2013-02-14 08:25:55 -05:00
|
|
|
require_relative 'shell_env'
|
|
|
|
|
2012-06-28 23:30:31 -04:00
|
|
|
module Grack
|
|
|
|
class Auth < Rack::Auth::Basic
|
2013-06-14 07:42:55 -04:00
|
|
|
|
2014-03-19 15:02:39 -04:00
|
|
|
attr_accessor :user, :project, :env
|
2012-06-28 23:30:31 -04:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
def call(env)
|
|
|
|
@env = env
|
|
|
|
@request = Rack::Request.new(env)
|
|
|
|
@auth = Request.new(env)
|
2013-01-10 13:17:57 -05:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
# Need this patch due to the rails mount
|
2013-08-26 05:54:57 -04:00
|
|
|
|
2013-07-30 10:48:00 -04:00
|
|
|
# Need this if under RELATIVE_URL_ROOT
|
|
|
|
unless Gitlab.config.gitlab.relative_url_root.empty?
|
|
|
|
# If website is mounted using relative_url_root need to remove it first
|
|
|
|
@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
|
|
|
|
else
|
|
|
|
@env['PATH_INFO'] = @request.path
|
|
|
|
end
|
2013-08-26 05:54:57 -04:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
@env['SCRIPT_NAME'] = ""
|
2012-11-26 04:23:08 -05:00
|
|
|
|
2014-03-21 08:52:30 -04:00
|
|
|
if project
|
|
|
|
auth!
|
|
|
|
else
|
|
|
|
render_not_found
|
|
|
|
end
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
2012-06-29 09:40:23 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
private
|
|
|
|
|
|
|
|
def auth!
|
2013-01-14 09:46:55 -05:00
|
|
|
if @auth.provided?
|
2013-06-14 07:42:55 -04:00
|
|
|
return bad_request unless @auth.basic?
|
2015-02-02 23:36:54 -05:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
# Authentication with username and password
|
|
|
|
login, password = @auth.credentials
|
2013-05-24 13:36:28 -04:00
|
|
|
|
2013-10-24 10:17:22 -04:00
|
|
|
# Allow authentication for GitLab CI service
|
|
|
|
# if valid token passed
|
2014-03-21 08:52:30 -04:00
|
|
|
if gitlab_ci_request?(login, password)
|
|
|
|
return @app.call(env)
|
2013-10-24 10:17:22 -04:00
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
@user = authenticate_user(login, password)
|
2013-05-24 13:36:28 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
if @user
|
|
|
|
Gitlab::ShellEnv.set_env(@user)
|
|
|
|
@env['REMOTE_USER'] = @auth.username
|
|
|
|
end
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
2012-07-02 04:44:45 -04:00
|
|
|
|
2014-03-21 08:52:30 -04:00
|
|
|
if authorized_request?
|
2013-06-14 07:42:55 -04:00
|
|
|
@app.call(env)
|
|
|
|
else
|
|
|
|
unauthorized
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-03-21 08:52:30 -04:00
|
|
|
def gitlab_ci_request?(login, password)
|
|
|
|
if login == "gitlab-ci-token" && project.gitlab_ci?
|
|
|
|
token = project.gitlab_ci_service.token
|
|
|
|
|
|
|
|
if token.present? && token == password && git_cmd == 'git-upload-pack'
|
2014-03-21 17:04:57 -04:00
|
|
|
return true
|
2014-03-21 08:52:30 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
false
|
2012-10-21 05:12:14 -04:00
|
|
|
end
|
|
|
|
|
2015-01-27 18:37:19 -05:00
|
|
|
def oauth_access_token_check(login, password)
|
|
|
|
if login == "oauth2" && git_cmd == 'git-upload-pack' && password.present?
|
|
|
|
token = Doorkeeper::AccessToken.by_token(password)
|
|
|
|
token && token.accessible? && User.find_by(id: token.resource_owner_id)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
def authenticate_user(login, password)
|
2014-12-15 12:47:26 -05:00
|
|
|
user = Gitlab::Auth.new.find(login, password)
|
2015-02-02 23:36:54 -05:00
|
|
|
|
2015-01-27 18:37:19 -05:00
|
|
|
unless user
|
|
|
|
user = oauth_access_token_check(login, password)
|
|
|
|
end
|
2015-02-02 23:36:54 -05:00
|
|
|
|
2014-12-15 12:47:26 -05:00
|
|
|
return user if user.present?
|
|
|
|
|
|
|
|
# At this point, we know the credentials were wrong. We let Rack::Attack
|
2014-12-18 05:08:11 -05:00
|
|
|
# know there was a failed authentication attempt from this IP. This
|
|
|
|
# information is stored in the Rails cache (Redis) and will be used by
|
|
|
|
# the Rack::Attack middleware to decide whether to block requests from
|
|
|
|
# this IP.
|
2015-01-06 10:56:56 -05:00
|
|
|
config = Gitlab.config.rack_attack.git_basic_auth
|
|
|
|
Rack::Attack::Allow2Ban.filter(@request.ip, config) do
|
|
|
|
# Unless the IP is whitelisted, return true so that Allow2Ban
|
|
|
|
# increments the counter (stored in Rails.cache) for the IP
|
|
|
|
if config.ip_whitelist.include?(@request.ip)
|
|
|
|
false
|
|
|
|
else
|
|
|
|
true
|
|
|
|
end
|
2014-12-15 12:47:26 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
nil # No user was found
|
2013-05-24 13:36:28 -04:00
|
|
|
end
|
|
|
|
|
2014-03-21 08:52:30 -04:00
|
|
|
def authorized_request?
|
|
|
|
case git_cmd
|
2014-03-20 04:53:03 -04:00
|
|
|
when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
|
2014-03-21 08:52:30 -04:00
|
|
|
if user
|
2014-11-14 11:23:55 -05:00
|
|
|
Gitlab::GitAccess.new.download_access_check(user, project).allowed?
|
2014-03-21 08:52:30 -04:00
|
|
|
elsif project.public?
|
|
|
|
# Allow clone/fetch for public projects
|
|
|
|
true
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
2014-03-20 04:53:03 -04:00
|
|
|
when *Gitlab::GitAccess::PUSH_COMMANDS
|
2014-03-21 08:52:30 -04:00
|
|
|
if user
|
|
|
|
# Skip user authorization on upload request.
|
2014-10-21 06:36:09 -04:00
|
|
|
# It will be done by the pre-receive hook in the repository.
|
2014-03-21 08:52:30 -04:00
|
|
|
true
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
2014-03-20 04:53:03 -04:00
|
|
|
else
|
|
|
|
false
|
2012-10-21 05:12:14 -04:00
|
|
|
end
|
|
|
|
end
|
2012-06-29 06:11:37 -04:00
|
|
|
|
2014-03-21 08:52:30 -04:00
|
|
|
def git_cmd
|
2013-10-24 10:17:22 -04:00
|
|
|
if @request.get?
|
|
|
|
@request.params['service']
|
|
|
|
elsif @request.post?
|
|
|
|
File.basename(@request.path)
|
|
|
|
else
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
def project
|
2013-06-14 07:42:55 -04:00
|
|
|
@project ||= project_by_path(@request.path_info)
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
2014-03-20 04:53:03 -04:00
|
|
|
|
|
|
|
def project_by_path(path)
|
|
|
|
if m = /^([\w\.\/-]+)\.git/.match(path).to_a
|
|
|
|
path_with_namespace = m.last
|
|
|
|
path_with_namespace.gsub!(/\.wiki$/, '')
|
|
|
|
|
|
|
|
Project.find_with_namespace(path_with_namespace)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def render_not_found
|
2015-02-02 23:36:54 -05:00
|
|
|
[404, { "Content-Type" => "text/plain" }, ["Not Found"]]
|
2014-03-20 04:53:03 -04:00
|
|
|
end
|
2013-06-14 07:42:55 -04:00
|
|
|
end
|
|
|
|
end
|