gitlab-org--gitlab-foss/lib/gitlab/auth/request_authenticator.rb

# frozen_string_literal: true

# Use for authentication only, in particular for Rack::Attack.
# Does not perform authorization of scopes, etc.
module Gitlab
  module Auth
    class RequestAuthenticator
      include AuthFinders

      attr_reader :request

      def initialize(request)
        @request = request
      end

      def user(request_formats)
        request_formats.each do |format|
          user = find_sessionless_user(format)

          return user if user
        end

        find_user_from_warden
      end

      def runner
        find_runner_from_token
      rescue Gitlab::Auth::AuthenticationError
        nil
      end

      def find_sessionless_user(request_format)
        find_user_from_web_access_token(request_format) ||
          find_user_from_feed_token(request_format) ||
          find_user_from_static_object_token(request_format) ||
          find_user_from_basic_auth_job ||
          find_user_from_job_token
      rescue Gitlab::Auth::AuthenticationError
        nil
      end

      def valid_access_token?(scopes: [])
        validate_access_token!(scopes: scopes)

        true
      rescue Gitlab::Auth::AuthenticationError
        false
      end

      private

      def access_token
        strong_memoize(:access_token) do
          super || find_personal_access_token_from_http_basic_auth
        end
      end

      def route_authentication_setting
        @route_authentication_setting ||= {
          job_token_allowed: api_request?,
          basic_auth_personal_access_token: api_request?
        }
      end
    end
  end
end
Enable some frozen string in lib/gitlab Enable frozen string for the following files: * lib/gitlab/auth/*/.rb * lib/gitlab/badge/*/.rb * lib/gitlab/bare_repository_import/*/.rb * lib/gitlab/bitbucket_import/*/.rb * lib/gitlab/bitbucket_server_import/*/.rb * lib/gitlab/cache/*/.rb * lib/gitlab/checks/*/.rb Partially addresses #47424. 2018-10-11 16:12:21 -04:00			`# frozen_string_literal: true`

Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`# Use for authentication only, in particular for Rack::Attack.`
			`# Does not perform authorization of scopes, etc.`
			`module Gitlab`
			`module Auth`
			`class RequestAuthenticator`
Add latest changes from gitlab-org/gitlab@master 2019-12-11 07:08:10 -05:00			`include AuthFinders`
First refactor 2017-11-07 04:52:05 -05:00
			`attr_reader :request`

Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`def initialize(request)`
Applied some code review comments 2017-11-08 13:41:07 -05:00			`@request = request`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def user(request_formats)`
			`request_formats.each do \|format\|`
			`user = find_sessionless_user(format)`

			`return user if user`
			`end`

			`find_user_from_warden`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`

Add latest changes from gitlab-org/gitlab@master 2019-12-11 07:08:10 -05:00			`def runner`
			`find_runner_from_token`
			`rescue Gitlab::Auth::AuthenticationError`
			`nil`
			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def find_sessionless_user(request_format)`
Enable serving static objects from an external storage It consists of two parts: 1. Redirecting users to the configured external storage 1. Allowing the external storage to request the static object(s) on behalf of the user by means of specific tokens Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829 2019-07-22 10:56:40 -04:00			`find_user_from_web_access_token(request_format) \|\|`
			`find_user_from_feed_token(request_format) \|\|`
Add latest changes from gitlab-org/gitlab@master 2019-12-16 22:07:45 -05:00			`find_user_from_static_object_token(request_format) \|\|`
Add latest changes from gitlab-org/gitlab@master 2020-01-09 07:08:03 -05:00			`find_user_from_basic_auth_job \|\|`
			`find_user_from_job_token`
Renaming AuthenticationException to AuthenticationError 2017-11-17 07:33:21 -05:00			`rescue Gitlab::Auth::AuthenticationError`
Applied some code review comments 2017-11-08 13:41:07 -05:00			`nil`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`
Allow token authentication on go-get request 2018-02-23 05:33:46 -05:00
			`def valid_access_token?(scopes: [])`
			`validate_access_token!(scopes: scopes)`

			`true`
			`rescue Gitlab::Auth::AuthenticationError`
			`false`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-01-09 07:08:03 -05:00
			`private`

Add latest changes from gitlab-org/gitlab@master 2020-12-04 07:09:39 -05:00			`def access_token`
			`strong_memoize(:access_token) do`
			`super \|\| find_personal_access_token_from_http_basic_auth`
			`end`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-01-09 07:08:03 -05:00			`def route_authentication_setting`
			`@route_authentication_setting \|\|= {`
Add latest changes from gitlab-org/gitlab@master 2020-12-04 07:09:39 -05:00			`job_token_allowed: api_request?,`
			`basic_auth_personal_access_token: api_request?`
Add latest changes from gitlab-org/gitlab@master 2020-01-09 07:08:03 -05:00			`}`
			`end`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`
			`end`
			`end`