Class: Gitlab::Auth::RequestAuthenticator

Inherits:
Object
Includes:
AuthFinders
Defined in:
lib/gitlab/auth/request_authenticator.rb

Constant Summary

Constants included from AuthFinders

AuthFinders::DEPLOY_TOKEN_HEADER, AuthFinders::JOB_TOKEN_HEADER, AuthFinders::JOB_TOKEN_PARAM, AuthFinders::PATH_DEPENDENT_FEED_TOKEN_REGEX, AuthFinders::PRIVATE_TOKEN_HEADER, AuthFinders::PRIVATE_TOKEN_PARAM, AuthFinders::RUNNER_JOB_TOKEN_PARAM, AuthFinders::RUNNER_TOKEN_PARAM

Instance Attribute Summary

Instance Method Summary

Methods included from AuthFinders

#cluster_agent_token_from_authorization_token, #deploy_token_from_request, #find_runner_from_token, #find_user_from_access_token, #find_user_from_basic_auth_job, #find_user_from_basic_auth_password, #find_user_from_bearer_token, #find_user_from_feed_token, #find_user_from_job_token, #find_user_from_lfs_token, #find_user_from_personal_access_token, #find_user_from_static_object_token, #find_user_from_warden, #find_user_from_web_access_token, #validate_access_token!

Constructor Details

#initialize(request) ⇒ RequestAuthenticator

Returns a new instance of RequestAuthenticator.



# File 'lib/gitlab/auth/request_authenticator.rb', line 12

# @param request [Object] the incoming request; it is kept on the instance and
#   exposed through #request, which the AuthFinders helpers mixed into this class
#   read (presumably an ActionDispatch::Request — confirm against callers)
def initialize(request)
  @request = request
end

Instance Attribute Details

#request ⇒ Object (readonly)

Returns the value of attribute request.



# File 'lib/gitlab/auth/request_authenticator.rb', line 10

# @return [Object] the request handed to the constructor, unchanged
def request
  @request
end

Instance Method Details

#can_sign_in_bot?(user) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/request_authenticator.rb', line 49

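# Whether the given user is a project bot that is allowed to sign in on this
# request. Bots are only accepted on API requests; on any other request type
# the result is falsy even for a bot.
#
# The listing on this page had lost the method name (`def (user)`); the name is
# restored from the method signature shown above (#can_sign_in_bot?).
#
# @param user [Object, nil] the candidate user; nil is tolerated and yields nil
# @return [Boolean, nil] true only for a project bot on an API request
def can_sign_in_bot?(user)
  # `&.` makes a nil user short-circuit before api_request? is consulted.
  user&.project_bot? && api_request?
end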

#find_authenticated_requester(request_formats) ⇒ Object



# File 'lib/gitlab/auth/request_authenticator.rb', line 16

# Resolves who is making the request: a user first (sessionless or, failing
# that, session-based — see #user), and only when no user is found, a deploy
# token taken from the request.
#
# @param request_formats [Array] request formats, passed through to #user
# @return [Object, nil] the user, the deploy token, or nil when neither applies
def find_authenticated_requester(request_formats)
  requester = user(request_formats)
  return requester if requester

  deploy_token_from_request
end

#find_sessionless_user(request_format) ⇒ Object



# File 'lib/gitlab/auth/request_authenticator.rb', line 36

# Looks for a user authenticated by credentials carried on the request itself
# (no session), trying one token source after another. The first source that
# returns a truthy value wins and the remaining ones are not evaluated, so the
# order below is the precedence order.
#
# An AuthenticationError raised by any source (an invalid or unacceptable
# credential) is mapped to nil, so to this class such a request looks
# anonymous rather than failing. Rejecting the bad credential is presumably
# left to the controllers, which this class may run ahead of (see
# #find_user_for_git_or_lfs_request).
#
# @param request_format [Object] the request format, forwarded to the sources that take one
# @return [Object, nil] the authenticated user, or nil
def find_sessionless_user(request_format)
  sources = [
    -> { find_user_from_dependency_proxy_token },
    -> { find_user_from_web_access_token(request_format, scopes: [:api, :read_api]) },
    -> { find_user_from_feed_token(request_format) },
    -> { find_user_from_static_object_token(request_format) },
    -> { find_user_from_basic_auth_job },
    -> { find_user_from_job_token },
    -> { find_user_from_personal_access_token_for_api_or_git },
    -> { find_user_for_git_or_lfs_request }
  ]

  # `found || source.call` short-circuits exactly like the equivalent `||` chain:
  # once a source has returned a truthy value no later source is called.
  sources.inject(nil) { |found, source| found || source.call }
rescue Gitlab::Auth::AuthenticationError
  nil
end

#find_user_for_git_or_lfs_request ⇒ Object

To prevent Rack Attack from incorrectly rate limiting authenticated Git activity, we need to authenticate the user by other means (e.g. HTTP Basic Authentication) only if the request originated from a Git or Git LFS request. Repositories::GitHttpClientController or Repositories::LfsApiController normally does the authentication, but Rack Attack runs before those controllers.



# File 'lib/gitlab/auth/request_authenticator.rb', line 60

# To prevent Rack Attack from incorrectly rate limiting authenticated Git
# activity, the user is authenticated by other means (e.g. HTTP Basic
# Authentication) only when the request originated from a Git or Git LFS
# request. Repositories::GitHttpClientController or
# Repositories::LfsApiController normally does the authentication, but Rack
# Attack runs before those controllers.
#
# An LFS token is tried before the Basic Auth password; on any other request
# type the lookup is skipped and nil is returned.
#
# @return [Object, nil]
def find_user_for_git_or_lfs_request
  if git_or_lfs_request?
    find_user_from_lfs_token || find_user_from_basic_auth_password
  end
end

#find_user_from_personal_access_token_for_api_or_git ⇒ Object



# File 'lib/gitlab/auth/request_authenticator.rb', line 66

# Personal access tokens are honoured only on API requests and on Git/LFS
# requests; any other request type skips the lookup and yields nil, so a PAT
# presented on, say, a plain web request does not authenticate the user here.
#
# @return [Object, nil]
def find_user_from_personal_access_token_for_api_or_git
  if api_request? || git_or_lfs_request?
    find_user_from_personal_access_token
  end
end

#runner ⇒ Object



# File 'lib/gitlab/auth/request_authenticator.rb', line 30

# Whatever find_runner_from_token resolves from the request, or nil when it
# raises an AuthenticationError. Because that error is swallowed here, callers
# cannot tell "no runner token" apart from "a runner token that failed to
# authenticate"; both come back as nil. Other exceptions propagate.
#
# @return [Object, nil]
def runner
  found = find_runner_from_token
rescue Gitlab::Auth::AuthenticationError
  nil
else
  found
end

#user(request_formats) ⇒ Object



# File 'lib/gitlab/auth/request_authenticator.rb', line 20

# The user behind the request. Each request format is tried in turn against
# the sessionless token sources (#find_sessionless_user) and the first format
# that yields a user wins; later formats are not evaluated. Only when no
# format produced a user is the session (Warden) consulted.
#
# @param request_formats [Array] request formats to try, in precedence order
# @return [Object, nil] the user, or whatever find_user_from_warden returns
def user(request_formats)
  # lazy + find: stops evaluating after the first truthy lookup
  sessionless_user = request_formats
    .lazy
    .map { |format| find_sessionless_user(format) }
    .find { |found| found }

  sessionless_user || find_user_from_warden
end

#valid_access_token?(scopes: []) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/request_authenticator.rb', line 72

# Whether the access token on the request passes validate_access_token! for
# the given scopes. An AuthenticationError is turned into false; any other
# exception propagates. What the default of no scopes means is decided by
# validate_access_token! (from AuthFinders) — check there before relying on it.
#
# @param scopes [Array<Symbol>] scopes handed to validate_access_token!
# @return [Boolean]
def valid_access_token?(scopes: [])
  validate_access_token!(scopes: scopes)
rescue Gitlab::Auth::AuthenticationError
  false
else
  true
end