gitlab-org--gitlab-foss/lib/gitlab/auth/user_auth_finders.rb

# frozen_string_literal: true

module Gitlab
  module Auth
    AuthenticationError = Class.new(StandardError)
    MissingTokenError = Class.new(AuthenticationError)
    TokenNotFoundError = Class.new(AuthenticationError)
    ExpiredError = Class.new(AuthenticationError)
    RevokedError = Class.new(AuthenticationError)
    UnauthorizedError = Class.new(AuthenticationError)

    class InsufficientScopeError < AuthenticationError
      attr_reader :scopes
      def initialize(scopes)
        @scopes = scopes.map { |s| s.try(:name) || s }
      end
    end

    module UserAuthFinders
      include Gitlab::Utils::StrongMemoize

      PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
      PRIVATE_TOKEN_PARAM = :private_token

      # Check the Rails session for valid authentication details
      def find_user_from_warden
        current_request.env['warden']&.authenticate if verified_request?
      end

      def find_user_from_feed_token
        return unless rss_request? || ics_request?

        # NOTE: feed_token was renamed from rss_token but both needs to be supported because
        #       users might have already added the feed to their RSS reader before the rename
        token = current_request.params[:feed_token].presence || current_request.params[:rss_token].presence
        return unless token

        User.find_by_feed_token(token) || raise(UnauthorizedError)
      end

      def find_user_from_access_token
        return unless access_token

        validate_access_token!

        access_token.user || raise(UnauthorizedError)
      end

      def validate_access_token!(scopes: [])
        return unless access_token

        case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
        when AccessTokenValidationService::INSUFFICIENT_SCOPE
          raise InsufficientScopeError.new(scopes)
        when AccessTokenValidationService::EXPIRED
          raise ExpiredError
        when AccessTokenValidationService::REVOKED
          raise RevokedError
        end
      end

      private

      def route_authentication_setting
        return {} unless respond_to?(:route_setting)

        route_setting(:authentication) || {}
      end

      def access_token
        strong_memoize(:access_token) do
          find_oauth_access_token || find_personal_access_token
        end
      end

      def find_personal_access_token
        token =
          current_request.params[PRIVATE_TOKEN_PARAM].presence ||
          current_request.env[PRIVATE_TOKEN_HEADER].presence

        return unless token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        PersonalAccessToken.find_by_token(token) || raise(UnauthorizedError)
      end

      def find_oauth_access_token
        token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
        return unless token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        oauth_token = OauthAccessToken.by_token(token)
        raise UnauthorizedError unless oauth_token

        oauth_token.revoke_previous_refresh_token!
        oauth_token
      end

      # Check if the request is GET/HEAD, or if CSRF token is valid.
      def verified_request?
        Gitlab::RequestForgeryProtection.verified?(current_request.env)
      end

      def ensure_action_dispatch_request(request)
        ActionDispatch::Request.new(request.env.dup)
      end

      def current_request
        @current_request ||= ensure_action_dispatch_request(request)
      end

      def rss_request?
        current_request.path.ends_with?('.atom') || current_request.format.atom?
      end

      def ics_request?
        current_request.path.ends_with?('.ics') || current_request.format.ics?
      end
    end
  end
end
Enable some frozen string in lib/gitlab Enable frozen string for the following files: * lib/gitlab/auth/*/.rb * lib/gitlab/badge/*/.rb * lib/gitlab/bare_repository_import/*/.rb * lib/gitlab/bitbucket_import/*/.rb * lib/gitlab/bitbucket_server_import/*/.rb * lib/gitlab/cache/*/.rb * lib/gitlab/checks/*/.rb Partially addresses #47424. 2018-10-11 20:12:21 +00:00			`# frozen_string_literal: true`

First refactor 2017-11-07 09:52:05 +00:00			`module Gitlab`
			`module Auth`
Renaming AuthenticationException to AuthenticationError 2017-11-17 12:33:21 +00:00			`AuthenticationError = Class.new(StandardError)`
			`MissingTokenError = Class.new(AuthenticationError)`
			`TokenNotFoundError = Class.new(AuthenticationError)`
			`ExpiredError = Class.new(AuthenticationError)`
			`RevokedError = Class.new(AuthenticationError)`
			`UnauthorizedError = Class.new(AuthenticationError)`

			`class InsufficientScopeError < AuthenticationError`
Moved Exceptions to Gitlab::Auth 2017-11-16 16:03:19 +00:00			`attr_reader :scopes`
			`def initialize(scopes)`
			`@scopes = scopes.map { \|s\| s.try(:name) \|\| s }`
			`end`
			`end`

First refactor 2017-11-07 09:52:05 +00:00			`module UserAuthFinders`
Changes after rebase 2017-11-17 09:09:56 +00:00			`include Gitlab::Utils::StrongMemoize`

Applied some code review comments 2017-11-08 18:41:07 +00:00			`PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze`
			`PRIVATE_TOKEN_PARAM = :private_token`

First refactor 2017-11-07 09:52:05 +00:00			`# Check the Rails session for valid authentication details`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def find_user_from_warden`
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed 2017-11-09 18:04:19 +00:00			`current_request.env['warden']&.authenticate if verified_request?`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Export assigned issues in iCalendar feed 2018-05-31 14:01:04 +00:00			`def find_user_from_feed_token`
			`return unless rss_request? \|\| ics_request?`
First refactor 2017-11-07 09:52:05 +00:00
Export assigned issues in iCalendar feed 2018-05-31 14:01:04 +00:00			`# NOTE: feed_token was renamed from rss_token but both needs to be supported because`
			`# users might have already added the feed to their RSS reader before the rename`
			`token = current_request.params[:feed_token].presence \|\| current_request.params[:rss_token].presence`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`return unless token`
First refactor 2017-11-07 09:52:05 +00:00
Export assigned issues in iCalendar feed 2018-05-31 14:01:04 +00:00			`User.find_by_feed_token(token) \|\| raise(UnauthorizedError)`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def find_user_from_access_token`
			`return unless access_token`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`validate_access_token!`
First refactor 2017-11-07 09:52:05 +00:00
Moving exceptions to UserAuthFinders 2017-11-16 14:39:30 +00:00			`access_token.user \|\| raise(UnauthorizedError)`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`end`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def validate_access_token!(scopes: [])`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`return unless access_token`

			`case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)`
			`when AccessTokenValidationService::INSUFFICIENT_SCOPE`
Moving exceptions to UserAuthFinders 2017-11-16 14:39:30 +00:00			`raise InsufficientScopeError.new(scopes)`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`when AccessTokenValidationService::EXPIRED`
Moving exceptions to UserAuthFinders 2017-11-16 14:39:30 +00:00			`raise ExpiredError`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`when AccessTokenValidationService::REVOKED`
Moving exceptions to UserAuthFinders 2017-11-16 14:39:30 +00:00			`raise RevokedError`
Applied some code review comments 2017-11-08 18:41:07 +00:00			`end`
First refactor 2017-11-07 09:52:05 +00:00			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`private`
First refactor 2017-11-07 09:52:05 +00:00
Minimize CE/EE difference in Gitlab::Auth::UserAuthFinders Signed-off-by: Rémy Coutable <remy@rymai.me> 2018-05-18 12:00:44 +00:00			`def route_authentication_setting`
			`return {} unless respond_to?(:route_setting)`

			`route_setting(:authentication) \|\| {}`
			`end`

Some fixes after rebase 2017-11-07 18:17:41 +00:00			`def access_token`
Changes after rebase 2017-11-17 09:09:56 +00:00			`strong_memoize(:access_token) do`
			`find_oauth_access_token \|\| find_personal_access_token`
			`end`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`end`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00
Added some more comments 2017-11-10 10:41:33 +00:00			`def find_personal_access_token`
			`token =`
			`current_request.params[PRIVATE_TOKEN_PARAM].presence \|\|`
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed 2017-11-09 18:04:19 +00:00			`current_request.env[PRIVATE_TOKEN_HEADER].presence`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00
Applied some code review comments 2017-11-08 18:41:07 +00:00			`return unless token`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			# Expiration, revocation and scopes are verified in `validate_access_token!`
[master] Persist only SHA digest of PersonalAccessToken#token 2018-10-29 16:06:45 +00:00			`PersonalAccessToken.find_by_token(token) \|\| raise(UnauthorizedError)`
Updated refactor and pushing to see if test fails 2017-11-07 15:13:00 +00:00			`end`

First refactor 2017-11-07 09:52:05 +00:00			`def find_oauth_access_token`
			`token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)`
Some fixes after rebase 2017-11-07 18:17:41 +00:00			`return unless token`
First refactor 2017-11-07 09:52:05 +00:00
Some fixes after rebase 2017-11-07 18:17:41 +00:00			# Expiration, revocation and scopes are verified in `validate_access_token!`
Removed method handle_return_value 2017-11-10 10:12:37 +00:00			`oauth_token = OauthAccessToken.by_token(token)`
Moving exceptions to UserAuthFinders 2017-11-16 14:39:30 +00:00			`raise UnauthorizedError unless oauth_token`
Removed method handle_return_value 2017-11-10 10:12:37 +00:00
			`oauth_token.revoke_previous_refresh_token!`
			`oauth_token`
First refactor 2017-11-07 09:52:05 +00:00			`end`

			`# Check if the request is GET/HEAD, or if CSRF token is valid.`
			`def verified_request?`
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed 2017-11-09 18:04:19 +00:00			`Gitlab::RequestForgeryProtection.verified?(current_request.env)`
First refactor 2017-11-07 09:52:05 +00:00			`end`

			`def ensure_action_dispatch_request(request)`
Fixing request json mime type 2018-01-15 09:09:21 +00:00			`ActionDispatch::Request.new(request.env.dup)`
First refactor 2017-11-07 09:52:05 +00:00			`end`
Homogenising the type of the request handled by UserAuthFinder. Also tests fixed 2017-11-09 18:04:19 +00:00
			`def current_request`
			`@current_request \|\|= ensure_action_dispatch_request(request)`
			`end`
Export assigned issues in iCalendar feed 2018-05-31 14:01:04 +00:00
			`def rss_request?`
			`current_request.path.ends_with?('.atom') \|\| current_request.format.atom?`
			`end`

			`def ics_request?`
			`current_request.path.ends_with?('.ics') \|\| current_request.format.ics?`
			`end`
First refactor 2017-11-07 09:52:05 +00:00			`end`
			`end`
			`end`