Commit
79e4bb8d
authored
Sep 14, 2016
by
Kamil Trzcinski
Refactor Gitlab::Auth to simplify the data flow
parent
11337217
Showing
1 changed file
with
40 additions
and
34 deletions
+40
-34
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+40
-34
lib/gitlab/auth.rb
module
Gitlab
module
Gitlab
module
Auth
module
Auth
Result
=
Struct
.
new
(
:user
,
:project
,
:type
,
:capabilities
)
class
Result
attr_reader
:user
,
:project
,
:type
,
:capabilities
def
initialize?
(
user
=
nil
,
project
=
nil
,
type
=
nil
,
capabilities
=
nil
)
@user
,
@project
,
@type
,
@capabilities
=
user
,
project
,
type
,
capabilities
end
def
success?
user
.
present?
||
[
:ci
,
:missing_personal_token
].
include?
(
type
)
end
end
class
<<
self
class
<<
self
def
find_for_git_client
(
login
,
password
,
project
:,
ip
:)
def
find_for_git_client
(
login
,
password
,
project
:,
ip
:)
raise
"Must provide an IP for rate limiting"
if
ip
.
nil?
raise
"Must provide an IP for rate limiting"
if
ip
.
nil?
result
=
Result
.
new
result
=
service_access_token_check
(
login
,
password
,
project
)
||
build_access_token_check
(
login
,
password
)
||
if
valid_ci_request?
(
login
,
password
,
project
)
user_with_password_for_git
(
login
,
password
)
||
result
=
Result
.
new
(
nil
,
project
,
:ci
,
restricted_capabilities
)
oauth_access_token_check
(
login
,
password
)
||
else
personal_access_token_check
(
login
,
password
)
||
result
=
populate_result
(
login
,
password
)
Result
.
new
end
success
=
result
.
user
.
present?
||
[
:ci
,
:missing_personal_token
].
include?
(
result
.
type
)
rate_limit!
(
ip
,
success:
result
.
success?
,
login:
login
)
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
result
end
end
...
@@ -57,10 +65,10 @@ module Gitlab
...
@@ -57,10 +65,10 @@ module Gitlab
private
private
def
valid_ci_request?
(
login
,
password
,
project
)
def
service_access_token_check
(
login
,
password
,
project
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
return
false
unless
project
&&
matched_login
.
present?
return
unless
project
&&
matched_login
.
present?
underscored_service
=
matched_login
[
'service'
].
underscore
underscored_service
=
matched_login
[
'service'
].
underscore
...
@@ -69,31 +77,24 @@ module Gitlab
...
@@ -69,31 +77,24 @@ module Gitlab
# in the Service.available_services_names whitelist.
# in the Service.available_services_names whitelist.
service
=
project
.
public_send
(
"
#{
underscored_service
}
_service"
)
service
=
project
.
public_send
(
"
#{
underscored_service
}
_service"
)
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
if
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
end
Result
.
new
(
nil
,
project
,
:ci
,
restricted_capabilities
)
end
def
populate_result
(
login
,
password
)
result
=
build_access_token_check
(
login
,
password
)
||
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
result
.
type
=
nil
unless
result
.
capabilities
if
result
.
user
&&
result
.
user
.
two_factor_enabled?
&&
result
.
type
==
:gitlab_or_ldap
result
.
type
=
:missing_personal_token
end
end
end
end
result
||
Result
.
new
end
end
def
user_with_password_for_git
(
login
,
password
)
def
user_with_password_for_git
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
Result
.
new
(
user
,
:gitlab_or_ldap
,
nil
,
full_capabilities
)
if
user
return
unless
user
type
=
if
user
.
two_factor_enabled?
:missing_personal_token
else
:gitlab_or_ldap
end
Result
.
new
(
user
,
type
,
nil
,
full_capabilities
)
end
end
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
...
@@ -101,7 +102,7 @@ module Gitlab
...
@@ -101,7 +102,7 @@ module Gitlab
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
if
token
&&
token
.
accessible?
if
token
&&
token
.
accessible?
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Result
.
new
(
user
,
nil
,
:oauth
,
full
_capabilities
)
Result
.
new
(
user
,
nil
,
:oauth
,
read
_capabilities
)
end
end
end
end
end
end
...
@@ -140,11 +141,16 @@ module Gitlab
...
@@ -140,11 +141,16 @@ module Gitlab
]
]
end
end
def
full
_capabilities
def
read
_capabilities
restricted_capabilities
+
[
restricted_capabilities
+
[
:download_code
,
:download_code
,
:read_container_image
]
end
def
full_capabilities
read_capabilities
+
[
:push_code
,
:push_code
,
:read_container_image
,
:update_container_image
:update_container_image
]
]
end
end
...
...
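Review bot: In the new `Result` class the constructor is spelled `def initialize?(...)`, so `Result.new` never runs it and `user`, `project`, `type` and `capabilities` are not set from the arguments; it should read `def initialize(user = nil, project = nil, type = nil, capabilities = nil)`. In `user_with_password_for_git` the call `Result.new(user, type, nil, full_capabilities)` passes the type in the `project` position, so `result.type` would be nil and a caller that branches on `:missing_personal_token` (presumably outside this diff) would not see that a two-factor user authenticated with only a password; `Result.new(user, nil, type, full_capabilities)` matches the reader order. That result also still carries the user and `full_capabilities` in the two-factor case, so whether password-only access is refused depends entirely on callers checking `type`, and a spec for a 2FA user with a valid password would pin that down. The old/new side of each line here is read from print order on the rendered page, so confirm these against the plain diff.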