Commit e900ff97 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Improve JwtController code

parent 9ef9e008
class JwtController < ApplicationController class JwtController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
before_action :authenticate_project_or_user
SERVICES = { SERVICES = {
'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService, 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
} }
def auth def auth
@authenticated = authenticate_with_http_basic do |login, password|
# if it's possible we first try to authenticate project with login and password
@project = authenticate_project(login, password)
@user = authenticate_user(login, password) unless @project
end
unless @authenticated
head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
end
service = SERVICES[params[:service]] service = SERVICES[params[:service]]
head :not_found unless service head :not_found unless service
...@@ -28,21 +19,30 @@ class JwtController < ApplicationController ...@@ -28,21 +19,30 @@ class JwtController < ApplicationController
private private
def authenticate_project_or_user
authenticate_with_http_basic do |login, password|
# if it's possible we first try to authenticate project with login and password
@project = authenticate_project(login, password)
return if @project
@user = authenticate_user(login, password)
return if @user
end
if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
head :forbidden
end
end
def auth_params def auth_params
params.permit(:service, :scope, :offline_token, :account, :client_id) params.permit(:service, :scope, :offline_token, :account, :client_id)
end end
def authenticate_project(login, password) def authenticate_project(login, password)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login) if login == 'gitlab_ci_token'
if matched_login.present?
underscored_service = matched_login['s'].underscore
if underscored_service == 'gitlab_ci'
Project.find_by(builds_enabled: true, runners_token: password) Project.find_by(builds_enabled: true, runners_token: password)
end end
end end
end
def authenticate_user(login, password) def authenticate_user(login, password)
user = Gitlab::Auth.new.find(login, password) user = Gitlab::Auth.new.find(login, password)
...@@ -77,6 +77,7 @@ class JwtController < ApplicationController ...@@ -77,6 +77,7 @@ class JwtController < ApplicationController
if banned if banned
Rails.logger.info "IP #{request.ip} failed to login " \ Rails.logger.info "IP #{request.ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth" "as #{login} but has been temporarily banned from Git auth"
return
end end
end end
end end
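Review bot: In the new `authenticate_project`, a `gitlab_ci_token` login with an empty password reaches `Project.find_by(builds_enabled: true, runners_token: password)` unguarded, so if any project row can carry a nil or empty `runners_token` the lookup would match it; `return if password.blank?` before the `find_by` closes that gap and deserves a comment stating that a blank token is never a valid credential. The project path also has no counterpart to the `banned` check and the `Rails.logger.info` line in `authenticate_user` (whose body begins and ends outside the visible hunks), so a failed token attempt on this path leaves no log entry unless the ban logic computed outside the hunk is applied by a caller — `Rails.logger.info "IP #{request.ip} failed to login as #{login}"` in the unsuccessful branch would keep both paths observable. The `return if @project` / `return if @user` inside the `authenticate_with_http_basic` block rely on a block-level `return` leaving the whole before_action, which is what makes the `head :forbidden` below apply only to supplied-but-rejected credentials while requests without credentials continue anonymously; a one-line comment such as `# a matched project or user returns from the before_action; only rejected credentials fall through to :forbidden` would make that intent explicit.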