diff options
| author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-15 22:16:38 +0300 |
|---|---|---|
| committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-15 22:16:38 +0300 |
| commit | 83b643a0145cf3f5b919cc61342ba0a824dfdcc9 (patch) | |
| tree | 41bf105a1b8d28b8385bfbccc033df544b7ebdfe /lib/gitlab/auth.rb | |
| parent | eed5c58d8542cef8cc4012a303c9bb963b7f5f20 (diff) | |
| parent | be09bcf074e6048aa9ba5f8dfb99754e6afbe156 (diff) | |
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token
# Conflicts:
# app/controllers/projects/git_http_client_controller.rb
# app/helpers/lfs_helper.rb
# lib/gitlab/auth.rb
# spec/requests/lfs_http_spec.rb
Diffstat (limited to 'lib/gitlab/auth.rb')
| -rw-r--r-- | lib/gitlab/auth.rb | 45 |
1 files changed, 30 insertions, 15 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index b1427f412b0..b14c4e565d5 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -1,23 +1,28 @@ module Gitlab module Auth - Result = Struct.new(:user, :project, :type, :capabilities) do - def succeeded? - user.present? || [:ci].include?(type) + Result = Struct.new(:actor, :project, :type, :capabilities) do + def success? + actor.present? || type == :ci end end + class MissingPersonalTokenError < StandardError; end + class << self def find_for_git_client(login, password, project:, ip:) raise "Must provide an IP for rate limiting" if ip.nil? - result = service_access_token_check(login, password, project) || + result = + service_request_check(login, password, project) || build_access_token_check(login, password) || user_with_password_for_git(login, password) || oauth_access_token_check(login, password) || + lfs_token_check(login, password) || personal_access_token_check(login, password) || Result.new - rate_limit!(ip, success: result.succeeded?, login: login) + rate_limit!(ip, success: result.success?, login: login) + result end @@ -59,7 +64,7 @@ module Gitlab private - def service_access_token_check(login, password, project) + def service_request_check(login, password, project) matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login) return unless project && matched_login.present? @@ -81,14 +86,9 @@ module Gitlab user = find_with_user_password(login, password) return unless user - type = - if user.two_factor_enabled? - :missing_personal_token - else - :gitlab_or_ldap - end + raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled? - Result.new(user, nil, type, full_capabilities) + Result.new(user, nil, :gitlab_or_ldap, full_capabilities) end def oauth_access_token_check(login, password) @@ -105,9 +105,24 @@ module Gitlab if login && password user = User.find_by_personal_access_token(password) validation = User.by_login(login) - if user && user == validation - Result.new(user, nil, :personal_token, full_capabilities) + Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation + end + end + + def lfs_token_check(login, password) + deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/) + + actor = + if deploy_key_matches + DeployKey.find(deploy_key_matches[1]) + else + User.by_login(login) end + + if actor + token_handler = Gitlab::LfsToken.new(actor) + + Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password) end end |