author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-11 12:08:10 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-11 12:08:10 +0000 |
commit | b86f474bf51e20d2db4cf0895d0a8e0894e31c08 (patch) | |
tree | 061d2a4c749924f5a35fe6199dd1d8982c4b0b27 /lib/gitlab/auth | |
parent | 6b8040dc25fdc5fe614c3796a147517dd50bc7d8 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb (renamed from lib/gitlab/auth/user_auth_finders.rb) | 16 | ||||
-rw-r--r-- | lib/gitlab/auth/current_user_mode.rb | 56 | ||||
-rw-r--r-- | lib/gitlab/auth/request_authenticator.rb | 8 |
3 files changed, 71 insertions, 9 deletions
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/auth_finders.rb index 983682baab1..6210aca739a 100644 --- a/lib/gitlab/auth/user_auth_finders.rb +++ b/lib/gitlab/auth/auth_finders.rb @@ -17,8 +17,8 @@ module Gitlab end end - module UserAuthFinders - prepend_if_ee('::EE::Gitlab::Auth::UserAuthFinders') # rubocop: disable Cop/InjectEnterpriseEditionModule + module AuthFinders + prepend_if_ee('::EE::Gitlab::Auth::AuthFinders') # rubocop: disable Cop/InjectEnterpriseEditionModule include Gitlab::Utils::StrongMemoize @@ -26,6 +26,7 @@ module Gitlab PRIVATE_TOKEN_PARAM = :private_token JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze JOB_TOKEN_PARAM = :job_token + RUNNER_TOKEN_PARAM = :token # Check the Rails session for valid authentication details def find_user_from_warden @@ -85,6 +86,15 @@ module Gitlab access_token.user || raise(UnauthorizedError) end + def find_runner_from_token + return unless api_request? + + token = current_request.params[RUNNER_TOKEN_PARAM].presence + return unless token + + ::Ci::Runner.find_by_token(token) || raise(UnauthorizedError) + end + def validate_access_token!(scopes: []) return unless access_token @@ -201,7 +211,7 @@ module Gitlab end def api_request? - current_request.path.starts_with?("/api/") + current_request.path.starts_with?('/api/') end def archive_request? diff --git a/lib/gitlab/auth/current_user_mode.rb b/lib/gitlab/auth/current_user_mode.rb index df5039f50c1..cb39baaa6cc 100644 --- a/lib/gitlab/auth/current_user_mode.rb +++ b/lib/gitlab/auth/current_user_mode.rb 
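Review bot: `find_runner_from_token` (hunk @@ -85,6) carries no doc comment, unlike the neighbouring finders (`# Check the Rails session for valid authentication details` above `find_user_from_warden`), and it is the only finder keyed on a bare `token` request parameter, so a reader cannot tell from the code that it authenticates a CI runner rather than a user. A comment of the form `# Authenticate a CI runner from the token request parameter (API requests only); a token that is present but matches no runner raises UnauthorizedError instead of falling through to the next finder.` would cover both points. Separately, `current_request.params[RUNNER_TOKEN_PARAM].presence` passes through non-String values (Rack turns a repeated or bracketed parameter into an Array); adding `return unless token.is_a?(String)` after the presence check keeps the lookup from being driven by an unexpected shape — hedged, since what `::Ci::Runner.find_by_token` does with an Array is not visible in this diff.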
@@ -8,9 +8,13 @@ module Gitlab # an administrator must have explicitly enabled admin-mode # e.g. on web access require re-authentication class CurrentUserMode + NotRequestedError = Class.new(StandardError) + SESSION_STORE_KEY = :current_user_mode ADMIN_MODE_START_TIME_KEY = 'admin_mode' + ADMIN_MODE_REQUESTED_TIME_KEY = 'admin_mode_requested' MAX_ADMIN_MODE_TIME = 6.hours + ADMIN_MODE_REQUESTED_GRACE_PERIOD = 5.minutes def initialize(user) @user = user @@ -19,8 +23,16 @@ module Gitlab def admin_mode? return false unless user - Gitlab::SafeRequestStore.fetch(request_store_key) do - user&.admin? && any_session_with_admin_mode? + Gitlab::SafeRequestStore.fetch(admin_mode_rs_key) do + user.admin? && any_session_with_admin_mode? + end + end + + def admin_mode_requested? + return false unless user + + Gitlab::SafeRequestStore.fetch(admin_mode_requested_rs_key) do + user.admin? && admin_mode_requested_in_grace_period? end end 
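Review bot: `admin_mode_requested?` (hunk @@ -19,8) is undocumented, and its relationship to `admin_mode?` — a pending request that has to be confirmed within `ADMIN_MODE_REQUESTED_GRACE_PERIOD` — is only discoverable by reading `enable_admin_mode!` and `admin_mode_requested_in_grace_period?` in the later hunks of this file. Suggest `# True when the admin user has requested admin mode and that request is still within ADMIN_MODE_REQUESTED_GRACE_PERIOD (see request_admin_mode! and enable_admin_mode!).` above the method. Because the result is memoized under `admin_mode_requested_rs_key` for the rest of the request, every writer of the session key must also drop the cached value; the later hunk does this via `reset_request_store`, and the comment should say that this invariant exists so future writers keep it.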
@@ -28,20 +40,45 @@ module Gitlab return unless user&.admin? return unless skip_password_validation || user&.valid_password?(password) + raise NotRequestedError unless admin_mode_requested? + + reset_request_store + + current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now end + def enable_sessionless_admin_mode! + request_admin_mode! && enable_admin_mode!(skip_password_validation: true) + end + def disable_admin_mode! + return unless user&.admin? + + reset_request_store + + current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil current_session_data[ADMIN_MODE_START_TIME_KEY] = nil - Gitlab::SafeRequestStore.delete(request_store_key) + end + + def request_admin_mode! + return unless user&.admin? + + reset_request_store + + current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = Time.now end private attr_reader :user - def request_store_key - @request_store_key ||= { res: :current_user_mode, user: user.id } + def admin_mode_rs_key + @admin_mode_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode? } + end + + def admin_mode_requested_rs_key + @admin_mode_requested_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode_requested? } end def current_session_data @@ -61,6 +98,15 @@ module Gitlab Gitlab::NamespacedSessionStore.new(SESSION_STORE_KEY, session.with_indifferent_access ) end end + + def admin_mode_requested_in_grace_period? + current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY].to_i > ADMIN_MODE_REQUESTED_GRACE_PERIOD.ago.to_i + end + + def reset_request_store + Gitlab::SafeRequestStore.delete(admin_mode_rs_key) + Gitlab::SafeRequestStore.delete(admin_mode_requested_rs_key) + end end end end diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb index aca8804b04c..9b1b7b8e879 100644 --- a/lib/gitlab/auth/request_authenticator.rb +++ b/lib/gitlab/auth/request_authenticator.rb 
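Review bot: `enable_sessionless_admin_mode!` skips password re-authentication (`skip_password_validation: true`) yet has no comment on when that is acceptable, and since it also issues its own `request_admin_mode!` it collapses the two-step request/confirm flow that `NotRequestedError` otherwise enforces into a single call. Suggest `# Sessionless requests only: assumes the caller already authenticated the user with a sessionless credential (confirm at the call sites), so no password re-check is done; the request/enable pair is still recorded so the session keys stay consistent.` — hedged, because the callers are not part of this diff. On style, `admin_mode_rs_key` and `admin_mode_requested_rs_key` repeat the same hash literal; a private `def request_store_key(method) = { res: :current_user_mode, user: user.id, method: method }` with the two memoized callers passing `:admin_mode?` and `:admin_mode_requested?` removes the duplication.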
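Review bot: `admin_mode_requested_in_grace_period?` (hunk @@ -61,6) relies on `nil.to_i == 0` so that an absent request compares as expired; that is correct but non-obvious and deserves a one-line comment such as `# No stored request (nil) becomes 0 and therefore never falls inside the grace period.`. The comparison also assumes the session hands back a `Time` (or something whose `to_i` is epoch seconds); if the store ever returned the value as a String, `String#to_i` would yield only the leading digits and every request would silently expire. The pre-existing `ADMIN_MODE_START_TIME_KEY` is written the same way (`= Time.now` in the earlier hunk), so the store presumably preserves `Time`, but that is worth confirming rather than assuming.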
@@ -5,7 +5,7 @@ module Gitlab module Auth class RequestAuthenticator - include UserAuthFinders + include AuthFinders attr_reader :request @@ -23,6 +23,12 @@ module Gitlab find_user_from_warden end + def runner + find_runner_from_token + rescue Gitlab::Auth::AuthenticationError + nil + end + def find_sessionless_user(request_format) find_user_from_web_access_token(request_format) || find_user_from_feed_token(request_format) || |
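Review bot: `runner` (hunk @@ -23,6) turns a failed runner-token authentication into `nil`, so a request carrying an invalid `token` becomes indistinguishable from one carrying none, and no failed-authentication signal leaves this method. That is presumably intended for the lookup-style use of `RequestAuthenticator`, but it should be stated on the method: `# Returns nil both when no runner token is given and when the given one is invalid; use find_runner_from_token directly where an invalid token must be rejected.`. It also assumes `UnauthorizedError`, raised by `find_runner_from_token`, is a subclass of `Gitlab::Auth::AuthenticationError`; that hierarchy is outside this diff, so confirm it, otherwise the raise propagates past the rescue.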