Class: Gitlab::Auth::RequestAuthenticator

Inherits:

Object

Object
Gitlab::Auth::RequestAuthenticator

Includes:: AuthFinders

Defined in:: lib/gitlab/auth/request_authenticator.rb

Constant Summary

Constants included from AuthFinders

AuthFinders::DEPLOY_TOKEN_HEADER, AuthFinders::JOB_TOKEN_HEADER, AuthFinders::JOB_TOKEN_PARAM, AuthFinders::PRIVATE_TOKEN_HEADER, AuthFinders::PRIVATE_TOKEN_PARAM, AuthFinders::RUNNER_JOB_TOKEN_PARAM, AuthFinders::RUNNER_TOKEN_PARAM

Instance Attribute Summary collapse

#request ⇒ Object readonly

Returns the value of attribute request.

Instance Method Summary collapse

#can_sign_in_bot?(user) ⇒ Boolean
#find_authenticated_requester(request_formats) ⇒ Object
#find_sessionless_user(request_format) ⇒ Object
#find_user_for_git_or_lfs_request ⇒ Object

To prevent Rack Attack from incorrectly rate limiting authenticated Git activity, we need to authenticate the user from other means (e.g. HTTP Basic Authentication) only if the request originated from a Git or Git LFS request.
#find_user_from_personal_access_token_for_api_or_git ⇒ Object
#initialize(request) ⇒ RequestAuthenticator constructor

A new instance of RequestAuthenticator.
#runner ⇒ Object
#user(request_formats) ⇒ Object
#valid_access_token?(scopes: []) ⇒ Boolean

Methods included from AuthFinders

#cluster_agent_token_from_authorization_token, #deploy_token_from_request, #find_runner_from_token, #find_user_from_access_token, #find_user_from_basic_auth_job, #find_user_from_basic_auth_password, #find_user_from_bearer_token, #find_user_from_feed_token, #find_user_from_job_token, #find_user_from_lfs_token, #find_user_from_personal_access_token, #find_user_from_static_object_token, #find_user_from_warden, #find_user_from_web_access_token, #validate_access_token!

Methods included from Utils::StrongMemoize

#clear_memoization, included, normalize_key, #strong_memoize, #strong_memoize_with, #strong_memoized?

Constructor Details

#initialize(request) ⇒ `RequestAuthenticator`

Returns a new instance of RequestAuthenticator.



12
13
14

# File 'lib/gitlab/auth/request_authenticator.rb', line 12

def initialize(request)
  @request = request
end

Instance Attribute Details

#request ⇒ `Object` (readonly)

Returns the value of attribute request.



10
11
12

# File 'lib/gitlab/auth/request_authenticator.rb', line 10

def request
  @request
end

Instance Method Details

#can_sign_in_bot?(user) ⇒ `Boolean`

Returns:

(Boolean)



49
50
51

# File 'lib/gitlab/auth/request_authenticator.rb', line 49

def can_sign_in_bot?(user)
  user&.project_bot? && api_request?
end

#find_authenticated_requester(request_formats) ⇒ `Object`



16
17
18

# File 'lib/gitlab/auth/request_authenticator.rb', line 16

def find_authenticated_requester(request_formats)
  user(request_formats) || deploy_token_from_request
end

#find_sessionless_user(request_format) ⇒ `Object`

# File 'lib/gitlab/auth/request_authenticator.rb', line 36

def find_sessionless_user(request_format)
  find_user_from_dependency_proxy_token ||
    find_user_from_web_access_token(request_format, scopes: [:api, :read_api]) ||
    find_user_from_feed_token(request_format) ||
    find_user_from_static_object_token(request_format) ||
    find_user_from_basic_auth_job ||
    find_user_from_job_token ||
    find_user_from_personal_access_token_for_api_or_git ||
    find_user_for_git_or_lfs_request
rescue Gitlab::Auth::AuthenticationError
  nil
end

#find_user_for_git_or_lfs_request ⇒ `Object`

To prevent Rack Attack from incorrectly rate limiting authenticated Git activity, we need to authenticate the user from other means (e.g. HTTP Basic Authentication) only if the request originated from a Git or Git LFS request. Repositories::GitHttpClientController or Repositories::LfsApiController normally does the authentication, but Rack Attack runs before those controllers.

# File 'lib/gitlab/auth/request_authenticator.rb', line 60

def find_user_for_git_or_lfs_request
  return unless git_or_lfs_request?

  find_user_from_lfs_token || find_user_from_basic_auth_password
end

#find_user_from_personal_access_token_for_api_or_git ⇒ `Object`

# File 'lib/gitlab/auth/request_authenticator.rb', line 66

def find_user_from_personal_access_token_for_api_or_git
  return unless api_request? || git_or_lfs_request?

  find_user_from_personal_access_token
end

#runner ⇒ `Object`

# File 'lib/gitlab/auth/request_authenticator.rb', line 30

def runner
  find_runner_from_token
rescue Gitlab::Auth::AuthenticationError
  nil
end

#user(request_formats) ⇒ `Object`

# File 'lib/gitlab/auth/request_authenticator.rb', line 20

def user(request_formats)
  request_formats.each do |format|
    user = find_sessionless_user(format)

    return user if user
  end

  find_user_from_warden
end

#valid_access_token?(scopes: []) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/gitlab/auth/request_authenticator.rb', line 72

def valid_access_token?(scopes: [])
  validate_access_token!(scopes: scopes)

  true
rescue Gitlab::Auth::AuthenticationError
  false
end

Class: Gitlab::Auth::RequestAuthenticator

Constant Summary

Constants included from AuthFinders

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from AuthFinders

Methods included from Utils::StrongMemoize

Constructor Details

#initialize(request) ⇒ RequestAuthenticator

Instance Attribute Details

#request ⇒ Object (readonly)

Instance Method Details

#can_sign_in_bot?(user) ⇒ Boolean

#find_authenticated_requester(request_formats) ⇒ Object

#find_sessionless_user(request_format) ⇒ Object

#find_user_for_git_or_lfs_request ⇒ Object

#find_user_from_personal_access_token_for_api_or_git ⇒ Object

#runner ⇒ Object

#user(request_formats) ⇒ Object

#valid_access_token?(scopes: []) ⇒ Boolean