gitlab-org--gitlab-foss/lib/api/api_guard.rb

170 lines
5.3 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
2014-12-19 09:15:29 -05:00
# Guard API with OAuth 2.0 Access Token
require 'rack/oauth2'
module API
module APIGuard
extend ActiveSupport::Concern
2014-12-19 09:15:29 -05:00
included do |base|
# OAuth2 Resource Server Authentication
use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request|
# The authenticator only fetches the raw token string
2014-12-19 09:15:29 -05:00
# Must yield access token to store it in the env
request.access_token
end
2014-12-19 09:15:29 -05:00
use AdminModeMiddleware
helpers HelperMethods
2014-12-19 09:15:29 -05:00
install_error_responders(base)
end
2014-12-19 09:15:29 -05:00
class_methods do
# Set the authorization scope(s) allowed for an API endpoint.
#
# A call to this method maps the given scope(s) to the current API
# endpoint class. If this method is called multiple times on the same class,
# the scopes are all aggregated.
def allow_access_with_scope(scopes, options = {})
Array(scopes).each do |scope|
allowed_scopes << Scope.new(scope, options)
end
end
def allowed_scopes
@scopes ||= []
end
end
# Helper Methods for Grape Endpoint
module HelperMethods
prepend_if_ee('EE::API::APIGuard::HelperMethods') # rubocop: disable Cop/InjectEnterpriseEditionModule
2017-11-17 04:09:56 -05:00
include Gitlab::Auth::UserAuthFinders
2017-11-13 10:27:30 -05:00
2017-10-12 08:38:39 -04:00
def find_current_user!
user = find_user_from_sources
2017-10-12 08:38:39 -04:00
return unless user
unless api_access_allowed?(user)
forbidden!(api_access_denied_message(user))
end
# Set admin mode for API requests (if admin)
if Feature.enabled?(:user_mode_in_session)
Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(skip_password_validation: true)
end
user
end
def find_user_from_sources
find_user_from_access_token || find_user_from_warden
end
2017-11-07 13:17:41 -05:00
private
# An array of scopes that were registered (using `allow_access_with_scope`)
# for the current endpoint class. It also returns scopes registered on
# `API::API`, since these are meant to apply to all API routes.
def scopes_registered_for_endpoint
@scopes_registered_for_endpoint ||=
begin
endpoint_classes = [options[:for].presence, ::API::API].compact
endpoint_classes.reduce([]) do |memo, endpoint|
if endpoint.respond_to?(:allowed_scopes)
memo.concat(endpoint.allowed_scopes)
else
memo
end
end
end
end
def api_access_allowed?(user)
Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
end
def api_access_denied_message(user)
Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
end
2014-12-19 09:15:29 -05:00
end
class_methods do
private
2014-12-19 09:15:29 -05:00
def install_error_responders(base)
2017-11-16 11:03:19 -05:00
error_classes = [Gitlab::Auth::MissingTokenError,
Gitlab::Auth::TokenNotFoundError,
Gitlab::Auth::ExpiredError,
Gitlab::Auth::RevokedError,
Gitlab::Auth::ImpersonationDisabled,
2017-11-16 11:03:19 -05:00
Gitlab::Auth::InsufficientScopeError]
2014-12-19 09:15:29 -05:00
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
end
def oauth2_bearer_token_error_handler
2017-03-31 11:11:28 -04:00
proc do |e|
response =
case e
2017-11-16 11:03:19 -05:00
when Gitlab::Auth::MissingTokenError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
2017-11-16 11:03:19 -05:00
when Gitlab::Auth::TokenNotFoundError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Bad Access Token.")
2017-11-16 11:03:19 -05:00
when Gitlab::Auth::ExpiredError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token is expired. You can either do re-authorization or token refresh.")
2017-11-16 11:03:19 -05:00
when Gitlab::Auth::RevokedError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token was revoked. You have to re-authorize from the user.")
when Gitlab::Auth::ImpersonationDisabled
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token is an impersonation token but impersonation was disabled.")
2017-11-16 11:03:19 -05:00
when Gitlab::Auth::InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
:insufficient_scope,
Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
{ scope: e.scopes })
end
response.finish
end
end
2014-12-19 09:15:29 -05:00
end
class AdminModeMiddleware < ::Grape::Middleware::Base
def initialize(app, **options)
super
end
def call(env)
if Feature.enabled?(:user_mode_in_session)
session = {}
Gitlab::Session.with_session(session) do
app.call(env)
end
else
app.call(env)
end
end
end
2014-12-19 09:15:29 -05:00
end
2015-02-02 22:30:09 -05:00
end