authorGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
commitb86f474bf51e20d2db4cf0895d0a8e0894e31c08 (patch)
tree061d2a4c749924f5a35fe6199dd1d8982c4b0b27 /lib/gitlab/auth
parent6b8040dc25fdc5fe614c3796a147517dd50bc7d8 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/auth_finders.rb (renamed from lib/gitlab/auth/user_auth_finders.rb)16
-rw-r--r--lib/gitlab/auth/current_user_mode.rb56
-rw-r--r--lib/gitlab/auth/request_authenticator.rb8
3 files changed, 71 insertions, 9 deletions
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 983682baab1..6210aca739a 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -17,8 +17,8 @@ module Gitlab
end
end
- module UserAuthFinders
- prepend_if_ee('::EE::Gitlab::Auth::UserAuthFinders') # rubocop: disable Cop/InjectEnterpriseEditionModule
+ module AuthFinders
+ prepend_if_ee('::EE::Gitlab::Auth::AuthFinders') # rubocop: disable Cop/InjectEnterpriseEditionModule
include Gitlab::Utils::StrongMemoize
@@ -26,6 +26,7 @@ module Gitlab
PRIVATE_TOKEN_PARAM = :private_token
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
+ RUNNER_TOKEN_PARAM = :token
# Check the Rails session for valid authentication details
def find_user_from_warden
@@ -85,6 +86,15 @@ module Gitlab
access_token.user || raise(UnauthorizedError)
end
+ def find_runner_from_token
+ return unless api_request?
+
+ token = current_request.params[RUNNER_TOKEN_PARAM].presence
+ return unless token
+
+ ::Ci::Runner.find_by_token(token) || raise(UnauthorizedError)
+ end
+
def validate_access_token!(scopes: [])
return unless access_token
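Review bot: find_runner_from_token has no header comment, although the neighbouring finders in this module carry one (find_user_from_warden is introduced by "Check the Rails session for valid authentication details"), and its contract has two distinct non-success outcomes: nil when the request is not an API request or carries no token param, and UnauthorizedError when a token is present but matches no runner. I would add `# Find the CI runner presenting its token in the :token param of an API request; nil when no token is given, raises UnauthorizedError when the token matches no runner.` above the def. Because RUNNER_TOKEN_PARAM is the generic name :token, any API request that carries an unrelated token param reaches `raise(UnauthorizedError)` in this finder; that is harmless only as long as every caller rescues it (RequestAuthenticator#runner in this commit does), which is worth stating in the comment. validate_access_token! starts on the hunk's last lines and continues outside it.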
@@ -201,7 +211,7 @@ module Gitlab
end
def api_request?
- current_request.path.starts_with?("/api/")
+ current_request.path.starts_with?('/api/')
end
def archive_request?
diff --git a/lib/gitlab/auth/current_user_mode.rb b/lib/gitlab/auth/current_user_mode.rb
index df5039f50c1..cb39baaa6cc 100644
--- a/lib/gitlab/auth/current_user_mode.rb
+++ b/lib/gitlab/auth/current_user_mode.rb
@@ -8,9 +8,13 @@ module Gitlab
# an administrator must have explicitly enabled admin-mode
# e.g. on web access require re-authentication
class CurrentUserMode
+ NotRequestedError = Class.new(StandardError)
+
SESSION_STORE_KEY = :current_user_mode
ADMIN_MODE_START_TIME_KEY = 'admin_mode'
+ ADMIN_MODE_REQUESTED_TIME_KEY = 'admin_mode_requested'
MAX_ADMIN_MODE_TIME = 6.hours
+ ADMIN_MODE_REQUESTED_GRACE_PERIOD = 5.minutes
def initialize(user)
@user = user
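Review bot: ADMIN_MODE_REQUESTED_TIME_KEY and ADMIN_MODE_REQUESTED_GRACE_PERIOD introduce a two-step flow (request admin mode, then enable it within the grace period) that the class comment above, which only says an administrator must have explicitly enabled admin-mode, does not describe, and NotRequestedError is left unexplained. I would put `# Admin mode must first be requested (request_admin_mode!) and then enabled within ADMIN_MODE_REQUESTED_GRACE_PERIOD; enabling without a pending request raises NotRequestedError.` above the new constants so the relationship between the two session keys is visible where they are declared. initialize starts on the hunk's last lines and continues outside it.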
@@ -19,8 +23,16 @@ module Gitlab
def admin_mode?
return false unless user
- Gitlab::SafeRequestStore.fetch(request_store_key) do
- user&.admin? && any_session_with_admin_mode?
+ Gitlab::SafeRequestStore.fetch(admin_mode_rs_key) do
+ user.admin? && any_session_with_admin_mode?
+ end
+ end
+
+ def admin_mode_requested?
+ return false unless user
+
+ Gitlab::SafeRequestStore.fetch(admin_mode_requested_rs_key) do
+ user.admin? && admin_mode_requested_in_grace_period?
end
end
@@ -28,20 +40,45 @@ module Gitlab
return unless user&.admin?
return unless skip_password_validation || user&.valid_password?(password)
+ raise NotRequestedError unless admin_mode_requested?
+
+ reset_request_store
+
+ current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil
current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now
end
+ def enable_sessionless_admin_mode!
+ request_admin_mode! && enable_admin_mode!(skip_password_validation: true)
+ end
+
def disable_admin_mode!
+ return unless user&.admin?
+
+ reset_request_store
+
+ current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil
current_session_data[ADMIN_MODE_START_TIME_KEY] = nil
- Gitlab::SafeRequestStore.delete(request_store_key)
+ end
+
+ def request_admin_mode!
+ return unless user&.admin?
+
+ reset_request_store
+
+ current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = Time.now
end
private
attr_reader :user
- def request_store_key
- @request_store_key ||= { res: :current_user_mode, user: user.id }
+ def admin_mode_rs_key
+ @admin_mode_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode? }
+ end
+
+ def admin_mode_requested_rs_key
+ @admin_mode_requested_rs_key ||= { res: :current_user_mode, user: user.id, method: :admin_mode_requested? }
end
def current_session_data
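Review bot: The new `return unless user&.admin?` guard in disable_admin_mode! means ADMIN_MODE_START_TIME_KEY is no longer cleared from the session for a user who has lost admin rights, whereas the removed code cleared it unconditionally. admin_mode? still denies such a user because it checks user.admin? first, but if the flag is restored while the old start time is still within MAX_ADMIN_MODE_TIME, admin mode resumes without re-authentication (inferred; the session lifetime is not visible in this hunk). Only the request-store keys need a user (they read user.id), so `return unless user` is sufficient for this method and keeps the clearing unconditional. Separately, enable_admin_mode! now raises NotRequestedError only after `user&.valid_password?(password)` has run; checking admin_mode_requested? first avoids a password hash comparison for a call that will be rejected anyway, and the new raise changes the method's contract for callers outside this hunk, which previously only ever got nil.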
@@ -61,6 +98,15 @@ module Gitlab
Gitlab::NamespacedSessionStore.new(SESSION_STORE_KEY, session.with_indifferent_access )
end
end
+
+ def admin_mode_requested_in_grace_period?
+ current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY].to_i > ADMIN_MODE_REQUESTED_GRACE_PERIOD.ago.to_i
+ end
+
+ def reset_request_store
+ Gitlab::SafeRequestStore.delete(admin_mode_rs_key)
+ Gitlab::SafeRequestStore.delete(admin_mode_requested_rs_key)
+ end
end
end
end
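Review bot: admin_mode_requested_in_grace_period? relies on the session value answering to_i with epoch seconds: a missing key gives 0 and is correctly rejected, but if the session store hands the stored Time back as a string (not visible here), to_i yields the leading year and the request is silently rejected as well, so the symptom would be a spurious NotRequestedError rather than an obvious failure. ADMIN_MODE_START_TIME_KEY already stores Time.now through the same session data, so presumably the round-trip is intact; a comment recording that assumption saves the next reader the check: `# Time values round-trip through the session store intact; nil.to_i == 0 rejects a session that never requested admin mode`. The comparison also has no upper bound, so a requested timestamp in the future (clock skew between nodes) is accepted for longer than the grace period; a cover check against Time.now.to_i would bound it if that matters here.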
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index aca8804b04c..9b1b7b8e879 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -5,7 +5,7 @@
module Gitlab
module Auth
class RequestAuthenticator
- include UserAuthFinders
+ include AuthFinders
attr_reader :request
@@ -23,6 +23,12 @@ module Gitlab
find_user_from_warden
end
+ def runner
+ find_runner_from_token
+ rescue Gitlab::Auth::AuthenticationError
+ nil
+ end
+
def find_sessionless_user(request_format)
find_user_from_web_access_token(request_format) ||
find_user_from_feed_token(request_format) ||
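Review bot: RequestAuthenticator#runner collapses "no runner token presented" and "runner token rejected" into a single nil, because it rescues Gitlab::Auth::AuthenticationError around find_runner_from_token, which returns nil in the first case and raises UnauthorizedError in the second. If a caller needs to treat a revoked or unknown runner token differently from an anonymous request (for instance to record the failed authentication), that distinction is lost at this point; at minimum a comment `# nil both when no runner token is given and when the given token is invalid` should say so. This also assumes UnauthorizedError descends from Gitlab::Auth::AuthenticationError, which is defined outside this hunk. find_sessionless_user begins on the hunk's last lines and continues outside it.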