gitlab-org--gitlab-foss/lib/gitlab/auth.rb

module Gitlab
  module Auth
    Result = Struct.new(:actor, :project, :type, :capabilities) do
      def success?
        actor.present? || type == :ci
      end
    end

    class MissingPersonalTokenError < StandardError; end

    class << self
      def find_for_git_client(login, password, project:, ip:)
        raise "Must provide an IP for rate limiting" if ip.nil?

        result =
          service_request_check(login, password, project) ||
          build_access_token_check(login, password) ||
          user_with_password_for_git(login, password) ||
          oauth_access_token_check(login, password) ||
          lfs_token_check(login, password) ||
          personal_access_token_check(login, password) ||
          Result.new

        rate_limit!(ip, success: result.success?, login: login)

        result
      end

      def find_with_user_password(login, password)
        user = User.by_login(login)

        # If no user is found, or it's an LDAP server, try LDAP.
        #   LDAP users are only authenticated via LDAP
        if user.nil? || user.ldap_user?
          # Second chance - try LDAP authentication
          return nil unless Gitlab::LDAP::Config.enabled?

          Gitlab::LDAP::Authentication.login(login, password)
        else
          user if user.valid_password?(password)
        end
      end

      def rate_limit!(ip, success:, login:)
        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
        return unless rate_limiter.enabled?

        if success
          # Repeated login 'failures' are normal behavior for some Git clients so
          # it is important to reset the ban counter once the client has proven
          # they are not a 'bad guy'.
          rate_limiter.reset!
        else
          # Register a login failure so that Rack::Attack can block the next
          # request from this IP if needed.
          rate_limiter.register_fail!

          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end
        end
      end

      private

      def service_request_check(login, password, project)
        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)

        return unless project && matched_login.present?

        underscored_service = matched_login['service'].underscore

        if Service.available_services_names.include?(underscored_service)
          # We treat underscored_service as a trusted input because it is included
          # in the Service.available_services_names whitelist.
          service = project.public_send("#{underscored_service}_service")

          if service && service.activated? && service.valid_token?(password)
            Result.new(nil, project, :ci, build_capabilities)
          end
        end
      end

      def user_with_password_for_git(login, password)
        user = find_with_user_password(login, password)
        return unless user

        raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?

        Result.new(user, nil, :gitlab_or_ldap, full_capabilities)
      end

      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)
          if token && token.accessible?
            user = User.find_by(id: token.resource_owner_id)
            Result.new(user, nil, :oauth, read_capabilities)
          end
        end
      end

      def personal_access_token_check(login, password)
        if login && password
          user = User.find_by_personal_access_token(password)
          validation = User.by_login(login)
          Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation
        end
      end

      def lfs_token_check(login, password)
        deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)

        actor =
          if deploy_key_matches
            DeployKey.find(deploy_key_matches[1])
          else
            User.by_login(login)
          end

        if actor
          token_handler = Gitlab::LfsToken.new(actor)

          Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password)
        end
      end

      def build_access_token_check(login, password)
        return unless login == 'gitlab-ci-token'
        return unless password

        build = ::Ci::Build.running.find_by_token(password)
        return unless build
        return unless build.project.builds_enabled?

        if build.user
          # If user is assigned to build, use restricted credentials of user
          Result.new(build.user, build.project, :build, build_capabilities)
        else
          # Otherwise use generic CI credentials (backward compatibility)
          Result.new(nil, build.project, :ci, build_capabilities)
        end
      end

      def build_capabilities
        [
          :read_project,
          :build_download_code,
          :build_read_container_image,
          :build_create_container_image
        ]
      end

      def read_capabilities
        [
          :read_project,
          :download_code,
          :read_container_image
        ]
      end

      def full_capabilities
        read_capabilities + [
          :push_code,
          :update_container_image
        ]
      end
    end
  end
end
Refactorn oauth & ldap 2012-09-12 06:23:16 +00:00			`module Gitlab`
Refactor Gitlab::Auth rate limiting 2016-06-03 15:07:40 +00:00			`module Auth`
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`Result = Struct.new(:actor, :project, :type, :capabilities) do`
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00			`def success?`
			`actor.present? \|\| type == :ci`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`end`
			`end`
Changes after more review from Rémy 2016-06-03 12:57:34 +00:00
Better authentication handling, syntax fixes and better actor handling for LFS Tokens 2016-09-06 21:32:39 +00:00			`class MissingPersonalTokenError < StandardError; end`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`class << self`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 12:51:16 +00:00			`def find_for_git_client(login, password, project:, ip:)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`raise "Must provide an IP for rate limiting" if ip.nil?`

Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00			`result =`
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`service_request_check(login, password, project) \|\|`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`build_access_token_check(login, password) \|\|`
			`user_with_password_for_git(login, password) \|\|`
			`oauth_access_token_check(login, password) \|\|`
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00			`lfs_token_check(login, password) \|\|`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`personal_access_token_check(login, password) \|\|`
			`Result.new`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`rate_limit!(ip, success: result.success?, login: login)`
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00
Changes after more review from Rémy 2016-06-03 12:57:34 +00:00			`result`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`end`

Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 12:51:16 +00:00			`def find_with_user_password(login, password)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`user = User.by_login(login)`

			`# If no user is found, or it's an LDAP server, try LDAP.`
			`# LDAP users are only authenticated via LDAP`
			`if user.nil? \|\| user.ldap_user?`
			`# Second chance - try LDAP authentication`
			`return nil unless Gitlab::LDAP::Config.enabled?`

			`Gitlab::LDAP::Authentication.login(login, password)`
			`else`
			`user if user.valid_password?(password)`
			`end`
			`end`

Fix tests 2016-06-06 15:40:26 +00:00			`def rate_limit!(ip, success:, login:)`
			`rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)`
			`return unless rate_limiter.enabled?`

			`if success`
			`# Repeated login 'failures' are normal behavior for some Git clients so`
			`# it is important to reset the ban counter once the client has proven`
			`# they are not a 'bad guy'.`
			`rate_limiter.reset!`
			`else`
			`# Register a login failure so that Rack::Attack can block the next`
			`# request from this IP if needed.`
			`rate_limiter.register_fail!`

			`if rate_limiter.banned?`
			`Rails.logger.info "IP #{ip} failed to login " \`
			`"as #{login} but has been temporarily banned from Git auth"`
			`end`
			`end`
			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`private`

Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`def service_request_check(login, password, project)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)`

Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`return unless project && matched_login.present?`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
			`underscored_service = matched_login['service'].underscore`

Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`if Service.available_services_names.include?(underscored_service)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`# We treat underscored_service as a trusted input because it is included`
			`# in the Service.available_services_names whitelist.`
Use public_send 2016-06-03 15:23:34 +00:00			`service = project.public_send("#{underscored_service}_service")`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`if service && service.activated? && service.valid_token?(password)`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`Result.new(nil, project, :ci, build_capabilities)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 22:59:25 +00:00			`end`
			`end`
			`end`

			`def user_with_password_for_git(login, password)`
			`user = find_with_user_password(login, password)`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`return unless user`

Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`Result.new(user, nil, :gitlab_or_ldap, full_capabilities)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 22:59:25 +00:00			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`def oauth_access_token_check(login, password)`
			`if login == "oauth2" && password.present?`
			`token = Doorkeeper::AccessToken.by_token(password)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`if token && token.accessible?`
			`user = User.find_by(id: token.resource_owner_id)`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`Result.new(user, nil, :oauth, read_capabilities)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`end`
			`end`
Allow Git over HTTP access using Personal Access Tokens 2016-08-11 00:03:32 +00:00
			`def personal_access_token_check(login, password)`
			`if login && password`
			`user = User.find_by_personal_access_token(password)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`validation = User.by_login(login)`
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
			`end`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 22:26:20 +00:00
			`def lfs_token_check(login, password)`
Further refactoring of authentication code, and code style fixes. 2016-09-08 17:32:20 +00:00			`deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)`

Refactored handling of the `LfsToken` and added functionality to it to simplify external code. 2016-08-30 23:43:24 +00:00			`actor =`
Further refactoring of authentication code, and code style fixes. 2016-09-08 17:32:20 +00:00			`if deploy_key_matches`
			`DeployKey.find(deploy_key_matches[1])`
Refactored handling of the `LfsToken` and added functionality to it to simplify external code. 2016-08-30 23:43:24 +00:00			`else`
			`User.by_login(login)`
Add access specs 2016-09-15 09:57:09 +00:00			`end`
Refactored handling of the `LfsToken` and added functionality to it to simplify external code. 2016-08-30 23:43:24 +00:00
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00			`if actor`
			`token_handler = Gitlab::LfsToken.new(actor)`
Refactored handling of the `LfsToken` and added functionality to it to simplify external code. 2016-08-30 23:43:24 +00:00
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`end`
			`end`

			`def build_access_token_check(login, password)`
			`return unless login == 'gitlab-ci-token'`
			`return unless password`

Fix existing authorization specs 2016-09-15 11:49:11 +00:00			`build = ::Ci::Build.running.find_by_token(password)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`return unless build`
Fix most of specs 2016-09-15 13:40:53 +00:00			`return unless build.project.builds_enabled?`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00
			`if build.user`
			`# If user is assigned to build, use restricted credentials of user`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`Result.new(build.user, build.project, :build, build_capabilities)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`else`
			`# Otherwise use generic CI credentials (backward compatibility)`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`Result.new(nil, build.project, :ci, build_capabilities)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
			`end`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`def build_capabilities`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`[`
			`:read_project,`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`:build_download_code,`
			`:build_read_container_image,`
			`:build_create_container_image`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`]`
			`end`

Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`def read_capabilities`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`[`
			`:read_project,`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`:download_code,`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`:read_container_image`
			`]`
			`end`

			`def full_capabilities`
			`read_capabilities + [`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`:push_code,`
			`:update_container_image`
			`]`
			`end`
Add LDAP support to /api/session 2013-07-16 08:28:19 +00:00			`end`
Refactorn oauth & ldap 2012-09-12 06:23:16 +00:00			`end`
			`end`