Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Tatuya Kamada
gitlab-ce
Commits
de24075e
Commit
de24075e
authored
Sep 08, 2016
by
Patricio Cano
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Further refactoring of authentication code, and code style fixes.
parent
71aff7f6
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
48 additions
and
47 deletions
+48
-47
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+12
-8
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+27
-26
lib/gitlab/lfs_token.rb
lib/gitlab/lfs_token.rb
+9
-13
No files found.
app/controllers/projects/git_http_client_controller.rb
View file @
de24075e
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include
ActionController
::
HttpAuthentication
::
Basic
include
ActionController
::
HttpAuthentication
::
Basic
include
KerberosSpnegoHelper
include
KerberosSpnegoHelper
attr_reader
:user
attr_reader
:user
,
:actor
# Git clients will not know what authenticity token to send along
# Git clients will not know what authenticity token to send along
skip_before_action
:verify_authenticity_token
skip_before_action
:verify_authenticity_token
...
@@ -24,13 +24,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -24,13 +24,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
handle_basic_authentication
(
login
,
password
)
handle_basic_authentication
(
login
,
password
)
if
ci?
||
use
r
if
ci?
||
acto
r
return
# Allow access
return
# Allow access
end
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
@
use
r
=
find_kerberos_user
@
acto
r
=
find_kerberos_user
if
use
r
if
acto
r
send_final_spnego_response
send_final_spnego_response
return
# Allow access
return
# Allow access
end
end
...
@@ -110,6 +110,10 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -110,6 +110,10 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@ci
.
present?
@ci
.
present?
end
end
def
user
@actor
end
def
handle_basic_authentication
(
login
,
password
)
def
handle_basic_authentication
(
login
,
password
)
auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
...
@@ -117,21 +121,21 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -117,21 +121,21 @@ class Projects::GitHttpClientController < Projects::ApplicationController
when
:ci
when
:ci
@ci
=
true
if
download_request?
@ci
=
true
if
download_request?
when
:oauth
when
:oauth
@
user
=
auth_result
.
use
r
if
download_request?
@
actor
=
auth_result
.
acto
r
if
download_request?
when
:lfs_deploy_token
when
:lfs_deploy_token
if
download_request?
if
download_request?
@lfs_deploy_key
=
true
@lfs_deploy_key
=
true
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
end
end
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
else
else
# Not allowed
# Not allowed
end
end
end
end
def
lfs_deploy_key?
def
lfs_deploy_key?
@lfs_deploy_key
.
present?
&&
(
user
&&
user
.
projects
.
include?
(
project
)
)
@lfs_deploy_key
.
present?
&&
actor
&&
actor
.
projects
.
include?
(
project
)
end
end
def
verify_workhorse_api!
def
verify_workhorse_api!
...
...
lib/gitlab/auth.rb
View file @
de24075e
module
Gitlab
module
Gitlab
module
Auth
module
Auth
Result
=
Struct
.
new
(
:
use
r
,
:type
)
Result
=
Struct
.
new
(
:
acto
r
,
:type
)
class
MissingPersonalTokenError
<
StandardError
;
end
class
MissingPersonalTokenError
<
StandardError
;
end
...
@@ -49,6 +49,24 @@ module Gitlab
...
@@ -49,6 +49,24 @@ module Gitlab
private
private
def
populate_result
(
login
,
password
,
project
,
ip
)
result
=
ci_request_check
(
login
,
password
,
project
)
||
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
actor
end
success
=
result
?
result
.
actor
.
present?
||
result
.
type
==
:ci
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
end
def
valid_ci_request?
(
login
,
password
,
project
)
def
valid_ci_request?
(
login
,
password
,
project
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
...
@@ -67,31 +85,14 @@ module Gitlab
...
@@ -67,31 +85,14 @@ module Gitlab
end
end
end
end
def
populate_result
(
login
,
password
,
project
,
ip
)
def
ci_request_check
(
login
,
password
,
project
)
result
=
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
result
||=
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
user
if
result
.
user
&&
result
.
type
==
:gitlab_or_ldap
&&
result
.
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
end
end
success
=
result
?
result
.
user
.
present?
||
[
:ci
].
include?
(
result
.
type
)
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
end
end
def
user_with_password_for_git
(
login
,
password
)
def
user_with_password_for_git
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
&&
user
.
two_factor_enabled?
Result
.
new
(
user
,
:gitlab_or_ldap
)
if
user
Result
.
new
(
user
,
:gitlab_or_ldap
)
if
user
end
end
...
@@ -114,11 +115,11 @@ module Gitlab
...
@@ -114,11 +115,11 @@ module Gitlab
end
end
def
lfs_token_check
(
login
,
password
)
def
lfs_token_check
(
login
,
password
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
actor
=
actor
=
if
login
=~
/\Alfs\+deploy-key-\d+\Z/
if
deploy_key_matches
/\d+\Z/
.
match
(
login
)
do
|
id
|
DeployKey
.
find
(
deploy_key_matches
[
1
])
DeployKey
.
find
(
id
[
0
])
end
else
else
User
.
by_login
(
login
)
User
.
by_login
(
login
)
end
end
...
...
lib/gitlab/lfs_token.rb
View file @
de24075e
...
@@ -6,7 +6,15 @@ module Gitlab
...
@@ -6,7 +6,15 @@ module Gitlab
EXPIRY_TIME
=
1800
EXPIRY_TIME
=
1800
def
initialize
(
actor
)
def
initialize
(
actor
)
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
end
def
generate
def
generate
...
@@ -38,17 +46,5 @@ module Gitlab
...
@@ -38,17 +46,5 @@ module Gitlab
def
redis_key
def
redis_key
"gitlab:lfs_token:
#{
actor
.
class
.
name
.
underscore
}
_
#{
actor
.
id
}
"
if
actor
"gitlab:lfs_token:
#{
actor
.
class
.
name
.
underscore
}
_
#{
actor
.
id
}
"
if
actor
end
end
def
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment