kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/lib/api/api_guard.rb

206 lines
6.3 KiB
Ruby
Raw Normal View History

Doorkeeper integration
2014-12-19 09:15:29 -05:00
# Guard API with OAuth 2.0 Access Token
require 'rack/oauth2'
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
module API
module APIGuard
extend ActiveSupport::Concern
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Enable Style/MutableConstant
2017-02-21 18:32:18 -05:00
PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN".freeze
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
2016-11-22 04:04:23 -05:00
PRIVATE_TOKEN_PARAM = :private_token
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
included do |base|
# OAuth2 Resource Server Authentication
use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request|
# The authenticator only fetches the raw token string
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
# Must yield access token to store it in the env
request.access_token
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
helpers HelperMethods
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
install_error_responders(base)
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
2017-06-20 03:40:24 -04:00
class_methods do
When verifying scopes, manually include scopes from `API::API`. - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed. - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases.
2017-06-20 08:00:57 -04:00
# Set the authorization scope(s) allowed for an API endpoint.
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
2017-06-20 03:40:24 -04:00
#
When verifying scopes, manually include scopes from `API::API`. - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed. - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases.
2017-06-20 08:00:57 -04:00
# A call to this method maps the given scope(s) to the current API
# endpoint class. If this method is called multiple times on the same class,
# the scopes are all aggregated.
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
2017-06-20 03:40:24 -04:00
def allow_access_with_scope(scopes, options = {})
Implement review comments from @dbalexandre for !12300.
2017-06-23 07:18:44 -04:00
Array(scopes).each do |scope|
Extract a `Gitlab::Scope` class. - To represent an authorization scope, such as `api` or `read_user` - This is a better abstraction than the hash we were previously using.
2017-06-28 03:12:23 -04:00
allowed_scopes << Scope.new(scope, options)
Implement review comments from @dbalexandre for !12300.
2017-06-23 07:18:44 -04:00
end
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
2017-06-20 03:40:24 -04:00
end
Implement review comments from @dbalexandre for !12300.
2017-06-23 07:18:44 -04:00
def allowed_scopes
@scopes ||= []
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
2017-06-20 03:40:24 -04:00
end
end
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
# Helper Methods for Grape Endpoint
module HelperMethods
Add sudo API scope
2017-10-12 08:38:39 -04:00
def find_current_user!
user = find_user_from_access_token || find_user_from_warden
return unless user
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
user
end
Add sudo API scope
2017-10-12 08:38:39 -04:00
def access_token
return @access_token if defined?(@access_token)
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
@access_token = find_oauth_access_token || find_personal_access_token
end
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
def validate_access_token!(scopes: [])
return unless access_token
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
when AccessTokenValidationService::INSUFFICIENT_SCOPE
raise InsufficientScopeError.new(scopes)
when AccessTokenValidationService::EXPIRED
raise ExpiredError
when AccessTokenValidationService::REVOKED
raise RevokedError
end
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
end
Add sudo API scope
2017-10-12 08:38:39 -04:00
private
def find_user_from_access_token
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
return unless access_token
Implement minor changes from @dbalexandre's review. - Mainly whitespace changes. - Require the migration adding the `scope` column to the `personal_access_tokens` table to have downtime, since API calls will fail if the new code is in place, but the migration hasn't run. - Minor refactoring - load `@scopes` in a `before_action`, since we're doing it in three different places.
2016-11-24 02:37:22 -05:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
validate_access_token!
access_token.user || raise(UnauthorizedError)
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
end
Implement minor changes from @dbalexandre's review. - Mainly whitespace changes. - Require the migration adding the `scope` column to the `personal_access_tokens` table to have downtime, since API calls will fail if the new code is in place, but the migration hasn't run. - Minor refactoring - load `@scopes` in a `before_action`, since we're doing it in three different places.
2016-11-24 02:37:22 -05:00
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
# Check the Rails session for valid authentication details
def find_user_from_warden
warden.try(:authenticate) if verified_request?
end
Make sure API responds with 401 when invalid authentication info is provided
2017-09-27 09:31:52 -04:00
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
def warden
env['warden']
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
# Check if the request is GET/HEAD, or if CSRF token is valid.
def verified_request?
Gitlab::RequestForgeryProtection.verified?(env)
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
def find_oauth_access_token
token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods)
Add sudo API scope
2017-10-12 08:38:39 -04:00
return unless token
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
2016-11-22 04:04:23 -05:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
# Expiration, revocation and scopes are verified in `find_user_by_access_token`
access_token = OauthAccessToken.by_token(token)
raise UnauthorizedError unless access_token
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
2016-11-22 04:04:23 -05:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
access_token.revoke_previous_refresh_token!
access_token
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
2016-11-22 04:04:23 -05:00
end
Add sudo API scope
2017-10-12 08:38:39 -04:00
def find_personal_access_token
token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
return unless token.present?
Make sure API responds with 401 when invalid authentication info is provided
2017-09-27 09:31:52 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
# Expiration, revocation and scopes are verified in `find_user_by_access_token`
access_token = PersonalAccessToken.find_by(token: token)
raise UnauthorizedError unless access_token
Make sure API responds with 401 when invalid authentication info is provided
2017-09-27 09:31:52 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
access_token
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
def doorkeeper_request
@doorkeeper_request ||= ActionDispatch::Request.new(env)
end
Move all API authentication code to APIGuard
2017-09-27 09:56:48 -04:00
# An array of scopes that were registered (using `allow_access_with_scope`)
# for the current endpoint class. It also returns scopes registered on
# `API::API`, since these are meant to apply to all API routes.
def scopes_registered_for_endpoint
@scopes_registered_for_endpoint ||=
begin
endpoint_classes = [options[:for].presence, ::API::API].compact
endpoint_classes.reduce([]) do |memo, endpoint|
if endpoint.respond_to?(:allowed_scopes)
memo.concat(endpoint.allowed_scopes)
else
memo
end
end
end
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
end
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
module ClassMethods
private
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
def install_error_responders(base)
Enable Style/SpaceInsideBrackets
2017-02-21 18:33:53 -05:00
error_classes = [MissingTokenError, TokenNotFoundError,
Fix code for cops
2017-02-22 10:10:32 -05:00
ExpiredError, RevokedError, InsufficientScopeError]
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Whitelist or fix additional `Gitlab/PublicSend` cop violations An upcoming update to rubocop-gitlab-security added additional violations.
2017-08-10 12:39:26 -04:00
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
end
def oauth2_bearer_token_error_handler
Enable Style/Proc cop for rubocop
2017-03-31 11:11:28 -04:00
proc do |e|
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
response =
case e
when MissingTokenError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
when TokenNotFoundError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Bad Access Token.")
when ExpiredError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token is expired. You can either do re-authorization or token refresh.")
when RevokedError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token was revoked. You have to re-authorize from the user.")
when InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
:insufficient_scope,
Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
{ scope: e.scopes })
end
response.finish
end
Avoid using {...} for multi-line blocks
2015-02-03 00:22:57 -05:00
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
end
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
#
# Exceptions
#
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Enable and autocorrect the CustomErrorClass cop
2017-03-01 06:00:37 -05:00
MissingTokenError = Class.new(StandardError)
TokenNotFoundError = Class.new(StandardError)
ExpiredError = Class.new(StandardError)
RevokedError = Class.new(StandardError)
Make sure API responds with 401 when invalid authentication info is provided
2017-09-27 09:31:52 -04:00
UnauthorizedError = Class.new(StandardError)
Doorkeeper integration
2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
class InsufficientScopeError < StandardError
attr_reader :scopes
def initialize(scopes)
Add sudo API scope
2017-10-12 08:38:39 -04:00
@scopes = scopes.map { |s| s.try(:name) || s }
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-04-15 11:35:40 -04:00
end
Doorkeeper integration
2014-12-19 09:15:29 -05:00
end
end
Convert hashes to ruby 1.9 style
2015-02-02 22:30:09 -05:00
end
Copy permalink