Memoize job token

c05c3c9f · Giorgenes Gelatti · fd42e347 · c05c3c9f · c05c3c9f
Commit c05c3c9f authored Nov 08, 2019 by Giorgenes Gelatti
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 23 deletions

ee/lib/ee/api/helpers.rb ee/lib/ee/api/helpers.rb +5 -1

ee/lib/ee/gitlab/auth/user_auth_finders.rb ee/lib/ee/gitlab/auth/user_auth_finders.rb +20 -22

No files found.
--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -140,7 +140,11 @@ module EE
      end

      def job_token_authentication?
-        initial_current_user && @job_token_authentication # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        initial_current_user && find_current_job
+      end
+
+      def current_ci_job
+        find_current_job
      end

      def warden

--- a/ee/lib/ee/gitlab/auth/user_auth_finders.rb
+++ b/ee/lib/ee/gitlab/auth/user_auth_finders.rb
@@ -6,27 +6,22 @@ module EE
      module UserAuthFinders
        extend ActiveSupport::Concern
        extend ::Gitlab::Utils::Override
+        include ::Gitlab::Utils::StrongMemoize

        JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
        JOB_TOKEN_PARAM = :job_token

        def find_user_from_bearer_token
-          find_user_from_job_bearer_token ||
+          find_current_job&.user ||
            find_user_from_access_token
        end

        def find_user_from_job_token
-          return unless route_authentication_setting[:job_token_allowed]
-
-          token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
-          return unless token.present?
-
-          job = ::Ci::Build.find_by_token(token)
-          raise ::Gitlab::Auth::UnauthorizedError unless job
+          return unless job_token

-          @job_token_authentication = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          raise ::Gitlab::Auth::UnauthorizedError unless find_current_job

-          job.user
+          find_current_job.user
        end

        override :find_oauth_access_token
@@ -38,28 +33,31 @@ module EE

        override :validate_access_token!
        def validate_access_token!(scopes: [])
-          # return early if we've already authenticated via a job token
-          @job_token_authentication.present? || super # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          # if we have a successful job token, don't go ahead and try regular validation as it will fail
+          # for the job token
+          find_current_job || super
        end

        def scim_request?
          current_request.path.starts_with?("/api/scim/")
        end

-        private
+        def find_current_job
+          return unless job_token

-        def find_user_from_job_bearer_token
-          return unless route_authentication_setting[:job_token_allowed]
-
-          token = parsed_oauth_token
-          return unless token
+          strong_memoize(:find_current_job) do
+            ::Ci::Build.find_by_token(job_token)
+          end
+        end

-          job = ::Ci::Build.find_by_token(token)
-          return unless job
+        private

-          @job_token_authentication = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        def job_token
+          return unless route_authentication_setting[:job_token_allowed]

-          job.user
+          strong_memoize(:job_token) do
+            (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER] || parsed_oauth_token).to_s
+          end
        end
      end
    end