From 41ebd06ddc837c80ba6ca95c6d5fea2b76cef8d2 Mon Sep 17 00:00:00 2001
From: Francisco Lopez <fjlopez@gitlab.com>
Date: Tue, 7 Nov 2017 19:17:41 +0100
Subject: Some fixes after rebase

---
 app/controllers/application_controller.rb | 24 ----------
 lib/api/api_guard.rb                      | 31 +++---------
 lib/gitlab/auth/request_authenticator.rb  |  4 +-
 lib/gitlab/auth/user_auth_finders.rb      | 78 +++++++++++++------------------
 4 files changed, 41 insertions(+), 96 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index cd7b2a463fd..bab5ae05ce9 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -99,36 +99,12 @@ class ApplicationController < ActionController::Base
     return try(:authenticated_user)
   end
 
-<<<<<<< HEAD
-  def authenticate_user_from_personal_access_token!
-    token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-
-    return unless token.present?
-
-    user = User.find_by_personal_access_token(token)
-
-    sessionless_sign_in(user)
-  end
-
-  # This filter handles authentication for atom request with an rss_token
-  def authenticate_user_from_rss_token!
-    return unless request.format.atom?
-
-    token = params[:rss_token].presence
-
-    return unless token.present?
-
-    user = User.find_by_rss_token(token)
-
-    sessionless_sign_in(user)
-=======
   # This filter handles private tokens, personal access tokens, and atom
   # requests with rss tokens
   def authenticate_sessionless_user!
     user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user
 
     sessionless_sign_in(user) if user
->>>>>>> Add request throttles
   end
 
   def log_exception(exception)
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 66ad2b77f75..9ada2d5ebb1 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -72,33 +72,16 @@ module API
         end
       end
 
-      def raise_unauthorized_error!
-        raise UnauthorizedError
-      end
+      private
 
-      # If token is presented and valid, then it sets @current_user.
-      #
-      # If the token does not have sufficient scopes to cover the requred scopes,
-      # then it raises InsufficientScopeError.
-      #
-      # If the token is expired, then it raises ExpiredError.
-      #
-      # If the token is revoked, then it raises RevokedError.
-      #
-      # If the token is not found (nil), then it returns nil
-      #
-      # Arguments:
-      #
-      #   scopes: (optional) scopes required for this guard.
-      #           Defaults to empty array.
-      def find_user_by_access_token(access_token)
-        scopes = scopes_registered_for_endpoint
+      def handle_return_value!(value, &block)
+        raise UnauthorizedError unless value
 
-        # Expiration, revocation and scopes are verified in `find_user_by_access_token`
-        access_token = PersonalAccessToken.find_by(token: token)
-        raise UnauthorizedError unless access_token
+        block_given? ? yield(value) : value
+      end
 
-        access_token
+      def private_token
+        params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
       end
 
       # An array of scopes that were registered (using `allow_access_with_scope`)
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index 123a39dea75..eb16701bad5 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -12,11 +12,11 @@ module Gitlab
       end
 
       def user
-        find_sessionless_user || find_session_user
+        find_sessionless_user || find_user_from_warden
       end
 
       def find_sessionless_user
-        find_user_by_private_token || find_user_by_rss_token || find_user_by_oauth_token
+        find_user_from_access_token || find_user_by_rss_token
       end
     end
   end
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index d1f5bf84873..93f3cae0a95 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -2,77 +2,67 @@ module Gitlab
   module Auth
     module UserAuthFinders
       # Check the Rails session for valid authentication details
-      def find_session_user
+      def find_user_from_warden
         request.env['warden']&.authenticate if verified_request?
       end
 
-      def find_user_by_private_token
-        token = private_token
-        return unless token.present?
-
-        user =
-          find_user_by_authentication_token(token) ||
-          find_user_by_personal_access_token(token)
+      def find_user_by_rss_token
+        return unless request.format.atom?
 
-        raise_unauthorized_error! unless user
+        token = request.params[:rss_token].presence
+        return unless token.present?
 
-        user
+        handle_return_value!(User.find_by_rss_token(token))
       end
 
-      def find_user_by_rss_token
-        return unless request.path.ends_with?('atom') || request.format.atom?
+      def find_user_from_access_token
+        return unless access_token
 
-        token = request.params[:rss_token].presence
-        return unless token.present?
+        validate_access_token!
 
-        user = User.find_by_rss_token(token)
-        raise_unauthorized_error! unless user
+        handle_return_value!(access_token&.user)
+      end
 
-        user
+      def validate_access_token!(scopes: [])
       end
 
-      def find_user_by_oauth_token
-        access_token = find_oauth_access_token
+      private
 
-        return unless access_token
+      def handle_return_value!(value, &block)
+        return unless value
 
-        find_user_by_access_token(access_token)
+        block_given? ? yield(value) : value
       end
 
-      private
+      def access_token
+        return @access_token if defined?(@access_token)
+
+        @access_token = find_oauth_access_token || find_personal_access_token
+      end
 
       def private_token
         request.params[:private_token].presence ||
           request.headers['PRIVATE-TOKEN'].presence
       end
 
-      def find_user_by_authentication_token(token_string)
-        User.find_by_authentication_token(token_string)
-      end
-
-      def find_user_by_personal_access_token(token_string)
-        access_token = PersonalAccessToken.find_by_token(token_string)
-        return unless access_token
+      def find_personal_access_token
+        token = private_token.to_s
+        return unless token.present?
 
-        find_user_by_access_token(access_token)
+        # Expiration, revocation and scopes are verified in `validate_access_token!`
+        handle_return_value!(PersonalAccessToken.find_by(token: token))
       end
 
       def find_oauth_access_token
-        return @oauth_access_token if defined?(@oauth_access_token)
-
         current_request = ensure_action_dispatch_request(request)
         token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
-        return @oauth_access_token = nil unless token
-
-        @oauth_access_token = OauthAccessToken.by_token(token)
-        raise_unauthorized_error! unless @oauth_access_token
-
-        @oauth_access_token.revoke_previous_refresh_token!
-        @oauth_access_token
-      end
+        return unless token
 
-      def find_user_by_access_token(access_token)
-        access_token&.user
+        # Expiration, revocation and scopes are verified in `validate_access_token!`
+        handle_return_value!(OauthAccessToken.by_token(token)) do |oauth_token|
+          oauth_token.revoke_previous_refresh_token!
+          oauth_token
+        end
       end
 
       # Check if the request is GET/HEAD, or if CSRF token is valid.
@@ -85,10 +75,6 @@ module Gitlab
 
         ActionDispatch::Request.new(request.env)
       end
-
-      def raise_unauthorized_error!
-        return nil
-      end
     end
   end
 end
-- 
cgit v1.2.1