2012-09-12 06:23:16 +00:00
|
|
|
module Gitlab
|
2016-06-03 15:07:40 +00:00
|
|
|
module Auth
|
2016-06-03 12:57:34 +00:00
|
|
|
Result = Struct.new(:user, :type)
|
|
|
|
|
|
2016-04-29 16:58:55 +00:00
|
|
|
class << self
|
2016-06-10 12:51:16 +00:00
|
|
|
def find_for_git_client(login, password, project:, ip:)
|
2016-04-29 16:58:55 +00:00
|
|
|
raise "Must provide an IP for rate limiting" if ip.nil?
|
|
|
|
|
|
2016-06-03 12:57:34 +00:00
|
|
|
result = Result.new
|
2016-04-29 16:58:55 +00:00
|
|
|
|
|
|
|
|
if valid_ci_request?(login, password, project)
|
2016-06-03 12:57:34 +00:00
|
|
|
result.type = :ci
|
2016-06-10 12:51:16 +00:00
|
|
|
elsif result.user = find_with_user_password(login, password)
|
2016-06-03 12:57:34 +00:00
|
|
|
result.type = :gitlab_or_ldap
|
|
|
|
|
elsif result.user = oauth_access_token_check(login, password)
|
|
|
|
|
result.type = :oauth
|
2016-04-29 16:58:55 +00:00
|
|
|
end
|
|
|
|
|
|
2016-06-03 12:57:34 +00:00
|
|
|
rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
|
|
|
|
|
result
|
2016-04-29 16:58:55 +00:00
|
|
|
end
|
|
|
|
|
|
2016-06-10 12:51:16 +00:00
|
|
|
def find_with_user_password(login, password)
|
2016-04-29 16:58:55 +00:00
|
|
|
user = User.by_login(login)
|
|
|
|
|
|
|
|
|
|
# If no user is found, or it's an LDAP server, try LDAP.
|
|
|
|
|
# LDAP users are only authenticated via LDAP
|
|
|
|
|
if user.nil? || user.ldap_user?
|
|
|
|
|
# Second chance - try LDAP authentication
|
|
|
|
|
return nil unless Gitlab::LDAP::Config.enabled?
|
|
|
|
|
|
|
|
|
|
Gitlab::LDAP::Authentication.login(login, password)
|
|
|
|
|
else
|
|
|
|
|
user if user.valid_password?(password)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2016-06-06 15:40:26 +00:00
|
|
|
def rate_limit!(ip, success:, login:)
|
|
|
|
|
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
|
|
|
|
|
return unless rate_limiter.enabled?
|
|
|
|
|
|
|
|
|
|
if success
|
|
|
|
|
# Repeated login 'failures' are normal behavior for some Git clients so
|
|
|
|
|
# it is important to reset the ban counter once the client has proven
|
|
|
|
|
# they are not a 'bad guy'.
|
|
|
|
|
rate_limiter.reset!
|
|
|
|
|
else
|
|
|
|
|
# Register a login failure so that Rack::Attack can block the next
|
|
|
|
|
# request from this IP if needed.
|
|
|
|
|
rate_limiter.register_fail!
|
|
|
|
|
|
|
|
|
|
if rate_limiter.banned?
|
|
|
|
|
Rails.logger.info "IP #{ip} failed to login " \
|
|
|
|
|
"as #{login} but has been temporarily banned from Git auth"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2016-04-29 16:58:55 +00:00
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def valid_ci_request?(login, password, project)
|
|
|
|
|
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
|
|
|
|
|
|
|
|
|
|
return false unless project && matched_login.present?
|
|
|
|
|
|
|
|
|
|
underscored_service = matched_login['service'].underscore
|
|
|
|
|
|
|
|
|
|
if underscored_service == 'gitlab_ci'
|
|
|
|
|
project && project.valid_build_token?(password)
|
|
|
|
|
elsif Service.available_services_names.include?(underscored_service)
|
|
|
|
|
# We treat underscored_service as a trusted input because it is included
|
|
|
|
|
# in the Service.available_services_names whitelist.
|
2016-06-03 15:23:34 +00:00
|
|
|
service = project.public_send("#{underscored_service}_service")
|
2016-04-29 16:58:55 +00:00
|
|
|
|
|
|
|
|
service && service.activated? && service.valid_token?(password)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def oauth_access_token_check(login, password)
|
|
|
|
|
if login == "oauth2" && password.present?
|
|
|
|
|
token = Doorkeeper::AccessToken.by_token(password)
|
|
|
|
|
token && token.accessible? && User.find_by(id: token.resource_owner_id)
|
|
|
|
|
end
|
|
|
|
|
end
|
2013-07-16 08:28:19 +00:00
|
|
|
end
|
2012-09-12 06:23:16 +00:00
|
|
|
end
|
|
|
|
|
end
|
