2018-09-29 18:34:47 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2014-12-19 09:15:29 -05:00
|
|
|
# Guard API with OAuth 2.0 Access Token
|
|
|
|
|
|
|
|
require 'rack/oauth2'
|
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
module API
|
|
|
|
module APIGuard
|
|
|
|
extend ActiveSupport::Concern
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
included do |base|
|
|
|
|
# OAuth2 Resource Server Authentication
|
|
|
|
use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request|
|
|
|
|
# The authenticator only fetches the raw token string
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
# Must yield access token to store it in the env
|
|
|
|
request.access_token
|
|
|
|
end
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2019-09-26 08:06:00 -04:00
|
|
|
use AdminModeMiddleware
|
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
helpers HelperMethods
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
install_error_responders(base)
|
|
|
|
end
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2017-06-20 03:40:24 -04:00
|
|
|
class_methods do
|
2017-06-20 08:00:57 -04:00
|
|
|
# Set the authorization scope(s) allowed for an API endpoint.
|
2017-06-20 03:40:24 -04:00
|
|
|
#
|
2017-06-20 08:00:57 -04:00
|
|
|
# A call to this method maps the given scope(s) to the current API
|
|
|
|
# endpoint class. If this method is called multiple times on the same class,
|
|
|
|
# the scopes are all aggregated.
|
2017-06-20 03:40:24 -04:00
|
|
|
def allow_access_with_scope(scopes, options = {})
|
2017-06-23 07:18:44 -04:00
|
|
|
Array(scopes).each do |scope|
|
2017-06-28 03:12:23 -04:00
|
|
|
allowed_scopes << Scope.new(scope, options)
|
2017-06-23 07:18:44 -04:00
|
|
|
end
|
2017-06-20 03:40:24 -04:00
|
|
|
end
|
|
|
|
|
2017-06-23 07:18:44 -04:00
|
|
|
def allowed_scopes
|
|
|
|
@scopes ||= []
|
2017-06-20 03:40:24 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
# Helper Methods for Grape Endpoint
|
|
|
|
module HelperMethods
|
2019-09-13 09:26:31 -04:00
|
|
|
prepend_if_ee('EE::API::APIGuard::HelperMethods') # rubocop: disable Cop/InjectEnterpriseEditionModule
|
2017-11-17 04:09:56 -05:00
|
|
|
include Gitlab::Auth::UserAuthFinders
|
2017-11-13 10:27:30 -05:00
|
|
|
|
2017-10-12 08:38:39 -04:00
|
|
|
def find_current_user!
|
2018-02-05 04:44:23 -05:00
|
|
|
user = find_user_from_sources
|
2017-10-12 08:38:39 -04:00
|
|
|
return unless user
|
2017-09-27 09:56:48 -04:00
|
|
|
|
2018-05-08 09:07:55 -04:00
|
|
|
unless api_access_allowed?(user)
|
|
|
|
forbidden!(api_access_denied_message(user))
|
|
|
|
end
|
2017-09-27 09:56:48 -04:00
|
|
|
|
2019-09-26 08:06:00 -04:00
|
|
|
# Set admin mode for API requests (if admin)
|
|
|
|
if Feature.enabled?(:user_mode_in_session)
|
|
|
|
Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(skip_password_validation: true)
|
|
|
|
end
|
|
|
|
|
2017-09-27 09:56:48 -04:00
|
|
|
user
|
|
|
|
end
|
|
|
|
|
2018-02-05 04:44:23 -05:00
|
|
|
def find_user_from_sources
|
2019-12-10 13:08:04 -05:00
|
|
|
find_user_from_access_token ||
|
|
|
|
find_user_from_job_token ||
|
|
|
|
find_user_from_warden
|
2018-02-05 04:44:23 -05:00
|
|
|
end
|
|
|
|
|
2017-11-07 13:17:41 -05:00
|
|
|
private
|
2016-11-22 04:04:23 -05:00
|
|
|
|
2017-09-27 09:56:48 -04:00
|
|
|
# An array of scopes that were registered (using `allow_access_with_scope`)
|
|
|
|
# for the current endpoint class. It also returns scopes registered on
|
|
|
|
# `API::API`, since these are meant to apply to all API routes.
|
|
|
|
def scopes_registered_for_endpoint
|
|
|
|
@scopes_registered_for_endpoint ||=
|
|
|
|
begin
|
|
|
|
endpoint_classes = [options[:for].presence, ::API::API].compact
|
|
|
|
endpoint_classes.reduce([]) do |memo, endpoint|
|
|
|
|
if endpoint.respond_to?(:allowed_scopes)
|
|
|
|
memo.concat(endpoint.allowed_scopes)
|
|
|
|
else
|
|
|
|
memo
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2018-05-08 09:07:55 -04:00
|
|
|
|
|
|
|
def api_access_allowed?(user)
|
|
|
|
Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
|
|
|
|
end
|
|
|
|
|
|
|
|
def api_access_denied_message(user)
|
|
|
|
Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
|
|
|
|
end
|
2014-12-19 09:15:29 -05:00
|
|
|
end
|
|
|
|
|
2018-08-27 08:35:31 -04:00
|
|
|
class_methods do
|
2016-04-15 11:35:40 -04:00
|
|
|
private
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2016-04-15 11:35:40 -04:00
|
|
|
def install_error_responders(base)
|
2017-11-16 11:03:19 -05:00
|
|
|
error_classes = [Gitlab::Auth::MissingTokenError,
|
|
|
|
Gitlab::Auth::TokenNotFoundError,
|
|
|
|
Gitlab::Auth::ExpiredError,
|
|
|
|
Gitlab::Auth::RevokedError,
|
2018-11-24 07:39:16 -05:00
|
|
|
Gitlab::Auth::ImpersonationDisabled,
|
2017-11-16 11:03:19 -05:00
|
|
|
Gitlab::Auth::InsufficientScopeError]
|
2014-12-19 09:15:29 -05:00
|
|
|
|
2017-08-10 12:39:26 -04:00
|
|
|
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
|
2016-04-15 11:35:40 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def oauth2_bearer_token_error_handler
|
2017-03-31 11:11:28 -04:00
|
|
|
proc do |e|
|
2016-04-15 11:35:40 -04:00
|
|
|
response =
|
|
|
|
case e
|
2017-11-16 11:03:19 -05:00
|
|
|
when Gitlab::Auth::MissingTokenError
|
2016-04-15 11:35:40 -04:00
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
|
|
|
|
|
2017-11-16 11:03:19 -05:00
|
|
|
when Gitlab::Auth::TokenNotFoundError
|
2016-04-15 11:35:40 -04:00
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
|
|
|
|
:invalid_token,
|
|
|
|
"Bad Access Token.")
|
|
|
|
|
2017-11-16 11:03:19 -05:00
|
|
|
when Gitlab::Auth::ExpiredError
|
2016-04-15 11:35:40 -04:00
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
|
|
|
|
:invalid_token,
|
|
|
|
"Token is expired. You can either do re-authorization or token refresh.")
|
|
|
|
|
2017-11-16 11:03:19 -05:00
|
|
|
when Gitlab::Auth::RevokedError
|
2016-04-15 11:35:40 -04:00
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
|
|
|
|
:invalid_token,
|
|
|
|
"Token was revoked. You have to re-authorize from the user.")
|
|
|
|
|
2018-11-24 07:39:16 -05:00
|
|
|
when Gitlab::Auth::ImpersonationDisabled
|
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
|
|
|
|
:invalid_token,
|
|
|
|
"Token is an impersonation token but impersonation was disabled.")
|
|
|
|
|
2017-11-16 11:03:19 -05:00
|
|
|
when Gitlab::Auth::InsufficientScopeError
|
2016-04-15 11:35:40 -04:00
|
|
|
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
|
|
|
|
# does not include WWW-Authenticate header, which breaks the standard.
|
|
|
|
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
|
|
|
|
:insufficient_scope,
|
|
|
|
Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
|
|
|
|
{ scope: e.scopes })
|
|
|
|
end
|
|
|
|
|
|
|
|
response.finish
|
|
|
|
end
|
2015-02-03 00:22:57 -05:00
|
|
|
end
|
2014-12-19 09:15:29 -05:00
|
|
|
end
|
2019-09-26 08:06:00 -04:00
|
|
|
|
|
|
|
class AdminModeMiddleware < ::Grape::Middleware::Base
|
|
|
|
def initialize(app, **options)
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
|
|
|
def call(env)
|
|
|
|
if Feature.enabled?(:user_mode_in_session)
|
|
|
|
session = {}
|
|
|
|
Gitlab::Session.with_session(session) do
|
|
|
|
app.call(env)
|
|
|
|
end
|
|
|
|
else
|
|
|
|
app.call(env)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-12-19 09:15:29 -05:00
|
|
|
end
|
2015-02-02 22:30:09 -05:00
|
|
|
end
|