Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
aa84ef1e
Commit
aa84ef1e
authored
Nov 16, 2017
by
Francisco Lopez
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Moving exceptions to UserAuthFinders
parent
98f7982c
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
52 additions
and
49 deletions
+52
-49
lib/api/api_guard.rb
lib/api/api_guard.rb
+10
-25
lib/api/helpers.rb
lib/api/helpers.rb
+1
-1
lib/gitlab/auth/user_auth_finders.rb
lib/gitlab/auth/user_auth_finders.rb
+25
-7
spec/lib/gitlab/auth/request_authenticator_spec.rb
spec/lib/gitlab/auth/request_authenticator_spec.rb
+2
-2
spec/lib/gitlab/auth/user_auth_finders_spec.rb
spec/lib/gitlab/auth/user_auth_finders_spec.rb
+10
-10
spec/requests/api/helpers_spec.rb
spec/requests/api/helpers_spec.rb
+4
-4
No files found.
lib/api/api_guard.rb
View file @
aa84ef1e
...
...
@@ -93,8 +93,11 @@ module API
private
def
install_error_responders
(
base
)
error_classes
=
[
MissingTokenError
,
TokenNotFoundError
,
ExpiredError
,
RevokedError
,
InsufficientScopeError
]
error_classes
=
[
Gitlab
::
Auth
::
UserAuthFinders
::
MissingTokenError
,
Gitlab
::
Auth
::
UserAuthFinders
::
TokenNotFoundError
,
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
,
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
,
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
]
base
.
__send__
(
:rescue_from
,
*
error_classes
,
oauth2_bearer_token_error_handler
)
# rubocop:disable GitlabSecurity/PublicSend
end
...
...
@@ -103,25 +106,25 @@ module API
proc
do
|
e
|
response
=
case
e
when
MissingTokenError
when
Gitlab
::
Auth
::
UserAuthFinders
::
MissingTokenError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
when
TokenNotFoundError
when
Gitlab
::
Auth
::
UserAuthFinders
::
TokenNotFoundError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
"Bad Access Token."
)
when
ExpiredError
when
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
"Token is expired. You can either do re-authorization or token refresh."
)
when
RevokedError
when
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
"Token was revoked. You have to re-authorize from the user."
)
when
InsufficientScopeError
when
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Forbidden
.
new
(
...
...
@@ -134,23 +137,5 @@ module API
end
end
end
#
# Exceptions
#
AuthenticationException
=
Class
.
new
(
StandardError
)
MissingTokenError
=
Class
.
new
(
AuthenticationException
)
TokenNotFoundError
=
Class
.
new
(
AuthenticationException
)
ExpiredError
=
Class
.
new
(
AuthenticationException
)
RevokedError
=
Class
.
new
(
AuthenticationException
)
UnauthorizedError
=
Class
.
new
(
AuthenticationException
)
class
InsufficientScopeError
<
AuthenticationException
attr_reader
:scopes
def
initialize
(
scopes
)
@scopes
=
scopes
.
map
{
|
s
|
s
.
try
(
:name
)
||
s
}
end
end
end
end
lib/api/helpers.rb
View file @
aa84ef1e
...
...
@@ -398,7 +398,7 @@ module API
begin
@initial_current_user
=
Gitlab
::
Auth
::
UniqueIpsLimiter
.
limit_user!
{
find_current_user!
}
rescue
APIGuard
::
UnauthorizedError
rescue
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
unauthorized!
end
end
...
...
lib/gitlab/auth/user_auth_finders.rb
View file @
aa84ef1e
...
...
@@ -4,6 +4,24 @@ module Gitlab
PRIVATE_TOKEN_HEADER
=
'HTTP_PRIVATE_TOKEN'
.
freeze
PRIVATE_TOKEN_PARAM
=
:private_token
#
# Exceptions
#
AuthenticationException
=
Class
.
new
(
StandardError
)
MissingTokenError
=
Class
.
new
(
AuthenticationException
)
TokenNotFoundError
=
Class
.
new
(
AuthenticationException
)
ExpiredError
=
Class
.
new
(
AuthenticationException
)
RevokedError
=
Class
.
new
(
AuthenticationException
)
UnauthorizedError
=
Class
.
new
(
AuthenticationException
)
class
InsufficientScopeError
<
AuthenticationException
attr_reader
:scopes
def
initialize
(
scopes
)
@scopes
=
scopes
.
map
{
|
s
|
s
.
try
(
:name
)
||
s
}
end
end
# Check the Rails session for valid authentication details
def
find_user_from_warden
current_request
.
env
[
'warden'
]
&
.
authenticate
if
verified_request?
...
...
@@ -15,7 +33,7 @@ module Gitlab
token
=
current_request
.
params
[
:rss_token
].
presence
return
unless
token
User
.
find_by_rss_token
(
token
)
||
raise
(
API
::
APIGuard
::
UnauthorizedError
)
User
.
find_by_rss_token
(
token
)
||
raise
(
UnauthorizedError
)
end
def
find_user_from_access_token
...
...
@@ -23,7 +41,7 @@ module Gitlab
validate_access_token!
access_token
.
user
||
raise
(
API
::
APIGuard
::
UnauthorizedError
)
access_token
.
user
||
raise
(
UnauthorizedError
)
end
def
validate_access_token!
(
scopes:
[])
...
...
@@ -31,11 +49,11 @@ module Gitlab
case
AccessTokenValidationService
.
new
(
access_token
,
request:
request
).
validate
(
scopes:
scopes
)
when
AccessTokenValidationService
::
INSUFFICIENT_SCOPE
raise
API
::
APIGuard
::
InsufficientScopeError
.
new
(
scopes
)
raise
InsufficientScopeError
.
new
(
scopes
)
when
AccessTokenValidationService
::
EXPIRED
raise
API
::
APIGuard
::
ExpiredError
raise
ExpiredError
when
AccessTokenValidationService
::
REVOKED
raise
API
::
APIGuard
::
RevokedError
raise
RevokedError
end
end
...
...
@@ -55,7 +73,7 @@ module Gitlab
return
unless
token
# Expiration, revocation and scopes are verified in `validate_access_token!`
PersonalAccessToken
.
find_by
(
token:
token
)
||
raise
(
API
::
APIGuard
::
UnauthorizedError
)
PersonalAccessToken
.
find_by
(
token:
token
)
||
raise
(
UnauthorizedError
)
end
def
find_oauth_access_token
...
...
@@ -64,7 +82,7 @@ module Gitlab
# Expiration, revocation and scopes are verified in `validate_access_token!`
oauth_token
=
OauthAccessToken
.
by_token
(
token
)
raise
API
::
APIGuard
::
UnauthorizedError
unless
oauth_token
raise
UnauthorizedError
unless
oauth_token
oauth_token
.
revoke_previous_refresh_token!
oauth_token
...
...
spec/lib/gitlab/auth/request_authenticator_spec.rb
View file @
aa84ef1e
...
...
@@ -33,7 +33,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end
it
'bubbles up exceptions'
do
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_warden
).
and_raise
(
API
::
APIGuard
::
UnauthorizedError
)
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_warden
).
and_raise
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
end
end
...
...
@@ -59,7 +59,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end
it
'rescue API::APIGuard::AuthenticationException exceptions'
do
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_access_token
).
and_raise
(
API
::
APIGuard
::
UnauthorizedError
)
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_access_token
).
and_raise
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
expect
(
subject
.
find_sessionless_user
).
to
be_blank
end
...
...
spec/lib/gitlab/auth/user_auth_finders_spec.rb
View file @
aa84ef1e
...
...
@@ -65,7 +65,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid rss_token'
do
set_param
(
:rss_token
,
'invalid_token'
)
expect
{
find_user_from_rss_token
}.
to
raise_error
(
API
::
APIGuard
::
UnauthorizedError
)
expect
{
find_user_from_rss_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
end
end
...
...
@@ -96,7 +96,7 @@ describe Gitlab::Auth::UserAuthFinders do
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:user
).
and_return
(
nil
)
expect
{
find_user_from_access_token
}.
to
raise_error
(
API
::
APIGuard
::
UnauthorizedError
)
expect
{
find_user_from_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
end
end
end
...
...
@@ -127,7 +127,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid personal_access_token'
do
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
'invalid_token'
expect
{
find_personal_access_token
}.
to
raise_error
(
API
::
APIGuard
::
UnauthorizedError
)
expect
{
find_personal_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
end
end
...
...
@@ -158,7 +158,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid oauth_access_token'
do
env
[
'HTTP_AUTHORIZATION'
]
=
"Bearer invalid_token"
expect
{
find_oauth_access_token
}.
to
raise_error
(
API
::
APIGuard
::
UnauthorizedError
)
expect
{
find_oauth_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
UnauthorizedError
)
end
end
...
...
@@ -174,20 +174,20 @@ describe Gitlab::Auth::UserAuthFinders do
allow_any_instance_of
(
described_class
).
to
receive
(
:access_token
).
and_return
(
personal_access_token
)
end
it
'returns
API::APIGuard
::ExpiredError if token expired'
do
it
'returns
Gitlab::Auth::UserAuthFinders
::ExpiredError if token expired'
do
personal_access_token
.
expires_at
=
1
.
day
.
ago
expect
{
validate_access_token!
}.
to
raise_error
(
API
::
APIGuard
::
ExpiredError
)
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
)
end
it
'returns
API::APIGuard
::RevokedError if token revoked'
do
it
'returns
Gitlab::Auth::UserAuthFinders
::RevokedError if token revoked'
do
personal_access_token
.
revoke!
expect
{
validate_access_token!
}.
to
raise_error
(
API
::
APIGuard
::
RevokedError
)
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
)
end
it
'returns
API::APIGuard
::InsufficientScopeError if invalid token scope'
do
expect
{
validate_access_token!
(
scopes:
[
:sudo
])
}.
to
raise_error
(
API
::
APIGuard
::
InsufficientScopeError
)
it
'returns
Gitlab::Auth::UserAuthFinders
::InsufficientScopeError if invalid token scope'
do
expect
{
validate_access_token!
(
scopes:
[
:sudo
])
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
)
end
end
end
...
...
spec/requests/api/helpers_spec.rb
View file @
aa84ef1e
...
...
@@ -166,21 +166,21 @@ describe API::Helpers do
personal_access_token
=
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'read_user'
])
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
API
::
APIGuard
::
InsufficientScopeError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
end
it
'does not allow revoked tokens'
do
personal_access_token
.
revoke!
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
API
::
APIGuard
::
RevokedError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
end
it
'does not allow expired tokens'
do
personal_access_token
.
update_attributes!
(
expires_at:
1
.
day
.
ago
)
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
API
::
APIGuard
::
ExpiredError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
end
end
end
...
...
@@ -392,7 +392,7 @@ describe API::Helpers do
end
it
'raises an error'
do
expect
{
current_user
}.
to
raise_error
API
::
APIGuard
::
InsufficientScopeError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment