BigW Consortium Gitlab

Commit 1436598e by Francisco Lopez

Moved Exceptions to Gitlab::Auth

parent aa84ef1e
...@@ -54,7 +54,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -54,7 +54,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
if current_user if current_user
log_audit_event(current_user, with: :saml) log_audit_event(current_user, with: :saml)
# Update SAML identity if data has changed. # Update SAML identity if data has changed.
identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml) identity = current_user.identities.with_extern_uid(:saml, oauth['uid']).take
if identity.nil? if identity.nil?
current_user.identities.create(extern_uid: oauth['uid'], provider: :saml) current_user.identities.create(extern_uid: oauth['uid'], provider: :saml)
redirect_to profile_account_path, notice: 'Authentication method updated' redirect_to profile_account_path, notice: 'Authentication method updated'
...@@ -98,7 +98,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -98,7 +98,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
def handle_omniauth def handle_omniauth
if current_user if current_user
# Add new authentication method # Add new authentication method
current_user.identities.find_or_create_by(extern_uid: oauth['uid'], provider: oauth['provider']) current_user.identities
.with_extern_uid(oauth['provider'], oauth['uid'])
.first_or_create(extern_uid: oauth['uid'])
log_audit_event(current_user, with: oauth['provider']) log_audit_event(current_user, with: oauth['provider'])
redirect_to profile_account_path, notice: 'Authentication method updated' redirect_to profile_account_path, notice: 'Authentication method updated'
else else
......
...@@ -93,11 +93,11 @@ module API ...@@ -93,11 +93,11 @@ module API
private private
def install_error_responders(base) def install_error_responders(base)
error_classes = [Gitlab::Auth::UserAuthFinders::MissingTokenError, error_classes = [Gitlab::Auth::MissingTokenError,
Gitlab::Auth::UserAuthFinders::TokenNotFoundError, Gitlab::Auth::TokenNotFoundError,
Gitlab::Auth::UserAuthFinders::ExpiredError, Gitlab::Auth::ExpiredError,
Gitlab::Auth::UserAuthFinders::RevokedError, Gitlab::Auth::RevokedError,
Gitlab::Auth::UserAuthFinders::InsufficientScopeError] Gitlab::Auth::InsufficientScopeError]
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
end end
...@@ -106,25 +106,25 @@ module API ...@@ -106,25 +106,25 @@ module API
proc do |e| proc do |e|
response = response =
case e case e
when Gitlab::Auth::UserAuthFinders::MissingTokenError when Gitlab::Auth::MissingTokenError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
when Gitlab::Auth::UserAuthFinders::TokenNotFoundError when Gitlab::Auth::TokenNotFoundError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token, :invalid_token,
"Bad Access Token.") "Bad Access Token.")
when Gitlab::Auth::UserAuthFinders::ExpiredError when Gitlab::Auth::ExpiredError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token, :invalid_token,
"Token is expired. You can either do re-authorization or token refresh.") "Token is expired. You can either do re-authorization or token refresh.")
when Gitlab::Auth::UserAuthFinders::RevokedError when Gitlab::Auth::RevokedError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token, :invalid_token,
"Token was revoked. You have to re-authorize from the user.") "Token was revoked. You have to re-authorize from the user.")
when Gitlab::Auth::UserAuthFinders::InsufficientScopeError when Gitlab::Auth::InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2) # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard. # does not include WWW-Authenticate header, which breaks the standard.
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new( Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
......
...@@ -398,7 +398,7 @@ module API ...@@ -398,7 +398,7 @@ module API
begin begin
@initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! } @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! }
rescue Gitlab::Auth::UserAuthFinders::UnauthorizedError rescue Gitlab::Auth::UnauthorizedError
unauthorized! unauthorized!
end end
end end
......
...@@ -17,7 +17,7 @@ module Gitlab ...@@ -17,7 +17,7 @@ module Gitlab
def find_sessionless_user def find_sessionless_user
find_user_from_access_token || find_user_from_rss_token find_user_from_access_token || find_user_from_rss_token
rescue API::APIGuard::AuthenticationException rescue Gitlab::Auth::AuthenticationException
nil nil
end end
end end
......
module Gitlab module Gitlab
module Auth module Auth
#
# Exceptions
#
AuthenticationException = Class.new(StandardError)
MissingTokenError = Class.new(AuthenticationException)
TokenNotFoundError = Class.new(AuthenticationException)
ExpiredError = Class.new(AuthenticationException)
RevokedError = Class.new(AuthenticationException)
UnauthorizedError = Class.new(AuthenticationException)
class InsufficientScopeError < AuthenticationException
attr_reader :scopes
def initialize(scopes)
@scopes = scopes.map { |s| s.try(:name) || s }
end
end
module UserAuthFinders module UserAuthFinders
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
PRIVATE_TOKEN_PARAM = :private_token PRIVATE_TOKEN_PARAM = :private_token
#
# Exceptions
#
AuthenticationException = Class.new(StandardError)
MissingTokenError = Class.new(AuthenticationException)
TokenNotFoundError = Class.new(AuthenticationException)
ExpiredError = Class.new(AuthenticationException)
RevokedError = Class.new(AuthenticationException)
UnauthorizedError = Class.new(AuthenticationException)
class InsufficientScopeError < AuthenticationException
attr_reader :scopes
def initialize(scopes)
@scopes = scopes.map { |s| s.try(:name) || s }
end
end
# Check the Rails session for valid authentication details # Check the Rails session for valid authentication details
def find_user_from_warden def find_user_from_warden
current_request.env['warden']&.authenticate if verified_request? current_request.env['warden']&.authenticate if verified_request?
......
...@@ -33,7 +33,7 @@ describe Gitlab::Auth::RequestAuthenticator do ...@@ -33,7 +33,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end end
it 'bubbles up exceptions' do it 'bubbles up exceptions' do
allow_any_instance_of(described_class).to receive(:find_user_from_warden).and_raise(Gitlab::Auth::UserAuthFinders::UnauthorizedError) allow_any_instance_of(described_class).to receive(:find_user_from_warden).and_raise(Gitlab::Auth::UnauthorizedError)
end end
end end
...@@ -59,7 +59,7 @@ describe Gitlab::Auth::RequestAuthenticator do ...@@ -59,7 +59,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end end
it 'rescue API::APIGuard::AuthenticationException exceptions' do it 'rescue API::APIGuard::AuthenticationException exceptions' do
allow_any_instance_of(described_class).to receive(:find_user_from_access_token).and_raise(Gitlab::Auth::UserAuthFinders::UnauthorizedError) allow_any_instance_of(described_class).to receive(:find_user_from_access_token).and_raise(Gitlab::Auth::UnauthorizedError)
expect(subject.find_sessionless_user).to be_blank expect(subject.find_sessionless_user).to be_blank
end end
......
...@@ -65,7 +65,7 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -65,7 +65,7 @@ describe Gitlab::Auth::UserAuthFinders do
it 'returns exception if invalid rss_token' do it 'returns exception if invalid rss_token' do
set_param(:rss_token, 'invalid_token') set_param(:rss_token, 'invalid_token')
expect { find_user_from_rss_token }.to raise_error(Gitlab::Auth::UserAuthFinders::UnauthorizedError) expect { find_user_from_rss_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end end
end end
...@@ -96,7 +96,7 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -96,7 +96,7 @@ describe Gitlab::Auth::UserAuthFinders do
env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil) allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil)
expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UserAuthFinders::UnauthorizedError) expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end end
end end
end end
...@@ -127,7 +127,7 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -127,7 +127,7 @@ describe Gitlab::Auth::UserAuthFinders do
it 'returns exception if invalid personal_access_token' do it 'returns exception if invalid personal_access_token' do
env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = 'invalid_token' env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = 'invalid_token'
expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UserAuthFinders::UnauthorizedError) expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end end
end end
...@@ -158,7 +158,7 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -158,7 +158,7 @@ describe Gitlab::Auth::UserAuthFinders do
it 'returns exception if invalid oauth_access_token' do it 'returns exception if invalid oauth_access_token' do
env['HTTP_AUTHORIZATION'] = "Bearer invalid_token" env['HTTP_AUTHORIZATION'] = "Bearer invalid_token"
expect { find_oauth_access_token }.to raise_error(Gitlab::Auth::UserAuthFinders::UnauthorizedError) expect { find_oauth_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
end end
end end
...@@ -174,20 +174,20 @@ describe Gitlab::Auth::UserAuthFinders do ...@@ -174,20 +174,20 @@ describe Gitlab::Auth::UserAuthFinders do
allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token) allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
end end
it 'returns Gitlab::Auth::UserAuthFinders::ExpiredError if token expired' do it 'returns Gitlab::Auth::ExpiredError if token expired' do
personal_access_token.expires_at = 1.day.ago personal_access_token.expires_at = 1.day.ago
expect { validate_access_token! }.to raise_error(Gitlab::Auth::UserAuthFinders::ExpiredError) expect { validate_access_token! }.to raise_error(Gitlab::Auth::ExpiredError)
end end
it 'returns Gitlab::Auth::UserAuthFinders::RevokedError if token revoked' do it 'returns Gitlab::Auth::RevokedError if token revoked' do
personal_access_token.revoke! personal_access_token.revoke!
expect { validate_access_token! }.to raise_error(Gitlab::Auth::UserAuthFinders::RevokedError) expect { validate_access_token! }.to raise_error(Gitlab::Auth::RevokedError)
end end
it 'returns Gitlab::Auth::UserAuthFinders::InsufficientScopeError if invalid token scope' do it 'returns Gitlab::Auth::InsufficientScopeError if invalid token scope' do
expect { validate_access_token!(scopes: [:sudo]) }.to raise_error(Gitlab::Auth::UserAuthFinders::InsufficientScopeError) expect { validate_access_token!(scopes: [:sudo]) }.to raise_error(Gitlab::Auth::InsufficientScopeError)
end end
end end
end end
......
...@@ -166,21 +166,21 @@ describe API::Helpers do ...@@ -166,21 +166,21 @@ describe API::Helpers do
personal_access_token = create(:personal_access_token, user: user, scopes: ['read_user']) personal_access_token = create(:personal_access_token, user: user, scopes: ['read_user'])
env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
expect { current_user }.to raise_error Gitlab::Auth::UserAuthFinders::InsufficientScopeError expect { current_user }.to raise_error Gitlab::Auth::InsufficientScopeError
end end
it 'does not allow revoked tokens' do it 'does not allow revoked tokens' do
personal_access_token.revoke! personal_access_token.revoke!
env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
expect { current_user }.to raise_error Gitlab::Auth::UserAuthFinders::RevokedError expect { current_user }.to raise_error Gitlab::Auth::RevokedError
end end
it 'does not allow expired tokens' do it 'does not allow expired tokens' do
personal_access_token.update_attributes!(expires_at: 1.day.ago) personal_access_token.update_attributes!(expires_at: 1.day.ago)
env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
expect { current_user }.to raise_error Gitlab::Auth::UserAuthFinders::ExpiredError expect { current_user }.to raise_error Gitlab::Auth::ExpiredError
end end
end end
end end
...@@ -392,7 +392,7 @@ describe API::Helpers do ...@@ -392,7 +392,7 @@ describe API::Helpers do
end end
it 'raises an error' do it 'raises an error' do
expect { current_user }.to raise_error Gitlab::Auth::UserAuthFinders::InsufficientScopeError expect { current_user }.to raise_error Gitlab::Auth::InsufficientScopeError
end end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment