debian-mirror-gitlab/lib/gitlab/auth.rb

416 lines
14 KiB
Ruby
Raw Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
module Gitlab
module Auth
2018-03-17 18:26:18 +05:30
MissingPersonalAccessTokenError = Class.new(StandardError)
2020-01-01 13:55:28 +05:30
IpBlacklisted = Class.new(StandardError)
2017-08-17 22:00:37 +05:30
2019-07-31 22:56:46 +05:30
# Scopes used for GitLab API access
2020-04-22 19:07:51 +05:30
API_SCOPES = [:api, :read_user, :read_api].freeze
2019-07-31 22:56:46 +05:30
# Scopes used for GitLab Repository access
REPOSITORY_SCOPES = [:read_repository, :write_repository].freeze
# Scopes used for GitLab Docker Registry access
2020-04-22 19:07:51 +05:30
REGISTRY_SCOPES = [:read_registry, :write_registry].freeze
2017-09-10 17:25:29 +05:30
2019-07-31 22:56:46 +05:30
# Scopes used for GitLab as admin
ADMIN_SCOPES = [:sudo].freeze
2017-08-17 22:00:37 +05:30
# Scopes used for OpenID Connect
OPENID_SCOPES = [:openid].freeze
2019-03-02 22:35:43 +05:30
# OpenID Connect profile scopes
PROFILE_SCOPES = [:profile, :email].freeze
2017-08-17 22:00:37 +05:30
# Default scopes for OAuth applications that don't define their own
DEFAULT_SCOPES = [:api].freeze
2020-10-24 23:57:45 +05:30
CI_JOB_USER = 'gitlab-ci-token'
class << self
2021-06-08 01:23:25 +05:30
prepend_mod_with('Gitlab::Auth') # rubocop: disable Cop/InjectEnterpriseEditionModule
2019-12-04 20:38:33 +05:30
2018-11-18 11:00:15 +05:30
def omniauth_enabled?
Gitlab.config.omniauth.enabled
2018-11-08 19:23:39 +05:30
end
def find_for_git_client(login, password, project:, ip:)
raise "Must provide an IP for rate limiting" if ip.nil?
2020-01-01 13:55:28 +05:30
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
raise IpBlacklisted if !skip_rate_limit?(login: login) && rate_limiter.banned?
2017-08-17 22:00:37 +05:30
# `user_with_password_for_git` should be the last check
# because it's the most expensive, especially when LDAP
# is enabled.
2016-09-29 09:46:39 +05:30
result =
service_request_check(login, password, project) ||
build_access_token_check(login, password) ||
2018-03-17 18:26:18 +05:30
lfs_token_check(login, password, project) ||
2017-08-17 22:00:37 +05:30
oauth_access_token_check(login, password) ||
2020-11-24 15:15:51 +05:30
personal_access_token_check(password, project) ||
2020-03-13 15:44:24 +05:30
deploy_token_check(login, password, project) ||
2017-09-10 17:25:29 +05:30
user_with_password_for_git(login, password) ||
2021-10-27 15:23:28 +05:30
Gitlab::Auth::Result::EMPTY
2020-01-01 13:55:28 +05:30
rate_limit!(rate_limiter, success: result.success?, login: login)
2020-03-13 15:44:24 +05:30
look_to_limit_user(result.actor)
2018-03-17 18:26:18 +05:30
return result if result.success? || authenticate_using_internal_or_ldap_password?
2017-09-10 17:25:29 +05:30
# If sign-in is disabled and LDAP is not configured, recommend a
# personal access token on failed auth attempts
2018-03-17 18:26:18 +05:30
raise Gitlab::Auth::MissingPersonalAccessTokenError
end
2020-09-03 11:15:55 +05:30
# Find and return a user if the provided password is valid for various
# authenticators (OAuth, LDAP, Local Database).
#
# Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`.
# CAUTION: Avoid incrementing failed attempts when authentication falls through
# different mechanisms, as in `.find_for_git_client`. This may lead to
# unwanted access locks when the value provided for `password` was actually
# a PAT, deploy token, etc.
def find_with_user_password(login, password, increment_failed_attempts: false)
2018-03-27 19:54:05 +05:30
# Avoid resource intensive checks if login credentials are not provided
return unless login.present? && password.present?
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
# Nothing to do here if internal auth is disabled and LDAP is
# not configured
return unless authenticate_using_internal_or_ldap_password?
2017-08-17 22:00:37 +05:30
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
user = User.by_login(login)
2021-06-02 17:11:27 +05:30
break if user && !can_user_login_with_non_expired_password?(user)
2018-03-27 19:54:05 +05:30
authenticators = []
if user
authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, 'database')
# Add authenticators for all identities if user is not nil
user&.identities&.each do |identity|
authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, identity.provider)
end
else
# If no user is provided, try LDAP.
# LDAP users are only authenticated via LDAP
2020-04-08 14:13:33 +05:30
authenticators << Gitlab::Auth::Ldap::Authentication
2017-08-17 22:00:37 +05:30
end
2018-03-27 19:54:05 +05:30
authenticators.compact!
2018-04-04 21:44:52 +05:30
# return found user that was authenticated first for given login credentials
2020-09-03 11:15:55 +05:30
authenticated_user = authenticators.find do |auth|
2018-04-04 21:44:52 +05:30
authenticated_user = auth.login(login, password)
break authenticated_user if authenticated_user
end
2020-09-03 11:15:55 +05:30
user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
authenticated_user
end
end
2020-01-01 13:55:28 +05:30
private
def rate_limit!(rate_limiter, success:, login:)
return if skip_rate_limit?(login: login)
if success
# Repeated login 'failures' are normal behavior for some Git clients so
# it is important to reset the ban counter once the client has proven
# they are not a 'bad guy'.
rate_limiter.reset!
else
# Register a login failure so that Rack::Attack can block the next
# request from this IP if needed.
2020-01-01 13:55:28 +05:30
# This returns true when the failures are over the threshold and the IP
# is banned.
if rate_limiter.register_fail!
2020-11-24 15:15:51 +05:30
Gitlab::AppLogger.info "IP #{rate_limiter.ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
2019-12-04 20:38:33 +05:30
def skip_rate_limit?(login:)
2020-10-24 23:57:45 +05:30
CI_JOB_USER == login
2019-12-04 20:38:33 +05:30
end
2020-03-13 15:44:24 +05:30
def look_to_limit_user(actor)
Gitlab::Auth::UniqueIpsLimiter.limit_user!(actor) if actor.is_a?(User)
end
2018-03-17 18:26:18 +05:30
def authenticate_using_internal_or_ldap_password?
2020-04-08 14:13:33 +05:30
Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::Ldap::Config.enabled?
2018-03-17 18:26:18 +05:30
end
2016-09-29 09:46:39 +05:30
def service_request_check(login, password, project)
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
2016-09-29 09:46:39 +05:30
return unless project && matched_login.present?
underscored_service = matched_login['service'].underscore
2021-09-30 23:02:18 +05:30
return unless Integration.available_integration_names.include?(underscored_service)
2021-09-04 01:27:46 +05:30
# We treat underscored_service as a trusted input because it is included
2021-09-30 23:02:18 +05:30
# in the Integration.available_integration_names allowlist.
2021-09-04 01:27:46 +05:30
accessor = Project.integration_association_name(underscored_service)
service = project.public_send(accessor) # rubocop:disable GitlabSecurity/PublicSend
return unless service && service.activated? && service.valid_token?(password)
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
2016-09-13 17:45:13 +05:30
end
def user_with_password_for_git(login, password)
user = find_with_user_password(login, password)
2016-09-29 09:46:39 +05:30
return unless user
2021-09-30 23:02:18 +05:30
verifier = TwoFactorAuthVerifier.new(user)
if user.two_factor_enabled? || verifier.two_factor_authentication_enforced?
raise Gitlab::Auth::MissingPersonalAccessTokenError
end
2016-09-29 09:46:39 +05:30
Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
2016-09-13 17:45:13 +05:30
end
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
2017-09-10 17:25:29 +05:30
2017-08-17 22:00:37 +05:30
if valid_oauth_token?(token)
2020-04-22 19:07:51 +05:30
user = User.id_in(token.resource_owner_id).first
2021-06-02 17:11:27 +05:30
return unless user && can_user_login_with_non_expired_password?(user)
2020-03-28 13:19:24 +05:30
2017-08-17 22:00:37 +05:30
Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
2016-09-13 17:45:13 +05:30
end
end
end
2020-11-24 15:15:51 +05:30
def personal_access_token_check(password, project)
2017-08-17 22:00:37 +05:30
return unless password.present?
2021-08-04 16:29:09 +05:30
finder_options = { state: 'active' }
finder_options[:impersonation] = false unless Gitlab.config.gitlab.impersonation_enabled
token = PersonalAccessTokensFinder.new(finder_options).find_by_token(password)
2017-08-17 22:00:37 +05:30
2020-11-24 15:15:51 +05:30
return unless token
return unless valid_scoped_token?(token, all_available_scopes)
2021-10-27 15:23:28 +05:30
if project && token.user.project_bot?
return unless token_bot_in_project?(token.user, project) || token_bot_in_group?(token.user, project)
end
2021-02-22 17:27:13 +05:30
2021-06-02 17:11:27 +05:30
if can_user_login_with_non_expired_password?(token.user) || token.user.project_bot?
2018-03-17 18:26:18 +05:30
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
2016-09-29 09:46:39 +05:30
end
end
2021-10-27 15:23:28 +05:30
def token_bot_in_project?(user, project)
project.bots.include?(user)
end
# rubocop: disable CodeReuse/ActiveRecord
# A workaround for adding group-level automation is to add the bot user of a project access token as a group member.
# In order to make project access tokens work this way during git authentication, we need to add an additional check for group membership.
# This is a temporary workaround until service accounts are implemented.
def token_bot_in_group?(user, project)
project.group && project.group.members_with_parents.where(user_id: user.id).exists?
end
# rubocop: enable CodeReuse/ActiveRecord
2017-08-17 22:00:37 +05:30
def valid_oauth_token?(token)
2017-09-10 17:25:29 +05:30
token && token.accessible? && valid_scoped_token?(token, [:api])
end
def valid_scoped_token?(token, scopes)
AccessTokenValidationService.new(token).include_any_scope?(scopes)
2017-08-17 22:00:37 +05:30
end
2018-03-17 18:26:18 +05:30
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
2020-04-22 19:07:51 +05:30
read_api: read_only_authentication_abilities,
2018-05-09 12:01:36 +05:30
read_registry: [:read_container_image],
2020-04-22 19:07:51 +05:30
write_registry: [:create_container_image],
2019-07-31 22:56:46 +05:30
read_repository: [:download_code],
write_repository: [:download_code, :push_code]
2018-03-17 18:26:18 +05:30
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
2017-08-17 22:00:37 +05:30
end
2020-03-13 15:44:24 +05:30
def deploy_token_check(login, password, project)
2018-05-09 12:01:36 +05:30
return unless password.present?
2019-12-04 20:38:33 +05:30
token = DeployToken.active.find_by_token(password)
2018-05-09 12:01:36 +05:30
return unless token && login
return if login != token.username
2020-08-19 02:56:42 +05:30
# Registry access (with jwt) does not have access to project
return if project && !token.has_access_to?(project)
2020-09-03 11:15:55 +05:30
# When repository is disabled, no resources are accessible via Deploy Token
return if project&.repository_access_level == ::ProjectFeature::DISABLED
2020-08-19 02:56:42 +05:30
2018-05-09 12:01:36 +05:30
scopes = abilities_for_scopes(token.scopes)
2019-07-31 22:56:46 +05:30
if valid_scoped_token?(token, all_available_scopes)
2020-03-13 15:44:24 +05:30
Gitlab::Auth::Result.new(token, project, :deploy_token, scopes)
2018-05-09 12:01:36 +05:30
end
end
2019-02-15 15:39:39 +05:30
def lfs_token_check(login, encoded_token, project)
2016-09-29 09:46:39 +05:30
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
actor =
if deploy_key_matches
DeployKey.find(deploy_key_matches[1])
else
User.by_login(login)
end
return unless actor
token_handler = Gitlab::LfsToken.new(actor)
authentication_abilities =
if token_handler.user?
2019-12-21 20:55:43 +05:30
read_write_project_authentication_abilities
2018-03-17 18:26:18 +05:30
elsif token_handler.deploy_key_pushable?(project)
read_write_authentication_abilities
2016-09-29 09:46:39 +05:30
else
2019-07-31 22:56:46 +05:30
read_only_authentication_abilities
2016-09-29 09:46:39 +05:30
end
2019-02-15 15:39:39 +05:30
if token_handler.token_valid?(encoded_token)
2017-08-17 22:00:37 +05:30
Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
end
2016-09-29 09:46:39 +05:30
end
def build_access_token_check(login, password)
2020-10-24 23:57:45 +05:30
return unless login == CI_JOB_USER
2016-09-29 09:46:39 +05:30
return unless password
2018-11-08 19:23:39 +05:30
build = find_build_by_token(password)
2016-09-29 09:46:39 +05:30
return unless build
return unless build.project.builds_enabled?
if build.user
2021-06-02 17:11:27 +05:30
return unless can_user_login_with_non_expired_password?(build.user) || (build.user.project_bot? && build.project.bots&.include?(build.user))
2020-03-28 13:19:24 +05:30
2016-09-29 09:46:39 +05:30
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
else
# Otherwise use generic CI credentials (backward compatibility)
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
end
2014-09-02 18:07:02 +05:30
end
2016-09-29 09:46:39 +05:30
public
def build_authentication_abilities
[
:read_project,
:build_download_code,
:build_read_container_image,
2019-12-04 20:38:33 +05:30
:build_create_container_image,
:build_destroy_container_image
2016-09-29 09:46:39 +05:30
]
end
2019-12-21 20:55:43 +05:30
def read_only_project_authentication_abilities
2016-09-29 09:46:39 +05:30
[
:read_project,
2019-12-21 20:55:43 +05:30
:download_code
]
end
def read_write_project_authentication_abilities
read_only_project_authentication_abilities + [
:push_code
]
end
def read_only_authentication_abilities
read_only_project_authentication_abilities + [
2016-09-29 09:46:39 +05:30
:read_container_image
]
end
2018-03-17 18:26:18 +05:30
def read_write_authentication_abilities
2019-07-31 22:56:46 +05:30
read_only_authentication_abilities + [
2016-09-29 09:46:39 +05:30
:push_code,
2018-03-17 18:26:18 +05:30
:create_container_image
]
end
def full_authentication_abilities
read_write_authentication_abilities + [
2017-09-10 17:25:29 +05:30
:admin_container_image
2016-09-29 09:46:39 +05:30
]
end
2017-09-10 17:25:29 +05:30
2019-07-31 22:56:46 +05:30
def available_scopes_for(current_user)
scopes = non_admin_available_scopes
scopes += ADMIN_SCOPES if current_user.admin?
2018-03-17 18:26:18 +05:30
scopes
end
2019-07-31 22:56:46 +05:30
def all_available_scopes
non_admin_available_scopes + ADMIN_SCOPES
end
2018-03-17 18:26:18 +05:30
# Other available scopes
def optional_scopes
2019-07-31 22:56:46 +05:30
all_available_scopes + OPENID_SCOPES + PROFILE_SCOPES - DEFAULT_SCOPES
2017-09-10 17:25:29 +05:30
end
2018-03-17 18:26:18 +05:30
def registry_scopes
return [] unless Gitlab.config.registry.enabled
REGISTRY_SCOPES
2017-09-10 17:25:29 +05:30
end
2018-11-08 19:23:39 +05:30
2020-05-24 23:13:21 +05:30
def resource_bot_scopes
Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth.registry_scopes - [:read_user]
end
2018-11-08 19:23:39 +05:30
private
2019-07-31 22:56:46 +05:30
def non_admin_available_scopes
API_SCOPES + REPOSITORY_SCOPES + registry_scopes
end
2018-11-08 19:23:39 +05:30
def find_build_by_token(token)
2021-09-04 01:27:46 +05:30
::Gitlab::Database::LoadBalancing::Session.current.use_primary do
::Ci::AuthJobFinder.new(token: token).execute
end
2018-11-08 19:23:39 +05:30
end
2020-09-03 11:15:55 +05:30
def user_auth_attempt!(user, success:)
return unless user && Gitlab::Database.read_write?
return user.unlock_access! if success
user.increment_failed_attempts!
end
2021-06-02 17:11:27 +05:30
def can_user_login_with_non_expired_password?(user)
2021-07-02 01:05:55 +05:30
user.can?(:log_in) && !user.password_expired_if_applicable?
2021-06-02 17:11:27 +05:30
end
2014-09-02 18:07:02 +05:30
end
end
end