diff options
| author | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
|---|---|---|
| committer | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
| commit | 46b1b9c1d61c269588bd3cd4203420608ddd7f0b (patch) | |
| tree | a877f5366d3367e1264e96f3f5e8a4b23bdbd62a /lib/gitlab/external_authorization | |
| parent | 7a48a06cf3b454021aa466464686fee8c82d6862 (diff) | |
Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
This reverts merge request !26823
Diffstat (limited to 'lib/gitlab/external_authorization')
| -rw-r--r-- | lib/gitlab/external_authorization/access.rb | 55 | ||||
| -rw-r--r-- | lib/gitlab/external_authorization/cache.rb | 62 | ||||
| -rw-r--r-- | lib/gitlab/external_authorization/client.rb | 63 | ||||
| -rw-r--r-- | lib/gitlab/external_authorization/config.rb | 47 | ||||
| -rw-r--r-- | lib/gitlab/external_authorization/logger.rb | 21 | ||||
| -rw-r--r-- | lib/gitlab/external_authorization/response.rb | 38 |
6 files changed, 0 insertions, 286 deletions
diff --git a/lib/gitlab/external_authorization/access.rb b/lib/gitlab/external_authorization/access.rb deleted file mode 100644 index e111c41fcc2..00000000000 --- a/lib/gitlab/external_authorization/access.rb +++ /dev/null @@ -1,55 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Access - attr_reader :user, - :reason, - :loaded_at, - :label, - :load_type - - def initialize(user, label) - @user, @label = user, label - end - - def loaded? - loaded_at && (loaded_at > ExternalAuthorization::Cache::VALIDITY_TIME.ago) - end - - def has_access? - @access - end - - def load! - load_from_cache - load_from_service unless loaded? - self - end - - private - - def load_from_cache - @load_type = :cache - @access, @reason, @loaded_at = cache.load - end - - def load_from_service - @load_type = :request - response = Client.new(@user, @label).request_access - @access = response.successful? - @reason = response.reason - @loaded_at = Time.now - cache.store(@access, @reason, @loaded_at) if response.valid? - rescue ::Gitlab::ExternalAuthorization::RequestFailed => e - @access = false - @reason = e.message - @loaded_at = Time.now - end - - def cache - @cache ||= ExternalAuthorization::Cache.new(@user, @label) - end - end - end -end diff --git a/lib/gitlab/external_authorization/cache.rb b/lib/gitlab/external_authorization/cache.rb deleted file mode 100644 index acdc028b4dc..00000000000 --- a/lib/gitlab/external_authorization/cache.rb +++ /dev/null @@ -1,62 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Cache - VALIDITY_TIME = 6.hours - - def initialize(user, label) - @user, @label = user, label - end - - def load - @access, @reason, @refreshed_at = ::Gitlab::Redis::Cache.with do |redis| - redis.hmget(cache_key, :access, :reason, :refreshed_at) - end - - [access, reason, refreshed_at] - end - - def store(new_access, new_reason, new_refreshed_at) - ::Gitlab::Redis::Cache.with do |redis| - redis.pipelined do - redis.mapped_hmset( - cache_key, - { - access: new_access.to_s, - reason: new_reason.to_s, - refreshed_at: new_refreshed_at.to_s - } - ) - - redis.expire(cache_key, VALIDITY_TIME) - end - end - end - - private - - def access - ::Gitlab::Utils.to_boolean(@access) - end - - def reason - # `nil` if the cached value was an empty string - return unless @reason.present? - - @reason - end - - def refreshed_at - # Don't try to parse a time if there was no cache - return unless @refreshed_at.present? - - Time.parse(@refreshed_at) - end - - def cache_key - "external_authorization:user-#{@user.id}:label-#{@label}" - end - end - end -end diff --git a/lib/gitlab/external_authorization/client.rb b/lib/gitlab/external_authorization/client.rb deleted file mode 100644 index 60aab2e7044..00000000000 --- a/lib/gitlab/external_authorization/client.rb +++ /dev/null @@ -1,63 +0,0 @@ -# frozen_string_literal: true - -Excon.defaults[:ssl_verify_peer] = false - -module Gitlab - module ExternalAuthorization - class Client - include ExternalAuthorization::Config - - REQUEST_HEADERS = { - 'Content-Type' => 'application/json', - 'Accept' => 'application/json' - }.freeze - - def initialize(user, label) - @user, @label = user, label - end - - def request_access - response = Excon.post( - service_url, - post_params - ) - ::Gitlab::ExternalAuthorization::Response.new(response) - rescue Excon::Error => e - raise ::Gitlab::ExternalAuthorization::RequestFailed.new(e) - end - - private - - def post_params - params = { headers: REQUEST_HEADERS, - body: body.to_json, - connect_timeout: timeout, - read_timeout: timeout, - write_timeout: timeout } - - if has_tls? - params[:client_cert_data] = client_cert - params[:client_key_data] = client_key - params[:client_key_pass] = client_key_pass - end - - params - end - - def body - @body ||= begin - body = { - user_identifier: @user.email, - project_classification_label: @label - } - - if @user.ldap_identity - body[:user_ldap_dn] = @user.ldap_identity.extern_uid - end - - body - end - end - end - end -end diff --git a/lib/gitlab/external_authorization/config.rb b/lib/gitlab/external_authorization/config.rb deleted file mode 100644 index 8654a8c1e2e..00000000000 --- a/lib/gitlab/external_authorization/config.rb +++ /dev/null @@ -1,47 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - module Config - extend self - - def timeout - application_settings.external_authorization_service_timeout - end - - def service_url - application_settings.external_authorization_service_url - end - - def enabled? - application_settings.external_authorization_service_enabled - end - - def perform_check? - enabled? && service_url.present? - end - - def client_cert - application_settings.external_auth_client_cert - end - - def client_key - application_settings.external_auth_client_key - end - - def client_key_pass - application_settings.external_auth_client_key_pass - end - - def has_tls? - client_cert.present? && client_key.present? - end - - private - - def application_settings - ::Gitlab::CurrentSettings.current_application_settings - end - end - end -end diff --git a/lib/gitlab/external_authorization/logger.rb b/lib/gitlab/external_authorization/logger.rb deleted file mode 100644 index 61246cd870e..00000000000 --- a/lib/gitlab/external_authorization/logger.rb +++ /dev/null @@ -1,21 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Logger < ::Gitlab::Logger - def self.log_access(access, project_path) - status = access.has_access? ? "GRANTED" : "DENIED" - message = ["#{status} #{access.user.email} access to '#{access.label}'"] - - message << "(#{project_path})" if project_path.present? - message << "- #{access.load_type} #{access.loaded_at}" if access.load_type == :cache - - info(message.join(' ')) - end - - def self.file_name_noext - 'external-policy-access-control' - end - end - end -end diff --git a/lib/gitlab/external_authorization/response.rb b/lib/gitlab/external_authorization/response.rb deleted file mode 100644 index 4f3fe5882db..00000000000 --- a/lib/gitlab/external_authorization/response.rb +++ /dev/null @@ -1,38 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Response - include ::Gitlab::Utils::StrongMemoize - - def initialize(excon_response) - @excon_response = excon_response - end - - def valid? - @excon_response && [200, 401, 403].include?(@excon_response.status) - end - - def successful? - valid? && @excon_response.status == 200 - end - - def reason - parsed_response['reason'] if parsed_response - end - - private - - def parsed_response - strong_memoize(:parsed_response) { parse_response! } - end - - def parse_response! - JSON.parse(@excon_response.body) - rescue JSON::JSONError - # The JSON response is optional, so don't fail when it's missing - nil - end - end - end -end |