Module: Gitlab::Auth

Defined in:

lib/gitlab/auth.rb,
lib/gitlab/auth/result.rb,
lib/gitlab/auth/ldap/dn.rb,
lib/gitlab/auth/activity.rb,
lib/gitlab/auth/ldap/user.rb,
lib/gitlab/auth/saml/user.rb,
lib/gitlab/auth/ldap/access.rb,
lib/gitlab/auth/ldap/config.rb,
lib/gitlab/auth/ldap/person.rb,
lib/gitlab/auth/o_auth/user.rb,
lib/gitlab/auth/saml/config.rb,
lib/gitlab/auth/auth_finders.rb,
lib/gitlab/auth/ldap/adapter.rb,
lib/gitlab/auth/too_many_ips.rb,
lib/gitlab/auth/atlassian/user.rb,
lib/gitlab/auth/ldap/auth_hash.rb,
lib/gitlab/auth/o_auth/session.rb,
lib/gitlab/auth/saml/auth_hash.rb,
lib/gitlab/auth/ip_rate_limiter.rb,
lib/gitlab/auth/o_auth/provider.rb,
lib/gitlab/auth/o_auth/auth_hash.rb,
lib/gitlab/auth/current_user_mode.rb,
lib/gitlab/auth/key_status_checker.rb,
lib/gitlab/auth/unique_ips_limiter.rb,
lib/gitlab/auth/atlassian/auth_hash.rb,
lib/gitlab/auth/ldap/authentication.rb,
lib/gitlab/auth/blocked_user_tracker.rb,
lib/gitlab/auth/saml/identity_linker.rb,
lib/gitlab/auth/o_auth/authentication.rb,
lib/gitlab/auth/request_authenticator.rb,
lib/gitlab/auth/saml/origin_validator.rb,
lib/gitlab/auth/o_auth/identity_linker.rb,
lib/gitlab/auth/database/authentication.rb,
lib/gitlab/auth/two_factor_auth_verifier.rb,
lib/gitlab/auth/atlassian/identity_linker.rb,
lib/gitlab/auth/user_access_denied_reason.rb,
lib/gitlab/auth/ldap/ldap_connection_error.rb,
lib/gitlab/auth/omniauth_identity_linker_base.rb

Defined Under Namespace

Modules: Atlassian, AuthFinders, Database, Ldap, OAuth, Saml Classes: Activity, BlockedUserTracker, CurrentUserMode, InsufficientScopeError, IpRateLimiter, KeyStatusChecker, OmniauthIdentityLinkerBase, RequestAuthenticator, Result, TooManyIps, TwoFactorAuthVerifier, UniqueIpsLimiter, UserAccessDeniedReason

Constant Summary

MissingPersonalAccessTokenError =

Class.new(StandardError)

IpBlacklisted =

Class.new(StandardError)

API_SCOPES =

Scopes used for GitLab API access

[:api, :read_user, :read_api].freeze

REPOSITORY_SCOPES =

Scopes used for GitLab Repository access

[:read_repository, :write_repository].freeze

REGISTRY_SCOPES =

Scopes used for GitLab Docker Registry access

[:read_registry, :write_registry].freeze

ADMIN_SCOPES =

Scopes used for GitLab as admin

[:sudo].freeze

OPENID_SCOPES =

Scopes used for OpenID Connect

[:openid].freeze

PROFILE_SCOPES =

OpenID Connect profile scopes

[:profile, :email].freeze

DEFAULT_SCOPES =

Default scopes for OAuth applications that don't define their own

[:api].freeze

CI_JOB_USER =

'gitlab-ci-token'

AuthenticationError =

Class.new(StandardError)

MissingTokenError =

Class.new(AuthenticationError)

TokenNotFoundError =

Class.new(AuthenticationError)

ExpiredError =

Class.new(AuthenticationError)

RevokedError =

Class.new(AuthenticationError)

ImpersonationDisabled =

Class.new(AuthenticationError)

UnauthorizedError =

Class.new(AuthenticationError)

Class Method Summary

• .all_available_scopes ⇒ Object
• .available_scopes_for(current_user) ⇒ Object
• .build_authentication_abilities ⇒ Object
• .find_for_git_client(login, password, project:, ip:) ⇒ Object
• .find_with_user_password(login, password, increment_failed_attempts: false) ⇒ Object

  Find and return a user if the provided password is valid for various authenticators (OAuth, LDAP, Local Database).

• .full_authentication_abilities ⇒ Object
• .omniauth_enabled? ⇒ Boolean
• .optional_scopes ⇒ Object

  Other available scopes.

• .read_only_authentication_abilities ⇒ Object
• .read_only_project_authentication_abilities ⇒ Object
• .read_write_authentication_abilities ⇒ Object
• .read_write_project_authentication_abilities ⇒ Object
• .registry_scopes ⇒ Object
• .resource_bot_scopes ⇒ Object

Class Method Details

.all_available_scopes ⇒ Object

# File 'lib/gitlab/auth.rb', line 342

def all_available_scopes
  non_admin_available_scopes + ADMIN_SCOPES
end

.available_scopes_for(current_user) ⇒ Object

# File 'lib/gitlab/auth.rb', line 336

def available_scopes_for(current_user)
  scopes = non_admin_available_scopes
  scopes += ADMIN_SCOPES if current_user.admin?
  scopes
end

.build_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 294

def build_authentication_abilities
  [
    :read_project,
    :build_download_code,
    :build_read_container_image,
    :build_create_container_image,
    :build_destroy_container_image
  ]
end

.find_for_git_client(login, password, project:, ip:) ⇒ Object

Raises:

• (IpBlacklisted)

# File 'lib/gitlab/auth.rb', line 38

def find_for_git_client(login, password, project:, ip:)
  raise "Must provide an IP for rate limiting" if ip.nil?

  rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)

  raise IpBlacklisted if !skip_rate_limit?(login: login) && rate_limiter.banned?

  # `user_with_password_for_git` should be the last check
  # because it's the most expensive, especially when LDAP
  # is enabled.
  result =
    service_request_check(login, password, project) ||
    build_access_token_check(login, password) ||
    lfs_token_check(login, password, project) ||
    oauth_access_token_check(login, password) ||
    personal_access_token_check(password) ||
    deploy_token_check(login, password, project) ||
    user_with_password_for_git(login, password) ||
    Gitlab::Auth::Result.new

  rate_limit!(rate_limiter, success: result.success?, login: login)
  look_to_limit_user(result.actor)

  return result if result.success? || authenticate_using_internal_or_ldap_password?

  # If sign-in is disabled and LDAP is not configured, recommend a
  # personal access token on failed auth attempts
  raise Gitlab::Auth::MissingPersonalAccessTokenError
end

.find_with_user_password(login, password, increment_failed_attempts: false) ⇒ Object

Find and return a user if the provided password is valid for various authenticators (OAuth, LDAP, Local Database).

Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`. CAUTION: Avoid incrementing failed attempts when authentication falls through different mechanisms, as in `.find_for_git_client`. This may lead to unwanted access locks when the value provided for `password` was actually a PAT, deploy token, etc.

# File 'lib/gitlab/auth.rb', line 76

def find_with_user_password(login, password, increment_failed_attempts: false)
  # Avoid resource intensive checks if login credentials are not provided
  return unless login.present? && password.present?

  # Nothing to do here if internal auth is disabled and LDAP is
  # not configured
  return unless authenticate_using_internal_or_ldap_password?

  Gitlab::Auth::UniqueIpsLimiter.limit_user! do
    user = User.by_login(login)

    break if user && !user.can?(:log_in)

    authenticators = []

    if user
      authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, 'database')

      # Add authenticators for all identities if user is not nil
      user&.identities&.each do |identity|
        authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, identity.provider)
      end
    else
      # If no user is provided, try LDAP.
      #   LDAP users are only authenticated via LDAP
      authenticators << Gitlab::Auth::Ldap::Authentication
    end

    authenticators.compact!

    # return found user that was authenticated first for given login credentials
    authenticated_user = authenticators.find do |auth|
      authenticated_user = auth.login(login, password)
      break authenticated_user if authenticated_user
    end

    user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts

    authenticated_user
  end
end

.full_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 330

def full_authentication_abilities
  read_write_authentication_abilities + [
    :admin_container_image
  ]
end

.omniauth_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/auth.rb', line 34

def omniauth_enabled?
  Gitlab.config.omniauth.enabled
end

.optional_scopes ⇒ Object

Other available scopes

# File 'lib/gitlab/auth.rb', line 347

def optional_scopes
  all_available_scopes + OPENID_SCOPES + PROFILE_SCOPES - DEFAULT_SCOPES
end

.read_only_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 317

def read_only_authentication_abilities
  read_only_project_authentication_abilities + [
    :read_container_image
  ]
end

.read_only_project_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 304

def read_only_project_authentication_abilities
  [
    :read_project,
    :download_code
  ]
end

.read_write_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 323

def read_write_authentication_abilities
  read_only_authentication_abilities + [
    :push_code,
    :create_container_image
  ]
end

.read_write_project_authentication_abilities ⇒ Object

# File 'lib/gitlab/auth.rb', line 311

def read_write_project_authentication_abilities
  read_only_project_authentication_abilities + [
    :push_code
  ]
end

.registry_scopes ⇒ Object

# File 'lib/gitlab/auth.rb', line 351

def registry_scopes
  return [] unless Gitlab.config.registry.enabled

  REGISTRY_SCOPES
end

.resource_bot_scopes ⇒ Object

# File 'lib/gitlab/auth.rb', line 357

def resource_bot_scopes
  Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth.registry_scopes - [:read_user]
end