Newer
Older
Result = Struct.new(:actor, :project, :type, :authentication_abilities) do
def ci?
type == :ci
end
def lfs_deploy_token?
type == :lfs_deploy_token
end
Patricio Cano
committed
def success?
actor.present? || type == :ci
Patricio Cano
committed
class MissingPersonalTokenError < StandardError; end
def find_for_git_client(login, password, project:, ip:)
raise "Must provide an IP for rate limiting" if ip.nil?
Patricio Cano
committed
result =
Kamil Trzcinski
committed
service_request_check(login, password, project) ||
build_access_token_check(login, password) ||
user_with_password_for_git(login, password) ||
oauth_access_token_check(login, password) ||
Patricio Cano
committed
lfs_token_check(login, password) ||
personal_access_token_check(login, password) ||
Result.new
Kamil Trzcinski
committed
rate_limit!(ip, success: result.success?, login: login)
Patricio Cano
committed
def find_with_user_password(login, password)
user = User.by_login(login)
# If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP
if user.nil? || user.ldap_user?
# Second chance - try LDAP authentication
return nil unless Gitlab::LDAP::Config.enabled?
Gitlab::LDAP::Authentication.login(login, password)
else
user if user.valid_password?(password)
end
end
def rate_limit!(ip, success:, login:)
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
return unless rate_limiter.enabled?
if success
# Repeated login 'failures' are normal behavior for some Git clients so
# it is important to reset the ban counter once the client has proven
# they are not a 'bad guy'.
rate_limiter.reset!
else
# Register a login failure so that Rack::Attack can block the next
# request from this IP if needed.
rate_limiter.register_fail!
if rate_limiter.banned?
Rails.logger.info "IP #{ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
Kamil Trzcinski
committed
def service_request_check(login, password, project)
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
return unless project && matched_login.present?
underscored_service = matched_login['service'].underscore
Kamil Trzcinski
committed
if Service.available_services_names.include?(underscored_service)
# We treat underscored_service as a trusted input because it is included
# in the Service.available_services_names whitelist.
service = project.public_send("#{underscored_service}_service")
if service && service.activated? && service.valid_token?(password)
Result.new(nil, project, :ci, build_authentication_abilities)
end
end
end
def user_with_password_for_git(login, password)
user = find_with_user_password(login, password)
Kamil Trzcinski
committed
raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?
Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
Patricio Cano
committed
if token && token.accessible?
user = User.find_by(id: token.resource_owner_id)
Result.new(user, nil, :oauth, read_authentication_abilities)
Patricio Cano
committed
end
def personal_access_token_check(login, password)
if login && password
user = User.find_by_personal_access_token(password)
Patricio Cano
committed
validation = User.by_login(login)
Result.new(user, nil, :personal_token, full_authentication_abilities) if user.present? && user == validation
Patricio Cano
committed
end
end
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
Patricio Cano
committed
actor =
if deploy_key_matches
DeployKey.find(deploy_key_matches[1])
Patricio Cano
committed
else
User.by_login(login)
Patricio Cano
committed
Patricio Cano
committed
if actor
token_handler = Gitlab::LfsToken.new(actor)
Patricio Cano
committed
Result.new(actor, nil, token_handler.type, read_authentication_abilities) if Devise.secure_compare(token_handler.value, password)
Kamil Trzcinski
committed
end
end
def build_access_token_check(login, password)
return unless login == 'gitlab-ci-token'
return unless password
build = ::Ci::Build.running.find_by_token(password)
Kamil Trzcinski
committed
return unless build
Kamil Trzcinski
committed
if build.user
# If user is assigned to build, use restricted credentials of user
Result.new(build.user, build.project, :build, build_authentication_abilities)
Kamil Trzcinski
committed
else
# Otherwise use generic CI credentials (backward compatibility)
Result.new(nil, build.project, :ci, build_authentication_abilities)
Patricio Cano
committed
end
end
public
def build_authentication_abilities
[
:read_project,
:build_download_code,
:build_read_container_image,
:build_create_container_image
def read_authentication_abilities
[
:read_project,
:download_code,
:read_container_image
]
end
def full_authentication_abilities
read_authentication_abilities + [
:push_code,
:update_container_image
]
end