debian-mirror-gitlab/lib/api/api_guard.rb

256 lines
8.5 KiB
Ruby
Raw Permalink Normal View History

2018-12-05 23:21:45 +05:30
# frozen_string_literal: true
2015-04-26 12:48:37 +05:30
# Guard API with OAuth 2.0 Access Token
require 'rack/oauth2'
2016-06-02 11:05:42 +05:30
module API
module APIGuard
extend ActiveSupport::Concern
2020-10-24 23:57:45 +05:30
include Gitlab::Utils::StrongMemoize
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
included do |base|
# OAuth2 Resource Server Authentication
use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request|
# The authenticator only fetches the raw token string
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
# Must yield access token to store it in the env
request.access_token
end
2015-04-26 12:48:37 +05:30
2019-12-21 20:55:43 +05:30
use AdminModeMiddleware
2021-01-03 14:25:43 +05:30
use ResponseCoercerMiddleware
2019-12-21 20:55:43 +05:30
2016-06-02 11:05:42 +05:30
helpers HelperMethods
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
install_error_responders(base)
end
2015-04-26 12:48:37 +05:30
2017-09-10 17:25:29 +05:30
class_methods do
# Set the authorization scope(s) allowed for an API endpoint.
#
# A call to this method maps the given scope(s) to the current API
# endpoint class. If this method is called multiple times on the same class,
# the scopes are all aggregated.
def allow_access_with_scope(scopes, options = {})
Array(scopes).each do |scope|
allowed_scopes << Scope.new(scope, options)
end
end
def allowed_scopes
@scopes ||= []
end
end
2016-06-02 11:05:42 +05:30
# Helper Methods for Grape Endpoint
module HelperMethods
2020-01-01 13:55:28 +05:30
include Gitlab::Auth::AuthFinders
2015-04-26 12:48:37 +05:30
2020-04-22 19:07:51 +05:30
def access_token
2022-08-27 11:52:29 +05:30
strong_memoize(:api_guard_access_token) do
super || find_personal_access_token_from_http_basic_auth
end
2020-04-22 19:07:51 +05:30
end
2018-03-17 18:26:18 +05:30
def find_current_user!
user = find_user_from_sources
return unless user
2017-08-17 22:00:37 +05:30
2023-04-23 21:23:45 +05:30
Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if bypass_session_for_admin_mode?(user)
2020-04-08 14:13:33 +05:30
2018-10-15 14:42:47 +05:30
unless api_access_allowed?(user)
forbidden!(api_access_denied_message(user))
end
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
user
2017-08-17 22:00:37 +05:30
end
2018-03-17 18:26:18 +05:30
def find_user_from_sources
2020-10-24 23:57:45 +05:30
strong_memoize(:find_user_from_sources) do
2021-03-08 18:12:59 +05:30
if try(:namespace_inheritable, :authentication)
user_from_namespace_inheritable ||
user_from_warden
else
deploy_token_from_request ||
find_user_from_bearer_token ||
find_user_from_job_token ||
user_from_warden
end
2020-10-24 23:57:45 +05:30
end
2016-06-02 11:05:42 +05:30
end
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
private
2015-04-26 12:48:37 +05:30
2023-04-23 21:23:45 +05:30
def bypass_session_for_admin_mode?(user)
return user.is_a?(User) && Gitlab::CurrentSettings.admin_mode if Feature.disabled?(:admin_mode_for_api)
return false unless Gitlab::CurrentSettings.admin_mode
return false unless user.is_a?(User)
Gitlab::Session.with_session(current_request.session) { Gitlab::Auth::CurrentUserMode.new(user).admin_mode? } ||
Gitlab::Auth::RequestAuthenticator.new(current_request).valid_access_token?(scopes: [:admin_mode])
end
2018-03-17 18:26:18 +05:30
# An array of scopes that were registered (using `allow_access_with_scope`)
# for the current endpoint class. It also returns scopes registered on
# `API::API`, since these are meant to apply to all API routes.
def scopes_registered_for_endpoint
@scopes_registered_for_endpoint ||=
begin
endpoint_classes = [options[:for].presence, ::API::API].compact
endpoint_classes.reduce([]) do |memo, endpoint|
if endpoint.respond_to?(:allowed_scopes)
memo.concat(endpoint.allowed_scopes)
else
memo
end
end
end
2016-06-02 11:05:42 +05:30
end
2018-10-15 14:42:47 +05:30
def api_access_allowed?(user)
2020-05-24 23:13:21 +05:30
user_allowed_or_deploy_token?(user) && user.can?(:access_api)
2018-10-15 14:42:47 +05:30
end
def api_access_denied_message(user)
Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
end
2020-05-24 23:13:21 +05:30
def user_allowed_or_deploy_token?(user)
Gitlab::UserAccess.new(user).allowed? || user.is_a?(DeployToken)
end
2020-09-03 11:15:55 +05:30
def user_from_warden
user = find_user_from_warden
return unless user
return if two_factor_required_but_not_setup?(user)
user
end
def two_factor_required_but_not_setup?(user)
verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(user)
if verifier.two_factor_authentication_required? && verifier.current_user_needs_to_setup_two_factor?
verifier.two_factor_grace_period_expired?
else
false
end
end
2015-04-26 12:48:37 +05:30
end
2018-11-20 20:47:30 +05:30
class_methods do
2016-06-02 11:05:42 +05:30
private
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
def install_error_responders(base)
2018-03-17 18:26:18 +05:30
error_classes = [Gitlab::Auth::MissingTokenError,
Gitlab::Auth::TokenNotFoundError,
Gitlab::Auth::ExpiredError,
Gitlab::Auth::RevokedError,
2019-02-15 15:39:39 +05:30
Gitlab::Auth::ImpersonationDisabled,
2018-03-17 18:26:18 +05:30
Gitlab::Auth::InsufficientScopeError]
2015-04-26 12:48:37 +05:30
2018-03-17 18:26:18 +05:30
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
2016-06-02 11:05:42 +05:30
end
def oauth2_bearer_token_error_handler
2017-08-17 22:00:37 +05:30
proc do |e|
2016-06-02 11:05:42 +05:30
response =
case e
2018-03-17 18:26:18 +05:30
when Gitlab::Auth::MissingTokenError
2016-06-02 11:05:42 +05:30
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
2018-03-17 18:26:18 +05:30
when Gitlab::Auth::TokenNotFoundError
2016-06-02 11:05:42 +05:30
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Bad Access Token.")
2018-03-17 18:26:18 +05:30
when Gitlab::Auth::ExpiredError
2016-06-02 11:05:42 +05:30
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token is expired. You can either do re-authorization or token refresh.")
2018-03-17 18:26:18 +05:30
when Gitlab::Auth::RevokedError
2016-06-02 11:05:42 +05:30
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token was revoked. You have to re-authorize from the user.")
2019-02-15 15:39:39 +05:30
when Gitlab::Auth::ImpersonationDisabled
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(
:invalid_token,
"Token is an impersonation token but impersonation was disabled.")
2018-03-17 18:26:18 +05:30
when Gitlab::Auth::InsufficientScopeError
2016-06-02 11:05:42 +05:30
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
:insufficient_scope,
Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
{ scope: e.scopes })
end
2020-07-28 23:09:34 +05:30
status, headers, body = response.finish
# Grape expects a Rack::Response
# (https://github.com/ruby-grape/grape/commit/c117bff7d22971675f4b34367d3a98bc31c8fc02),
# so we need to recreate the response again even though
# response.finish already does this.
# (https://github.com/nov/rack-oauth2/blob/40c9a99fd80486ccb8de0e4869ae384547c0d703/lib/rack/oauth2/server/abstract/error.rb#L26).
Rack::Response.new(body, status, headers)
2016-06-02 11:05:42 +05:30
end
2015-04-26 12:48:37 +05:30
end
end
2019-12-21 20:55:43 +05:30
2021-01-03 14:25:43 +05:30
# Prior to Rack v2.1.x, returning a body of [nil] or [201] worked
# because the body was coerced to a string. However, this no longer
# works in Rack v2.1.0+. The Rack spec
# (https://github.com/rack/rack/blob/master/SPEC.rdoc#the-body-)
# says:
#
# The Body must respond to `each` and must only yield String values
#
# Because it's easy to return the wrong body type, this middleware
# will:
#
# 1. Inspect each element of the body if it is an Array.
# 2. Coerce each value to a string if necessary.
# 3. Flag a test and development error.
class ResponseCoercerMiddleware < ::Grape::Middleware::Base
def call(env)
response = super(env)
status = response[0]
body = response[2]
return response if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY[status]
return response unless body.is_a?(Array)
body.map! do |part|
if part.is_a?(String)
part
else
err = ArgumentError.new("The response body should be a String, but it is of type #{part.class}")
Gitlab::ErrorTracking.track_and_raise_for_dev_exception(err)
part.to_s
end
end
response
end
end
2019-12-21 20:55:43 +05:30
class AdminModeMiddleware < ::Grape::Middleware::Base
2020-04-08 14:13:33 +05:30
def after
# Use a Grape middleware since the Grape `after` blocks might run
# before we are finished rendering the `Grape::Entity` classes
2021-04-29 21:17:54 +05:30
Gitlab::Auth::CurrentUserMode.reset_bypass_session! if Gitlab::CurrentSettings.admin_mode
2019-12-21 20:55:43 +05:30
2020-04-08 14:13:33 +05:30
# Explicit nil is needed or the api call return value will be overwritten
nil
2019-12-21 20:55:43 +05:30
end
end
2015-04-26 12:48:37 +05:30
end
end