Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
gitlab-ce
Commits
b1ffc9f0
Commit
b1ffc9f0
authored
Apr 29, 2016
by
Jacob Vosmaer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Make CI/Oauth/rate limiting reusable
parent
9ef50db6
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
158 additions
and
95 deletions
+158
-95
app/controllers/projects/git_http_controller.rb
app/controllers/projects/git_http_controller.rb
+8
-70
config/initializers/doorkeeper.rb
config/initializers/doorkeeper.rb
+1
-1
lib/api/session.rb
lib/api/session.rb
+6
-2
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+95
-12
lib/gitlab/backend/grack_auth.rb
lib/gitlab/backend/grack_auth.rb
+1
-1
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+47
-9
No files found.
app/controllers/projects/git_http_controller.rb
View file @
b1ffc9f0
...
@@ -41,82 +41,20 @@ class Projects::GitHttpController < Projects::ApplicationController
...
@@ -41,82 +41,20 @@ class Projects::GitHttpController < Projects::ApplicationController
return
if
project
&&
project
.
public?
&&
upload_pack?
return
if
project
&&
project
.
public?
&&
upload_pack?
authenticate_or_request_with_http_basic
do
|
login
,
password
|
authenticate_or_request_with_http_basic
do
|
login
,
password
|
return
@ci
=
true
if
valid_ci_request?
(
login
,
password
)
user
,
type
=
Gitlab
::
Auth
.
find
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
@user
=
Gitlab
::
Auth
.
new
.
find
(
login
,
password
)
if
(
type
==
:ci
)
&&
upload_pack?
@user
||=
oauth_access_token_check
(
login
,
password
)
@ci
=
true
rate_limit_ip!
(
login
,
@user
)
elsif
(
type
==
:oauth
)
&&
!
upload_pack?
end
@user
=
nil
end
def
ensure_project_found!
render_not_found
if
project
.
blank?
end
def
valid_ci_request?
(
login
,
password
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
unless
project
&&
matched_login
.
present?
&&
upload_pack?
return
false
end
underscored_service
=
matched_login
[
'service'
].
underscore
if
underscored_service
==
'gitlab_ci'
project
&&
project
.
valid_build_token?
(
password
)
elsif
Service
.
available_services_names
.
include?
(
underscored_service
)
# We treat underscored_service as a trusted input because it is included
# in the Service.available_services_names whitelist.
service_method
=
"
#{
underscored_service
}
_service"
service
=
project
.
send
(
service_method
)
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
end
end
def
oauth_access_token_check
(
login
,
password
)
if
login
==
"oauth2"
&&
upload_pack?
&&
password
.
present?
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
token
&&
token
.
accessible?
&&
User
.
find_by
(
id:
token
.
resource_owner_id
)
end
end
def
rate_limit_ip!
(
login
,
user
)
# If the user authenticated successfully, we reset the auth failure count
# from Rack::Attack for that IP. A client may attempt to authenticate
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives from occurring.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config
=
Gitlab
.
config
.
rack_attack
.
git_basic_auth
return
user
unless
config
.
enabled
if
user
# A successful login will reset the auth failure count from this IP
Rack
::
Attack
::
Allow2Ban
.
reset
(
request
.
ip
,
config
)
else
else
banned
=
Rack
::
Attack
::
Allow2Ban
.
filter
(
request
.
ip
,
config
)
do
@user
=
user
# Unless the IP is whitelisted, return true so that Allow2Ban
# increments the counter (stored in Rails.cache) for the IP
if
config
.
ip_whitelist
.
include?
(
request
.
ip
)
false
else
true
end
end
end
if
banned
Rails
.
logger
.
info
"IP
#{
request
.
ip
}
failed to login "
\
"as
#{
login
}
but has been temporarily banned from Git auth"
end
end
end
end
user
def
ensure_project_found!
render_not_found
if
project
.
blank?
end
end
def
project
def
project
...
...
config/initializers/doorkeeper.rb
View file @
b1ffc9f0
...
@@ -12,7 +12,7 @@ Doorkeeper.configure do
...
@@ -12,7 +12,7 @@ Doorkeeper.configure do
end
end
resource_owner_from_credentials
do
|
routes
|
resource_owner_from_credentials
do
|
routes
|
Gitlab
::
Auth
.
new
.
find
(
params
[
:username
],
params
[
:password
])
Gitlab
::
Auth
.
find_by_master_or_ldap
(
params
[
:username
],
params
[
:password
])
end
end
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
...
...
lib/api/session.rb
View file @
b1ffc9f0
...
@@ -11,8 +11,12 @@ module API
...
@@ -11,8 +11,12 @@ module API
# Example Request:
# Example Request:
# POST /session
# POST /session
post
"/session"
do
post
"/session"
do
auth
=
Gitlab
::
Auth
.
new
user
,
_
=
Gitlab
::
Auth
.
find
(
user
=
auth
.
find
(
params
[
:email
]
||
params
[
:login
],
params
[
:password
])
params
[
:email
]
||
params
[
:login
],
params
[
:password
],
project:
nil
,
ip:
request
.
ip
)
return
unauthorized!
unless
user
return
unauthorized!
unless
user
present
user
,
with:
Entities
::
UserLogin
present
user
,
with:
Entities
::
UserLogin
...
...
lib/gitlab/auth.rb
View file @
b1ffc9f0
module
Gitlab
module
Gitlab
class
Auth
class
Auth
def
find
(
login
,
password
)
class
<<
self
def
find
(
login
,
password
,
project
:,
ip
:)
raise
"Must provide an IP for rate limiting"
if
ip
.
nil?
user
,
type
=
nil
,
nil
if
valid_ci_request?
(
login
,
password
,
project
)
type
=
:ci
elsif
user
=
find_by_master_or_ldap
(
login
,
password
)
type
=
:master_or_ldap
elsif
user
=
oauth_access_token_check
(
login
,
password
)
type
=
:oauth
end
rate_limit!
(
ip
,
success:
!!
user
||
(
type
==
:ci
),
login:
login
)
[
user
,
type
]
end
def
find_by_master_or_ldap
(
login
,
password
)
user
=
User
.
by_login
(
login
)
user
=
User
.
by_login
(
login
)
# If no user is found, or it's an LDAP server, try LDAP.
# If no user is found, or it's an LDAP server, try LDAP.
...
@@ -14,5 +32,70 @@ module Gitlab
...
@@ -14,5 +32,70 @@ module Gitlab
user
if
user
.
valid_password?
(
password
)
user
if
user
.
valid_password?
(
password
)
end
end
end
end
private
def
valid_ci_request?
(
login
,
password
,
project
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
return
false
unless
project
&&
matched_login
.
present?
underscored_service
=
matched_login
[
'service'
].
underscore
if
underscored_service
==
'gitlab_ci'
project
&&
project
.
valid_build_token?
(
password
)
elsif
Service
.
available_services_names
.
include?
(
underscored_service
)
# We treat underscored_service as a trusted input because it is included
# in the Service.available_services_names whitelist.
service_method
=
"
#{
underscored_service
}
_service"
service
=
project
.
send
(
service_method
)
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
end
end
def
oauth_access_token_check
(
login
,
password
)
if
login
==
"oauth2"
&&
password
.
present?
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
token
&&
token
.
accessible?
&&
User
.
find_by
(
id:
token
.
resource_owner_id
)
end
end
def
rate_limit!
(
ip
,
success
:,
login
:)
# If the user authenticated successfully, we reset the auth failure count
# from Rack::Attack for that IP. A client may attempt to authenticate
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives from occurring.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config
=
Gitlab
.
config
.
rack_attack
.
git_basic_auth
return
unless
config
.
enabled
if
success
# A successful login will reset the auth failure count from this IP
Rack
::
Attack
::
Allow2Ban
.
reset
(
ip
,
config
)
else
banned
=
Rack
::
Attack
::
Allow2Ban
.
filter
(
ip
,
config
)
do
# Unless the IP is whitelisted, return true so that Allow2Ban
# increments the counter (stored in Rails.cache) for the IP
if
config
.
ip_whitelist
.
include?
(
ip
)
false
else
true
end
end
if
banned
Rails
.
logger
.
info
"IP
#{
ip
}
failed to login "
\
"as
#{
login
}
but has been temporarily banned from Git auth"
end
end
end
end
end
end
end
end
lib/gitlab/backend/grack_auth.rb
View file @
b1ffc9f0
...
@@ -95,7 +95,7 @@ module Grack
...
@@ -95,7 +95,7 @@ module Grack
end
end
def
authenticate_user
(
login
,
password
)
def
authenticate_user
(
login
,
password
)
user
=
Gitlab
::
Auth
.
new
.
find
(
login
,
password
)
user
,
_
=
Gitlab
::
Auth
.
new
.
find_by_master_or_ldap
(
login
,
password
)
unless
user
unless
user
user
=
oauth_access_token_check
(
login
,
password
)
user
=
oauth_access_token_check
(
login
,
password
)
...
...
spec/lib/gitlab/auth_spec.rb
View file @
b1ffc9f0
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
Auth
,
lib:
true
do
describe
Gitlab
::
Auth
,
lib:
true
do
let
(
:gl_auth
)
{
Gitlab
::
Auth
.
new
}
let
(
:gl_auth
)
{
described_class
}
describe
:find
do
describe
'find'
do
it
'recognizes CI'
do
token
=
'123'
project
=
create
(
:empty_project
)
project
.
update_attributes
(
runners_token:
token
,
builds_enabled:
true
)
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'gitlab-ci-token'
)
expect
(
gl_auth
.
find
(
'gitlab-ci-token'
,
token
,
project:
project
,
ip:
ip
)).
to
eq
([
nil
,
:ci
])
end
it
'recognizes master passwords'
do
user
=
create
(
:user
,
password:
'password'
)
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
.
find
(
user
.
username
,
'password'
,
project:
nil
,
ip:
ip
)).
to
eq
([
user
,
:master_or_ldap
])
end
it
'recognizes OAuth tokens'
do
user
=
create
(
:user
)
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
)
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
.
find
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
([
user
,
:oauth
])
end
it
'returns double nil for invalid credentials'
do
login
=
'foo'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find
(
login
,
'bar'
,
project:
nil
,
ip:
ip
)).
to
eq
([
nil
,
nil
])
end
end
describe
'find_by_master_or_ldap'
do
let!
(
:user
)
do
let!
(
:user
)
do
create
(
:user
,
create
(
:user
,
username:
username
,
username:
username
,
...
@@ -14,25 +52,25 @@ describe Gitlab::Auth, lib: true do
...
@@ -14,25 +52,25 @@ describe Gitlab::Auth, lib: true do
let
(
:password
)
{
'my-secret'
}
let
(
:password
)
{
'my-secret'
}
it
"should find user by valid login/password"
do
it
"should find user by valid login/password"
do
expect
(
gl_auth
.
find
(
username
,
password
)
).
to
eql
user
expect
(
gl_auth
.
find
_by_master_or_ldap
(
username
,
password
)
).
to
eql
user
end
end
it
'should find user by valid email/password with case-insensitive email'
do
it
'should find user by valid email/password with case-insensitive email'
do
expect
(
gl_auth
.
find
(
user
.
email
.
upcase
,
password
)).
to
eql
user
expect
(
gl_auth
.
find
_by_master_or_ldap
(
user
.
email
.
upcase
,
password
)).
to
eql
user
end
end
it
'should find user by valid username/password with case-insensitive username'
do
it
'should find user by valid username/password with case-insensitive username'
do
expect
(
gl_auth
.
find
(
username
.
upcase
,
password
)).
to
eql
user
expect
(
gl_auth
.
find
_by_master_or_ldap
(
username
.
upcase
,
password
)).
to
eql
user
end
end
it
"should not find user with invalid password"
do
it
"should not find user with invalid password"
do
password
=
'wrong'
password
=
'wrong'
expect
(
gl_auth
.
find
(
username
,
password
)
).
not_to
eql
user
expect
(
gl_auth
.
find
_by_master_or_ldap
(
username
,
password
)
).
not_to
eql
user
end
end
it
"should not find user with invalid login"
do
it
"should not find user with invalid login"
do
user
=
'wrong'
user
=
'wrong'
expect
(
gl_auth
.
find
(
username
,
password
)
).
not_to
eql
user
expect
(
gl_auth
.
find
_by_master_or_ldap
(
username
,
password
)
).
not_to
eql
user
end
end
context
"with ldap enabled"
do
context
"with ldap enabled"
do
...
@@ -43,13 +81,13 @@ describe Gitlab::Auth, lib: true do
...
@@ -43,13 +81,13 @@ describe Gitlab::Auth, lib: true do
it
"tries to autheticate with db before ldap"
do
it
"tries to autheticate with db before ldap"
do
expect
(
Gitlab
::
LDAP
::
Authentication
).
not_to
receive
(
:login
)
expect
(
Gitlab
::
LDAP
::
Authentication
).
not_to
receive
(
:login
)
gl_auth
.
find
(
username
,
password
)
gl_auth
.
find
_by_master_or_ldap
(
username
,
password
)
end
end
it
"uses ldap as fallback to for authentication"
do
it
"uses ldap as fallback to for authentication"
do
expect
(
Gitlab
::
LDAP
::
Authentication
).
to
receive
(
:login
)
expect
(
Gitlab
::
LDAP
::
Authentication
).
to
receive
(
:login
)
gl_auth
.
find
(
'ldap_user'
,
'password'
)
gl_auth
.
find
_by_master_or_ldap
(
'ldap_user'
,
'password'
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment