gitlab-org--gitlab-foss/lib/gitlab/auth.rb

120 lines
3.8 KiB
Ruby
Raw Normal View History

2012-09-12 02:23:16 -04:00
module Gitlab
2016-06-03 11:07:40 -04:00
module Auth
2016-06-03 08:57:34 -04:00
Result = Struct.new(:user, :type)
2016-04-29 12:58:55 -04:00
class << self
def find_for_git_client(login, password, project:, ip:)
2016-04-29 12:58:55 -04:00
raise "Must provide an IP for rate limiting" if ip.nil?
2016-06-03 08:57:34 -04:00
result = Result.new
2016-04-29 12:58:55 -04:00
if valid_ci_request?(login, password, project)
2016-06-03 08:57:34 -04:00
result.type = :ci
else
result = populate_result(login, password)
2016-04-29 12:58:55 -04:00
end
success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
rate_limit!(ip, success: success, login: login)
2016-06-03 08:57:34 -04:00
result
2016-04-29 12:58:55 -04:00
end
def find_with_user_password(login, password)
2016-04-29 12:58:55 -04:00
user = User.by_login(login)
# If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP
if user.nil? || user.ldap_user?
# Second chance - try LDAP authentication
return nil unless Gitlab::LDAP::Config.enabled?
Gitlab::LDAP::Authentication.login(login, password)
else
user if user.valid_password?(password)
end
end
2016-06-06 11:40:26 -04:00
def rate_limit!(ip, success:, login:)
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
return unless rate_limiter.enabled?
if success
# Repeated login 'failures' are normal behavior for some Git clients so
# it is important to reset the ban counter once the client has proven
# they are not a 'bad guy'.
rate_limiter.reset!
else
# Register a login failure so that Rack::Attack can block the next
# request from this IP if needed.
rate_limiter.register_fail!
if rate_limiter.banned?
Rails.logger.info "IP #{ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
2016-04-29 12:58:55 -04:00
private
def valid_ci_request?(login, password, project)
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
return false unless project && matched_login.present?
underscored_service = matched_login['service'].underscore
if underscored_service == 'gitlab_ci'
project && project.valid_build_token?(password)
elsif Service.available_services_names.include?(underscored_service)
# We treat underscored_service as a trusted input because it is included
# in the Service.available_services_names whitelist.
2016-06-03 11:23:34 -04:00
service = project.public_send("#{underscored_service}_service")
2016-04-29 12:58:55 -04:00
service && service.activated? && service.valid_token?(password)
end
end
def populate_result(login, password)
result =
user_with_password_for_git(login, password) ||
oauth_access_token_check(login, password) ||
personal_access_token_check(login, password)
if result
result.type = nil unless result.user
if result.user && result.user.two_factor_enabled? && result.type == :gitlab_or_ldap
result.type = :missing_personal_token
end
end
result || Result.new
end
def user_with_password_for_git(login, password)
user = find_with_user_password(login, password)
Result.new(user, :gitlab_or_ldap) if user
end
2016-04-29 12:58:55 -04:00
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
if token && token.accessible?
user = User.find_by(id: token.resource_owner_id)
Result.new(user, :oauth)
end
2016-04-29 12:58:55 -04:00
end
end
def personal_access_token_check(login, password)
if login && password
user = User.find_by_personal_access_token(password)
validation = User.by_login(login)
Result.new(user, :personal_token) if user == validation
end
end
2013-07-16 04:28:19 -04:00
end
2012-09-12 02:23:16 -04:00
end
end