adds impersonator variable and makes sudo usage overall more clear24537-reenable-private-token-with-sudo

4 files changed, 23 insertions, 17 deletions

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 1dd191161ef..006d5f9f44e 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -22,7 +22,7 @@ module API
       expose :provider, :extern_uid
     end
 
-    class UserFull < User
+    class UserPublic < User
       expose :last_sign_in_at
       expose :confirmed_at
       expose :email
@@ -32,10 +32,9 @@ module API
       expose :can_create_project?, as: :can_create_project
       expose :two_factor_enabled?, as: :two_factor_enabled
       expose :external
-      expose :private_token, if: lambda { |user, options| user.is_admin? && options[:sudo_identifier] }
     end
 
-    class UserLogin < UserFull
+    class UserWithPrivateToken < UserPublic
       expose :private_token
     end
 
@@ -290,7 +289,7 @@ module API
     end
 
     class SSHKeyWithUser < SSHKey
-      expose :user, using: Entities::UserFull
+      expose :user, using: Entities::UserPublic
     end
 
     class Note < Grape::Entity
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 7f94ede7940..6a47efc74f0 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -44,11 +44,14 @@ module API
         return nil
       end
 
-      identifier = sudo_identifier()
+      identifier = sudo_identifier
 
-      # If the sudo is the current user do nothing
-      if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+      if identifier
+        # We check for private_token because we cannot allow PAT to be used
         forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+        forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+        @impersonator = @current_user
         @current_user = User.by_username_or_id(identifier)
         not_found!("No user id or username for: #{identifier}") if @current_user.nil?
       end
@@ -399,6 +402,10 @@ module API
       links.join(', ')
     end
 
+    def private_token_used?
+      private_token == @current_user.private_token
+    end
+
     def secret_token
       Gitlab::Shell.secret_token
     end
diff --git a/lib/api/session.rb b/lib/api/session.rb
index d09400b81f5..002ffd1d154 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -1,7 +1,7 @@
 module API
   class Session < Grape::API
     desc 'Login to get token' do
-      success Entities::UserLogin
+      success Entities::UserWithPrivateToken
     end
     params do
       optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
 
       return unauthorized! unless user
       return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
-      present user, with: Entities::UserLogin
+      present user, with: Entities::UserWithPrivateToken
     end
   end
 end
diff --git a/lib/api/users.rb b/lib/api/users.rb
index b3870e0c7c8..1dab799dd61 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -51,7 +51,7 @@ module API
           users = users.external if params[:external] && current_user.is_admin?
         end
 
-        entity = current_user.is_admin? ? Entities::UserFull : Entities::UserBasic
+        entity = current_user.is_admin? ? Entities::UserPublic : Entities::UserBasic
         present paginate(users), with: entity
       end
 
@@ -66,7 +66,7 @@ module API
         not_found!('User') unless user
 
         if current_user && current_user.is_admin?
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         elsif can?(current_user, :read_user, user)
           present user, with: Entities::User
         else
@@ -75,7 +75,7 @@ module API
       end
 
       desc 'Create a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       params do
         requires :email, type: String, desc: 'The email of the user'
@@ -99,7 +99,7 @@ module API
         end
 
         if user.save
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         else
           conflict!('Email has already been taken') if User.
               where(email: user.email).
@@ -114,7 +114,7 @@ module API
       end
 
       desc 'Update a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       params do
         requires :id, type: Integer, desc: 'The ID of the user'
@@ -161,7 +161,7 @@ module API
         user_params.delete(:provider)
 
         if user.update_attributes(user_params)
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         else
           render_validation_error!(user)
         end
@@ -350,10 +350,10 @@ module API
 
     resource :user do
       desc 'Get the currently authenticated user' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       get do
-        present current_user, with: Entities::UserFull, sudo_identifier: sudo_identifier
+        present current_user, with: @impersonator ? Entities::UserWithPrivateToken : Entities::UserPublic
       end
 
       desc "Get the currently authenticated user's SSH keys" do