gitlab-org--gitlab-foss/lib/gitlab/auth/request_authenticator.rb

# frozen_string_literal: true

# Use for authentication only, in particular for Rack::Attack.
# Does not perform authorization of scopes, etc.
module Gitlab
  module Auth
    class RequestAuthenticator
      include UserAuthFinders

      attr_reader :request

      def initialize(request)
        @request = request
      end

      def user(request_formats)
        request_formats.each do |format|
          user = find_sessionless_user(format)

          return user if user
        end

        find_user_from_warden
      end

      def find_sessionless_user(request_format)
        find_user_from_web_access_token(request_format) || find_user_from_feed_token(request_format)
      rescue Gitlab::Auth::AuthenticationError
        nil
      end

      def valid_access_token?(scopes: [])
        validate_access_token!(scopes: scopes)

        true
      rescue Gitlab::Auth::AuthenticationError
        false
      end
    end
  end
end
Enable some frozen string in lib/gitlab Enable frozen string for the following files: * lib/gitlab/auth/*/.rb * lib/gitlab/badge/*/.rb * lib/gitlab/bare_repository_import/*/.rb * lib/gitlab/bitbucket_import/*/.rb * lib/gitlab/bitbucket_server_import/*/.rb * lib/gitlab/cache/*/.rb * lib/gitlab/checks/*/.rb Partially addresses #47424. 2018-10-11 16:12:21 -04:00			`# frozen_string_literal: true`

Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`# Use for authentication only, in particular for Rack::Attack.`
			`# Does not perform authorization of scopes, etc.`
			`module Gitlab`
			`module Auth`
			`class RequestAuthenticator`
First refactor 2017-11-07 04:52:05 -05:00			`include UserAuthFinders`

			`attr_reader :request`

Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`def initialize(request)`
Applied some code review comments 2017-11-08 13:41:07 -05:00			`@request = request`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def user(request_formats)`
			`request_formats.each do \|format\|`
			`user = find_sessionless_user(format)`

			`return user if user`
			`end`

			`find_user_from_warden`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def find_sessionless_user(request_format)`
			`find_user_from_web_access_token(request_format) \|\| find_user_from_feed_token(request_format)`
Renaming AuthenticationException to AuthenticationError 2017-11-17 07:33:21 -05:00			`rescue Gitlab::Auth::AuthenticationError`
Applied some code review comments 2017-11-08 13:41:07 -05:00			`nil`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`
Allow token authentication on go-get request 2018-02-23 05:33:46 -05:00
			`def valid_access_token?(scopes: [])`
			`validate_access_token!(scopes: scopes)`

			`true`
			`rescue Gitlab::Auth::AuthenticationError`
			`false`
			`end`
Fix OAuth API and RSS rate limiting 2017-10-13 20:05:18 -04:00			`end`
			`end`
			`end`