each do |identity|
|
|
|
|
authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, identity.provider)
|
|
|
|
end
|
|
|
|
else
|
|
|
|
# If no user is provided, try LDAP.
|
|
|
|
# LDAP users are only authenticated via LDAP
|
2020-03-12 15:09:39 +00:00
|
|
|
authenticators << Gitlab::Auth::Ldap::Authentication
|
2017-02-06 12:48:46 +00:00
|
|
|
end
|
2018-03-05 22:26:40 +00:00
|
|
|
|
|
|
|
authenticators.compact!
|
|
|
|
|
2018-03-26 09:23:54 +00:00
|
|
|
# return found user that was authenticated first for given login credentials
|
2020-09-02 15:10:54 +00:00
|
|
|
authenticated_user = authenticators.find do |auth|
|
2018-03-26 09:23:54 +00:00
|
|
|
authenticated_user = auth.login(login, password)
|
|
|
|
break authenticated_user if authenticated_user
|
|
|
|
end
|
2020-09-02 15:10:54 +00:00
|
|
|
|
|
|
|
user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
|
|
|
|
|
|
|
|
authenticated_user
|
2016-04-29 16:58:55 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-12-03 21:06:23 +00:00
|
|
|
private
|
|
|
|
|
|
|
|
def rate_limit!(rate_limiter, success:, login:)
|
|
|
|
return if skip_rate_limit?(login: login)
|
2016-06-06 15:40:26 +00:00
|
|
|
|
|
|
|
if success
|
|
|
|
# Repeated login 'failures' are normal behavior for some Git clients so
|
|
|
|
# it is important to reset the ban counter once the client has proven
|
|
|
|
# they are not a 'bad guy'.
|
|
|
|
rate_limiter.reset!
|
|
|
|
else
|
|
|
|
# Register a login failure so that Rack::Attack can block the next
|
|
|
|
# request from this IP if needed.
|
2019-12-03 21:06:23 +00:00
|
|
|
# This returns true when the failures are over the threshold and the IP
|
|
|
|
# is banned.
|
|
|
|
if rate_limiter.register_fail!
|
2020-09-10 00:08:32 +00:00
|
|
|
Gitlab::AppLogger.info "IP #{rate_limiter.ip} failed to login " \
|
2016-06-06 15:40:26 +00:00
|
|
|
"as #{login} but has been temporarily banned from Git auth"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-08-23 08:05:48 +00:00
|
|
|
def skip_rate_limit?(login:)
|
2020-08-05 03:10:58 +00:00
|
|
|
CI_JOB_USER == login
|
2019-08-23 08:05:48 +00:00
|
|
|
end
|
|
|
|
|
2020-01-08 06:08:13 +00:00
|
|
|
def look_to_limit_user(actor)
|
|
|
|
Gitlab::Auth::UniqueIpsLimiter.limit_user!(actor) if actor.is_a?(User)
|
|
|
|
end
|
|
|
|
|
2017-11-23 13:16:14 +00:00
|
|
|
def authenticate_using_internal_or_ldap_password?
|
2020-03-12 15:09:39 +00:00
|
|
|
Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::Ldap::Config.enabled?
|
2017-11-23 13:16:14 +00:00
|
|
|
end
|
|
|
|
|
2016-09-15 19:16:38 +00:00
|
|
|
def service_request_check(login, password, project)
|
2016-04-29 16:58:55 +00:00
|
|
|
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
|
|
|
|
|
2016-09-14 15:28:24 +00:00
|
|
|
return unless project && matched_login.present?
|
2016-04-29 16:58:55 +00:00
|
|
|
|
|
|
|
underscored_service = matched_login['service'].underscore
|
|
|
|
|
2016-08-08 10:01:25 +00:00
|
|
|
if Service.available_services_names.include?(underscored_service)
|
2016-04-29 16:58:55 +00:00
|
|
|
# We treat underscored_service as a trusted input because it is included
|
|
|
|
# in the Service.available_services_names whitelist.
|
2017-08-10 16:39:26 +00:00
|
|
|
service = project.public_send("#{underscored_service}_service") # rubocop:disable GitlabSecurity/PublicSend
|
2016-04-29 16:58:55 +00:00
|
|
|
|
2016-09-14 15:28:24 +00:00
|
|
|
if service && service.activated? && service.valid_token?(password)
|
2016-09-19 11:50:28 +00:00
|
|
|
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
|
2016-08-17 22:59:25 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def user_with_password_for_git(login, password)
|
|
|
|
user = find_with_user_password(login, password)
|
2016-09-14 15:28:24 +00:00
|
|
|
return unless user
|
|
|
|
|
2017-10-12 09:27:16 +00:00
|
|
|
raise Gitlab::Auth::MissingPersonalAccessTokenError if user.two_factor_enabled?
|
2016-09-14 15:28:24 +00:00
|
|
|
|
2017-06-06 11:18:01 +00:00
|
|
|
Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
|
2016-08-17 22:59:25 +00:00
|
|
|
end
|
|
|
|
|
2016-04-29 16:58:55 +00:00
|
|
|
def oauth_access_token_check(login, password)
|
|
|
|
if login == "oauth2" && password.present?
|
|
|
|
token = Doorkeeper::AccessToken.by_token(password)
|
2017-05-31 13:55:12 +00:00
|
|
|
|
2016-11-24 09:09:12 +00:00
|
|
|
if valid_oauth_token?(token)
|
2020-03-28 00:07:51 +00:00
|
|
|
user = User.id_in(token.resource_owner_id).first
|
|
|
|
return unless user&.can?(:log_in)
|
2020-03-26 18:08:03 +00:00
|
|
|
|
2017-06-06 11:18:01 +00:00
|
|
|
Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
|
2016-08-17 22:21:18 +00:00
|
|
|
end
|
2016-04-29 16:58:55 +00:00
|
|
|
end
|
|
|
|
end
|
2016-08-11 00:03:32 +00:00
|
|
|
|
2020-09-16 12:10:15 +00:00
|
|
|
def personal_access_token_check(password, project)
|
2016-12-28 16:19:08 +00:00
|
|
|
return unless password.present?
|
2016-11-22 09:13:37 +00:00
|
|
|
|
2018-10-26 18:42:57 +00:00
|
|
|
token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)
|
2016-12-28 16:19:08 +00:00
|
|
|
|
2020-09-16 12:10:15 +00:00
|
|
|
return unless token
|
|
|
|
|
|
|
|
return if project && token.user.project_bot? && !project.bots.include?(token.user)
|
|
|
|
|
|
|
|
return unless valid_scoped_token?(token, all_available_scopes)
|
|
|
|
|
|
|
|
if token.user.project_bot? || token.user.can?(:log_in)
|
2017-11-23 11:41:29 +00:00
|
|
|
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
|
2016-08-17 22:21:18 +00:00
|
|
|
end
|
|
|
|
end
|
2016-08-25 22:26:20 +00:00
|
|
|
|
2016-11-24 09:09:12 +00:00
|
|
|
def valid_oauth_token?(token)
|
2017-06-28 07:12:23 +00:00
|
|
|
token && token.accessible? && valid_scoped_token?(token, [:api])
|
2016-11-24 09:09:12 +00:00
|
|
|
end
|
|
|
|
|
2017-06-06 11:18:01 +00:00
|
|
|
def valid_scoped_token?(token, scopes)
|
2017-05-31 13:55:12 +00:00
|
|
|
AccessTokenValidationService.new(token).include_any_scope?(scopes)
|
|
|
|
end
|
|
|
|
|
2017-11-23 11:41:29 +00:00
|
|
|
def abilities_for_scopes(scopes)
|
|
|
|
abilities_by_scope = {
|
|
|
|
api: full_authentication_abilities,
|
2020-04-08 12:09:42 +00:00
|
|
|
read_api: read_only_authentication_abilities,
|
2018-04-07 08:35:00 +00:00
|
|
|
read_registry: [:read_container_image],
|
2020-04-14 00:09:57 +00:00
|
|
|
write_registry: [:create_container_image],
|
2019-04-15 13:05:55 +00:00
|
|
|
read_repository: [:download_code],
|
|
|
|
write_repository: [:download_code, :push_code]
|
2017-11-23 11:41:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
scopes.flat_map do |scope|
|
|
|
|
abilities_by_scope.fetch(scope.to_sym, [])
|
|
|
|
end.uniq
|
2016-11-22 09:13:37 +00:00
|
|
|
end
|
|
|
|
|
2020-02-06 12:10:29 +00:00
|
|
|
def deploy_token_check(login, password, project)
|
2018-04-03 21:34:56 +00:00
|
|
|
return unless password.present?
|
2018-03-29 22:56:35 +00:00
|
|
|
|
2019-07-19 17:44:30 +00:00
|
|
|
token = DeployToken.active.find_by_token(password)
|
2018-04-05 13:49:18 +00:00
|
|
|
|
2018-04-06 03:02:13 +00:00
|
|
|
return unless token && login
|
|
|
|
return if login != token.username
|
2018-04-05 17:22:34 +00:00
|
|
|
|
2020-08-18 18:10:10 +00:00
|
|
|
# Registry access (with jwt) does not have access to project
|
|
|
|
return if project && !token.has_access_to?(project)
|
2020-09-02 15:10:54 +00:00
|
|
|
# When repository is disabled, no resources are accessible via Deploy Token
|
|
|
|
return if project&.repository_access_level == ::ProjectFeature::DISABLED
|
2020-08-18 18:10:10 +00:00
|
|
|
|
2018-04-05 13:49:18 +00:00
|
|
|
scopes = abilities_for_scopes(token.scopes)
|
2018-04-06 03:02:13 +00:00
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
if valid_scoped_token?(token, all_available_scopes)
|
2020-02-06 12:10:29 +00:00
|
|
|
Gitlab::Auth::Result.new(token, project, :deploy_token, scopes)
|
2018-03-29 22:56:35 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-12-17 06:17:39 +00:00
|
|
|
def lfs_token_check(login, encoded_token, project)
|
2016-09-19 14:34:32 +00:00
|
|
|
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
|
|
|
|
|
|
|
|
actor =
|
|
|
|
if deploy_key_matches
|
|
|
|
DeployKey.find(deploy_key_matches[1])
|
|
|
|
else
|
|
|
|
User.by_login(login)
|
|
|
|
end
|
|
|
|
|
2016-09-20 07:41:21 +00:00
|
|
|
return unless actor
|
2016-09-19 14:34:32 +00:00
|
|
|
|
2016-09-20 07:41:21 +00:00
|
|
|
token_handler = Gitlab::LfsToken.new(actor)
|
2016-09-19 14:34:32 +00:00
|
|
|
|
2016-09-20 07:41:21 +00:00
|
|
|
authentication_abilities =
|
|
|
|
if token_handler.user?
|
2019-09-28 00:06:20 +00:00
|
|
|
read_write_project_authentication_abilities
|
2017-11-08 16:21:39 +00:00
|
|
|
elsif token_handler.deploy_key_pushable?(project)
|
|
|
|
read_write_authentication_abilities
|
2016-09-20 07:41:21 +00:00
|
|
|
else
|
2019-04-15 13:05:55 +00:00
|
|
|
read_only_authentication_abilities
|
2016-09-20 07:41:21 +00:00
|
|
|
end
|
|
|
|
|
2018-12-17 06:17:39 +00:00
|
|
|
if token_handler.token_valid?(encoded_token)
|
2017-01-24 17:12:49 +00:00
|
|
|
Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
|
|
|
|
end
|
2016-09-19 14:34:32 +00:00
|
|
|
end
|
|
|
|
|
2016-08-08 10:01:25 +00:00
|
|
|
def build_access_token_check(login, password)
|
2020-07-30 12:09:33 +00:00
|
|
|
return unless login == CI_JOB_USER
|
2016-08-08 10:01:25 +00:00
|
|
|
return unless password
|
|
|
|
|
2018-06-04 20:25:46 +00:00
|
|
|
build = find_build_by_token(password)
|
2016-08-08 10:01:25 +00:00
|
|
|
return unless build
|
2016-09-15 13:40:53 +00:00
|
|
|
return unless build.project.builds_enabled?
|
2016-08-08 10:01:25 +00:00
|
|
|
|
|
|
|
if build.user
|
2020-03-26 18:08:03 +00:00
|
|
|
return unless build.user.can?(:log_in)
|
|
|
|
|
2016-08-08 10:01:25 +00:00
|
|
|
# If user is assigned to build, use restricted credentials of user
|
2016-09-19 11:50:28 +00:00
|
|
|
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
|
2016-08-08 10:01:25 +00:00
|
|
|
else
|
|
|
|
# Otherwise use generic CI credentials (backward compatibility)
|
2016-09-19 11:50:28 +00:00
|
|
|
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
|
2016-08-17 22:21:18 +00:00
|
|
|
end
|
|
|
|
end
|
2016-09-13 13:27:05 +00:00
|
|
|
|
2016-09-16 11:34:05 +00:00
|
|
|
public
|
|
|
|
|
2016-09-16 07:59:10 +00:00
|
|
|
def build_authentication_abilities
|
2016-09-13 13:27:05 +00:00
|
|
|
[
|
|
|
|
:read_project,
|
2016-09-15 08:34:53 +00:00
|
|
|
:build_download_code,
|
2018-04-05 13:49:18 +00:00
|
|
|
:build_read_container_image,
|
2019-09-03 02:41:22 +00:00
|
|
|
:build_create_container_image,
|
|
|
|
:build_destroy_container_image
|
2016-09-13 13:27:05 +00:00
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2019-09-28 00:06:20 +00:00
|
|
|
def read_only_project_authentication_abilities
|
2016-09-15 08:34:53 +00:00
|
|
|
[
|
|
|
|
:read_project,
|
2019-09-28 00:06:20 +00:00
|
|
|
:download_code
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
def read_write_project_authentication_abilities
|
|
|
|
read_only_project_authentication_abilities + [
|
|
|
|
:push_code
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
def read_only_authentication_abilities
|
|
|
|
read_only_project_authentication_abilities + [
|
2016-09-14 15:28:24 +00:00
|
|
|
:read_container_image
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2017-11-08 16:21:39 +00:00
|
|
|
def read_write_authentication_abilities
|
2019-04-15 13:05:55 +00:00
|
|
|
read_only_authentication_abilities + [
|
2016-09-13 13:27:05 +00:00
|
|
|
:push_code,
|
2017-11-08 16:21:39 +00:00
|
|
|
:create_container_image
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
def full_authentication_abilities
|
|
|
|
read_write_authentication_abilities + [
|
2017-08-02 09:27:21 +00:00
|
|
|
:admin_container_image
|
2016-09-13 13:27:05 +00:00
|
|
|
]
|
|
|
|
end
|
2017-09-15 15:43:49 +00:00
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
def available_scopes_for(current_user)
|
|
|
|
scopes = non_admin_available_scopes
|
|
|
|
scopes += ADMIN_SCOPES if current_user.admin?
|
2017-10-12 12:38:39 +00:00
|
|
|
scopes
|
2017-09-15 15:43:49 +00:00
|
|
|
end
|
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
def all_available_scopes
|
|
|
|
non_admin_available_scopes + ADMIN_SCOPES
|
|
|
|
end
|
|
|
|
|
2017-09-15 15:43:49 +00:00
|
|
|
# Other available scopes
|
|
|
|
def optional_scopes
|
2019-04-15 13:05:55 +00:00
|
|
|
all_available_scopes + OPENID_SCOPES + PROFILE_SCOPES - DEFAULT_SCOPES
|
2017-09-15 15:43:49 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def registry_scopes
|
|
|
|
return [] unless Gitlab.config.registry.enabled
|
|
|
|
|
|
|
|
REGISTRY_SCOPES
|
|
|
|
end
|
2018-06-04 20:25:46 +00:00
|
|
|
|
2020-05-05 21:09:42 +00:00
|
|
|
def resource_bot_scopes
|
|
|
|
Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth.registry_scopes - [:read_user]
|
|
|
|
end
|
|
|
|
|
2018-06-04 20:25:46 +00:00
|
|
|
private
|
|
|
|
|
2019-04-15 13:05:55 +00:00
|
|
|
def non_admin_available_scopes
|
|
|
|
API_SCOPES + REPOSITORY_SCOPES + registry_scopes
|
|
|
|
end
|
|
|
|
|
2018-06-04 20:25:46 +00:00
|
|
|
def find_build_by_token(token)
|
2020-09-21 18:09:58 +00:00
|
|
|
::Ci::AuthJobFinder.new(token: token).execute
|
2018-06-04 20:25:46 +00:00
|
|
|
end
|
2020-09-02 15:10:54 +00:00
|
|
|
|
|
|
|
def user_auth_attempt!(user, success:)
|
|
|
|
return unless user && Gitlab::Database.read_write?
|
|
|
|
return user.unlock_access! if success
|
|
|
|
|
|
|
|
user.increment_failed_attempts!
|
|
|
|
end
|
2013-07-16 08:28:19 +00:00
|
|
|
end
|
2012-09-12 06:23:16 +00:00
|
|
|
end
|
|
|
|
end
|