Commit 79e4bb8d authored by Kamil Trzcinski's avatar Kamil Trzcinski

Refactor Gitlab::Auth to simplify the data flow

parent 11337217
module Gitlab module Gitlab
module Auth module Auth
Result = Struct.new(:user, :project, :type, :capabilities) class Result
attr_reader :user, :project, :type, :capabilities
def initialize?(user = nil, project = nil, type = nil, capabilities = nil)
@user, @project, @type, @capabilities = user, project, type, capabilities
end
def success?
user.present? || [:ci, :missing_personal_token].include?(type)
end
end
class << self class << self
def find_for_git_client(login, password, project:, ip:) def find_for_git_client(login, password, project:, ip:)
raise "Must provide an IP for rate limiting" if ip.nil? raise "Must provide an IP for rate limiting" if ip.nil?
result = Result.new result = service_access_token_check(login, password, project) ||
build_access_token_check(login, password) ||
if valid_ci_request?(login, password, project) user_with_password_for_git(login, password) ||
result = Result.new(nil, project, :ci, restricted_capabilities) oauth_access_token_check(login, password) ||
else personal_access_token_check(login, password) ||
result = populate_result(login, password) Result.new
end
success = result.user.present? || [:ci, :missing_personal_token].include?(result.type) rate_limit!(ip, success: result.success?, login: login)
rate_limit!(ip, success: success, login: login)
result result
end end
...@@ -57,10 +65,10 @@ module Gitlab ...@@ -57,10 +65,10 @@ module Gitlab
private private
def valid_ci_request?(login, password, project) def service_access_token_check(login, password, project)
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login) matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
return false unless project && matched_login.present? return unless project && matched_login.present?
underscored_service = matched_login['service'].underscore underscored_service = matched_login['service'].underscore
...@@ -69,31 +77,24 @@ module Gitlab ...@@ -69,31 +77,24 @@ module Gitlab
# in the Service.available_services_names whitelist. # in the Service.available_services_names whitelist.
service = project.public_send("#{underscored_service}_service") service = project.public_send("#{underscored_service}_service")
service && service.activated? && service.valid_token?(password) if service && service.activated? && service.valid_token?(password)
end Result.new(nil, project, :ci, restricted_capabilities)
end
def populate_result(login, password)
result =
build_access_token_check(login, password) ||
user_with_password_for_git(login, password) ||
oauth_access_token_check(login, password) ||
personal_access_token_check(login, password)
if result
result.type = nil unless result.capabilities
if result.user && result.user.two_factor_enabled? && result.type == :gitlab_or_ldap
result.type = :missing_personal_token
end end
end end
result || Result.new
end end
def user_with_password_for_git(login, password) def user_with_password_for_git(login, password)
user = find_with_user_password(login, password) user = find_with_user_password(login, password)
Result.new(user, :gitlab_or_ldap, nil, full_capabilities) if user return unless user
type =
if user.two_factor_enabled?
:missing_personal_token
else
:gitlab_or_ldap
end
Result.new(user, type, nil, full_capabilities)
end end
def oauth_access_token_check(login, password) def oauth_access_token_check(login, password)
...@@ -101,7 +102,7 @@ module Gitlab ...@@ -101,7 +102,7 @@ module Gitlab
token = Doorkeeper::AccessToken.by_token(password) token = Doorkeeper::AccessToken.by_token(password)
if token && token.accessible? if token && token.accessible?
user = User.find_by(id: token.resource_owner_id) user = User.find_by(id: token.resource_owner_id)
Result.new(user, nil, :oauth, full_capabilities) Result.new(user, nil, :oauth, read_capabilities)
end end
end end
end end
...@@ -140,11 +141,16 @@ module Gitlab ...@@ -140,11 +141,16 @@ module Gitlab
] ]
end end
def full_capabilities def read_capabilities
restricted_capabilities + [ restricted_capabilities + [
:download_code, :download_code,
:read_container_image
]
end
def full_capabilities
read_capabilities + [
:push_code, :push_code,
:read_container_image,
:update_container_image :update_container_image
] ]
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment