diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-01 19:52:41 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-01 19:52:41 +0300 |
commit | a986819a7bce2002018dfafed3900dc3f2e8fb81 (patch) | |
tree | 15c063738d999a0aff035c4842885276a9ab6ac4 /lib/gitlab | |
parent | 92d5172ad42ebc62eb78cac21b1e236ad6ace580 (diff) |
Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/application_rate_limiter.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/auth.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/auth/two_factor_auth_verifier.rb | 36 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 9 |
4 files changed, 49 insertions, 2 deletions
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb index ed963476524..4eeec534fc0 100644 --- a/lib/gitlab/application_rate_limiter.rb +++ b/lib/gitlab/application_rate_limiter.rb @@ -25,11 +25,13 @@ module Gitlab project_repositories_archive: { threshold: 5, interval: 1.minute }, project_generate_new_export: { threshold: -> { application_settings.project_export_limit }, interval: 1.minute }, project_import: { threshold: -> { application_settings.project_import_limit }, interval: 1.minute }, + project_testing_hook: { threshold: 5, interval: 1.minute }, play_pipeline_schedule: { threshold: 1, interval: 1.minute }, show_raw_controller: { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute }, group_export: { threshold: -> { application_settings.group_export_limit }, interval: 1.minute }, group_download_export: { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute }, - group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute } + group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }, + group_testing_hook: { threshold: 5, interval: 1.minute } }.freeze end diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 332d0bc1478..0c6ed6924bf 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -222,6 +222,8 @@ module Gitlab # Registry access (with jwt) does not have access to project return if project && !token.has_access_to?(project) + # When repository is disabled, no resources are accessible via Deploy Token + return if project&.repository_access_level == ::ProjectFeature::DISABLED scopes = abilities_for_scopes(token.scopes) diff --git a/lib/gitlab/auth/two_factor_auth_verifier.rb b/lib/gitlab/auth/two_factor_auth_verifier.rb new file mode 100644 index 00000000000..86552ef1267 --- /dev/null +++ b/lib/gitlab/auth/two_factor_auth_verifier.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +module Gitlab + module Auth + class TwoFactorAuthVerifier + attr_reader :current_user + + def initialize(current_user) + @current_user = current_user + end + + def two_factor_authentication_required? + Gitlab::CurrentSettings.require_two_factor_authentication? || + current_user&.require_two_factor_authentication_from_group? + end + + def current_user_needs_to_setup_two_factor? + current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled? + end + + def two_factor_grace_period + periods = [Gitlab::CurrentSettings.two_factor_grace_period] + periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group? + periods.min + end + + def two_factor_grace_period_expired? + time = current_user&.otp_grace_period_started_at + + return false unless time + + two_factor_grace_period.hours.since(time) < Time.current + end + end + end +end diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index f3b53a2ba0b..b67b3a37440 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -98,6 +98,13 @@ module Gitlab Guest.can?(download_ability, container) end + def deploy_key_can_download_code? + authentication_abilities.include?(:download_code) && + deploy_key? && + deploy_key.has_access_to?(container) && + (project? && project&.repository_access_level != ::Featurable::DISABLED) + end + def user_can_download_code? authentication_abilities.include?(:download_code) && user_access.can_do_action?(download_ability) @@ -257,7 +264,7 @@ module Gitlab end def check_download_access! - passed = deploy_key? || + passed = deploy_key_can_download_code? || deploy_token? || user_can_download_code? || build_can_download_code? || |