authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-02 17:14:06 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-02 17:14:06 +0000
commit702f0d561ce6f90908e2ddd40f183d0007e92217 (patch)
treef528ca51fa8d978c945ba993749c5d2154f11136 /lib
parent90432d32acd69cf91e647fc508045659cae26b1a (diff)
Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/auth.rb23
1 files changed, 21 insertions, 2 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 0c6ed6924bf..ece4946383d 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -65,7 +65,15 @@ module Gitlab
raise Gitlab::Auth::MissingPersonalAccessTokenError
end
- def find_with_user_password(login, password)
+ # Find and return a user if the provided password is valid for various
+ # authenticators (OAuth, LDAP, Local Database).
+ #
+ # Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`.
+ # CAUTION: Avoid incrementing failed attempts when authentication falls through
+ # different mechanisms, as in `.find_for_git_client`. This may lead to
+ # unwanted access locks when the value provided for `password` was actually
+ # a PAT, deploy token, etc.
+ def find_with_user_password(login, password, increment_failed_attempts: false)
# Avoid resource intensive checks if login credentials are not provided
return unless login.present? && password.present?
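Review bot: The new comment describes only the increment side of `increment_failed_attempts:`, but the flag also clears a lock on success (the `user_auth_attempt!` helper added further down in this patch calls `unlock_access!` when `success:` is true), so callers should know that a correct password resets an existing lock. Suggest extending the sentence at the top of the comment to `# Specify \`increment_failed_attempts: true\` to increment Devise \`failed_attempts\` on failure and unlock the account (resetting the counter) on success.` The body of find_with_user_password continues beyond this hunk.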
@@ -96,10 +104,14 @@ module Gitlab
authenticators.compact!
# return found user that was authenticated first for given login credentials
- authenticators.find do |auth|
+ authenticated_user = authenticators.find do |auth|
authenticated_user = auth.login(login, password)
break authenticated_user if authenticated_user
end
+
+ user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
+
+ authenticated_user
end
end
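Review bot: `authenticated_user` is now assigned both outside the `find` block and inside it, so the inner assignment writes the outer local and the `break` value then overwrites it again; it works, but it reads like an accidental reuse of the name. `authenticated_user = authenticators.lazy.map { |auth| auth.login(login, password) }.find(&:itself)` expresses the same first-successful-authenticator search without the shadowing and without the `break`. Separately, `user` is not defined in this hunk — presumably the local record looked up from `login` earlier in the method — while `success:` is derived from whichever authenticator returned a user; if those can ever be different records, the unlock on success would be applied to the looked-up `user` rather than the authenticated one, which is worth confirming. The method begins outside this hunk.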
@@ -357,6 +369,13 @@ module Gitlab
def find_build_by_token(token)
::Ci::Build.running.find_by_token(token)
end
+
+ def user_auth_attempt!(user, success:)
+ return unless user && Gitlab::Database.read_write?
+ return user.unlock_access! if success
+
+ user.increment_failed_attempts!
+ end
end
end
end
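Review bot: `user_auth_attempt!` has no comment, and the `Gitlab::Database.read_write?` guard is the least obvious line in it. Suggest a header such as `# Records the outcome of a password check against Devise's lockable counters: a failure increments \`failed_attempts\`, a success unlocks the account. No-op when there is no local user record or the database is not writable (presumably a read-only replica), since this path must not attempt a write there.` If Devise's `unlock_access!` saves unconditionally, every successful password login now costs a database write; `return user.unlock_access! if success` could be narrowed to `return user.unlock_access! if success && (user.access_locked? || user.failed_attempts.positive?)` to skip the update for already-clean accounts, once that is confirmed against the `User` model.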