debian-mirror-gitlab/lib/gitlab/backend/grack_auth.rb

191 lines
5.2 KiB
Ruby
Raw Normal View History

2014-09-02 18:07:02 +05:30
require_relative 'shell_env'
module Grack
class Auth < Rack::Auth::Basic
attr_accessor :user, :project, :env
def call(env)
@env = env
@request = Rack::Request.new(env)
@auth = Request.new(env)
2015-04-26 12:48:37 +05:30
@gitlab_ci = false
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
# Need this patch due to the rails mount
2014-09-02 18:07:02 +05:30
# Need this if under RELATIVE_URL_ROOT
unless Gitlab.config.gitlab.relative_url_root.empty?
# If website is mounted using relative_url_root need to remove it first
@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
else
@env['PATH_INFO'] = @request.path
end
@env['SCRIPT_NAME'] = ""
2015-04-26 12:48:37 +05:30
auth!
if project && authorized_request?
2015-09-11 14:41:01 +05:30
if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
# Tell gitlab-git-http-server the request is OK, and what the GL_ID is
render_grack_auth_ok
else
@app.call(env)
end
2015-04-26 12:48:37 +05:30
elsif @user.nil? && !@gitlab_ci
unauthorized
2014-09-02 18:07:02 +05:30
else
render_not_found
end
end
private
def auth!
2015-04-26 12:48:37 +05:30
return unless @auth.provided?
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
return bad_request unless @auth.basic?
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
# Authentication with username and password
login, password = @auth.credentials
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
# Allow authentication for GitLab CI service
# if valid token passed
if gitlab_ci_request?(login, password)
@gitlab_ci = true
return
2014-09-02 18:07:02 +05:30
end
2015-04-26 12:48:37 +05:30
@user = authenticate_user(login, password)
if @user
Gitlab::ShellEnv.set_env(@user)
@env['REMOTE_USER'] = @auth.username
2014-09-02 18:07:02 +05:30
end
end
def gitlab_ci_request?(login, password)
2015-04-26 12:48:37 +05:30
if login == "gitlab-ci-token" && project && project.gitlab_ci?
2014-09-02 18:07:02 +05:30
token = project.gitlab_ci_service.token
if token.present? && token == password && git_cmd == 'git-upload-pack'
return true
end
end
false
end
2015-04-26 12:48:37 +05:30
def oauth_access_token_check(login, password)
if login == "oauth2" && git_cmd == 'git-upload-pack' && password.present?
token = Doorkeeper::AccessToken.by_token(password)
token && token.accessible? && User.find_by(id: token.resource_owner_id)
end
end
2014-09-02 18:07:02 +05:30
def authenticate_user(login, password)
2015-04-26 12:48:37 +05:30
user = Gitlab::Auth.new.find(login, password)
unless user
user = oauth_access_token_check(login, password)
end
# If the user authenticated successfully, we reset the auth failure count
# from Rack::Attack for that IP. A client may attempt to authenticate
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives from occurring.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config = Gitlab.config.rack_attack.git_basic_auth
if config.enabled
if user
# A successful login will reset the auth failure count from this IP
Rack::Attack::Allow2Ban.reset(@request.ip, config)
else
banned = Rack::Attack::Allow2Ban.filter(@request.ip, config) do
# Unless the IP is whitelisted, return true so that Allow2Ban
# increments the counter (stored in Rails.cache) for the IP
if config.ip_whitelist.include?(@request.ip)
false
else
true
end
end
if banned
Rails.logger.info "IP #{@request.ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
user
2014-09-02 18:07:02 +05:30
end
def authorized_request?
2015-04-26 12:48:37 +05:30
return true if @gitlab_ci
2014-09-02 18:07:02 +05:30
case git_cmd
when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
if user
2015-04-26 12:48:37 +05:30
Gitlab::GitAccess.new(user, project).download_access_check.allowed?
2014-09-02 18:07:02 +05:30
elsif project.public?
# Allow clone/fetch for public projects
true
else
false
end
when *Gitlab::GitAccess::PUSH_COMMANDS
if user
# Skip user authorization on upload request.
2015-04-26 12:48:37 +05:30
# It will be done by the pre-receive hook in the repository.
2014-09-02 18:07:02 +05:30
true
else
false
end
else
false
end
end
def git_cmd
if @request.get?
@request.params['service']
elsif @request.post?
File.basename(@request.path)
else
nil
end
end
def project
2015-04-26 12:48:37 +05:30
return @project if defined?(@project)
@project = project_by_path(@request.path_info)
2014-09-02 18:07:02 +05:30
end
def project_by_path(path)
if m = /^([\w\.\/-]+)\.git/.match(path).to_a
path_with_namespace = m.last
path_with_namespace.gsub!(/\.wiki$/, '')
2015-04-26 12:48:37 +05:30
path_with_namespace[0] = '' if path_with_namespace.start_with?('/')
2014-09-02 18:07:02 +05:30
Project.find_with_namespace(path_with_namespace)
end
end
2015-09-11 14:41:01 +05:30
def render_grack_auth_ok
[200, { "Content-Type" => "application/json" }, [JSON.dump({ 'GL_ID' => Gitlab::ShellEnv.gl_id(@user) })]]
end
2014-09-02 18:07:02 +05:30
def render_not_found
2015-04-26 12:48:37 +05:30
[404, { "Content-Type" => "text/plain" }, ["Not Found"]]
2014-09-02 18:07:02 +05:30
end
end
end