Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-05-19 18:44:42 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-05-19 18:44:42 +0300
commit: 4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree: 5423a1c7516cffe36384133ade12572cf709398d /lib/gitlab/api_authentication
parent: e570267f2f6b326480d284e0164a6464ba4081bc (diff)
2 files changed, 104 insertions, 1 deletions
diff --git a/lib/gitlab/api_authentication/token_locator.rb b/lib/gitlab/api_authentication/token_locator.rb
index 09039f3fc43..df342905d2e 100644
--- a/lib/gitlab/api_authentication/token_locator.rb
+++ b/lib/gitlab/api_authentication/token_locator.rb
@@ -10,7 +10,17 @@ module Gitlab
 
       attr_reader :location
 
-      validates :location, inclusion: { in: %i[http_basic_auth http_token] }
+      validates :location, inclusion: {
+        in: %i[
+          http_basic_auth
+          http_token
+          http_bearer_token
+          http_deploy_token_header
+          http_job_token_header
+          http_private_token_header
+          token_param
+        ]
+      }
 
       def initialize(location)
         @location = location
@@ -23,6 +33,16 @@ module Gitlab
           extract_from_http_basic_auth request
         when :http_token
           extract_from_http_token request
+        when :http_bearer_token
+          extract_from_http_bearer_token request
+        when :http_deploy_token_header
+          extract_from_http_deploy_token_header request
+        when :http_job_token_header
+          extract_from_http_job_token_header request
+        when :http_private_token_header
+          extract_from_http_private_token_header request
+        when :token_param
+          extract_from_token_param request
         end
       end
 
@@ -41,6 +61,41 @@ module Gitlab
 
         UsernameAndPassword.new(nil, password)
       end
+
+      def extract_from_http_bearer_token(request)
+        password = request.headers['Authorization']
+        return unless password.present?
+
+        UsernameAndPassword.new(nil, password.split(' ').last)
+      end
+
+      def extract_from_http_deploy_token_header(request)
+        password = request.headers['Deploy-Token']
+        return unless password.present?
+
+        UsernameAndPassword.new(nil, password)
+      end
+
+      def extract_from_http_job_token_header(request)
+        password = request.headers['Job-Token']
+        return unless password.present?
+
+        UsernameAndPassword.new(nil, password)
+      end
+
+      def extract_from_http_private_token_header(request)
+        password = request.headers['Private-Token']
+        return unless password.present?
+
+        UsernameAndPassword.new(nil, password)
+      end
+
+      def extract_from_token_param(request)
+        password = request.query_parameters['token']
+        return unless password.present?
+
+        UsernameAndPassword.new(nil, password)
+      end
     end
   end
 end
diff --git a/lib/gitlab/api_authentication/token_resolver.rb b/lib/gitlab/api_authentication/token_resolver.rb
index 9234837cdf7..dd9039e37f6 100644
--- a/lib/gitlab/api_authentication/token_resolver.rb
+++ b/lib/gitlab/api_authentication/token_resolver.rb
@@ -15,9 +15,14 @@ module Gitlab
           personal_access_token
           job_token
           deploy_token
+          personal_access_token_from_jwt
+          deploy_token_from_jwt
+          job_token_from_jwt
         ]
       }
 
+      UsernameAndPassword = ::Gitlab::APIAuthentication::TokenLocator::UsernameAndPassword
+
       def initialize(token_type)
         @token_type = token_type
         validate!
@@ -56,6 +61,15 @@ module Gitlab
 
         when :deploy_token_with_username
           resolve_deploy_token_with_username raw
+
+        when :personal_access_token_from_jwt
+          resolve_personal_access_token_from_jwt raw
+
+        when :deploy_token_from_jwt
+          resolve_deploy_token_from_jwt raw
+
+        when :job_token_from_jwt
+          resolve_job_token_from_jwt raw
         end
       end
 
@@ -116,6 +130,33 @@ module Gitlab
         end
       end
 
+      def resolve_personal_access_token_from_jwt(raw)
+        with_jwt_token(raw) do |jwt_token|
+          break unless jwt_token['token'].is_a?(Integer)
+
+          pat = ::PersonalAccessToken.find(jwt_token['token'])
+          break unless pat
+
+          pat
+        end
+      end
+
+      def resolve_deploy_token_from_jwt(raw)
+        with_jwt_token(raw) do |jwt_token|
+          break unless jwt_token['token'].is_a?(String)
+
+          resolve_deploy_token(UsernameAndPassword.new(nil, jwt_token['token']))
+        end
+      end
+
+      def resolve_job_token_from_jwt(raw)
+        with_jwt_token(raw) do |jwt_token|
+          break unless jwt_token['token'].is_a?(String)
+
+          resolve_job_token(UsernameAndPassword.new(nil, jwt_token['token']))
+        end
+      end
+
       def with_personal_access_token(raw, &block)
         pat = ::PersonalAccessToken.find_by_token(raw.password)
         return unless pat
@@ -136,6 +177,13 @@ module Gitlab
 
         yield(job)
       end
+
+      def with_jwt_token(raw, &block)
+        jwt_token = ::Gitlab::JWTToken.decode(raw.password)
+        raise ::Gitlab::Auth::UnauthorizedError unless jwt_token
+
+        yield(jwt_token)
+      end
     end
   end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-05-19 18:44:42 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-05-19 18:44:42 +0300
commit	4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree	5423a1c7516cffe36384133ade12572cf709398d /lib/gitlab/api_authentication
parent	e570267f2f6b326480d284e0164a6464ba4081bc (diff)