BigW Consortium Gitlab

auth.rb 6.29 KB
Newer Older
1
module Gitlab
2
  module Auth
3
    MissingPersonalTokenError = Class.new(StandardError)
4

5 6
    SCOPES = [:api, :read_user].freeze
    DEFAULT_SCOPES = [:api].freeze
7 8
    OPTIONAL_SCOPES = SCOPES - DEFAULT_SCOPES

9
    class << self
10
      def find_for_git_client(login, password, project:, ip:)
11 12
        raise "Must provide an IP for rate limiting" if ip.nil?

13 14 15
        # `user_with_password_for_git` should be the last check
        # because it's the most expensive, especially when LDAP
        # is enabled.
16
        result =
17
          service_request_check(login, password, project) ||
18
          build_access_token_check(login, password) ||
19
          lfs_token_check(login, password) ||
20
          oauth_access_token_check(login, password) ||
21
          personal_access_token_check(login, password) ||
22
          user_with_password_for_git(login, password) ||
23
          Gitlab::Auth::Result.new
24

25
        rate_limit!(ip, success: result.success?, login: login)
26

27
        result
28 29
      end

30
      def find_with_user_password(login, password)
31 32 33 34 35 36 37 38 39 40 41 42 43 44
        user = User.by_login(login)

        # If no user is found, or it's an LDAP server, try LDAP.
        #   LDAP users are only authenticated via LDAP
        if user.nil? || user.ldap_user?
          # Second chance - try LDAP authentication
          return nil unless Gitlab::LDAP::Config.enabled?

          Gitlab::LDAP::Authentication.login(login, password)
        else
          user if user.valid_password?(password)
        end
      end

Jacob Vosmaer committed
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
      def rate_limit!(ip, success:, login:)
        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
        return unless rate_limiter.enabled?

        if success
          # Repeated login 'failures' are normal behavior for some Git clients so
          # it is important to reset the ban counter once the client has proven
          # they are not a 'bad guy'.
          rate_limiter.reset!
        else
          # Register a login failure so that Rack::Attack can block the next
          # request from this IP if needed.
          rate_limiter.register_fail!

          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end
        end
      end

66 67
      private

68
      def service_request_check(login, password, project)
69 70
        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)

71
        return unless project && matched_login.present?
72 73 74

        underscored_service = matched_login['service'].underscore

75
        if Service.available_services_names.include?(underscored_service)
76 77
          # We treat underscored_service as a trusted input because it is included
          # in the Service.available_services_names whitelist.
Jacob Vosmaer committed
78
          service = project.public_send("#{underscored_service}_service")
79

80
          if service && service.activated? && service.valid_token?(password)
81
            Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
82 83 84 85 86 87
          end
        end
      end

      def user_with_password_for_git(login, password)
        user = find_with_user_password(login, password)
88 89
        return unless user

90
        raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?
91

92
        Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
93 94
      end

95 96 97
      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)
98
          if valid_oauth_token?(token)
99
            user = User.find_by(id: token.resource_owner_id)
100
            Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
101
          end
102 103
        end
      end
104 105 106

      def personal_access_token_check(login, password)
        if login && password
107
          token = PersonalAccessToken.active.find_by_token(password)
108
          validation = User.by_login(login)
109

110
          if valid_personal_access_token?(token, validation)
111 112
            Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
          end
113 114
        end
      end
115

116
      def valid_oauth_token?(token)
117
        token && token.accessible? && valid_api_token?(token)
118 119 120
      end

      def valid_personal_access_token?(token, user)
121
        token && token.user == user && valid_api_token?(token)
122 123
      end

124
      def valid_api_token?(token)
125
        AccessTokenValidationService.new(token).include_any_scope?(['api'])
126 127
      end

128 129 130 131 132 133 134 135 136 137
      def lfs_token_check(login, password)
        deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)

        actor =
          if deploy_key_matches
            DeployKey.find(deploy_key_matches[1])
          else
            User.by_login(login)
          end

138
        return unless actor
139

140
        token_handler = Gitlab::LfsToken.new(actor)
141

142 143 144 145 146 147 148
        authentication_abilities =
          if token_handler.user?
            full_authentication_abilities
          else
            read_authentication_abilities
          end

149 150 151
        if Devise.secure_compare(token_handler.token, password)
          Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
        end
152 153
      end

154 155 156 157
      def build_access_token_check(login, password)
        return unless login == 'gitlab-ci-token'
        return unless password

158
        build = ::Ci::Build.running.find_by_token(password)
159
        return unless build
Kamil Trzcinski committed
160
        return unless build.project.builds_enabled?
161 162 163

        if build.user
          # If user is assigned to build, use restricted credentials of user
164
          Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
165 166
        else
          # Otherwise use generic CI credentials (backward compatibility)
167
          Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
168 169
        end
      end
170

171 172
      public

173
      def build_authentication_abilities
174 175
        [
          :read_project,
176 177 178
          :build_download_code,
          :build_read_container_image,
          :build_create_container_image
179 180 181
        ]
      end

182
      def read_authentication_abilities
183 184
        [
          :read_project,
185
          :download_code,
186 187 188 189
          :read_container_image
        ]
      end

190 191
      def full_authentication_abilities
        read_authentication_abilities + [
192
          :push_code,
193
          :create_container_image
194 195
        ]
      end
196
    end
197 198
  end
end