gitlab-org--gitlab-foss/lib/gitlab/auth.rb

module Gitlab
  module Auth
    Result = Struct.new(:user, :type)

    class << self
      def find_for_git_client(login, password, project:, ip:)
        raise "Must provide an IP for rate limiting" if ip.nil?

        result = Result.new

        if valid_ci_request?(login, password, project)
          result.type = :ci
        else
          result = populate_result(login, password)
        end

        success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
        rate_limit!(ip, success: success, login: login)
        result
      end

      def find_with_user_password(login, password)
        user = User.by_login(login)

        # If no user is found, or it's an LDAP server, try LDAP.
        #   LDAP users are only authenticated via LDAP
        if user.nil? || user.ldap_user?
          # Second chance - try LDAP authentication
          return nil unless Gitlab::LDAP::Config.enabled?

          Gitlab::LDAP::Authentication.login(login, password)
        else
          user if user.valid_password?(password)
        end
      end

      def rate_limit!(ip, success:, login:)
        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
        return unless rate_limiter.enabled?

        if success
          # Repeated login 'failures' are normal behavior for some Git clients so
          # it is important to reset the ban counter once the client has proven
          # they are not a 'bad guy'.
          rate_limiter.reset!
        else
          # Register a login failure so that Rack::Attack can block the next
          # request from this IP if needed.
          rate_limiter.register_fail!

          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end
        end
      end

      private

      def valid_ci_request?(login, password, project)
        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)

        return false unless project && matched_login.present?

        underscored_service = matched_login['service'].underscore

        if underscored_service == 'gitlab_ci'
          project && project.valid_build_token?(password)
        elsif Service.available_services_names.include?(underscored_service)
          # We treat underscored_service as a trusted input because it is included
          # in the Service.available_services_names whitelist.
          service = project.public_send("#{underscored_service}_service")

          service && service.activated? && service.valid_token?(password)
        end
      end

      def populate_result(login, password)
        result =
          user_with_password_for_git(login, password) ||
          oauth_access_token_check(login, password) ||
          lfs_token_check(login, password) ||
          personal_access_token_check(login, password)

        if result
          result.type = nil unless result.user

          if result.user && result.type == :gitlab_or_ldap && result.user.two_factor_enabled?
            result.type = :missing_personal_token
          end
        end

        result || Result.new
      end

      def user_with_password_for_git(login, password)
        user = find_with_user_password(login, password)
        Result.new(user, :gitlab_or_ldap) if user
      end

      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)
          if token && token.accessible?
            user = User.find_by(id: token.resource_owner_id)
            Result.new(user, :oauth)
          end
        end
      end

      def personal_access_token_check(login, password)
        if login && password
          user = User.find_by_personal_access_token(password)
          validation = User.by_login(login)
          Result.new(user, :personal_token) if user == validation
        end
      end

      def lfs_token_check(login, password)
        if login.include?('lfs-deploy-key')
          key = DeployKey.find(login.gsub('lfs-deploy-key-', ''))
          token = Gitlab::LfsToken.new(key).value
          Result.new(key, :lfs_deploy_token) if key && token == password
        else
          user = User.by_login(login)
          token = Gitlab::LfsToken.new(user).value
          Result.new(user, :lfs_token) if user && token == password
        end
      end
    end
  end
end
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`module Gitlab`
Refactor Gitlab::Auth rate limiting 2016-06-03 11:07:40 -04:00			`module Auth`
Changes after more review from Rémy 2016-06-03 08:57:34 -04:00			`Result = Struct.new(:user, :type)`

Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`class << self`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`def find_for_git_client(login, password, project:, ip:)`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`raise "Must provide an IP for rate limiting" if ip.nil?`

Changes after more review from Rémy 2016-06-03 08:57:34 -04:00			`result = Result.new`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00
			`if valid_ci_request?(login, password, project)`
Changes after more review from Rémy 2016-06-03 08:57:34 -04:00			`result.type = :ci`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`else`
Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`result = populate_result(login, password)`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`

Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user` 2016-08-15 16:47:29 -04:00			`success = result.user.present? \|\| [:ci, :missing_personal_token].include?(result.type)`
			`rate_limit!(ip, success: success, login: login)`
Changes after more review from Rémy 2016-06-03 08:57:34 -04:00			`result`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`

Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`def find_with_user_password(login, password)`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`user = User.by_login(login)`

			`# If no user is found, or it's an LDAP server, try LDAP.`
			`# LDAP users are only authenticated via LDAP`
			`if user.nil? \|\| user.ldap_user?`
			`# Second chance - try LDAP authentication`
			`return nil unless Gitlab::LDAP::Config.enabled?`

			`Gitlab::LDAP::Authentication.login(login, password)`
			`else`
			`user if user.valid_password?(password)`
			`end`
			`end`

Fix tests 2016-06-06 11:40:26 -04:00			`def rate_limit!(ip, success:, login:)`
			`rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)`
			`return unless rate_limiter.enabled?`

			`if success`
			`# Repeated login 'failures' are normal behavior for some Git clients so`
			`# it is important to reset the ban counter once the client has proven`
			`# they are not a 'bad guy'.`
			`rate_limiter.reset!`
			`else`
			`# Register a login failure so that Rack::Attack can block the next`
			`# request from this IP if needed.`
			`rate_limiter.register_fail!`

			`if rate_limiter.banned?`
			`Rails.logger.info "IP #{ip} failed to login " \`
			`"as #{login} but has been temporarily banned from Git auth"`
			`end`
			`end`
			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`private`

			`def valid_ci_request?(login, password, project)`
			`matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)`

			`return false unless project && matched_login.present?`

			`underscored_service = matched_login['service'].underscore`

			`if underscored_service == 'gitlab_ci'`
			`project && project.valid_build_token?(password)`
			`elsif Service.available_services_names.include?(underscored_service)`
			`# We treat underscored_service as a trusted input because it is included`
			`# in the Service.available_services_names whitelist.`
Use public_send 2016-06-03 11:23:34 -04:00			`service = project.public_send("#{underscored_service}_service")`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00
			`service && service.activated? && service.valid_token?(password)`
			`end`
			`end`

Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`def populate_result(login, password)`
			`result =`
			`user_with_password_for_git(login, password) \|\|`
			`oauth_access_token_check(login, password) \|\|`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00			`lfs_token_check(login, password) \|\|`
Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`personal_access_token_check(login, password)`

			`if result`
			`result.type = nil unless result.user`

Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00			`if result.user && result.type == :gitlab_or_ldap && result.user.two_factor_enabled?`
Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`result.type = :missing_personal_token`
			`end`
			`end`

			`result \|\| Result.new`
			`end`

			`def user_with_password_for_git(login, password)`
			`user = find_with_user_password(login, password)`
			`Result.new(user, :gitlab_or_ldap) if user`
			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`def oauth_access_token_check(login, password)`
			`if login == "oauth2" && password.present?`
			`token = Doorkeeper::AccessToken.by_token(password)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`if token && token.accessible?`
			`user = User.find_by(id: token.resource_owner_id)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`Result.new(user, :oauth)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`end`
Make CI/Oauth/rate limiting reusable 2016-04-29 12:58:55 -04:00			`end`
			`end`
Allow Git over HTTP access using Personal Access Tokens 2016-08-10 20:03:32 -04:00
			`def personal_access_token_check(login, password)`
			`if login && password`
			`user = User.find_by_personal_access_token(password)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`validation = User.by_login(login)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 18:59:25 -04:00			`Result.new(user, :personal_token) if user == validation`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`end`
			`end`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00
			`def lfs_token_check(login, password)`
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token. 2016-08-29 14:05:07 -04:00			`if login.include?('lfs-deploy-key')`
			`key = DeployKey.find(login.gsub('lfs-deploy-key-', ''))`
Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests. 2016-08-30 14:38:22 -04:00			`token = Gitlab::LfsToken.new(key).value`
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token. 2016-08-29 14:05:07 -04:00			`Result.new(key, :lfs_deploy_token) if key && token == password`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00			`else`
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token. 2016-08-29 14:05:07 -04:00			`user = User.by_login(login)`
Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests. 2016-08-30 14:38:22 -04:00			`token = Gitlab::LfsToken.new(user).value`
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token. 2016-08-29 14:05:07 -04:00			`Result.new(user, :lfs_token) if user && token == password`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00			`end`
			`end`
Add LDAP support to /api/session 2013-07-16 04:28:19 -04:00			`end`
Refactorn oauth & ldap 2012-09-12 02:23:16 -04:00			`end`
			`end`