gitlab-org--gitlab-foss/lib/api/api_guard.rb

# Guard API with OAuth 2.0 Access Token

require 'rack/oauth2'

module API
  module APIGuard
    extend ActiveSupport::Concern

    included do |base|
      # OAuth2 Resource Server Authentication
      use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request|
        # The authenticator only fetches the raw token string

        # Must yield access token to store it in the env
        request.access_token
      end

      helpers HelperMethods

      install_error_responders(base)
    end

    class_methods do
      # Set the authorization scope(s) allowed for an API endpoint.
      #
      # A call to this method maps the given scope(s) to the current API
      # endpoint class. If this method is called multiple times on the same class,
      # the scopes are all aggregated.
      def allow_access_with_scope(scopes, options = {})
        Array(scopes).each do |scope|
          allowed_scopes << Scope.new(scope, options)
        end
      end

      def allowed_scopes
        @scopes ||= []
      end
    end

    # Helper Methods for Grape Endpoint
    module HelperMethods
      include Gitlab::Auth::UserAuthFinders

      def find_current_user!
        user = find_user_from_sources
        return unless user

        forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)

        user
      end

      def find_user_from_sources
        find_user_from_access_token || find_user_from_warden
      end

      private

      # An array of scopes that were registered (using `allow_access_with_scope`)
      # for the current endpoint class. It also returns scopes registered on
      # `API::API`, since these are meant to apply to all API routes.
      def scopes_registered_for_endpoint
        @scopes_registered_for_endpoint ||=
          begin
            endpoint_classes = [options[:for].presence, ::API::API].compact
            endpoint_classes.reduce([]) do |memo, endpoint|
              if endpoint.respond_to?(:allowed_scopes)
                memo.concat(endpoint.allowed_scopes)
              else
                memo
              end
            end
          end
      end
    end

    module ClassMethods
      private

      def install_error_responders(base)
        error_classes = [Gitlab::Auth::MissingTokenError,
                         Gitlab::Auth::TokenNotFoundError,
                         Gitlab::Auth::ExpiredError,
                         Gitlab::Auth::RevokedError,
                         Gitlab::Auth::InsufficientScopeError]

        base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
      end

      def oauth2_bearer_token_error_handler
        proc do |e|
          response =
            case e
            when Gitlab::Auth::MissingTokenError
              Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new

            when Gitlab::Auth::TokenNotFoundError
              Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
                :invalid_token,
                "Bad Access Token.")

            when Gitlab::Auth::ExpiredError
              Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
                :invalid_token,
                "Token is expired. You can either do re-authorization or token refresh.")

            when Gitlab::Auth::RevokedError
              Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
                :invalid_token,
                "Token was revoked. You have to re-authorize from the user.")

            when Gitlab::Auth::InsufficientScopeError
              # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
              # does not include WWW-Authenticate header, which breaks the standard.
              Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
                :insufficient_scope,
                Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
                { scope: e.scopes })
            end

          response.finish
        end
      end
    end
  end
end
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`# Guard API with OAuth 2.0 Access Token`

			`require 'rack/oauth2'`

Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`module API`
			`module APIGuard`
			`extend ActiveSupport::Concern`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`included do \|base\|`
			`# OAuth2 Resource Server Authentication`
			`use Rack::OAuth2::Server::Resource::Bearer, 'The API' do \|request\|`
			`# The authenticator only fetches the raw token string`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`# Must yield access token to store it in the env`
			`request.access_token`
			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`helpers HelperMethods`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`install_error_responders(base)`
			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. 2017-06-20 03:40:24 -04:00			`class_methods do`
When verifying scopes, manually include scopes from `API::API`. - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed. - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases. 2017-06-20 08:00:57 -04:00			`# Set the authorization scope(s) allowed for an API endpoint.`
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. 2017-06-20 03:40:24 -04:00			`#`
When verifying scopes, manually include scopes from `API::API`. - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed. - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases. 2017-06-20 08:00:57 -04:00			`# A call to this method maps the given scope(s) to the current API`
			`# endpoint class. If this method is called multiple times on the same class,`
			`# the scopes are all aggregated.`
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. 2017-06-20 03:40:24 -04:00			`def allow_access_with_scope(scopes, options = {})`
Implement review comments from @dbalexandre for !12300. 2017-06-23 07:18:44 -04:00			`Array(scopes).each do \|scope\|`
Extract a `Gitlab::Scope` class. - To represent an authorization scope, such as `api` or `read_user` - This is a better abstraction than the hash we were previously using. 2017-06-28 03:12:23 -04:00			`allowed_scopes << Scope.new(scope, options)`
Implement review comments from @dbalexandre for !12300. 2017-06-23 07:18:44 -04:00			`end`
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. 2017-06-20 03:40:24 -04:00			`end`

Implement review comments from @dbalexandre for !12300. 2017-06-23 07:18:44 -04:00			`def allowed_scopes`
			`@scopes \|\|= []`
Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. 2017-06-20 03:40:24 -04:00			`end`
			`end`

Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`# Helper Methods for Grape Endpoint`
			`module HelperMethods`
Changes after rebase 2017-11-17 04:09:56 -05:00			`include Gitlab::Auth::UserAuthFinders`
Add Gitlab::Utils::StrongMemoize 2017-11-13 10:27:30 -05:00
Add sudo API scope 2017-10-12 08:38:39 -04:00			`def find_current_user!`
Make find_user_from_sources extensible for EE 2018-02-05 04:44:23 -05:00			`user = find_user_from_sources`
Add sudo API scope 2017-10-12 08:38:39 -04:00			`return unless user`
Move all API authentication code to APIGuard 2017-09-27 09:56:48 -04:00
Add sudo API scope 2017-10-12 08:38:39 -04:00			`forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)`
Move all API authentication code to APIGuard 2017-09-27 09:56:48 -04:00
			`user`
			`end`

Make find_user_from_sources extensible for EE 2018-02-05 04:44:23 -05:00			`def find_user_from_sources`
			`find_user_from_access_token \|\| find_user_from_warden`
			`end`

Some fixes after rebase 2017-11-07 13:17:41 -05:00			`private`
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token` 2016-11-22 04:04:23 -05:00
Move all API authentication code to APIGuard 2017-09-27 09:56:48 -04:00			# An array of scopes that were registered (using `allow_access_with_scope`)
			`# for the current endpoint class. It also returns scopes registered on`
			# `API::API`, since these are meant to apply to all API routes.
			`def scopes_registered_for_endpoint`
			`@scopes_registered_for_endpoint \|\|=`
			`begin`
			`endpoint_classes = [options[:for].presence, ::API::API].compact`
			`endpoint_classes.reduce([]) do \|memo, endpoint\|`
			`if endpoint.respond_to?(:allowed_scopes)`
			`memo.concat(endpoint.allowed_scopes)`
			`else`
			`memo`
			`end`
			`end`
			`end`
			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`end`

Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`module ClassMethods`
			`private`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`def install_error_responders(base)`
Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`error_classes = [Gitlab::Auth::MissingTokenError,`
			`Gitlab::Auth::TokenNotFoundError,`
			`Gitlab::Auth::ExpiredError,`
			`Gitlab::Auth::RevokedError,`
			`Gitlab::Auth::InsufficientScopeError]`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
Whitelist or fix additional `Gitlab/PublicSend` cop violations An upcoming update to rubocop-gitlab-security added additional violations. 2017-08-10 12:39:26 -04:00			`base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`end`

			`def oauth2_bearer_token_error_handler`
Enable Style/Proc cop for rubocop 2017-03-31 11:11:28 -04:00			`proc do \|e\|`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`response =`
			`case e`
Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`when Gitlab::Auth::MissingTokenError`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new`

Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`when Gitlab::Auth::TokenNotFoundError`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(`
			`:invalid_token,`
			`"Bad Access Token.")`

Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`when Gitlab::Auth::ExpiredError`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(`
			`:invalid_token,`
			`"Token is expired. You can either do re-authorization or token refresh.")`

Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`when Gitlab::Auth::RevokedError`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(`
			`:invalid_token,`
			`"Token was revoked. You have to re-authorize from the user.")`

Moved Exceptions to Gitlab::Auth 2017-11-16 11:03:19 -05:00			`when Gitlab::Auth::InsufficientScopeError`
Fix a few places where autoloading would fail - Fix naming of API::CommitStatuses - Ensure we use require_dependency instead of require - Ensure the namespace is right in lib/api/api.rb, otherwise, we might require Grape::API::Helpers which defines the `#params` method. This is to avoid requiring a file multiple times and getting an "Already initialized constant" error. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-04-15 11:35:40 -04:00			`# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)`
			`# does not include WWW-Authenticate header, which breaks the standard.`
			`Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(`
			`:insufficient_scope,`
			`Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],`
			`{ scope: e.scopes })`
			`end`

			`response.finish`
			`end`
Avoid using {...} for multi-line blocks 2015-02-03 00:22:57 -05:00			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`end`
			`end`
Convert hashes to ruby 1.9 style 2015-02-02 22:30:09 -05:00			`end`