Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
de24075e
Commit
de24075e
authored
Sep 08, 2016
by
Patricio Cano
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Further refactoring of authentication code, and code style fixes.
parent
71aff7f6
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
48 additions
and
47 deletions
+48
-47
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+12
-8
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+27
-26
lib/gitlab/lfs_token.rb
lib/gitlab/lfs_token.rb
+9
-13
No files found.
app/controllers/projects/git_http_client_controller.rb
View file @
de24075e
...
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include
ActionController
::
HttpAuthentication
::
Basic
include
KerberosSpnegoHelper
attr_reader
:user
attr_reader
:user
,
:actor
# Git clients will not know what authenticity token to send along
skip_before_action
:verify_authenticity_token
...
...
@@ -24,13 +24,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
handle_basic_authentication
(
login
,
password
)
if
ci?
||
use
r
if
ci?
||
acto
r
return
# Allow access
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
@
use
r
=
find_kerberos_user
@
acto
r
=
find_kerberos_user
if
use
r
if
acto
r
send_final_spnego_response
return
# Allow access
end
...
...
@@ -110,6 +110,10 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@ci
.
present?
end
def
user
@actor
end
def
handle_basic_authentication
(
login
,
password
)
auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
...
...
@@ -117,21 +121,21 @@ class Projects::GitHttpClientController < Projects::ApplicationController
when
:ci
@ci
=
true
if
download_request?
when
:oauth
@
user
=
auth_result
.
use
r
if
download_request?
@
actor
=
auth_result
.
acto
r
if
download_request?
when
:lfs_deploy_token
if
download_request?
@lfs_deploy_key
=
true
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
end
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
else
# Not allowed
end
end
def
lfs_deploy_key?
@lfs_deploy_key
.
present?
&&
(
user
&&
user
.
projects
.
include?
(
project
)
)
@lfs_deploy_key
.
present?
&&
actor
&&
actor
.
projects
.
include?
(
project
)
end
def
verify_workhorse_api!
...
...
lib/gitlab/auth.rb
View file @
de24075e
module
Gitlab
module
Auth
Result
=
Struct
.
new
(
:
use
r
,
:type
)
Result
=
Struct
.
new
(
:
acto
r
,
:type
)
class
MissingPersonalTokenError
<
StandardError
;
end
...
...
@@ -49,6 +49,24 @@ module Gitlab
private
def
populate_result
(
login
,
password
,
project
,
ip
)
result
=
ci_request_check
(
login
,
password
,
project
)
||
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
actor
end
success
=
result
?
result
.
actor
.
present?
||
result
.
type
==
:ci
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
end
def
valid_ci_request?
(
login
,
password
,
project
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
...
...
@@ -67,31 +85,14 @@ module Gitlab
end
end
def
populate_result
(
login
,
password
,
project
,
ip
)
result
=
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
result
||=
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
user
if
result
.
user
&&
result
.
type
==
:gitlab_or_ldap
&&
result
.
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
end
end
success
=
result
?
result
.
user
.
present?
||
[
:ci
].
include?
(
result
.
type
)
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
def
ci_request_check
(
login
,
password
,
project
)
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
end
def
user_with_password_for_git
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
&&
user
.
two_factor_enabled?
Result
.
new
(
user
,
:gitlab_or_ldap
)
if
user
end
...
...
@@ -114,11 +115,11 @@ module Gitlab
end
def
lfs_token_check
(
login
,
password
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
actor
=
if
login
=~
/\Alfs\+deploy-key-\d+\Z/
/\d+\Z/
.
match
(
login
)
do
|
id
|
DeployKey
.
find
(
id
[
0
])
end
if
deploy_key_matches
DeployKey
.
find
(
deploy_key_matches
[
1
])
else
User
.
by_login
(
login
)
end
...
...
lib/gitlab/lfs_token.rb
View file @
de24075e
...
...
@@ -6,7 +6,15 @@ module Gitlab
EXPIRY_TIME
=
1800
def
initialize
(
actor
)
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
def
generate
...
...
@@ -38,17 +46,5 @@ module Gitlab
def
redis_key
"gitlab:lfs_token:
#{
actor
.
class
.
name
.
underscore
}
_
#{
actor
.
id
}
"
if
actor
end
def
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment