2 files changed, 43 insertions, 24 deletions

diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb
index a3fee49cd8f..4dcfc0cf7eb 100644
--- a/lib/api/internal/base.rb
+++ b/lib/api/internal/base.rb
@@ -15,7 +15,7 @@ module API
         Gitlab::ApplicationContext.push(
           user: -> { actor&.user },
           project: -> { project },
-          caller_id: route.origin,
+          caller_id: api_endpoint.endpoint_id,
           remote_ip: request.ip,
           feature_category: feature_category
         )
@@ -23,7 +23,7 @@ module API
 
       helpers ::API::Helpers::InternalHelpers
 
-      UNKNOWN_CHECK_RESULT_ERROR = 'Unknown check result'.freeze
+      UNKNOWN_CHECK_RESULT_ERROR = 'Unknown check result'
 
       VALID_PAT_SCOPES = Set.new(
         Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth::REGISTRY_SCOPES
@@ -52,20 +52,20 @@ module API
           actor.update_last_used_at!
 
           check_result = begin
-                           Gitlab::Auth::CurrentUserMode.bypass_session!(actor.user&.id) do
-                             access_check!(actor, params)
-                           end
-                         rescue Gitlab::GitAccess::ForbiddenError => e
-                           # The return code needs to be 401. If we return 403
-                           # the custom message we return won't be shown to the user
-                           # and, instead, the default message 'GitLab: API is not accessible'
-                           # will be displayed
-                           return response_with_status(code: 401, success: false, message: e.message)
-                         rescue Gitlab::GitAccess::TimeoutError => e
-                           return response_with_status(code: 503, success: false, message: e.message)
-                         rescue Gitlab::GitAccess::NotFoundError => e
-                           return response_with_status(code: 404, success: false, message: e.message)
-                         end
+            with_admin_mode_bypass!(actor.user&.id) do
+              access_check!(actor, params)
+            end
+          rescue Gitlab::GitAccess::ForbiddenError => e
+            # The return code needs to be 401. If we return 403
+            # the custom message we return won't be shown to the user
+            # and, instead, the default message 'GitLab: API is not accessible'
+            # will be displayed
+            return response_with_status(code: 401, success: false, message: e.message)
+          rescue Gitlab::GitAccess::TimeoutError => e
+            return response_with_status(code: 503, success: false, message: e.message)
+          rescue Gitlab::GitAccess::NotFoundError => e
+            return response_with_status(code: 404, success: false, message: e.message)
+          end
 
           log_user_activity(actor.user)
 
@@ -109,9 +109,7 @@ module API
           end
         end
 
-        def validate_actor_key(actor, key_id)
-          return 'Could not find a user without a key' unless key_id
-
+        def validate_actor(actor)
           return 'Could not find the given key' unless actor.key
 
           'Could not find a user for the given key' unless actor.user
@@ -120,6 +118,19 @@ module API
         def two_factor_otp_check
           { success: false, message: 'Feature is not available' }
         end
+
+        def with_admin_mode_bypass!(actor_id)
+          return yield unless Gitlab::CurrentSettings.admin_mode
+
+          Gitlab::Auth::CurrentUserMode.bypass_session!(actor_id) do
+            yield
+          end
+        end
+
+        # Overridden in EE
+        def geo_proxy
+          {}
+        end
       end
 
       namespace 'internal' do
@@ -193,7 +204,7 @@ module API
           actor.update_last_used_at!
           user = actor.user
 
-          error_message = validate_actor_key(actor, params[:key_id])
+          error_message = validate_actor(actor)
 
           if params[:user_id] && user.nil?
             break { success: false, message: 'Could not find the given user' }
@@ -222,7 +233,7 @@ module API
           actor.update_last_used_at!
           user = actor.user
 
-          error_message = validate_actor_key(actor, params[:key_id])
+          error_message = validate_actor(actor)
 
           break { success: false, message: 'Deploy keys cannot be used to create personal access tokens' } if actor.key.is_a?(DeployKey)
 
@@ -295,7 +306,7 @@ module API
           actor.update_last_used_at!
           user = actor.user
 
-          error_message = validate_actor_key(actor, params[:key_id])
+          error_message = validate_actor(actor)
 
           if error_message
             { success: false, message: error_message }
@@ -314,6 +325,12 @@ module API
 
           two_factor_otp_check
         end
+
+        # Workhorse calls this to determine if it is a Geo secondary site
+        # that should proxy requests. FOSS can quickly return empty data.
+        get '/geo_proxy', feature_category: :geo_replication do
+          geo_proxy
+        end
       end
     end
   end
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb
index 87ad79d601f..af2c53dd778 100644
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -13,7 +13,7 @@ module API
 
       helpers do
         def authenticate_gitlab_kas_request!
-          unauthorized! unless Gitlab::Kas.verify_api_request(headers)
+          render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
         end
 
         def agent_token
@@ -51,9 +51,11 @@ module API
         end
 
         def check_agent_token
-          forbidden! unless agent_token
+          unauthorized! unless agent_token
 
           forbidden! unless Gitlab::Kas.included_in_gitlab_com_rollout?(agent.project)
+
+          agent_token.track_usage
         end
       end