Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Tatuya Kamada
gitlab-ce
Commits
1dea54c2
Commit
1dea54c2
authored
May 09, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove unused parts
parent
0094d8f1
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
0 additions
and
190 deletions
+0
-190
config/gitlab.yml.example
config/gitlab.yml.example
+0
-1
config/initializers/1_settings.rb
config/initializers/1_settings.rb
+0
-1
lib/api/api.rb
lib/api/api.rb
+0
-1
lib/api/auth.rb
lib/api/auth.rb
+0
-187
No files found.
config/gitlab.yml.example
View file @
1dea54c2
...
@@ -184,7 +184,6 @@ production: &base
...
@@ -184,7 +184,6 @@ production: &base
# internal_host: localhost
# internal_host: localhost
# key: config/registry.key
# key: config/registry.key
# issuer: omnibus-certificate
# issuer: omnibus-certificate
# path: shared/registry
#
#
# 2. GitLab CI settings
# 2. GitLab CI settings
...
...
config/initializers/1_settings.rb
View file @
1dea54c2
...
@@ -272,7 +272,6 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes
...
@@ -272,7 +272,6 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes
#
#
Settings
[
'registry'
]
||=
Settingslogic
.
new
({})
Settings
[
'registry'
]
||=
Settingslogic
.
new
({})
Settings
.
registry
[
'registry'
]
=
false
if
Settings
.
registry
[
'enabled'
].
nil?
Settings
.
registry
[
'registry'
]
=
false
if
Settings
.
registry
[
'enabled'
].
nil?
Settings
.
registry
[
'path'
]
=
File
.
expand_path
(
Settings
.
registry
[
'path'
]
||
File
.
join
(
Settings
.
shared
[
'path'
],
"registry"
),
Rails
.
root
)
Settings
.
registry
[
'host'
]
||=
"example.com"
Settings
.
registry
[
'host'
]
||=
"example.com"
Settings
.
registry
[
'internal_host'
]
||=
"localhost"
Settings
.
registry
[
'internal_host'
]
||=
"localhost"
Settings
.
registry
[
'key'
]
||=
nil
Settings
.
registry
[
'key'
]
||=
nil
...
...
lib/api/api.rb
View file @
1dea54c2
...
@@ -58,6 +58,5 @@ module API
...
@@ -58,6 +58,5 @@ module API
mount
Variables
mount
Variables
mount
Runners
mount
Runners
mount
Licenses
mount
Licenses
mount
Auth
end
end
end
end
lib/api/auth.rb
deleted
100644 → 0
View file @
0094d8f1
module
API
# Projects builds API
class
Auth
<
Grape
::
API
namespace
'auth'
do
get
'token'
do
required_attributes!
[
:service
]
keys
=
attributes_for_keys
[
:offline_token
,
:scope
,
:service
]
case
keys
[
:service
]
when
'docker'
docker_token_auth
(
keys
[
:scope
],
keys
[
:offline_token
])
else
not_found!
end
end
end
helpers
do
def
docker_token_auth
(
scope
,
offline_token
)
auth!
if
offline_token
forbidden!
unless
@user
elsif
scope
@type
,
@path
,
actions
=
scope
.
split
(
':'
,
3
)
bad_request!
(
"invalid type:
#{
@type
}
"
)
unless
@type
==
'repository'
@actions
=
actions
.
split
(
','
)
bad_request!
(
'missing actions'
)
if
@actions
.
empty?
@project
=
Project
.
find_with_namespace
(
@path
)
not_found!
(
'Project'
)
unless
@project
authorize_actions!
(
@actions
)
end
{
token:
encode
(
docker_payload
)
}
end
def
auth!
auth
=
BasicRequest
.
new
(
request
.
env
)
return
unless
auth
.
provided?
return
bad_request
unless
auth
.
basic?
# Authentication with username and password
login
,
password
=
auth
.
credentials
if
ci_request?
(
login
,
password
)
@ci
=
true
return
end
@user
=
authenticate_user
(
login
,
password
)
if
@user
request
.
env
[
'REMOTE_USER'
]
=
@user
.
username
end
end
def
ci_request?
(
login
,
password
)
matched_login
=
/(?<s>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
if
@project
&&
matched_login
.
present?
underscored_service
=
matched_login
[
's'
].
underscore
if
underscored_service
==
'gitlab_ci'
return
@project
.
valid_build_token?
(
password
)
end
end
false
end
def
authenticate_user
(
login
,
password
)
user
=
Gitlab
::
Auth
.
new
.
find
(
login
,
password
)
# If the user authenticated successfully, we reset the auth failure count
# from Rack::Attack for that IP. A client may attempt to authenticate
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives from occurring.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config
=
Gitlab
.
config
.
rack_attack
.
git_basic_auth
if
config
.
enabled
if
user
# A successful login will reset the auth failure count from this IP
Rack
::
Attack
::
Allow2Ban
.
reset
(
@request
.
ip
,
config
)
else
banned
=
Rack
::
Attack
::
Allow2Ban
.
filter
(
@request
.
ip
,
config
)
do
# Unless the IP is whitelisted, return true so that Allow2Ban
# increments the counter (stored in Rails.cache) for the IP
if
config
.
ip_whitelist
.
include?
(
@request
.
ip
)
false
else
true
end
end
if
banned
Rails
.
logger
.
info
"IP
#{
@request
.
ip
}
failed to login "
\
"as
#{
login
}
but has been temporarily banned from Git auth"
end
end
end
user
end
def
docker_payload
issued_at
=
Time
.
now
{
access:
[
type:
@type
,
name:
@path
,
actions:
@actions
],
iss:
Gitlab
.
config
.
registry
.
issuer
,
aud:
"docker"
,
sub:
@user
.
try
(
:username
),
aud:
@service
,
iat:
issued_at
,
nbf:
issued_at
-
5
.
seconds
,
exp:
issued_at
+
60
.
minutes
,
jti:
SecureRandom
.
uuid
,
exp:
Time
.
now
.
to_i
+
3600
}.
compact
end
def
private_key
@private_key
||=
OpenSSL
::
PKey
::
RSA
.
new
File
.
read
Gitlab
.
config
.
registry
.
key
end
def
encode
(
payload
)
headers
=
{
kid:
kid
(
private_key
)
}
JWT
.
encode
(
payload
,
private_key
,
'RS256'
,
headers
)
end
def
authorize_actions!
(
actions
)
actions
.
each
do
|
action
|
forbidden!
unless
can_access?
(
action
)
end
end
def
can_access?
(
action
)
case
action
when
'pull'
@ci
||
can?
(
@user
,
:download_code
,
@project
)
when
'push'
@ci
||
can?
(
@user
,
:push_code
,
@project
)
else
false
end
end
def
kid
(
private_key
)
sha256
=
Digest
::
SHA256
.
new
sha256
.
update
(
private_key
.
public_key
.
to_der
)
payload
=
StringIO
.
new
(
sha256
.
digest
).
read
(
30
)
Base32
.
encode
(
payload
).
split
(
""
).
each_slice
(
4
).
each_with_object
([])
do
|
slice
,
mem
|
mem
<<
slice
.
join
end
.
join
(
":"
)
end
class
BasicRequest
<
Rack
::
Auth
::
AbstractRequest
def
basic?
"basic"
==
scheme
end
def
credentials
@credentials
||=
params
.
unpack
(
"m*"
).
first
.
split
(
/:/
,
2
)
end
def
username
credentials
.
first
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment