diff options
| author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-09-02 12:39:03 +0000 |
|---|---|---|
| committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-09-02 12:39:03 +0000 |
| commit | 90432d32acd69cf91e647fc508045659cae26b1a (patch) | |
| tree | 2b2da74ca70007a0343a131ed187dcdbdbfeb7dd /lib | |
| parent | f4a969f7f495978a7e656c69c929c9fdac111cff (diff) | |
| parent | 417a126de5e49fb7c63bb3f23b22bc4a484ac359 (diff) | |
| download | gitlab-ce-90432d32acd69cf91e647fc508045659cae26b1a.tar.gz | |
Merge remote-tracking branch 'dev/13-3-stable' into 13-3-stable
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/api_guard.rb | 21 | ||||
| -rw-r--r-- | lib/api/badges.rb | 7 | ||||
| -rw-r--r-- | lib/api/conan_packages.rb | 10 | ||||
| -rw-r--r-- | lib/api/helpers/badges_helpers.rb | 8 | ||||
| -rw-r--r-- | lib/api/helpers/packages/conan/api_helpers.rb | 8 | ||||
| -rw-r--r-- | lib/api/helpers/packages_manager_clients_helpers.rb | 2 | ||||
| -rw-r--r-- | lib/gitlab/application_rate_limiter.rb | 4 | ||||
| -rw-r--r-- | lib/gitlab/auth.rb | 2 | ||||
| -rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 16 | ||||
| -rw-r--r-- | lib/gitlab/auth/two_factor_auth_verifier.rb | 36 | ||||
| -rw-r--r-- | lib/gitlab/git_access.rb | 9 | ||||
| -rw-r--r-- | lib/gitlab/regex.rb | 5 |
12 files changed, 98 insertions, 30 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 59978962b1d..46b69214877 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -69,7 +69,7 @@ module API deploy_token_from_request || find_user_from_bearer_token || find_user_from_job_token || - find_user_from_warden + user_from_warden end end @@ -103,6 +103,25 @@ module API def user_allowed_or_deploy_token?(user) Gitlab::UserAccess.new(user).allowed? || user.is_a?(DeployToken) end + + def user_from_warden + user = find_user_from_warden + + return unless user + return if two_factor_required_but_not_setup?(user) + + user + end + + def two_factor_required_but_not_setup?(user) + verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(user) + + if verifier.two_factor_authentication_required? && verifier.current_user_needs_to_setup_two_factor? + verifier.two_factor_grace_period_expired? + else + false + end + end end class_methods do diff --git a/lib/api/badges.rb b/lib/api/badges.rb index f6cd3f83ff3..f9728ffc446 100644 --- a/lib/api/badges.rb +++ b/lib/api/badges.rb @@ -109,9 +109,10 @@ module API end put ":id/badges/:badge_id" do source = find_source_if_admin(source_type) + badge = find_badge(source) badge = ::Badges::UpdateService.new(declared_params(include_missing: false)) - .execute(find_badge(source)) + .execute(badge) if badge.valid? present_badges(source, badge) @@ -130,10 +131,6 @@ module API source = find_source_if_admin(source_type) badge = find_badge(source) - if badge.is_a?(GroupBadge) && source.is_a?(Project) - error!('To delete a Group badge please use the Group endpoint', 403) - end - destroy_conditionally!(badge) end end diff --git a/lib/api/conan_packages.rb b/lib/api/conan_packages.rb index 6923d252fbd..7f2afea9931 100644 --- a/lib/api/conan_packages.rb +++ b/lib/api/conan_packages.rb @@ -26,6 +26,8 @@ module API PACKAGE_COMPONENT_REGEX = Gitlab::Regex.conan_recipe_component_regex CONAN_REVISION_REGEX = Gitlab::Regex.conan_revision_regex + CONAN_FILES = (Gitlab::Regex::Packages::CONAN_RECIPE_FILES + Gitlab::Regex::Packages::CONAN_PACKAGE_FILES).freeze + before do require_packages_enabled! @@ -259,7 +261,7 @@ module API end params do - requires :file_name, type: String, desc: 'Package file name', regexp: Gitlab::Regex.conan_file_name_regex + requires :file_name, type: String, desc: 'Package file name', values: CONAN_FILES end namespace 'export/:file_name', requirements: FILE_NAME_REQUIREMENTS do desc 'Download recipe files' do @@ -277,7 +279,7 @@ module API end params do - use :workhorse_upload_params + requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)' end route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true @@ -300,7 +302,7 @@ module API params do requires :conan_package_reference, type: String, desc: 'Conan Package ID' requires :package_revision, type: String, desc: 'Conan Package Revision' - requires :file_name, type: String, desc: 'Package file name', regexp: Gitlab::Regex.conan_file_name_regex + requires :file_name, type: String, desc: 'Package file name', values: CONAN_FILES end namespace 'package/:conan_package_reference/:package_revision/:file_name', requirements: FILE_NAME_REQUIREMENTS do desc 'Download package files' do @@ -328,7 +330,7 @@ module API end params do - use :workhorse_upload_params + requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)' end route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true diff --git a/lib/api/helpers/badges_helpers.rb b/lib/api/helpers/badges_helpers.rb index 46ce5b4e7b5..f402c603c87 100644 --- a/lib/api/helpers/badges_helpers.rb +++ b/lib/api/helpers/badges_helpers.rb @@ -6,7 +6,13 @@ module API include ::API::Helpers::MembersHelpers def find_badge(source) - source.badges.find(params[:badge_id]) + badge_id = params[:badge_id] + + if source.is_a?(Project) + source.project_badges.find(badge_id) + else + source.badges.find(badge_id) + end end def present_badges(source, records, options = {}) diff --git a/lib/api/helpers/packages/conan/api_helpers.rb b/lib/api/helpers/packages/conan/api_helpers.rb index a5fde1af41e..c9c2f66ef62 100644 --- a/lib/api/helpers/packages/conan/api_helpers.rb +++ b/lib/api/helpers/packages/conan/api_helpers.rb @@ -133,7 +133,7 @@ module API end def track_push_package_event - if params[:file_name] == ::Packages::Conan::FileMetadatum::PACKAGE_BINARY && params['file.size'] > 0 + if params[:file_name] == ::Packages::Conan::FileMetadatum::PACKAGE_BINARY && params[:file].size > 0 # rubocop: disable Style/ZeroLengthPredicate track_event('push_package') end end @@ -147,9 +147,9 @@ module API end def create_package_file_with_type(file_type, current_package) - unless params['file.size'] == 0 + unless params[:file].size == 0 # rubocop: disable Style/ZeroLengthPredicate # conan sends two upload requests, the first has no file, so we skip record creation if file.size == 0 - ::Packages::Conan::CreatePackageFileService.new(current_package, uploaded_package_file, params.merge(conan_file_type: file_type)).execute + ::Packages::Conan::CreatePackageFileService.new(current_package, params[:file], params.merge(conan_file_type: file_type)).execute end end @@ -220,7 +220,7 @@ module API return unless token - ::Ci::Build.find_by_token(token.access_token_id.to_s) + ::Ci::AuthJobFinder.new(token: token.access_token_id.to_s).execute end def decode_oauth_token_from_jwt diff --git a/lib/api/helpers/packages_manager_clients_helpers.rb b/lib/api/helpers/packages_manager_clients_helpers.rb index ae16b65aaa8..955d21cb44f 100644 --- a/lib/api/helpers/packages_manager_clients_helpers.rb +++ b/lib/api/helpers/packages_manager_clients_helpers.rb @@ -23,7 +23,7 @@ module API return unless token - ::Ci::Build.find_by_token(token) + ::Ci::AuthJobFinder.new(token: token).execute end def find_deploy_token_from_http_basic_auth diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb index ed963476524..4eeec534fc0 100644 --- a/lib/gitlab/application_rate_limiter.rb +++ b/lib/gitlab/application_rate_limiter.rb @@ -25,11 +25,13 @@ module Gitlab project_repositories_archive: { threshold: 5, interval: 1.minute }, project_generate_new_export: { threshold: -> { application_settings.project_export_limit }, interval: 1.minute }, project_import: { threshold: -> { application_settings.project_import_limit }, interval: 1.minute }, + project_testing_hook: { threshold: 5, interval: 1.minute }, play_pipeline_schedule: { threshold: 1, interval: 1.minute }, show_raw_controller: { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute }, group_export: { threshold: -> { application_settings.group_export_limit }, interval: 1.minute }, group_download_export: { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute }, - group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute } + group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }, + group_testing_hook: { threshold: 5, interval: 1.minute } }.freeze end diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 332d0bc1478..0c6ed6924bf 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -222,6 +222,8 @@ module Gitlab # Registry access (with jwt) does not have access to project return if project && !token.has_access_to?(project) + # When repository is disabled, no resources are accessible via Deploy Token + return if project&.repository_access_level == ::ProjectFeature::DISABLED scopes = abilities_for_scopes(token.scopes) diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb index f3d0c053880..ccf52bae9a5 100644 --- a/lib/gitlab/auth/auth_finders.rb +++ b/lib/gitlab/auth/auth_finders.rb @@ -69,9 +69,7 @@ module Gitlab current_request.env[JOB_TOKEN_HEADER].presence return unless token - job = ::Ci::Build.find_by_token(token) - raise UnauthorizedError unless job - + job = find_valid_running_job_by_token!(token) @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables job.user @@ -84,9 +82,7 @@ module Gitlab return unless login.present? && password.present? return unless ::Gitlab::Auth::CI_JOB_USER == login - job = ::Ci::Build.find_by_token(password) - raise UnauthorizedError unless job - + job = find_valid_running_job_by_token!(password) job.user end @@ -179,7 +175,7 @@ module Gitlab token = parsed_oauth_token return unless token - job = ::Ci::Build.find_by_token(token) + job = ::Ci::AuthJobFinder.new(token: token).execute return unless job @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables @@ -304,6 +300,12 @@ module Gitlab def blob_request? current_request.path.include?('/raw/') end + + def find_valid_running_job_by_token!(token) + ::Ci::AuthJobFinder.new(token: token).execute.tap do |job| + raise UnauthorizedError unless job + end + end end end end diff --git a/lib/gitlab/auth/two_factor_auth_verifier.rb b/lib/gitlab/auth/two_factor_auth_verifier.rb new file mode 100644 index 00000000000..86552ef1267 --- /dev/null +++ b/lib/gitlab/auth/two_factor_auth_verifier.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +module Gitlab + module Auth + class TwoFactorAuthVerifier + attr_reader :current_user + + def initialize(current_user) + @current_user = current_user + end + + def two_factor_authentication_required? + Gitlab::CurrentSettings.require_two_factor_authentication? || + current_user&.require_two_factor_authentication_from_group? + end + + def current_user_needs_to_setup_two_factor? + current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled? + end + + def two_factor_grace_period + periods = [Gitlab::CurrentSettings.two_factor_grace_period] + periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group? + periods.min + end + + def two_factor_grace_period_expired? + time = current_user&.otp_grace_period_started_at + + return false unless time + + two_factor_grace_period.hours.since(time) < Time.current + end + end + end +end diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index f3b53a2ba0b..b67b3a37440 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -98,6 +98,13 @@ module Gitlab Guest.can?(download_ability, container) end + def deploy_key_can_download_code? + authentication_abilities.include?(:download_code) && + deploy_key? && + deploy_key.has_access_to?(container) && + (project? && project&.repository_access_level != ::Featurable::DISABLED) + end + def user_can_download_code? authentication_abilities.include?(:download_code) && user_access.can_do_action?(download_ability) @@ -257,7 +264,7 @@ module Gitlab end def check_download_access! - passed = deploy_key? || + passed = deploy_key_can_download_code? || deploy_token? || user_can_download_code? || build_can_download_code? || diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb index 1e1e0d856b7..2d625737e05 100644 --- a/lib/gitlab/regex.rb +++ b/lib/gitlab/regex.rb @@ -6,11 +6,6 @@ module Gitlab CONAN_RECIPE_FILES = %w[conanfile.py conanmanifest.txt conan_sources.tgz conan_export.tgz].freeze CONAN_PACKAGE_FILES = %w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze - def conan_file_name_regex - @conan_file_name_regex ||= - %r{\A#{(CONAN_RECIPE_FILES + CONAN_PACKAGE_FILES).join("|")}\z}.freeze - end - def conan_package_reference_regex @conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}.freeze end |