diff options
| author | Rémy Coutable <remy@rymai.me> | 2018-11-29 12:53:09 +0300 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2018-11-29 12:53:09 +0300 |
| commit | 70b19fbdefac344641c8087a493bd582d9c57abe (patch) | |
| tree | 9a3c3ff147b1401e3a916fd896133619ba27da23 /lib | |
| parent | 299011313cef8fbeb8d5eeafcc60374211c88ec8 (diff) | |
| parent | bd3a4840329160a64c0cac25ed6c1d3b22f5bdb4 (diff) | |
Merge branch 'if-40385-prohibit_impersonation' into 'master'
Add config to prohibit impersonation
See merge request gitlab-org/gitlab-ce!23338
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/api_guard.rb | 6 | ||||
| -rw-r--r-- | lib/gitlab/auth/user_auth_finders.rb | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 61357b3f1d6..af9b519ed9e 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -94,6 +94,7 @@ module API Gitlab::Auth::TokenNotFoundError, Gitlab::Auth::ExpiredError, Gitlab::Auth::RevokedError, + Gitlab::Auth::ImpersonationDisabled, Gitlab::Auth::InsufficientScopeError] base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend @@ -121,6 +122,11 @@ module API :invalid_token, "Token was revoked. You have to re-authorize from the user.") + when Gitlab::Auth::ImpersonationDisabled + Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( + :invalid_token, + "Token is an impersonation token but impersonation was disabled.") + when Gitlab::Auth::InsufficientScopeError # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2) # does not include WWW-Authenticate header, which breaks the standard. diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb index adba9084845..a5efe33bdc6 100644 --- a/lib/gitlab/auth/user_auth_finders.rb +++ b/lib/gitlab/auth/user_auth_finders.rb @@ -7,6 +7,7 @@ module Gitlab TokenNotFoundError = Class.new(AuthenticationError) ExpiredError = Class.new(AuthenticationError) RevokedError = Class.new(AuthenticationError) + ImpersonationDisabled = Class.new(AuthenticationError) UnauthorizedError = Class.new(AuthenticationError) class InsufficientScopeError < AuthenticationError @@ -67,6 +68,8 @@ module Gitlab raise ExpiredError when AccessTokenValidationService::REVOKED raise RevokedError + when AccessTokenValidationService::IMPERSONATION_DISABLED + raise ImpersonationDisabled end end |