Merge remote-tracking branch 'upstream/master' into feature/1376-allow-write-access-deploy-keys

* upstream/master: (538 commits) Reject blank environment vcariables in Gitlab::Git::RevList Add online terminal documentation Add changelog entry Add terminal UI and controller actions Fix specs Even out padding on plus button in breadcrumb menu Update font size of detail page header to 14px Update CHANGELOG.md for 8.13.10 Update CHANGELOG.md for 8.14.5 Fix Route#rename_children behavior Remove inline-block styling from status Add terminals to the Kubernetes deployment service Add a ReactiveCaching concern for use in the KubernetesService Add xterm.js 2.1.0 and a wrapper class to the asset pipeline Remove unnecessary hidden svg elements for icons. Fix consistent typo in environment.js Use a block to insert extra check for authenticate_build! Align milestone column header with count number Add Wiki import to BB importer Make CI badge hitboxes better match container ...
author: Lin Jen-Shin <godfat@godfat.org> 2016-12-20 20:54:40 +0800
committer: Lin Jen-Shin <godfat@godfat.org> 2016-12-20 20:54:40 +0800
commit: 0f0738e78867f6822dd15cb26da1f17628acde77 (patch)
tree: 0813c71b448d149afad6802e25c56a219efb0523 /lib/api/helpers.rb
parent: eb839b9af51d411a6a35786a1c1c58954da1a650 (diff)
parent: ad1a1d976c877eca16858368db0c5b3ef800db8b (diff)
download: gitlab-ce-0f0738e78867f6822dd15cb26da1f17628acde77.tar.gz
1 files changed, 69 insertions, 66 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 8b0f8deadfa..4be659fc20b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -2,72 +2,26 @@ module API
   module Helpers
     include Gitlab::Utils
 
-    PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN"
-    PRIVATE_TOKEN_PARAM = :private_token
     SUDO_HEADER = "HTTP_SUDO"
     SUDO_PARAM = :sudo
 
-    def private_token
-      params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]
-    end
-
-    def warden
-      env['warden']
-    end
-
-    # Check the Rails session for valid authentication details
-    #
-    # Until CSRF protection is added to the API, disallow this method for
-    # state-changing endpoints
-    def find_user_from_warden
-      warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
-    end
-
     def declared_params(options = {})
       options = { include_parent_namespaces: false }.merge(options)
       declared(params, options).to_h.symbolize_keys
     end
 
-    def find_user_by_private_token
-      token = private_token
-      return nil unless token.present?
-
-      User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
-    end
-
     def current_user
-      @current_user ||= find_user_by_private_token
-      @current_user ||= doorkeeper_guard
-      @current_user ||= find_user_from_warden
+      return @current_user if defined?(@current_user)
 
-      unless @current_user && Gitlab::UserAccess.new(@current_user).allowed?
-        return nil
-      end
-
-      identifier = sudo_identifier
+      @current_user = initial_current_user
 
-      if identifier
-        # We check for private_token because we cannot allow PAT to be used
-        forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
-        forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
-
-        @impersonator = @current_user
-        @current_user = User.by_username_or_id(identifier)
-        not_found!("No user id or username for: #{identifier}") if @current_user.nil?
-      end
+      sudo!
 
       @current_user
     end
 
-    def sudo_identifier
-      identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER]
-
-      # Regex for integers
-      if !!(identifier =~ /\A[0-9]+\z/)
-        identifier.to_i
-      else
-        identifier
-      end
+    def sudo?
+      initial_current_user != current_user
     end
 
     def user_project
@@ -78,6 +32,14 @@ module API
       @available_labels ||= LabelsFinder.new(current_user, project_id: user_project.id).execute
     end
 
+    def find_user(id)
+      if id =~ /^\d+$/
+        User.find_by(id: id)
+      else
+        User.find_by(username: id)
+      end
+    end
+
     def find_project(id)
       if id =~ /^\d+$/
         Project.find_by(id: id)
@@ -96,17 +58,6 @@ module API
       end
     end
 
-    def project_service(project = user_project)
-      @project_service ||= project.find_or_initialize_service(params[:service_slug].underscore)
-      @project_service || not_found!("Service")
-    end
-
-    def service_attributes
-      @service_attributes ||= project_service.fields.inject([]) do |arr, hash|
-        arr << hash[:name].to_sym
-      end
-    end
-
     def find_group(id)
       if id =~ /^\d+$/
         Group.find_by(id: id)
@@ -354,6 +305,62 @@ module API
 
     private
 
+    def private_token
+      params[APIGuard::PRIVATE_TOKEN_PARAM] || env[APIGuard::PRIVATE_TOKEN_HEADER]
+    end
+
+    def warden
+      env['warden']
+    end
+
+    # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
+    def find_user_from_warden
+      warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
+    end
+
+    def initial_current_user
+      return @initial_current_user if defined?(@initial_current_user)
+
+      @initial_current_user ||= find_user_by_private_token(scopes: @scopes)
+      @initial_current_user ||= doorkeeper_guard(scopes: @scopes)
+      @initial_current_user ||= find_user_from_warden
+
+      unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
+        @initial_current_user = nil
+      end
+
+      @initial_current_user
+    end
+
+    def sudo!
+      return unless sudo_identifier
+      return unless initial_current_user
+
+      unless initial_current_user.is_admin?
+        forbidden!('Must be admin to use sudo')
+      end
+
+      # Only private tokens should be used for the SUDO feature
+      unless private_token == initial_current_user.private_token
+        forbidden!('Private token must be specified in order to use sudo')
+      end
+
+      sudoed_user = find_user(sudo_identifier)
+
+      if sudoed_user
+        @current_user = sudoed_user
+      else
+        not_found!("No user id or username for: #{sudo_identifier}")
+      end
+    end
+
+    def sudo_identifier
+      @sudo_identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER]
+    end
+
     def add_pagination_headers(paginated_data)
       header 'X-Total',       paginated_data.total_count.to_s
       header 'X-Total-Pages', paginated_data.total_pages.to_s
@@ -386,10 +393,6 @@ module API
       links.join(', ')
     end
 
-    def private_token_used?
-      private_token == @current_user.private_token
-    end
-
     def secret_token
       Gitlab::Shell.secret_token
     end
author	Lin Jen-Shin <godfat@godfat.org>	2016-12-20 20:54:40 +0800
committer	Lin Jen-Shin <godfat@godfat.org>	2016-12-20 20:54:40 +0800
commit	0f0738e78867f6822dd15cb26da1f17628acde77 (patch)
tree	0813c71b448d149afad6802e25c56a219efb0523 /lib/api/helpers.rb
parent	eb839b9af51d411a6a35786a1c1c58954da1a650 (diff)
parent	ad1a1d976c877eca16858368db0c5b3ef800db8b (diff)
download	gitlab-ce-0f0738e78867f6822dd15cb26da1f17628acde77.tar.gz