app/controllers/groups/dependency_proxy/application_controller.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

# frozen_string_literal: true

module Groups
  module DependencyProxy
    class ApplicationController < ::ApplicationController
      EMPTY_AUTH_RESULT = Gitlab::Auth::Result.new(nil, nil, nil, nil).freeze

      delegate :actor, to: :@authentication_result, allow_nil: true

      # This allows auth_user to be set in the base ApplicationController
      alias_method :authenticated_user, :actor

      # We disable `authenticate_user!` since the `DependencyProxy::ApplicationController` performs auth using JWT token
      skip_before_action :authenticate_user!, raise: false

      prepend_before_action :authenticate_user_from_jwt_token!

      def authenticate_user_from_jwt_token!
        return unless dependency_proxy_for_private_groups?

        authenticate_with_http_token do |token, _|
          @authentication_result = EMPTY_AUTH_RESULT

          found_user = user_from_token(token)
          sign_in(found_user) if found_user.is_a?(User)
        end

        request_bearer_token! unless authenticated_user
      end

      private

      def dependency_proxy_for_private_groups?
        Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true)
      end

      def request_bearer_token!
        # unfortunately, we cannot use https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html#method-i-authentication_request
        response.headers['WWW-Authenticate'] = ::DependencyProxy::Registry.authenticate_header
        render plain: '', status: :unauthorized
      end

      def user_from_token(token)
        token_payload = ::DependencyProxy::AuthTokenService.decoded_token_payload(token)

        if token_payload['user_id']
          token_user = User.find(token_payload['user_id'])
          return unless token_user

          @authentication_result = Gitlab::Auth::Result.new(token_user, nil, :user, [])
          return token_user
        elsif token_payload['deploy_token']
          deploy_token = DeployToken.active.find_by_token(token_payload['deploy_token'])
          return unless deploy_token

          @authentication_result = Gitlab::Auth::Result.new(deploy_token, nil, :deploy_token, [])
          return deploy_token
        end

        nil
      rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature
        nil
      end
    end
  end
end