1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
module API
# Projects builds API
class Auth < Grape::API
namespace 'auth' do
get 'token' do
required_attributes! [:service]
keys = attributes_for_keys [:offline_token, :scope, :service]
case keys[:service]
when 'docker'
docker_token_auth(keys[:scope], keys[:offline_token])
else
not_found!
end
end
end
helpers do
def docker_token_auth(scope, offline_token)
auth!
if offline_token
forbidden! unless @user
elsif scope
@type, @path, actions = scope.split(':', 3)
bad_request!("invalid type: #{@type}") unless @type == 'repository'
@actions = actions.split(',')
bad_request!('missing actions') if @actions.empty?
@project = Project.find_with_namespace(@path)
not_found!('Project') unless @project
authorize_actions!(@actions)
end
{ token: encode(docker_payload) }
end
def auth!
auth = BasicRequest.new(request.env)
return unless auth.provided?
return bad_request unless auth.basic?
# Authentication with username and password
login, password = auth.credentials
if ci_request?(login, password)
@ci = true
return
end
@user = authenticate_user(login, password)
if @user
request.env['REMOTE_USER'] = @user.username
end
end
def ci_request?(login, password)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
if @project && matched_login.present?
underscored_service = matched_login['s'].underscore
if underscored_service == 'gitlab_ci'
return @project.valid_build_token?(password)
end
end
false
end
def authenticate_user(login, password)
user = Gitlab::Auth.new.find(login, password)
# If the user authenticated successfully, we reset the auth failure count
# from Rack::Attack for that IP. A client may attempt to authenticate
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives from occurring.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config = Gitlab.config.rack_attack.git_basic_auth
if config.enabled
if user
# A successful login will reset the auth failure count from this IP
Rack::Attack::Allow2Ban.reset(@request.ip, config)
else
banned = Rack::Attack::Allow2Ban.filter(@request.ip, config) do
# Unless the IP is whitelisted, return true so that Allow2Ban
# increments the counter (stored in Rails.cache) for the IP
if config.ip_whitelist.include?(@request.ip)
false
else
true
end
end
if banned
Rails.logger.info "IP #{@request.ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
user
end
def docker_payload
{
access: [
type: @type,
name: @path,
actions: @actions
],
exp: Time.now.to_i + 3600
}
end
def private_key
@private_key ||= OpenSSL::PKey::RSA.new File.read 'config/registry.key'
end
def encode(payload)
JWT.encode(payload, private_key, 'RS256')
end
def authorize_actions!(actions)
actions.each do |action|
forbidden! unless can_access?(action)
end
end
def can_access?(action)
case action
when 'pull'
@ci || can?(@user, :download_code, @project)
when 'push'
@ci || can?(@user, :push_code, @project)
else
false
end
end
class BasicRequest < Rack::Auth::AbstractRequest
def basic?
"basic" == scheme
end
def credentials
@credentials ||= params.unpack("m*").first.split(/:/, 2)
end
def username
credentials.first
end
end
end
end
end
|
