author | Francisco Lopez <fjlopez@gitlab.com> | 2017-11-16 15:39:30 +0100 |
---|---|---|
committer | Francisco Lopez <fjlopez@gitlab.com> | 2017-11-17 10:02:11 +0100 |
commit | aa84ef1e1af0bac40279e02e4ce889cb660ed9d0 (patch) | |
tree | 3fe0bd2c53236abd49f017c7711decd1980900b5 /lib | |
parent | 98f7982ceccd6f7996774911632943e9f43df6e3 (diff) | |
Moving exceptions to UserAuthFinders
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/api_guard.rb | 35 | ||||
-rw-r--r-- | lib/api/helpers.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/auth/user_auth_finders.rb | 32 |
3 files changed, 36 insertions, 33 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 0caf2aa25bc..a07015406b1 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -93,8 +93,11 @@ module API
private
def install_error_responders(base)
- error_classes = [MissingTokenError, TokenNotFoundError,
- ExpiredError, RevokedError, InsufficientScopeError]
+ error_classes = [Gitlab::Auth::UserAuthFinders::MissingTokenError,
+ Gitlab::Auth::UserAuthFinders::TokenNotFoundError,
+ Gitlab::Auth::UserAuthFinders::ExpiredError,
+ Gitlab::Auth::UserAuthFinders::RevokedError,
+ Gitlab::Auth::UserAuthFinders::InsufficientScopeError]
base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend
end
@@ -103,25 +106,25 @@ module API
proc do |e|
response = case e
- when MissingTokenError
+ when Gitlab::Auth::UserAuthFinders::MissingTokenError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
- when TokenNotFoundError
+ when Gitlab::Auth::UserAuthFinders::TokenNotFoundError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Bad Access Token.")
- when ExpiredError
+ when Gitlab::Auth::UserAuthFinders::ExpiredError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token is expired. You can either do re-authorization or token refresh.")
- when RevokedError
+ when Gitlab::Auth::UserAuthFinders::RevokedError
Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token was revoked. You have to re-authorize from the user.")
- when InsufficientScopeError
+ when Gitlab::Auth::UserAuthFinders::InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(
@@ -134,23 +137,5 @@ module API
end
end
end
-
- #
- # Exceptions
- #
-
- AuthenticationException = Class.new(StandardError)
- MissingTokenError = Class.new(AuthenticationException)
- TokenNotFoundError = Class.new(AuthenticationException)
- ExpiredError = Class.new(AuthenticationException)
- RevokedError = Class.new(AuthenticationException)
- UnauthorizedError = Class.new(AuthenticationException)
-
- class InsufficientScopeError < AuthenticationException
- attr_reader :scopes
- def initialize(scopes)
- @scopes = scopes.map { |s| s.try(:name) || s }
- end
- end
end
end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 3c8960cb1ab..09e9753b010 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -398,7 +398,7 @@ module API
begin
@initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! }
- rescue APIGuard::UnauthorizedError
+ rescue Gitlab::Auth::UserAuthFinders::UnauthorizedError
unauthorized!
end
end
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index 06b934fa042..6ee957a0cd6 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -4,6 +4,24 @@ module Gitlab
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
PRIVATE_TOKEN_PARAM = :private_token
+ #
+ # Exceptions
+ #
+
+ AuthenticationException = Class.new(StandardError)
+ MissingTokenError = Class.new(AuthenticationException)
+ TokenNotFoundError = Class.new(AuthenticationException)
+ ExpiredError = Class.new(AuthenticationException)
+ RevokedError = Class.new(AuthenticationException)
+ UnauthorizedError = Class.new(AuthenticationException)
+
+ class InsufficientScopeError < AuthenticationException
+ attr_reader :scopes
+ def initialize(scopes)
+ @scopes = scopes.map { |s| s.try(:name) || s }
+ end
+ end
+
# Check the Rails session for valid authentication details
def find_user_from_warden
current_request.env['warden']&.authenticate if verified_request?
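Review bot: The `# Exceptions` banner added at the top of `Gitlab::Auth::UserAuthFinders` does not say where these errors become HTTP responses, and after this commit that mapping is split across two other files: `API::APIGuard#install_error_responders` registers `rescue_from` handlers for the five token errors, while `UnauthorizedError` is only caught by the `rescue Gitlab::Auth::UserAuthFinders::UnauthorizedError` → `unauthorized!` in `lib/api/helpers.rb`. Nothing on this page rescues the `AuthenticationException` base class, so a finder that raised it directly, or a future subclass added to only one of the two lists, would presumably escape as a generic server error rather than a 401. I would replace the bare banner with `# Raised by the finders below. API::APIGuard maps the token errors to Bearer Unauthorized/Forbidden responses; UnauthorizedError is rescued in API::Helpers. Register new subclasses in both places.`. Separately, `InsufficientScopeError#initialize` never calls `super`, so `e.message` is only the class name; passing a message to `super` would make logged authentication failures readable.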
@@ -15,7 +33,7 @@ module Gitlab
token = current_request.params[:rss_token].presence
return unless token
- User.find_by_rss_token(token) || raise(API::APIGuard::UnauthorizedError)
+ User.find_by_rss_token(token) || raise(UnauthorizedError)
end
def find_user_from_access_token
@@ -23,7 +41,7 @@ module Gitlab
validate_access_token!
- access_token.user || raise(API::APIGuard::UnauthorizedError)
+ access_token.user || raise(UnauthorizedError)
end
def validate_access_token!(scopes: [])
@@ -31,11 +49,11 @@ module Gitlab
case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
when AccessTokenValidationService::INSUFFICIENT_SCOPE
- raise API::APIGuard::InsufficientScopeError.new(scopes)
+ raise InsufficientScopeError.new(scopes)
when AccessTokenValidationService::EXPIRED
- raise API::APIGuard::ExpiredError
+ raise ExpiredError
when AccessTokenValidationService::REVOKED
- raise API::APIGuard::RevokedError
+ raise RevokedError
end
end
@@ -55,7 +73,7 @@ module Gitlab
return unless token
# Expiration, revocation and scopes are verified in `validate_access_token!`
- PersonalAccessToken.find_by(token: token) || raise(API::APIGuard::UnauthorizedError)
+ PersonalAccessToken.find_by(token: token) || raise(UnauthorizedError)
end
def find_oauth_access_token
@@ -64,7 +82,7 @@ module Gitlab
# Expiration, revocation and scopes are verified in `validate_access_token!`
oauth_token = OauthAccessToken.by_token(token)
- raise API::APIGuard::UnauthorizedError unless oauth_token
+ raise UnauthorizedError unless oauth_token
oauth_token.revoke_previous_refresh_token!
oauth_token |