path: root/lib/gitlab/auth.rb
Commit message | Author | Date | Files changed | Lines (-/+)

* Fix #44332 - Add support for profile and email | GotenXiao | 2019-02-06 | 1 file | -1/+4

* Revert "Revert "LfsToken uses JSONWebToken::HMACToken by default"" | Ash McKenzie | 2018-12-17 | 1 file | -2/+2
  This reverts commit 00acef434031b5dc0bf39576a9e83802c7806842.

* Revert "LfsToken uses JSONWebToken::HMACToken by default" | 🤖 GitLab Bot 🤖 | 2018-12-05 | 1 file | -2/+2
  This reverts commit 22954f220231281360377922b709efb904559949

* LfsToken uses JSONWebToken::HMACToken by default | Ash McKenzie | 2018-12-05 | 1 file | -2/+2
  LfsToken::HMACToken#token_valid?() will be examined and if false, look in redis via LfsToken::LegacyRedisDeviseToken#token_valid?().

* Merge branch 'fix_pat_auth-11-4' into 'security-11-4' | Robert Speicher | 2018-10-29 | 1 file | -3/+1
  [11.4] Fix Token lookup for Git over HTTP and registry authentication
  See merge request gitlab/gitlabhq!2577

* Enable frozen string for lib/gitlab/*.rb | gfyoung | 2018-10-22 | 1 file | -0/+2

* Disable existing offenses for the CodeReuse cops | Yorick Peterse | 2018-09-11 | 1 file | -0/+6
  This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop.

* Disable SAML if OmniAuth is disabled (branch: 48932-disable-saml-if-omniauth-is-disabled) | Lin Jen-Shin | 2018-07-20 | 1 file | -17/+2
  We also try to unify the way we set up OmniAuth, and how we check if it's enabled or not.

* Bring back the EE changes to CE to authentication of builds (branch: perform-ci-build-auth-always-on-primary-ce) | Kamil Trzciński | 2018-06-04 | 1 file | -1/+7

* Introduce Gitlab::Auth.omniauth_setup_providers | Lin Jen-Shin | 2018-06-01 | 1 file | -2/+17
  Which could extend from EE

* Eliminate constants warnings by: | Lin Jen-Shin | 2018-06-01 | 1 file | -0/+4
  * Replace `require` or `require_relative` with `require_dependency`
  * Remove unneeded `autoload`

* Resolve "Make a Rubocop that forbids returning from a block" | 🙈 jacopo beschi 🙉 | 2018-04-18 | 1 file | -1/+1

* Use proper auth_scope for deploy token | Kamil Trzciński | 2018-04-07 | 1 file | -1/+1

* Increase test suite around deploy tokens behavior | Mayra Cabrera | 2018-04-06 | 1 file | -5/+3
  Also, fixes broken specs

* Fixes broken schema and minor changes | Mayra Cabrera | 2018-04-06 | 1 file | -2/+2

* Include ProjectDeployTokens | Mayra Cabrera | 2018-04-06 | 1 file | -2/+2
  Also:
  - Changes scopes from serializer to use boolean columns
  - Fixes broken specs

* Support Deploy Tokens properly without hacking abilities | Kamil Trzciński | 2018-04-06 | 1 file | -11/+11

* Addresses backend review suggestions | Mayra Cabrera | 2018-04-06 | 1 file | -2/+2
  - Remove extra method for authorize_admin_project
  - Ensure project presence
  - Rename 'read_repo' to 'read_repository' to be more verbose

* Removes logic from Jwt and handle different scenarios on Gitlab::Auth | Mayra Cabrera | 2018-04-06 | 1 file | -5/+13
  - When using 'read_repo' password and project are sent, so we used both of them to fetch for the token
  - When using 'read_registry' only the password is sent, so we only use that for fetching the token

* Implement 'read_repo' for DeployTokens | Mayra Cabrera | 2018-04-06 | 1 file | -2/+14
  This will allow downloading a repo using the token from the DeployToken

* Fix LDAP login without user in DB | Horatiu Eugen Vlad | 2018-03-27 | 1 file | -1/+5

* Make oauth provider login generic | Horatiu Eugen Vlad | 2018-03-05 | 1 file | -9/+21

* Moved o_auth/saml/ldap modules under gitlab/auth | Horatiu Eugen Vlad | 2018-02-28 | 1 file | -2/+2

* use Gitlab::UserSettings directly as a singleton instead of including/extending it | Mario de la Ossa | 2018-02-02 | 1 file | -4/+2

* Merge branch 'dm-fix-registry-with-sudo-token' into 'master' | Sean McGivern | 2017-11-24 | 1 file | -15/+10
  Fix pulling and pushing using a personal access token with the sudo scope
  Closes #40466
  See merge request gitlab-org/gitlab-ce!15571

  * (merged branch) Fix pulling and pushing using a personal access token with the sudo scope (branch: dm-fix-registry-with-sudo-token) | Douwe Maan | 2017-11-23 | 1 file | -15/+10

* Allow password authentication to be disabled entirely | Markus Koller | 2017-11-23 | 1 file | -4/+10

* Fix Error 500 when pushing LFS objects with a write deploy key | Stan Hu | 2017-11-08 | 1 file | -4/+11

* Add sudo API scope | Douwe Maan | 2017-11-02 | 1 file | -3/+5

* Consistently use PersonalAccessToken instead of PersonalToken | Douwe Maan | 2017-11-02 | 1 file | -4/+4

* Clean up read_registry scope changes | Robin Bobbitt | 2017-09-18 | 1 file | -7/+17
  Closes #37789

* Merge branch 'hide-read-registry-scope-when-registry-disabled' into 'master' | Kamil Trzciński | 2017-09-12 | 1 file | -1/+1
  Hide read_registry scope when registry is disabled on instance
  See merge request !13314

  * (merged branch) Hide read_registry scope when registry is disabled on instance | Robin Bobbitt | 2017-08-21 | 1 file | -1/+1

* Merge branch '37202-revert-changes-to-signing-enabled' into 'master' | Douwe Maan | 2017-09-01 | 1 file | -4/+0
  Rollback changes made to signing_enabled.
  Closes #37202
  See merge request !13956

  * (merged branch) Rolls back changes made to signing_enabled. | Tiago Botelho | 2017-09-01 | 1 file | -4/+0

* `current_application_settings` belongs on `Gitlab::CurrentSettings` | Sean McGivern | 2017-08-31 | 1 file | -0/+2
  The initializers including this were doing so at the top level, so every object loaded after them had a `current_application_settings` method. However, if someone had rack-attack enabled (which was loaded before these initializers), it would try to load the API, and fail, because `Gitlab::CurrentSettings` didn't have that method.

  To fix this:
  1. Don't include `Gitlab::CurrentSettings` at the top level. We do not need `Object.new.current_application_settings` to work.
  2. Make `Gitlab::CurrentSettings` explicitly `extend self`, as we already use it like that in several places.
  3. Change the initializers to use that new form.

* Whitelist or fix additional `Gitlab/PublicSend` cop violations (branch: rs-more-public-send-whitelists) | Robert Speicher | 2017-08-14 | 1 file | -2/+2
  An upcoming update to rubocop-gitlab-security added additional violations.

* Cleanup tests and add admin_container_image to full_authentication_abilities. | Lin Jen-Shin | 2017-08-02 | 1 file | -1/+2
  This is fine because we're going to check with can?(..) anyway

* Fixes needed when GitLab sign-in is not enabled | Robin Bobbitt | 2017-07-13 | 1 file | -1/+5
  When sign-in is disabled:
  - skip password expiration checks
  - prevent password reset requests
  - don't show Password tab in User Settings
  - don't allow login with username/password for Git over HTTP requests
  - render 404 on requests to Profiles::PasswordsController

* `AccessTokenValidationService` accepts `String` or `API::Scope` scopes. | Timothy Andrew | 2017-06-30 | 1 file | -1/+0
  - There's no need to use `API::Scope` for scopes that don't have `if` conditions, such as in `lib/gitlab/auth.rb`.

* Extract a `Gitlab::Scope` class. | Timothy Andrew | 2017-06-29 | 1 file | -2/+2
  - To represent an authorization scope, such as `api` or `read_user`
  - This is a better abstraction than the hash we were previously using.

* Implement review comments from @DouweM for !12300. | Timothy Andrew | 2017-06-28 | 1 file | -2/+3
  - Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`
  - Refactor the "remove scopes whose :if condition returns false" logic to use a `select` rather than a `reject`.

* Fix remaining spec failures for !12300. | Timothy Andrew | 2017-06-28 | 1 file | -2/+2
  1. Get the spec for `lib/gitlab/auth.rb` passing.
     - Make the `request` argument to `AccessTokenValidationService` optional - `auth.rb` doesn't need to pass in a request.
     - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which is what `AccessTokenValidationService` now expects.
  2. Get the spec for `API::V3::Users` passing
  3. Get the spec for `AccessTokenValidationService` passing

* Instruct user to use a personal access token for Git over HTTP | Robin Bobbitt | 2017-06-07 | 1 file | -1/+5
  If internal auth is disabled and LDAP is not configured on the instance, present the user with a message to create a personal access token if his Git over HTTP auth attempt fails.

* Fix test failures (branch: zj-read-registry-pat) | Z.J. van de Weg | 2017-06-06 | 1 file | -16/+23

* Create read_registry scope with JWT auth | Z.J. van de Weg | 2017-06-05 | 1 file | -14/+28
  This is the first commit doing mainly 3 things:
  1. create a new scope and allow users to use it
  2. Have the JWTController respond correctly on this
  3. Updates documentation to suggest usage of PATs
  There is one gotcha, there will be no support for impersonation tokens, as this seems not needed.
  Fixes gitlab-org/gitlab-ce#19219

* Avoid resource intensive login checks if password is not provided | Horatiu Eugen Vlad | 2017-05-21 | 1 file | -1/+4
  Fixes #32598

* Allow OAuth clients to push code (branch: 30305-oauth-token-push-code) | Timothy Andrew | 2017-04-13 | 1 file | -1/+1
  - We currently support fetching code with username = 'oauth2' and password = <access_token>.
  - Trying to _push_ code with the same credentials fails with an authentication error.
  - There's no reason this shouldn't be enabled, especially since we allow the OAuth client to create deploy keys with push access: https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key

* Merge branch 'siemens/gitlab-ce-feature/openid-connect' | Sean McGivern | 2017-03-07 | 1 file | -3/+11

  * (merged branch) Require explicit scopes on personal access tokens | Markus Koller | 2017-03-07 | 1 file | -1/+4
    Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.