debian-mirror-gitlab/lib/gitlab/kas/user_access.rb

# frozen_string_literal: true

module Gitlab
  module Kas
    # The name of the cookie that will be used for the KAS cookie
    COOKIE_KEY = '_gitlab_kas'
    DEFAULT_ENCRYPTED_COOKIE_CIPHER = 'aes-256-gcm'

    class UserAccess
      class << self
        def enabled?
          ::Gitlab::Kas.enabled? && ::Feature.enabled?(:kas_user_access)
        end

        def enabled_for?(agent)
          enabled? && ::Feature.enabled?(:kas_user_access_project, agent.project)
        end

        def encrypt_public_session_id(data)
          encryptor.encrypt_and_sign(data.to_json, purpose: public_session_id_purpose)
        end

        def decrypt_public_session_id(data)
          decrypted = encryptor.decrypt_and_verify(data, purpose: public_session_id_purpose)
          ::Gitlab::Json.parse(decrypted)
        end

        def valid_authenticity_token?(session, masked_authenticity_token)
          # rubocop:disable GitlabSecurity/PublicSend
          ActionController::Base.new.send(:valid_authenticity_token?, session, masked_authenticity_token)
          # rubocop:enable GitlabSecurity/PublicSend
        end

        def cookie_data(public_session_id)
          uri = URI(::Gitlab::Kas.tunnel_url)

          cookie = {
            value: encrypt_public_session_id(public_session_id),
            expires: 1.day,
            httponly: true,
            path: uri.path.presence || '/',
            secure: Gitlab.config.gitlab.https
          }
          # Only set domain attribute if KAS is on a subdomain.
          # When on the same domain, we can omit the attribute.
          gitlab_host = Gitlab.config.gitlab.host
          cookie[:domain] = gitlab_host if uri.host.end_with?(".#{gitlab_host}")

          cookie
        end

        private

        def encryptor
          action_dispatch_config = Gitlab::Application.config.action_dispatch
          serializer = ActiveSupport::MessageEncryptor::NullSerializer
          key_generator = ::Gitlab::Application.key_generator

          cipher = action_dispatch_config.encrypted_cookie_cipher || DEFAULT_ENCRYPTED_COOKIE_CIPHER
          salt = action_dispatch_config.authenticated_encrypted_cookie_salt
          key_len = ActiveSupport::MessageEncryptor.key_len(cipher)
          secret = key_generator.generate_key(salt, key_len)

          ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: serializer)
        end

        def public_session_id_purpose
          "kas.user_public_session_id"
        end
      end
    end
  end
end
New upstream version 15.10.7+ds1 2023-05-27 22:25:52 +05:30			`# frozen_string_literal: true`

			`module Gitlab`
			`module Kas`
			`# The name of the cookie that will be used for the KAS cookie`
			`COOKIE_KEY = '_gitlab_kas'`
			`DEFAULT_ENCRYPTED_COOKIE_CIPHER = 'aes-256-gcm'`

			`class UserAccess`
			`class << self`
			`def enabled?`
			`::Gitlab::Kas.enabled? && ::Feature.enabled?(:kas_user_access)`
			`end`

			`def enabled_for?(agent)`
			`enabled? && ::Feature.enabled?(:kas_user_access_project, agent.project)`
			`end`

			`def encrypt_public_session_id(data)`
			`encryptor.encrypt_and_sign(data.to_json, purpose: public_session_id_purpose)`
			`end`

			`def decrypt_public_session_id(data)`
			`decrypted = encryptor.decrypt_and_verify(data, purpose: public_session_id_purpose)`
			`::Gitlab::Json.parse(decrypted)`
			`end`

			`def valid_authenticity_token?(session, masked_authenticity_token)`
			`# rubocop:disable GitlabSecurity/PublicSend`
			`ActionController::Base.new.send(:valid_authenticity_token?, session, masked_authenticity_token)`
			`# rubocop:enable GitlabSecurity/PublicSend`
			`end`

			`def cookie_data(public_session_id)`
			`uri = URI(::Gitlab::Kas.tunnel_url)`

			`cookie = {`
			`value: encrypt_public_session_id(public_session_id),`
			`expires: 1.day,`
			`httponly: true,`
			`path: uri.path.presence \|\| '/',`
			`secure: Gitlab.config.gitlab.https`
			`}`
			`# Only set domain attribute if KAS is on a subdomain.`
			`# When on the same domain, we can omit the attribute.`
			`gitlab_host = Gitlab.config.gitlab.host`
			`cookie[:domain] = gitlab_host if uri.host.end_with?(".#{gitlab_host}")`

			`cookie`
			`end`

			`private`

			`def encryptor`
			`action_dispatch_config = Gitlab::Application.config.action_dispatch`
			`serializer = ActiveSupport::MessageEncryptor::NullSerializer`
			`key_generator = ::Gitlab::Application.key_generator`

			`cipher = action_dispatch_config.encrypted_cookie_cipher \|\| DEFAULT_ENCRYPTED_COOKIE_CIPHER`
			`salt = action_dispatch_config.authenticated_encrypted_cookie_salt`
			`key_len = ActiveSupport::MessageEncryptor.key_len(cipher)`
			`secret = key_generator.generate_key(salt, key_len)`

			`ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: serializer)`
			`end`

			`def public_session_id_purpose`
			`"kas.user_public_session_id"`
			`end`
			`end`
			`end`
			`end`
			`end`