gitlab-org--gitlab-foss/lib/gitlab/auth/user_auth_finders.rb

module Gitlab
  module Auth
    module UserAuthFinders
      PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
      PRIVATE_TOKEN_PARAM = :private_token

      # Check the Rails session for valid authentication details
      def find_user_from_warden
        env['warden']&.authenticate if verified_request?
      end

      def find_user_from_rss_token
        return unless request.format.atom?

        token = params[:rss_token].presence
        return unless token

        handle_return_value!(User.find_by_rss_token(token))
      end

      def find_user_from_access_token
        return unless access_token

        validate_access_token!

        handle_return_value!(access_token&.user)
      end

      def validate_access_token!(scopes: [])
        return unless access_token

        case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
        when AccessTokenValidationService::INSUFFICIENT_SCOPE
          raise API::APIGuard::InsufficientScopeError.new(scopes)
        when AccessTokenValidationService::EXPIRED
          raise API::APIGuard::ExpiredError
        when AccessTokenValidationService::REVOKED
          raise API::APIGuard::RevokedError
        end
      end

      private

      def handle_return_value!(value, &block)
        raise API::APIGuard::UnauthorizedError unless value

        block_given? ? yield(value) : value
      end

      def access_token
        return @access_token if defined?(@access_token)

        @access_token = find_oauth_access_token || find_personal_access_token
      end

      def private_token
        params[PRIVATE_TOKEN_PARAM].presence ||
          env[PRIVATE_TOKEN_HEADER].presence
      end

      def find_personal_access_token
        token = private_token
        return unless token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        handle_return_value!(PersonalAccessToken.find_by(token: token))
      end

      def find_oauth_access_token
        current_request = ensure_action_dispatch_request(request)
        token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
        return unless token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        handle_return_value!(OauthAccessToken.by_token(token)) do |oauth_token|
          oauth_token.revoke_previous_refresh_token!
          oauth_token
        end
      end

      # Check if the request is GET/HEAD, or if CSRF token is valid.
      def verified_request?
        Gitlab::RequestForgeryProtection.verified?(request.env)
      end

      def ensure_action_dispatch_request(request)
        return request if request.is_a?(ActionDispatch::Request)

        ActionDispatch::Request.new(request.env)
      end
    end
  end
end
First refactor 2017-11-07 09:52:05 +00:00			`module Gitlab`
			`module Auth`
			`module UserAuthFinders`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze`
			`PRIVATE_TOKEN_PARAM = :private_token`

First refactor 2017-11-07 09:52:05 +00:00			`# Check the Rails session for valid authentication details`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def find_user_from_warden`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`env['warden']&.authenticate if verified_request?`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Applied some code review comments 2017-11-08 18:41:07 +00:00			`def find_user_from_rss_token`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`return unless request.format.atom?`
First refactor 2017-11-07 09:52:05 +00:00
Applied some code review comments 2017-11-08 18:41:07 +00:00			`token = params[:rss_token].presence`
			`return unless token`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`handle_return_value!(User.find_by_rss_token(token))`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def find_user_from_access_token`
			`return unless access_token`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`validate_access_token!`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`handle_return_value!(access_token&.user)`
			`end`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def validate_access_token!(scopes: [])`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`return unless access_token`

			`case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)`
			`when AccessTokenValidationService::INSUFFICIENT_SCOPE`
			`raise API::APIGuard::InsufficientScopeError.new(scopes)`
			`when AccessTokenValidationService::EXPIRED`
			`raise API::APIGuard::ExpiredError`
			`when AccessTokenValidationService::REVOKED`
			`raise API::APIGuard::RevokedError`
			`end`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`private`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def handle_return_value!(value, &block)`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`raise API::APIGuard::UnauthorizedError unless value`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`block_given? ? yield(value) : value`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def access_token`
			`return @access_token if defined?(@access_token)`

			`@access_token = find_oauth_access_token \|\| find_personal_access_token`
			`end`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00
			`def private_token`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`params[PRIVATE_TOKEN_PARAM].presence \|\|`
			`env[PRIVATE_TOKEN_HEADER].presence`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def find_personal_access_token`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`token = private_token`
			`return unless token`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			# Expiration, revocation and scopes are verified in `validate_access_token!`
			`handle_return_value!(PersonalAccessToken.find_by(token: token))`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00			`end`

First refactor 2017-11-07 09:52:05 +00:00			`def find_oauth_access_token`
			`current_request = ensure_action_dispatch_request(request)`
			`token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`return unless token`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			# Expiration, revocation and scopes are verified in `validate_access_token!`
			`handle_return_value!(OauthAccessToken.by_token(token)) do \|oauth_token\|`
			`oauth_token.revoke_previous_refresh_token!`
			`oauth_token`
			`end`
First refactor 2017-11-07 09:52:05 +00:00			`end`

			`# Check if the request is GET/HEAD, or if CSRF token is valid.`
			`def verified_request?`
			`Gitlab::RequestForgeryProtection.verified?(request.env)`
			`end`

			`def ensure_action_dispatch_request(request)`
			`return request if request.is_a?(ActionDispatch::Request)`

			`ActionDispatch::Request.new(request.env)`
			`end`
			`end`
			`end`
			`end`