author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
commit | 48aff82709769b098321c738f3444b9bdaa694c6 (patch) | |
tree | e00c7c43e2d9b603a5a6af576b1685e400410dee /lib/gitlab/auth | |
parent | 879f5329ee916a948223f8f43d77fba4da6cd028 (diff) |
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/auth/otp/strategies/base.rb | 32 | ||||
-rw-r--r-- | lib/gitlab/auth/otp/strategies/devise.rb | 15 | ||||
-rw-r--r-- | lib/gitlab/auth/otp/strategies/forti_authenticator.rb | 41 | ||||
-rw-r--r-- | lib/gitlab/auth/user_access_denied_reason.rb | 4 |
5 files changed, 93 insertions, 1 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index ccf52bae9a5..3d3f7212053 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -290,7 +290,7 @@ module Gitlab
 end
 def api_request?
- current_request.path.starts_with?('/api/')
+ current_request.path.starts_with?(Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/api/'))
 end
 def archive_request?
diff --git a/lib/gitlab/auth/otp/strategies/base.rb b/lib/gitlab/auth/otp/strategies/base.rb
new file mode 100644
index 00000000000..718630e0e31
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/base.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class Base
+ def initialize(user)
+ @user = user
+ end
+
+ private
+
+ attr_reader :user
+
+ def success
+ { status: :success }
+ end
+
+ def error(message, http_status = nil)
+ result = { message: message,
+ status: :error }
+
+ result[:http_status] = http_status if http_status
+
+ result
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/auth/otp/strategies/devise.rb b/lib/gitlab/auth/otp/strategies/devise.rb
new file mode 100644
index 00000000000..93068d6c9b0
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/devise.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class Devise < Base
+ def validate(otp_code)
+ user.validate_and_consume_otp!(otp_code) ? success : error('invalid OTP code')
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/auth/otp/strategies/forti_authenticator.rb b/lib/gitlab/auth/otp/strategies/forti_authenticator.rb
new file mode 100644
index 00000000000..fbcb9fd8cdb
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/forti_authenticator.rb
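Review bot: Only `api_request?` gains the relative-root prefix in this hunk, and the predicate is used to classify requests for authentication, so the other path-based predicates in this file need the same check; `archive_request?` appears as context here but its body is outside the hunk. If any of them still compares against a root-relative literal, it would classify requests differently on installations served under a relative URL root. A short comment on the new line would help, for example `# request.path includes relative_url_root, so the prefix must include it too`. The hunk does not show how `append_path` treats an unset `relative_url_root`, so a spec covering both the unset and the configured case would pin the behaviour.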
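Review bot: `Base` in base.rb never declares `validate`, so the contract every OTP strategy must satisfy is implicit and a subclass that forgets it fails with `NoMethodError` at login time. Declaring it in the public section, above `private`, makes the interface explicit: `def validate(otp_code); raise NotImplementedError; end`. A class comment should also state the result shape that callers can rely on, namely `{ status: :success }` or `{ status: :error, message: ... }` with an optional `:http_status`, and that `error` takes its arguments positionally.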
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class FortiAuthenticator < Base
+ def validate(otp_code)
+ body = { username: user.username,
+ token_code: otp_code }
+
+ response = Gitlab::HTTP.post(
+ auth_url,
+ headers: { 'Content-Type': 'application/json' },
+ body: body.to_json,
+ basic_auth: api_credentials)
+
+ # Successful authentication results in HTTP 200: OK
+ # https://docs.fortinet.com/document/fortiauthenticator/6.2.0/rest-api-solution-guide/704555/authentication-auth
+ response.ok? ? success : error(message: response.message, http_status: response.code)
+ end
+
+ private
+
+ def auth_url
+ host = ::Gitlab.config.forti_authenticator.host
+ port = ::Gitlab.config.forti_authenticator.port
+ path = 'api/v1/auth/'
+
+ "https://#{host}:#{port}/#{path}"
+ end
+
+ def api_credentials
+ { username: ::Gitlab.config.forti_authenticator.username,
+ password: ::Gitlab.config.forti_authenticator.token }
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/auth/user_access_denied_reason.rb b/lib/gitlab/auth/user_access_denied_reason.rb
index cc4b8d887ff..36b54ba2e46 100644
--- a/lib/gitlab/auth/user_access_denied_reason.rb
+++ b/lib/gitlab/auth/user_access_denied_reason.rb
@@ -11,6 +11,8 @@ module Gitlab
 case rejection_type
 when :internal
 "This action cannot be performed by internal users"
+ when :blocked_pending_approval
+ "Your account is pending approval from your administrator and hence blocked."
 when :terms_not_accepted
 "You (#{@user.to_reference}) must accept the Terms of Service in order to perform this action. "\
 "Please access GitLab from a web browser to accept these terms."
@@ -31,6 +33,8 @@ module Gitlab
 def rejection_type
 if @user.internal?
 :internal
+ elsif @user.blocked_pending_approval?
+ :blocked_pending_approval
 elsif @user.required_terms_not_accepted?
 :terms_not_accepted
 elsif @user.deactivated? |
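Review bot: The failure branch of `FortiAuthenticator#validate` calls `error(message: response.message, http_status: response.code)` with keywords, but `Base#error` in this same commit is declared as `error(message, http_status = nil)`. The two keywords therefore arrive as a single hash in `message`, `http_status` stays nil, and the `:http_status` key is never set on the result. The call should be positional: `response.ok? ? success : error(response.message, response.code)`. Separately, nothing in this method rescues a failure raised by `Gitlab::HTTP.post`, so unless a caller handles it, an unreachable FortiAuthenticator host surfaces as an exception in the sign-in path instead of an `error` result. A spec for the non-200 and connection-failure cases would cover both.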