Module: Gitlab::Auth

Defined in:
lib/gitlab/auth.rb,
lib/gitlab/auth/result.rb,
lib/gitlab/auth/ldap/dn.rb,
lib/gitlab/auth/activity.rb,
lib/gitlab/auth/ldap/user.rb,
lib/gitlab/auth/saml/user.rb,
lib/gitlab/auth/ldap/access.rb,
lib/gitlab/auth/ldap/config.rb,
lib/gitlab/auth/ldap/person.rb,
lib/gitlab/auth/o_auth/user.rb,
lib/gitlab/auth/saml/config.rb,
lib/gitlab/auth/auth_finders.rb,
lib/gitlab/auth/ldap/adapter.rb,
lib/gitlab/auth/too_many_ips.rb,
lib/gitlab/auth/atlassian/user.rb,
lib/gitlab/auth/ldap/auth_hash.rb,
lib/gitlab/auth/o_auth/session.rb,
lib/gitlab/auth/saml/auth_hash.rb,
lib/gitlab/auth/ip_rate_limiter.rb,
lib/gitlab/auth/o_auth/provider.rb,
lib/gitlab/auth/o_auth/auth_hash.rb,
lib/gitlab/auth/current_user_mode.rb,
lib/gitlab/auth/key_status_checker.rb,
lib/gitlab/auth/unique_ips_limiter.rb,
lib/gitlab/auth/atlassian/auth_hash.rb,
lib/gitlab/auth/ldap/authentication.rb,
lib/gitlab/auth/blocked_user_tracker.rb,
lib/gitlab/auth/saml/identity_linker.rb,
lib/gitlab/auth/o_auth/authentication.rb,
lib/gitlab/auth/request_authenticator.rb,
lib/gitlab/auth/saml/origin_validator.rb,
lib/gitlab/auth/o_auth/identity_linker.rb,
lib/gitlab/auth/database/authentication.rb,
lib/gitlab/auth/two_factor_auth_verifier.rb,
lib/gitlab/auth/atlassian/identity_linker.rb,
lib/gitlab/auth/user_access_denied_reason.rb,
lib/gitlab/auth/ldap/ldap_connection_error.rb,
lib/gitlab/auth/omniauth_identity_linker_base.rb

Defined Under Namespace

Modules: Atlassian, AuthFinders, Database, Ldap, OAuth, Saml Classes: Activity, BlockedUserTracker, CurrentUserMode, InsufficientScopeError, IpRateLimiter, KeyStatusChecker, OmniauthIdentityLinkerBase, RequestAuthenticator, Result, TooManyIps, TwoFactorAuthVerifier, UniqueIpsLimiter, UserAccessDeniedReason

Constant Summary collapse

MissingPersonalAccessTokenError =
Class.new(StandardError)
IpBlacklisted =
Class.new(StandardError)
API_SCOPES =

Scopes used for GitLab API access

[:api, :read_user, :read_api].freeze
REPOSITORY_SCOPES =

Scopes used for GitLab Repository access

[:read_repository, :write_repository].freeze
REGISTRY_SCOPES =

Scopes used for GitLab Docker Registry access

[:read_registry, :write_registry].freeze
ADMIN_SCOPES =

Scopes used for GitLab as admin

[:sudo].freeze
OPENID_SCOPES =

Scopes used for OpenID Connect

[:openid].freeze
PROFILE_SCOPES =

OpenID Connect profile scopes

[:profile, :email].freeze
DEFAULT_SCOPES =

Default scopes for OAuth applications that don't define their own

[:api].freeze
CI_JOB_USER =
'gitlab-ci-token'
AuthenticationError =
Class.new(StandardError)
MissingTokenError =
Class.new(AuthenticationError)
TokenNotFoundError =
Class.new(AuthenticationError)
ExpiredError =
Class.new(AuthenticationError)
RevokedError =
Class.new(AuthenticationError)
ImpersonationDisabled =
Class.new(AuthenticationError)
UnauthorizedError =
Class.new(AuthenticationError)

Class Method Summary collapse

Class Method Details

.all_available_scopesObject


342
343
344
# File 'lib/gitlab/auth.rb', line 342

def all_available_scopes
  non_admin_available_scopes + ADMIN_SCOPES
end

.available_scopes_for(current_user) ⇒ Object


336
337
338
339
340
# File 'lib/gitlab/auth.rb', line 336

def available_scopes_for(current_user)
  scopes = non_admin_available_scopes
  scopes += ADMIN_SCOPES if current_user.admin?
  scopes
end

.build_authentication_abilitiesObject


294
295
296
297
298
299
300
301
302
# File 'lib/gitlab/auth.rb', line 294

def build_authentication_abilities
  [
    :read_project,
    :build_download_code,
    :build_read_container_image,
    :build_create_container_image,
    :build_destroy_container_image
  ]
end

.find_for_git_client(login, password, project:, ip:) ⇒ Object

Raises:


38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/gitlab/auth.rb', line 38

def find_for_git_client(, password, project:, ip:)
  raise "Must provide an IP for rate limiting" if ip.nil?

  rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)

  raise IpBlacklisted if !skip_rate_limit?(login: ) && rate_limiter.banned?

  # `user_with_password_for_git` should be the last check
  # because it's the most expensive, especially when LDAP
  # is enabled.
  result =
    service_request_check(, password, project) ||
    build_access_token_check(, password) ||
    lfs_token_check(, password, project) ||
    oauth_access_token_check(, password) ||
    personal_access_token_check(password) ||
    deploy_token_check(, password, project) ||
    user_with_password_for_git(, password) ||
    Gitlab::Auth::Result.new

  rate_limit!(rate_limiter, success: result.success?, login: )
  look_to_limit_user(result.actor)

  return result if result.success? || authenticate_using_internal_or_ldap_password?

  # If sign-in is disabled and LDAP is not configured, recommend a
  # personal access token on failed auth attempts
  raise Gitlab::Auth::MissingPersonalAccessTokenError
end

.find_with_user_password(login, password, increment_failed_attempts: false) ⇒ Object

Find and return a user if the provided password is valid for various authenticators (OAuth, LDAP, Local Database).

Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`. CAUTION: Avoid incrementing failed attempts when authentication falls through different mechanisms, as in `.find_for_git_client`. This may lead to unwanted access locks when the value provided for `password` was actually a PAT, deploy token, etc.


76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# File 'lib/gitlab/auth.rb', line 76

def find_with_user_password(, password, increment_failed_attempts: false)
  # Avoid resource intensive checks if login credentials are not provided
  return unless .present? && password.present?

  # Nothing to do here if internal auth is disabled and LDAP is
  # not configured
  return unless authenticate_using_internal_or_ldap_password?

  Gitlab::Auth::UniqueIpsLimiter.limit_user! do
    user = User.()

    break if user && !user.can?(:log_in)

    authenticators = []

    if user
      authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, 'database')

      # Add authenticators for all identities if user is not nil
      user&.identities&.each do |identity|
        authenticators << Gitlab::Auth::OAuth::Provider.authentication(user, identity.provider)
      end
    else
      # If no user is provided, try LDAP.
      #   LDAP users are only authenticated via LDAP
      authenticators << Gitlab::Auth::Ldap::Authentication
    end

    authenticators.compact!

    # return found user that was authenticated first for given login credentials
    authenticated_user = authenticators.find do |auth|
      authenticated_user = auth.(, password)
      break authenticated_user if authenticated_user
    end

    user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts

    authenticated_user
  end
end

.full_authentication_abilitiesObject


330
331
332
333
334
# File 'lib/gitlab/auth.rb', line 330

def full_authentication_abilities
  read_write_authentication_abilities + [
    :admin_container_image
  ]
end

.omniauth_enabled?Boolean

Returns:

  • (Boolean)

34
35
36
# File 'lib/gitlab/auth.rb', line 34

def omniauth_enabled?
  Gitlab.config.omniauth.enabled
end

.optional_scopesObject

Other available scopes


347
348
349
# File 'lib/gitlab/auth.rb', line 347

def optional_scopes
  all_available_scopes + OPENID_SCOPES + PROFILE_SCOPES - DEFAULT_SCOPES
end

.read_only_authentication_abilitiesObject


317
318
319
320
321
# File 'lib/gitlab/auth.rb', line 317

def read_only_authentication_abilities
  read_only_project_authentication_abilities + [
    :read_container_image
  ]
end

.read_only_project_authentication_abilitiesObject


304
305
306
307
308
309
# File 'lib/gitlab/auth.rb', line 304

def read_only_project_authentication_abilities
  [
    :read_project,
    :download_code
  ]
end

.read_write_authentication_abilitiesObject


323
324
325
326
327
328
# File 'lib/gitlab/auth.rb', line 323

def read_write_authentication_abilities
  read_only_authentication_abilities + [
    :push_code,
    :create_container_image
  ]
end

.read_write_project_authentication_abilitiesObject


311
312
313
314
315
# File 'lib/gitlab/auth.rb', line 311

def read_write_project_authentication_abilities
  read_only_project_authentication_abilities + [
    :push_code
  ]
end

.registry_scopesObject


351
352
353
354
355
# File 'lib/gitlab/auth.rb', line 351

def registry_scopes
  return [] unless Gitlab.config.registry.enabled

  REGISTRY_SCOPES
end

.resource_bot_scopesObject


357
358
359
# File 'lib/gitlab/auth.rb', line 357

def resource_bot_scopes
  Gitlab::Auth::API_SCOPES + Gitlab::Auth::REPOSITORY_SCOPES + Gitlab::Auth.registry_scopes - [:read_user]
end