gitlab-org--gitlab-foss/lib/gitlab/backend/grack_auth.rb

require_relative 'shell_env'

module Grack
  class Auth < Rack::Auth::Basic

    attr_accessor :user, :project, :env

    def call(env)
      @env = env
      @request = Rack::Request.new(env)
      @auth = Request.new(env)

      @gitlab_ci = false

      # Need this patch due to the rails mount
      # Need this if under RELATIVE_URL_ROOT
      unless Gitlab.config.gitlab.relative_url_root.empty?
        # If website is mounted using relative_url_root need to remove it first
        @env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
      else
        @env['PATH_INFO'] = @request.path
      end

      @env['SCRIPT_NAME'] = ""

      auth!

      if project && authorized_request?
        @app.call(env)
      elsif @user.nil? && !@gitlab_ci
        unauthorized
      else
        render_not_found
      end
    end

    private

    def auth!
      return unless @auth.provided?

      return bad_request unless @auth.basic?

      # Authentication with username and password
      login, password = @auth.credentials

      # Allow authentication for GitLab CI service
      # if valid token passed
      if gitlab_ci_request?(login, password)
        @gitlab_ci = true
        return
      end

      @user = authenticate_user(login, password)

      if @user
        Gitlab::ShellEnv.set_env(@user)
        @env['REMOTE_USER'] = @auth.username
      end
    end

    def gitlab_ci_request?(login, password)
      if login == "gitlab-ci-token" && project && project.gitlab_ci?
        token = project.gitlab_ci_service.token

        if token.present? && token == password && git_cmd == 'git-upload-pack'
          return true
        end
      end

      false
    end

    def oauth_access_token_check(login, password)
      if login == "oauth2" && git_cmd == 'git-upload-pack' && password.present?
        token = Doorkeeper::AccessToken.by_token(password)
        token && token.accessible? && User.find_by(id: token.resource_owner_id)
      end
    end

    def authenticate_user(login, password)
      user = Gitlab::Auth.new.find(login, password)

      unless user
        user = oauth_access_token_check(login, password)
      end

      return user if user.present?

      # At this point, we know the credentials were wrong. We let Rack::Attack
      # know there was a failed authentication attempt from this IP. This
      # information is stored in the Rails cache (Redis) and will be used by
      # the Rack::Attack middleware to decide whether to block requests from
      # this IP.
      config = Gitlab.config.rack_attack.git_basic_auth
      Rack::Attack::Allow2Ban.filter(@request.ip, config) do
        # Unless the IP is whitelisted, return true so that Allow2Ban
        # increments the counter (stored in Rails.cache) for the IP
        if config.ip_whitelist.include?(@request.ip)
          false
        else
          true
        end
      end

      nil # No user was found
    end

    def authorized_request?
      return true if @gitlab_ci

      case git_cmd
      when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
        if user
          Gitlab::GitAccess.new.download_access_check(user, project).allowed?
        elsif project.public?
          # Allow clone/fetch for public projects
          true
        else
          false
        end
      when *Gitlab::GitAccess::PUSH_COMMANDS
        if user
          # Skip user authorization on upload request.
          # It will be done by the pre-receive hook in the repository.
          true
        else
          false
        end
      else
        false
      end
    end

    def git_cmd
      if @request.get?
        @request.params['service']
      elsif @request.post?
        File.basename(@request.path)
      else
        nil
      end
    end

    def project
      return @project if defined?(@project)

      @project = project_by_path(@request.path_info)
    end

    def project_by_path(path)
      if m = /^([\w\.\/-]+)\.git/.match(path).to_a
        path_with_namespace = m.last
        path_with_namespace.gsub!(/\.wiki$/, '')

        path_with_namespace[0] = '' if path_with_namespace.start_with?('/')
        Project.find_with_namespace(path_with_namespace)
      end
    end

    def render_not_found
      [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
    end
  end
end
require missing lib 2013-02-14 08:25:55 -05:00			`require_relative 'shell_env'`

mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-28 23:30:31 -04:00			`module Grack`
			`class Auth < Rack::Auth::Basic`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00
push via http now served via /allowed API Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:02:39 -04:00			`attr_accessor :user, :project, :env`
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-28 23:30:31 -04:00
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`def call(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`@auth = Request.new(env)`
Public git read-only access via http 2013-01-10 13:17:57 -05:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`@gitlab_ci = false`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 05:54:57 -04:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`# Need this patch due to the rails mount`
Fixes grack authentification under relative_url_root Ref: https://github.com/gitlabhq/gitlabhq/commit/e6159b8725f99af78f446f8d33fa0e52b7780430 Ref: https://github.com/gitlabhq/gitlabhq/pull/3204 Ref: https://github.com/gitlabhq/gitlabhq/issues/1228 Add Rails' variable in application.rb to support relative url This variable is used by assets compilation and other modules. Note that user needs to change application.rb too Restrict session cookie to the relative path if set. Ref: https://github.com/gitlabhq/gitlabhq/commit/2c2f1e31856a4decdae469974f5bea8245316f7e Fix Update attachment_uploader.rb bug with relative URL See: https://github.com/gitlabhq/gitlabhq/commit/161afda3fa4fca58f396e9c3acbd72bc14490ace Fix Wall relative bug with attachement files (javascript) 2013-07-30 10:48:00 -04:00			`# Need this if under RELATIVE_URL_ROOT`
			`unless Gitlab.config.gitlab.relative_url_root.empty?`
			`# If website is mounted using relative_url_root need to remove it first`
			`@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')`
			`else`
			`@env['PATH_INFO'] = @request.path`
			`end`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 05:54:57 -04:00
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`@env['SCRIPT_NAME'] = ""`
Fix http push with namespaces. Allow use of username as login 2012-11-26 04:23:08 -05:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`auth!`

			`if project && authorized_request?`
			`@app.call(env)`
			`elsif @user.nil? && !@gitlab_ci`
			`unauthorized`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`else`
			`render_not_found`
			`end`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
fix a npe, and need a patch for path_info 2012-06-29 09:40:23 -04:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`private`

			`def auth!`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`return unless @auth.provided?`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`return bad_request unless @auth.basic?`
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 10:17:22 -04:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`# Authentication with username and password`
			`login, password = @auth.credentials`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`# Allow authentication for GitLab CI service`
			`# if valid token passed`
			`if gitlab_ci_request?(login, password)`
			`@gitlab_ci = true`
			`return`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
bypass gitolite update hook, and set an GL_USER variable. 2012-07-02 04:44:45 -04:00
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`@user = authenticate_user(login, password)`

			`if @user`
			`Gitlab::ShellEnv.set_env(@user)`
			`@env['REMOTE_USER'] = @auth.username`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`end`
			`end`

Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def gitlab_ci_request?(login, password)`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`if login == "gitlab-ci-token" && project && project.gitlab_ci?`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`token = project.gitlab_ci_service.token`

			`if token.present? && token == password && git_cmd == 'git-upload-pack'`
Fix gitlab-ci integration Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 17:04:57 -04:00			`return true`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`end`
			`end`

			`false`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`end`

an ability to clone project with oauth2 token 2015-01-27 18:37:19 -05:00			`def oauth_access_token_check(login, password)`
			`if login == "oauth2" && git_cmd == 'git-upload-pack' && password.present?`
			`token = Doorkeeper::AccessToken.by_token(password)`
			`token && token.accessible? && User.find_by(id: token.resource_owner_id)`
			`end`
			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`def authenticate_user(login, password)`
Block Git HTTP Basic Auth after 10 failed attempts 2014-12-15 12:47:26 -05:00			`user = Gitlab::Auth.new.find(login, password)`
Rubocop enabled for: Use spaces inside hash literal braces 2015-02-02 23:36:54 -05:00
an ability to clone project with oauth2 token 2015-01-27 18:37:19 -05:00			`unless user`
			`user = oauth_access_token_check(login, password)`
			`end`
Rubocop enabled for: Use spaces inside hash literal braces 2015-02-02 23:36:54 -05:00
Block Git HTTP Basic Auth after 10 failed attempts 2014-12-15 12:47:26 -05:00			`return user if user.present?`

			`# At this point, we know the credentials were wrong. We let Rack::Attack`
Add more comments explaining how we block IPs 2014-12-18 05:08:11 -05:00			`# know there was a failed authentication attempt from this IP. This`
			`# information is stored in the Rails cache (Redis) and will be used by`
			`# the Rack::Attack middleware to decide whether to block requests from`
			`# this IP.`
White-list requests from 127.0.0.1 On some misconfigured GitLab servers, if you look in production.log it looks like all requests come from 127.0.0.1. To avoid unwanted banning we white-list 127.0.0.1 with this commit. 2015-01-06 10:56:56 -05:00			`config = Gitlab.config.rack_attack.git_basic_auth`
			`Rack::Attack::Allow2Ban.filter(@request.ip, config) do`
			`# Unless the IP is whitelisted, return true so that Allow2Ban`
			`# increments the counter (stored in Rails.cache) for the IP`
			`if config.ip_whitelist.include?(@request.ip)`
			`false`
			`else`
			`true`
			`end`
Block Git HTTP Basic Auth after 10 failed attempts 2014-12-15 12:47:26 -05:00			`end`

			`nil # No user was found`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00			`end`

Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def authorized_request?`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`return true if @gitlab_ci`

Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`case git_cmd`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`when *Gitlab::GitAccess::DOWNLOAD_COMMANDS`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if user`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00			`Gitlab::GitAccess.new.download_access_check(user, project).allowed?`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`elsif project.public?`
			`# Allow clone/fetch for public projects`
			`true`
			`else`
			`false`
			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`when *Gitlab::GitAccess::PUSH_COMMANDS`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if user`
			`# Skip user authorization on upload request.`
Improve grack auth hooks comment. 2014-10-21 06:36:09 -04:00			`# It will be done by the pre-receive hook in the repository.`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`true`
			`else`
			`false`
			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`else`
			`false`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`end`
			`end`
implements protected branches to smart http protocal 2012-06-29 06:11:37 -04:00
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def git_cmd`
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 10:17:22 -04:00			`if @request.get?`
			`@request.params['service']`
			`elsif @request.post?`
			`File.basename(@request.path)`
			`else`
			`nil`
			`end`
			`end`

Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`def project`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00			`return @project if defined?(@project)`

			`@project = project_by_path(@request.path_info)`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00
			`def project_by_path(path)`
			`if m = /^([\w\.\/-]+)\.git/.match(path).to_a`
			`path_with_namespace = m.last`
			`path_with_namespace.gsub!(/\.wiki$/, '')`

Fix git-over-http 2015-02-23 13:05:18 -05:00			`path_with_namespace[0] = '' if path_with_namespace.start_with?('/')`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`Project.find_with_namespace(path_with_namespace)`
			`end`
			`end`

			`def render_not_found`
Rubocop enabled for: Use spaces inside hash literal braces 2015-02-02 23:36:54 -05:00			`[404, { "Content-Type" => "text/plain" }, ["Not Found"]]`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`end`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`end`
			`end`