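# frozen_string_literal: true

module Gitlab
  module Auth
    # Request-scoped helpers that resolve the current user from one of the
    # credentials accepted here: the Warden session, an RSS token, an OAuth
    # access token or a personal access token.
    #
    # Includers must provide `request`. When a lookup fails every finder
    # either returns nil or raises API::APIGuard::UnauthorizedError, depending
    # on whether `set_raise_unauthorized_error` has been called first.
    module UserAuthFinders
      # Check the Rails session for valid authentication details.
      #
      # Session authentication is only attempted for a `verified_request?`
      # (GET/HEAD, or a request carrying a valid CSRF token), so a cross-site
      # POST cannot ride on the browser session.
      #
      # @return [Object, nil] whatever Warden authenticates, or nil
      def find_user_from_warden
        request.env['warden']&.authenticate if verified_request?
      end

      # Look the user up by the `rss_token` request parameter.
      #
      # Only honoured for Atom-format requests; any other format returns nil
      # before the parameter is read.
      #
      # @return [User, nil]
      # @raise [API::APIGuard::UnauthorizedError] when the token is unknown and
      #   `raise_unauthorized_error?` is set
      def find_user_by_rss_token
        return unless request.format.atom?

        # `presence` already maps blank values to nil, so a nil check suffices
        token = request.params[:rss_token].presence
        return unless token

        handle_return_value!(User.find_by_rss_token(token))
      end

      # Resolve the owner of the OAuth or personal access token carried by the
      # request, after running `validate_access_token!` on it.
      #
      # @return [User, nil]
      # @raise [API::APIGuard::UnauthorizedError] see `handle_return_value!`
      def find_user_from_access_token
        return unless access_token

        validate_access_token!

        handle_return_value!(access_token&.user)
      end

      # Hook for token validation (expiration, revocation, required scopes).
      #
      # The default implementation accepts every token unconditionally; the
      # comments in the token finders below assume an includer overrides this
      # with real checks. NOTE(review): an includer that relies on the default
      # resolves expired or revoked tokens to their user — confirm every
      # includer overrides it.
      #
      # @param scopes [Array] scopes the caller requires (unused here)
      def validate_access_token!(scopes: [])
      end

      private

      # Apply the module's "not found" policy to a lookup result.
      #
      # @param value [Object, nil] the lookup result
      # @yield [value] optional post-processing of a truthy result
      # @return the block's result when a block is given, otherwise `value`;
      #   nil when `value` is falsy and no error is raised
      # @raise [API::APIGuard::UnauthorizedError] when `value` is falsy and
      #   `raise_unauthorized_error?` is true
      def handle_return_value!(value)
        unless value
          raise_unauthorized_error! if raise_unauthorized_error?
          return
        end

        block_given? ? yield(value) : value
      end

      # Memoised token lookup; OAuth takes precedence over personal access
      # tokens. `defined?` is used so that a nil result is cached as well.
      def access_token
        return @access_token if defined?(@access_token)

        @access_token = find_oauth_access_token || find_personal_access_token
      end

      # Personal access token from the `private_token` parameter or the
      # `PRIVATE-TOKEN` header; blank values are treated as absent.
      # NOTE(review): a token sent as a request parameter is more likely to
      # end up in access logs than one sent in the header.
      def private_token
        request.params[:private_token].presence ||
          request.headers['PRIVATE-TOKEN'].presence
      end

      # @return [PersonalAccessToken, nil]
      def find_personal_access_token
        token = private_token.to_s
        return unless token.present?

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        handle_return_value!(PersonalAccessToken.find_by(token: token))
      end

      # @return [OauthAccessToken, nil]
      def find_oauth_access_token
        current_request = ensure_action_dispatch_request(request)
        token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
        return unless token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        handle_return_value!(OauthAccessToken.by_token(token)) do |oauth_token|
          # presumably refresh-token rotation; the policy lives in OauthAccessToken
          oauth_token.revoke_previous_refresh_token!
          oauth_token
        end
      end

      # Check if the request is GET/HEAD, or if CSRF token is valid.
      def verified_request?
        Gitlab::RequestForgeryProtection.verified?(request.env)
      end

      # Doorkeeper's token extraction is handed an ActionDispatch::Request;
      # anything else is re-wrapped over the same Rack env.
      def ensure_action_dispatch_request(request)
        return request if request.is_a?(ActionDispatch::Request)

        ActionDispatch::Request.new(request.env)
      end

      # Whether a failed lookup raises instead of returning nil; off by default.
      def raise_unauthorized_error?
        defined?(@raise_unauthorized_error) ? @raise_unauthorized_error : false
      end

      # Switch failed lookups from "return nil" to "raise".
      def set_raise_unauthorized_error
        @raise_unauthorized_error = true
      end

      def raise_unauthorized_error!
        raise API::APIGuard::UnauthorizedError
      end
    end
  end
end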