2012-09-12 02:23:16 -04:00
|
|
|
module Gitlab
|
2016-06-03 11:07:40 -04:00
|
|
|
module Auth
|
2017-10-12 05:27:16 -04:00
|
|
|
MissingPersonalAccessTokenError = Class.new(StandardError)
|
2016-09-06 17:32:39 -04:00
|
|
|
|
2017-09-15 11:43:49 -04:00
|
|
|
REGISTRY_SCOPES = [:read_registry].freeze
|
2017-05-31 09:55:12 -04:00
|
|
|
|
2017-01-31 05:21:29 -05:00
|
|
|
# Scopes used for GitLab API access
|
2017-10-12 08:38:39 -04:00
|
|
|
API_SCOPES = [:api, :read_user, :sudo].freeze
|
2017-01-31 05:21:29 -05:00
|
|
|
|
2017-02-06 10:39:35 -05:00
|
|
|
# Scopes used for OpenID Connect
|
2017-01-31 05:21:29 -05:00
|
|
|
OPENID_SCOPES = [:openid].freeze
|
|
|
|
|
2017-02-06 10:39:35 -05:00
|
|
|
# Default scopes for OAuth applications that don't define their own
|
2017-02-21 18:32:18 -05:00
|
|
|
DEFAULT_SCOPES = [:api].freeze
|
2017-02-06 10:39:35 -05:00
|
|
|
|
2016-04-29 12:58:55 -04:00
|
|
|
class << self
|
2017-08-31 05:47:03 -04:00
|
|
|
include Gitlab::CurrentSettings
|
|
|
|
|
2016-06-10 08:51:16 -04:00
|
|
|
def find_for_git_client(login, password, project:, ip:)
|
2016-04-29 12:58:55 -04:00
|
|
|
raise "Must provide an IP for rate limiting" if ip.nil?
|
|
|
|
|
2017-01-24 12:12:49 -05:00
|
|
|
# `user_with_password_for_git` should be the last check
|
|
|
|
# because it's the most expensive, especially when LDAP
|
|
|
|
# is enabled.
|
2016-09-15 12:54:24 -04:00
|
|
|
result =
|
2016-09-15 15:16:38 -04:00
|
|
|
service_request_check(login, password, project) ||
|
2016-09-14 11:28:24 -04:00
|
|
|
build_access_token_check(login, password) ||
|
2017-11-08 11:21:39 -05:00
|
|
|
lfs_token_check(login, password, project) ||
|
2017-01-24 12:12:49 -05:00
|
|
|
oauth_access_token_check(login, password) ||
|
2016-12-28 11:19:08 -05:00
|
|
|
personal_access_token_check(password) ||
|
2017-05-31 09:55:12 -04:00
|
|
|
user_with_password_for_git(login, password) ||
|
2016-09-19 07:50:28 -04:00
|
|
|
Gitlab::Auth::Result.new
|
2016-04-29 12:58:55 -04:00
|
|
|
|
2016-09-15 15:16:38 -04:00
|
|
|
rate_limit!(ip, success: result.success?, login: login)
|
2017-02-20 09:09:05 -05:00
|
|
|
Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
|
2016-09-15 12:54:24 -04:00
|
|
|
|
2017-06-27 14:02:09 -04:00
|
|
|
return result if result.success? || current_application_settings.password_authentication_enabled? || Gitlab::LDAP::Config.enabled?
|
2017-06-07 15:49:45 -04:00
|
|
|
|
|
|
|
# If sign-in is disabled and LDAP is not configured, recommend a
|
|
|
|
# personal access token on failed auth attempts
|
2017-10-12 05:27:16 -04:00
|
|
|
raise Gitlab::Auth::MissingPersonalAccessTokenError
|
2016-04-29 12:58:55 -04:00
|
|
|
end
|
|
|
|
|
2016-06-10 08:51:16 -04:00
|
|
|
def find_with_user_password(login, password)
|
2017-05-19 04:38:31 -04:00
|
|
|
# Avoid resource intensive login checks if password is not provided
|
|
|
|
return unless password.present?
|
|
|
|
|
2017-02-06 07:48:46 -05:00
|
|
|
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
|
|
|
|
user = User.by_login(login)
|
2016-04-29 12:58:55 -04:00
|
|
|
|
2017-02-06 07:48:46 -05:00
|
|
|
# If no user is found, or it's an LDAP server, try LDAP.
|
|
|
|
# LDAP users are only authenticated via LDAP
|
|
|
|
if user.nil? || user.ldap_user?
|
|
|
|
# Second chance - try LDAP authentication
|
2017-05-19 04:38:31 -04:00
|
|
|
return unless Gitlab::LDAP::Config.enabled?
|
2016-04-29 12:58:55 -04:00
|
|
|
|
2017-02-06 07:48:46 -05:00
|
|
|
Gitlab::LDAP::Authentication.login(login, password)
|
|
|
|
else
|
2017-01-18 05:23:25 -05:00
|
|
|
user if user.active? && user.valid_password?(password)
|
2017-02-06 07:48:46 -05:00
|
|
|
end
|
2016-04-29 12:58:55 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-06-06 11:40:26 -04:00
|
|
|
def rate_limit!(ip, success:, login:)
|
|
|
|
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
|
|
|
|
return unless rate_limiter.enabled?
|
|
|
|
|
|
|
|
if success
|
|
|
|
# Repeated login 'failures' are normal behavior for some Git clients so
|
|
|
|
# it is important to reset the ban counter once the client has proven
|
|
|
|
# they are not a 'bad guy'.
|
|
|
|
rate_limiter.reset!
|
|
|
|
else
|
|
|
|
# Register a login failure so that Rack::Attack can block the next
|
|
|
|
# request from this IP if needed.
|
|
|
|
rate_limiter.register_fail!
|
|
|
|
|
|
|
|
if rate_limiter.banned?
|
|
|
|
Rails.logger.info "IP #{ip} failed to login " \
|
|
|
|
"as #{login} but has been temporarily banned from Git auth"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-04-29 12:58:55 -04:00
|
|
|
private
|
|
|
|
|
2016-09-15 15:16:38 -04:00
|
|
|
def service_request_check(login, password, project)
|
2016-04-29 12:58:55 -04:00
|
|
|
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
|
|
|
|
|
2016-09-14 11:28:24 -04:00
|
|
|
return unless project && matched_login.present?
|
2016-04-29 12:58:55 -04:00
|
|
|
|
|
|
|
underscored_service = matched_login['service'].underscore
|
|
|
|
|
2016-08-08 06:01:25 -04:00
|
|
|
if Service.available_services_names.include?(underscored_service)
|
2016-04-29 12:58:55 -04:00
|
|
|
# We treat underscored_service as a trusted input because it is included
|
|
|
|
# in the Service.available_services_names whitelist.
|
2017-08-10 12:39:26 -04:00
|
|
|
service = project.public_send("#{underscored_service}_service") # rubocop:disable GitlabSecurity/PublicSend
|
2016-04-29 12:58:55 -04:00
|
|
|
|
2016-09-14 11:28:24 -04:00
|
|
|
if service && service.activated? && service.valid_token?(password)
|
2016-09-19 07:50:28 -04:00
|
|
|
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
|
2016-08-17 18:59:25 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def user_with_password_for_git(login, password)
|
|
|
|
user = find_with_user_password(login, password)
|
2016-09-14 11:28:24 -04:00
|
|
|
return unless user
|
|
|
|
|
2017-10-12 05:27:16 -04:00
|
|
|
raise Gitlab::Auth::MissingPersonalAccessTokenError if user.two_factor_enabled?
|
2016-09-14 11:28:24 -04:00
|
|
|
|
2017-06-06 07:18:01 -04:00
|
|
|
Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
|
2016-08-17 18:59:25 -04:00
|
|
|
end
|
|
|
|
|
2016-04-29 12:58:55 -04:00
|
|
|
def oauth_access_token_check(login, password)
|
|
|
|
if login == "oauth2" && password.present?
|
|
|
|
token = Doorkeeper::AccessToken.by_token(password)
|
2017-05-31 09:55:12 -04:00
|
|
|
|
2016-11-24 04:09:12 -05:00
|
|
|
if valid_oauth_token?(token)
|
2016-08-17 18:21:18 -04:00
|
|
|
user = User.find_by(id: token.resource_owner_id)
|
2017-06-06 07:18:01 -04:00
|
|
|
Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
|
2016-08-17 18:21:18 -04:00
|
|
|
end
|
2016-04-29 12:58:55 -04:00
|
|
|
end
|
|
|
|
end
|
2016-08-10 20:03:32 -04:00
|
|
|
|
2016-12-28 11:19:08 -05:00
|
|
|
def personal_access_token_check(password)
|
|
|
|
return unless password.present?
|
2016-11-22 04:13:37 -05:00
|
|
|
|
2017-03-01 11:59:03 -05:00
|
|
|
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
|
2016-12-28 11:19:08 -05:00
|
|
|
|
2017-09-15 11:43:49 -04:00
|
|
|
if token && valid_scoped_token?(token, available_scopes)
|
2017-10-12 05:27:16 -04:00
|
|
|
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes))
|
2016-08-17 18:21:18 -04:00
|
|
|
end
|
|
|
|
end
|
2016-08-25 18:26:20 -04:00
|
|
|
|
2016-11-24 04:09:12 -05:00
|
|
|
def valid_oauth_token?(token)
|
2017-06-28 03:12:23 -04:00
|
|
|
token && token.accessible? && valid_scoped_token?(token, [:api])
|
2016-11-24 04:09:12 -05:00
|
|
|
end
|
|
|
|
|
2017-06-06 07:18:01 -04:00
|
|
|
def valid_scoped_token?(token, scopes)
|
2017-05-31 09:55:12 -04:00
|
|
|
AccessTokenValidationService.new(token).include_any_scope?(scopes)
|
|
|
|
end
|
|
|
|
|
|
|
|
def abilities_for_scope(scopes)
|
2017-06-06 07:18:01 -04:00
|
|
|
scopes.map do |scope|
|
2017-08-10 12:39:26 -04:00
|
|
|
self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend
|
2017-06-06 07:18:01 -04:00
|
|
|
end.flatten.uniq
|
2016-11-22 04:13:37 -05:00
|
|
|
end
|
|
|
|
|
2017-11-08 11:21:39 -05:00
|
|
|
def lfs_token_check(login, password, project)
|
2016-09-19 10:34:32 -04:00
|
|
|
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
|
|
|
|
|
|
|
|
actor =
|
|
|
|
if deploy_key_matches
|
|
|
|
DeployKey.find(deploy_key_matches[1])
|
|
|
|
else
|
|
|
|
User.by_login(login)
|
|
|
|
end
|
|
|
|
|
2016-09-20 03:41:21 -04:00
|
|
|
return unless actor
|
2016-09-19 10:34:32 -04:00
|
|
|
|
2016-09-20 03:41:21 -04:00
|
|
|
token_handler = Gitlab::LfsToken.new(actor)
|
2016-09-19 10:34:32 -04:00
|
|
|
|
2016-09-20 03:41:21 -04:00
|
|
|
authentication_abilities =
|
|
|
|
if token_handler.user?
|
2017-06-06 07:18:01 -04:00
|
|
|
full_authentication_abilities
|
2017-11-08 11:21:39 -05:00
|
|
|
elsif token_handler.deploy_key_pushable?(project)
|
|
|
|
read_write_authentication_abilities
|
2016-09-20 03:41:21 -04:00
|
|
|
else
|
2017-06-06 07:18:01 -04:00
|
|
|
read_authentication_abilities
|
2016-09-20 03:41:21 -04:00
|
|
|
end
|
|
|
|
|
2017-01-24 12:12:49 -05:00
|
|
|
if Devise.secure_compare(token_handler.token, password)
|
|
|
|
Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
|
|
|
|
end
|
2016-09-19 10:34:32 -04:00
|
|
|
end
|
|
|
|
|
2016-08-08 06:01:25 -04:00
|
|
|
def build_access_token_check(login, password)
|
|
|
|
return unless login == 'gitlab-ci-token'
|
|
|
|
return unless password
|
|
|
|
|
2016-09-15 07:49:11 -04:00
|
|
|
build = ::Ci::Build.running.find_by_token(password)
|
2016-08-08 06:01:25 -04:00
|
|
|
return unless build
|
2016-09-15 09:40:53 -04:00
|
|
|
return unless build.project.builds_enabled?
|
2016-08-08 06:01:25 -04:00
|
|
|
|
|
|
|
if build.user
|
|
|
|
# If user is assigned to build, use restricted credentials of user
|
2016-09-19 07:50:28 -04:00
|
|
|
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
|
2016-08-08 06:01:25 -04:00
|
|
|
else
|
|
|
|
# Otherwise use generic CI credentials (backward compatibility)
|
2016-09-19 07:50:28 -04:00
|
|
|
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
|
2016-08-17 18:21:18 -04:00
|
|
|
end
|
|
|
|
end
|
2016-09-13 09:27:05 -04:00
|
|
|
|
2016-09-16 07:34:05 -04:00
|
|
|
public
|
|
|
|
|
2016-09-16 03:59:10 -04:00
|
|
|
def build_authentication_abilities
|
2016-09-13 09:27:05 -04:00
|
|
|
[
|
|
|
|
:read_project,
|
2016-09-15 04:34:53 -04:00
|
|
|
:build_download_code,
|
|
|
|
:build_read_container_image,
|
|
|
|
:build_create_container_image
|
2016-09-13 09:27:05 -04:00
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2017-06-06 07:18:01 -04:00
|
|
|
def read_authentication_abilities
|
2016-09-15 04:34:53 -04:00
|
|
|
[
|
|
|
|
:read_project,
|
2016-09-13 09:27:05 -04:00
|
|
|
:download_code,
|
2016-09-14 11:28:24 -04:00
|
|
|
:read_container_image
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2017-11-08 11:21:39 -05:00
|
|
|
def read_write_authentication_abilities
|
2017-06-06 07:18:01 -04:00
|
|
|
read_authentication_abilities + [
|
2016-09-13 09:27:05 -04:00
|
|
|
:push_code,
|
2017-11-08 11:21:39 -05:00
|
|
|
:create_container_image
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
def full_authentication_abilities
|
|
|
|
read_write_authentication_abilities + [
|
2017-08-02 05:27:21 -04:00
|
|
|
:admin_container_image
|
2016-09-13 09:27:05 -04:00
|
|
|
]
|
|
|
|
end
|
2017-06-06 07:18:01 -04:00
|
|
|
alias_method :api_scope_authentication_abilities, :full_authentication_abilities
|
|
|
|
|
|
|
|
def read_registry_scope_authentication_abilities
|
|
|
|
[:read_container_image]
|
|
|
|
end
|
|
|
|
|
|
|
|
# The currently used auth method doesn't allow any actions for this scope
|
|
|
|
def read_user_scope_authentication_abilities
|
|
|
|
[]
|
|
|
|
end
|
2017-09-15 11:43:49 -04:00
|
|
|
|
2017-10-12 08:38:39 -04:00
|
|
|
def available_scopes(current_user = nil)
|
|
|
|
scopes = API_SCOPES + registry_scopes
|
|
|
|
scopes.delete(:sudo) if current_user && !current_user.admin?
|
|
|
|
scopes
|
2017-09-15 11:43:49 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
# Other available scopes
|
|
|
|
def optional_scopes
|
|
|
|
available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
|
|
|
|
end
|
|
|
|
|
|
|
|
def registry_scopes
|
|
|
|
return [] unless Gitlab.config.registry.enabled
|
|
|
|
|
|
|
|
REGISTRY_SCOPES
|
|
|
|
end
|
2013-07-16 04:28:19 -04:00
|
|
|
end
|
2012-09-12 02:23:16 -04:00
|
|
|
end
|
|
|
|
end
|