diff options
Diffstat (limited to 'lib/api/internal/base.rb')
-rw-r--r-- | lib/api/internal/base.rb | 61 |
1 files changed, 39 insertions, 22 deletions
diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb index a3fee49cd8f..4dcfc0cf7eb 100644 --- a/lib/api/internal/base.rb +++ b/lib/api/internal/base.rb @@ -15,7 +15,7 @@ module API Gitlab::ApplicationContext.push( user: -> { actor&.user }, project: -> { project }, - caller_id: route.origin, + caller_id: api_endpoint.endpoint_id, remote_ip: request.ip, feature_category: feature_category ) @@ -23,7 +23,7 @@ module API helpers ::API::Helpers::InternalHelpers - UNKNOWN_CHECK_RESULT_ERROR = 'Unknown check result'.freeze + UNKNOWN_CHECK_RESULT_ERROR = 'Unknown check result' VALID_PAT_SCOPES = Set.new( Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth::REGISTRY_SCOPES @@ -52,20 +52,20 @@ module API actor.update_last_used_at! check_result = begin - Gitlab::Auth::CurrentUserMode.bypass_session!(actor.user&.id) do - access_check!(actor, params) - end - rescue Gitlab::GitAccess::ForbiddenError => e - # The return code needs to be 401. If we return 403 - # the custom message we return won't be shown to the user - # and, instead, the default message 'GitLab: API is not accessible' - # will be displayed - return response_with_status(code: 401, success: false, message: e.message) - rescue Gitlab::GitAccess::TimeoutError => e - return response_with_status(code: 503, success: false, message: e.message) - rescue Gitlab::GitAccess::NotFoundError => e - return response_with_status(code: 404, success: false, message: e.message) - end + with_admin_mode_bypass!(actor.user&.id) do + access_check!(actor, params) + end + rescue Gitlab::GitAccess::ForbiddenError => e + # The return code needs to be 401. If we return 403 + # the custom message we return won't be shown to the user + # and, instead, the default message 'GitLab: API is not accessible' + # will be displayed + return response_with_status(code: 401, success: false, message: e.message) + rescue Gitlab::GitAccess::TimeoutError => e + return response_with_status(code: 503, success: false, message: e.message) + rescue Gitlab::GitAccess::NotFoundError => e + return response_with_status(code: 404, success: false, message: e.message) + end log_user_activity(actor.user) @@ -109,9 +109,7 @@ module API end end - def validate_actor_key(actor, key_id) - return 'Could not find a user without a key' unless key_id - + def validate_actor(actor) return 'Could not find the given key' unless actor.key 'Could not find a user for the given key' unless actor.user @@ -120,6 +118,19 @@ module API def two_factor_otp_check { success: false, message: 'Feature is not available' } end + + def with_admin_mode_bypass!(actor_id) + return yield unless Gitlab::CurrentSettings.admin_mode + + Gitlab::Auth::CurrentUserMode.bypass_session!(actor_id) do + yield + end + end + + # Overridden in EE + def geo_proxy + {} + end end namespace 'internal' do @@ -193,7 +204,7 @@ module API actor.update_last_used_at! user = actor.user - error_message = validate_actor_key(actor, params[:key_id]) + error_message = validate_actor(actor) if params[:user_id] && user.nil? break { success: false, message: 'Could not find the given user' } @@ -222,7 +233,7 @@ module API actor.update_last_used_at! user = actor.user - error_message = validate_actor_key(actor, params[:key_id]) + error_message = validate_actor(actor) break { success: false, message: 'Deploy keys cannot be used to create personal access tokens' } if actor.key.is_a?(DeployKey) @@ -295,7 +306,7 @@ module API actor.update_last_used_at! user = actor.user - error_message = validate_actor_key(actor, params[:key_id]) + error_message = validate_actor(actor) if error_message { success: false, message: error_message } @@ -314,6 +325,12 @@ module API two_factor_otp_check end + + # Workhorse calls this to determine if it is a Geo secondary site + # that should proxy requests. FOSS can quickly return empty data. + get '/geo_proxy', feature_category: :geo_replication do + geo_proxy + end end end end |