7 files changed, 150 insertions, 33 deletions

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index c4c0fdda665..e79f988f549 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -75,7 +75,7 @@ module API
           raise RevokedError
 
         when AccessTokenValidationService::VALID
-          @current_user = User.find(access_token.resource_owner_id)
+          User.find(access_token.resource_owner_id)
         end
       end
 
@@ -84,11 +84,13 @@ module API
 
         return nil unless token_string.present?
 
-        find_user_by_authentication_token(token_string) || find_user_by_personal_access_token(token_string, scopes)
-      end
+        user =
+          find_user_by_authentication_token(token_string) ||
+          find_user_by_personal_access_token(token_string, scopes)
+
+        raise UnauthorizedError unless user
 
-      def current_user
-        @current_user
+        user
       end
 
       private
@@ -107,7 +109,16 @@ module API
       end
 
       def find_access_token
-        @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
+        return @access_token if defined?(@access_token)
+
+        token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods)
+        return @access_token = nil unless token
+
+        @access_token = Doorkeeper::AccessToken.by_token(token)
+        raise UnauthorizedError unless @access_token
+
+        @access_token.revoke_previous_refresh_token!
+        @access_token
       end
 
       def doorkeeper_request
@@ -169,6 +180,7 @@ module API
     TokenNotFoundError = Class.new(StandardError)
     ExpiredError = Class.new(StandardError)
     RevokedError = Class.new(StandardError)
+    UnauthorizedError = Class.new(StandardError)
 
     class InsufficientScopeError < StandardError
       attr_reader :scopes
diff --git a/lib/api/custom_attributes_endpoints.rb b/lib/api/custom_attributes_endpoints.rb
new file mode 100644
index 00000000000..5000aa0d9ac
--- /dev/null
+++ b/lib/api/custom_attributes_endpoints.rb
@@ -0,0 +1,77 @@
+module API
+  module CustomAttributesEndpoints
+    extend ActiveSupport::Concern
+
+    included do
+      attributable_class = name.demodulize.singularize
+      attributable_key = attributable_class.underscore
+      attributable_name = attributable_class.humanize(capitalize: false)
+      attributable_finder = "find_#{attributable_key}"
+
+      helpers do
+        params :custom_attributes_key do
+          requires :key, type: String, desc: 'The key of the custom attribute'
+        end
+      end
+
+      desc "Get all custom attributes on a #{attributable_name}" do
+        success Entities::CustomAttribute
+      end
+      get ':id/custom_attributes' do
+        resource = public_send(attributable_finder, params[:id]) # rubocop:disable GitlabSecurity/PublicSend
+        authorize! :read_custom_attribute
+
+        present resource.custom_attributes, with: Entities::CustomAttribute
+      end
+
+      desc "Get a custom attribute on a #{attributable_name}" do
+        success Entities::CustomAttribute
+      end
+      params do
+        use :custom_attributes_key
+      end
+      get ':id/custom_attributes/:key' do
+        resource = public_send(attributable_finder, params[:id]) # rubocop:disable GitlabSecurity/PublicSend
+        authorize! :read_custom_attribute
+
+        custom_attribute = resource.custom_attributes.find_by!(key: params[:key])
+
+        present custom_attribute, with: Entities::CustomAttribute
+      end
+
+      desc "Set a custom attribute on a #{attributable_name}"
+      params do
+        use :custom_attributes_key
+        requires :value, type: String, desc: 'The value of the custom attribute'
+      end
+      put ':id/custom_attributes/:key' do
+        resource = public_send(attributable_finder, params[:id]) # rubocop:disable GitlabSecurity/PublicSend
+        authorize! :update_custom_attribute
+
+        custom_attribute = resource.custom_attributes
+          .find_or_initialize_by(key: params[:key])
+
+        custom_attribute.update(value: params[:value])
+
+        if custom_attribute.valid?
+          present custom_attribute, with: Entities::CustomAttribute
+        else
+          render_validation_error!(custom_attribute)
+        end
+      end
+
+      desc "Delete a custom attribute on a #{attributable_name}"
+      params do
+        use :custom_attributes_key
+      end
+      delete ':id/custom_attributes/:key' do
+        resource = public_send(attributable_finder, params[:id]) # rubocop:disable GitlabSecurity/PublicSend
+        authorize! :update_custom_attribute
+
+        resource.custom_attributes.find_by!(key: params[:key]).destroy
+
+        status 204
+      end
+    end
+  end
+end
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 71d358907d1..1c0e6873c37 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -89,6 +89,9 @@ module API
       expose :ssh_url_to_repo, :http_url_to_repo, :web_url
       expose :name, :name_with_namespace
       expose :path, :path_with_namespace
+      expose :avatar_url do |project, options|
+        project.avatar_url(only_path: false)
+      end
       expose :star_count, :forks_count
       expose :created_at, :last_activity_at
     end
@@ -146,9 +149,7 @@ module API
       expose :forked_from_project, using: Entities::BasicProjectDetails, if: lambda { |project, options| project.forked? }
       expose :import_status
       expose :import_error, if: lambda { |_project, options| options[:user_can_admin_project] }
-      expose :avatar_url do |user, options|
-        user.avatar_url(only_path: false)
-      end
+
       expose :open_issues_count, if: lambda { |project, options| project.feature_available?(:issues, options[:current_user]) }
       expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] }
       expose :public_builds, as: :public_jobs
@@ -193,8 +194,8 @@ module API
     class Group < Grape::Entity
       expose :id, :name, :path, :description, :visibility
       expose :lfs_enabled?, as: :lfs_enabled
-      expose :avatar_url do |user, options|
-        user.avatar_url(only_path: false)
+      expose :avatar_url do |group, options|
+        group.avatar_url(only_path: false)
       end
       expose :web_url
       expose :request_access_enabled
@@ -234,6 +235,7 @@ module API
     class RepoCommitDetail < RepoCommit
       expose :stats, using: Entities::RepoCommitStats
       expose :status
+      expose :last_pipeline, using: 'API::Entities::PipelineBasic'
     end
 
     class RepoBranch < Grape::Entity
@@ -1036,5 +1038,10 @@ module API
       expose :failing_on_hosts
       expose :total_failures
     end
+
+    class CustomAttribute < Grape::Entity
+      expose :key
+      expose :value
+    end
   end
 end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 00dbc2aee7a..4964a76bef6 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -3,6 +3,8 @@ module API
     include Gitlab::Utils
     include Helpers::Pagination
 
+    UnauthorizedError = Class.new(StandardError)
+
     SUDO_HEADER = "HTTP_SUDO".freeze
     SUDO_PARAM = :sudo
 
@@ -139,7 +141,7 @@ module API
     end
 
     def authenticate!
-      unauthorized! unless current_user && can?(initial_current_user, :access_api)
+      unauthorized! unless current_user
     end
 
     def authenticate_non_get!
@@ -397,19 +399,27 @@ module API
 
     def initial_current_user
       return @initial_current_user if defined?(@initial_current_user)
-      Gitlab::Auth::UniqueIpsLimiter.limit_user! do
-        @initial_current_user ||= find_user_by_private_token(scopes: scopes_registered_for_endpoint)
-        @initial_current_user ||= doorkeeper_guard(scopes: scopes_registered_for_endpoint)
-        @initial_current_user ||= find_user_from_warden
-
-        unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
-          @initial_current_user = nil
-        end
 
-        @initial_current_user
+      begin
+        @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user }
+      rescue APIGuard::UnauthorizedError, UnauthorizedError
+        unauthorized!
       end
     end
 
+    def find_current_user
+      user =
+        find_user_by_private_token(scopes: scopes_registered_for_endpoint) ||
+        doorkeeper_guard(scopes: scopes_registered_for_endpoint) ||
+        find_user_from_warden
+
+      return nil unless user
+
+      raise UnauthorizedError unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
+
+      user
+    end
+
     def sudo!
       return unless sudo_identifier
       return unless initial_current_user
@@ -454,10 +464,12 @@ module API
       header(*Gitlab::Workhorse.send_artifacts_entry(build, entry))
     end
 
-    # The Grape Error Middleware only has access to env but no params. We workaround this by
-    # defining a method that returns the right value.
+    # The Grape Error Middleware only has access to `env` but not `params` nor
+    # `request`. We workaround this by defining methods that returns the right
+    # values.
     def define_params_for_grape_middleware
-      self.define_singleton_method(:params) { Rack::Request.new(env).params.symbolize_keys }
+      self.define_singleton_method(:request) { Rack::Request.new(env) }
+      self.define_singleton_method(:params) { request.params.symbolize_keys }
     end
 
     # We could get a Grape or a standard Ruby exception. We should only report anything that
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index c0fef56378f..6e78ac2c903 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -31,6 +31,12 @@ module API
         protocol = params[:protocol]
 
         actor.update_last_used_at if actor.is_a?(Key)
+        user =
+          if actor.is_a?(Key)
+            actor.user
+          else
+            actor
+          end
 
         access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess
         access_checker = access_checker_klass
@@ -47,6 +53,7 @@ module API
         {
           status: true,
           gl_repository: gl_repository,
+          gl_username: user&.username,
           repository_path: repository_path,
           gitaly: gitaly_payload(params[:action])
         }
@@ -136,7 +143,7 @@ module API
 
         codes = nil
 
-        ::Users::UpdateService.new(user).execute! do |user|
+        ::Users::UpdateService.new(current_user, user: user).execute! do |user|
           codes = user.generate_otp_backup_codes!
         end
 
diff --git a/lib/api/notification_settings.rb b/lib/api/notification_settings.rb
index bcc0833aa5c..0266bf2f717 100644
--- a/lib/api/notification_settings.rb
+++ b/lib/api/notification_settings.rb
@@ -35,7 +35,7 @@ module API
             new_notification_email = params.delete(:notification_email)
 
             if new_notification_email
-              ::Users::UpdateService.new(current_user, notification_email: new_notification_email).execute
+              ::Users::UpdateService.new(current_user, user: current_user, notification_email: new_notification_email).execute
             end
 
             notification_setting.update(declared_params(include_missing: false))
diff --git a/lib/api/users.rb b/lib/api/users.rb
index bdebda58d3f..d07dc302717 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -6,12 +6,14 @@ module API
     allow_access_with_scope :read_user, if: -> (request) { request.get? }
 
     resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
+      include CustomAttributesEndpoints
+
       before do
         authenticate_non_get!
       end
 
       helpers do
-        def find_user(params)
+        def find_user_by_id(params)
           id = params[:user_id] || params[:id]
           User.find_by(id: id) || not_found!('User')
         end
@@ -166,7 +168,7 @@ module API
 
         user_params[:password_expires_at] = Time.now if user_params[:password].present?
 
-        result = ::Users::UpdateService.new(user, user_params.except(:extern_uid, :provider)).execute
+        result = ::Users::UpdateService.new(current_user, user_params.except(:extern_uid, :provider).merge(user: user)).execute
 
         if result[:status] == :success
           present user, with: Entities::UserPublic
@@ -326,7 +328,7 @@ module API
         user = User.find_by(id: params.delete(:id))
         not_found!('User') unless user
 
-        email = Emails::CreateService.new(user, declared_params(include_missing: false)).execute
+        email = Emails::CreateService.new(current_user, declared_params(include_missing: false).merge(user: user)).execute
 
         if email.errors.blank?
           NotificationService.new.new_email(email)
@@ -367,7 +369,7 @@ module API
         not_found!('Email') unless email
 
         destroy_conditionally!(email) do |email|
-          Emails::DestroyService.new(current_user, email: email.email).execute
+          Emails::DestroyService.new(current_user, user: user, email: email.email).execute
         end
 
         user.update_secondary_emails!
@@ -430,7 +432,7 @@ module API
         resource :impersonation_tokens do
           helpers do
             def finder(options = {})
-              user = find_user(params)
+              user = find_user_by_id(params)
               PersonalAccessTokensFinder.new({ user: user, impersonation: true }.merge(options))
             end
 
@@ -672,7 +674,7 @@ module API
         requires :email, type: String, desc: 'The new email'
       end
       post "emails" do
-        email = Emails::CreateService.new(current_user, declared_params).execute
+        email = Emails::CreateService.new(current_user, declared_params.merge(user: current_user)).execute
 
         if email.errors.blank?
           NotificationService.new.new_email(email)
@@ -691,7 +693,7 @@ module API
         not_found!('Email') unless email
 
         destroy_conditionally!(email) do |email|
-          Emails::DestroyService.new(current_user, email: email.email).execute
+          Emails::DestroyService.new(current_user, user: current_user, email: email.email).execute
         end
 
         current_user.update_secondary_emails!