Commit d39a9b2f authored by Gabriel Mazetto's avatar Gabriel Mazetto

Geo OAuth authentication refactor

parent e50eb47d
class Oauth::GeoAuthController < ActionController::Base class Oauth::GeoAuthController < ActionController::Base
# skip_before_action :authenticate_user!
def auth def auth
oauth = Geo::OauthSession.new(state: params[:state]) oauth = Geo::OauthSession.new(state: params[:state])
...@@ -8,10 +7,7 @@ class Oauth::GeoAuthController < ActionController::Base ...@@ -8,10 +7,7 @@ class Oauth::GeoAuthController < ActionController::Base
return return
end end
redirect_to client.auth_code.authorize_url({ redirect_to oauth.authorize_url(redirect_uri: oauth_geo_callback_url, state: params[:state])
redirect_uri: oauth_geo_callback_url,
state: params[:state]
})
end end
def callback def callback
...@@ -21,15 +17,13 @@ class Oauth::GeoAuthController < ActionController::Base ...@@ -21,15 +17,13 @@ class Oauth::GeoAuthController < ActionController::Base
return return
end end
token = client.auth_code.get_token(params[:code], redirect_uri: oauth_geo_callback_url).token token = oauth.get_token(params[:code], redirect_uri: oauth_geo_callback_url)
remote_user = oauth.authenticate(access_token: token)
@user_session = Geo::OauthSession.new(state: params[:state])
remote_user = @user_session.authenticate(access_token: token)
user = User.find(remote_user['id']) user = User.find(remote_user['id'])
if user && sign_in(user) if user && sign_in(user)
return_to = @user_session.get_oauth_state_return_to return_to = oauth.get_oauth_state_return_to
redirect_to(return_to || root_path) redirect_to(return_to || root_path)
else else
@error = 'Invalid credentials' @error = 'Invalid credentials'
...@@ -37,18 +31,4 @@ class Oauth::GeoAuthController < ActionController::Base ...@@ -37,18 +31,4 @@ class Oauth::GeoAuthController < ActionController::Base
end end
end end
private
def client
app = Gitlab::Geo.oauth_authentication
@client ||= ::OAuth2::Client.new(
app.uid,
app.secret,
{
site: Gitlab::Geo.primary_node.url,
authorize_url: 'oauth/authorize',
token_url: 'oauth/token'
}
)
end
end end
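Review bot: In `callback`, `User.find(remote_user['id'])` raises `ActiveRecord::RecordNotFound` instead of returning `nil`, so the `user &&` guard on the next line is dead and an id the secondary does not know produces a 404 rather than the existing `'Invalid credentials'` branch. Changing the lookup to `user = User.find_by(id: remote_user['id'])` keeps that error path reachable. If `oauth.authenticate` can return a falsy response on a failed request, `remote_user['id']` would also raise `NoMethodError` on `nil`; `build_response` is outside this hunk, so a nil guard before the `User` lookup is worth confirming. Both `auth` and `callback` begin before their hunks, so the construction of `oauth` in `callback` is not visible here.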
...@@ -112,7 +112,7 @@ class SessionsController < Devise::SessionsController ...@@ -112,7 +112,7 @@ class SessionsController < Devise::SessionsController
oauth = Geo::OauthSession.new oauth = Geo::OauthSession.new
# share full url with primary node by shared session # share full url with primary node by shared session
user_return_to = URI.join(root_url, session[:user_return_to]).to_s user_return_to = URI.join(root_url, session[:user_return_to].to_s).to_s
oauth.return_to = @redirect_to || user_return_to oauth.return_to = @redirect_to || user_return_to
redirect_to oauth_geo_auth_url(state: oauth.generate_oauth_state) redirect_to oauth_geo_auth_url(state: oauth.generate_oauth_state)
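Review bot: The added `.to_s` on `session[:user_return_to]` only covers the `nil` case; `URI.join` still raises `URI::InvalidURIError` when the stored value is not a parsable URI reference, and if it were ever an absolute URL to another host, `URI.join` resolves to that host rather than `root_url`, so the full URL shared with the primary would point elsewhere. Presumably Devise stores a relative request path here, in which case this is fine, but the assumption deserves a comment on the line, e.g. `# session[:user_return_to] is expected to be a path-relative reference; an absolute URL here would override root_url`. The enclosing method starts before this hunk.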
...@@ -17,9 +17,8 @@ class Geo::OauthSession ...@@ -17,9 +17,8 @@ class Geo::OauthSession
def generate_oauth_state def generate_oauth_state
return unless return_to return unless return_to
salt = generate_oauth_salt hmac = generate_oauth_hmac(oauth_salt, return_to)
hmac = generate_oauth_hmac(salt, return_to) "#{oauth_salt}:#{hmac}:#{return_to}"
"#{salt}:#{hmac}:#{return_to}"
end end
def get_oauth_state_return_to def get_oauth_state_return_to
...@@ -30,18 +29,21 @@ class Geo::OauthSession ...@@ -30,18 +29,21 @@ class Geo::OauthSession
opts = { opts = {
query: access_token query: access_token
} }
endpoint = File.join(primary_node_url, API_PREFIX, 'user') response = self.class.get(authenticate_endpoint, default_opts.merge(opts))
response = self.class.get(endpoint, default_opts.merge(opts))
build_response(response) build_response(response)
end end
private def authorize_url(params = {})
oauth_client.auth_code.authorize_url(params)
end
def generate_oauth_salt def get_token(code, params = {}, opts = {})
SecureRandom.hex(16) oauth_client.auth_code.get_token(code, params, opts).token
end end
private
def generate_oauth_hmac(salt, return_to) def generate_oauth_hmac(salt, return_to)
return false unless return_to return false unless return_to
digest = OpenSSL::Digest.new('sha256') digest = OpenSSL::Digest.new('sha256')
...@@ -49,6 +51,32 @@ class Geo::OauthSession ...@@ -49,6 +51,32 @@ class Geo::OauthSession
OpenSSL::HMAC.hexdigest(digest, key, return_to) OpenSSL::HMAC.hexdigest(digest, key, return_to)
end end
def oauth_salt
@salt ||= SecureRandom.hex(16)
end
def oauth_client
@client ||= begin
::OAuth2::Client.new(
oauth_app.uid,
oauth_app.secret,
{
site: primary_node_url,
authorize_url: 'oauth/authorize',
token_url: 'oauth/token'
}
)
end
end
def oauth_app
Gitlab::Geo.oauth_authentication
end
def authenticate_endpoint
File.join(primary_node_url, API_PREFIX, 'user')
end
def primary_node_url def primary_node_url
Gitlab::Geo.primary_node.url Gitlab::Geo.primary_node.url
end end
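Review bot: `oauth_client` calls `oauth_app.uid` and `oauth_app.secret`, but `Gitlab::Geo.oauth_authentication` (the body of `oauth_app`, shown in the last hunk of this commit) returns `false` when the node is not a secondary, so on a primary or misconfigured node the failure surfaces as a `NoMethodError` on `false` inside `OAuth2::Client` construction rather than a clear error; the controller's old `client` method had the same gap, so the refactor preserves it. A guard at the top of `oauth_client`, `app = oauth_app` followed by `raise 'Geo OAuth application is not available on this node' unless app`, makes the precondition explicit. The `@client ||= begin … end` wrapper is redundant since the right-hand side is a single expression. `oauth_salt` now memoizes per instance, so repeated `generate_oauth_state` calls on one `Geo::OauthSession` reuse the same salt that feeds `generate_oauth_hmac`; a one-line comment on `oauth_salt` stating that a session instance is meant to be single-use would document that.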
...@@ -43,7 +43,7 @@ module Gitlab ...@@ -43,7 +43,7 @@ module Gitlab
def self.oauth_authentication def self.oauth_authentication
return false unless Gitlab::Geo.secondary? return false unless Gitlab::Geo.secondary?
Gitlab::Geo.current_node.oauth_application RequestStore.store[:geo_oauth_application] ||= Gitlab::Geo.current_node.oauth_application
end end
end end
end end
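Review bot: `RequestStore.store[:geo_oauth_application] ||= …` only memoizes a truthy result, so when `current_node.oauth_application` is `nil` the lookup is repeated on every call within the request, and the `return false` path above never touches the store. If that is intended it is worth a comment on the line, e.g. `# memoized per request via RequestStore; a nil application is not cached`. With `Geo::OauthSession#oauth_app` now also calling this, callers should expect `false` as well as an application object.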