Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/lib/api/internal/kubernetes.rb
diff options
context:
space:
mode:
Diffstat (limited to 'lib/api/internal/kubernetes.rb')
-rw-r--r--lib/api/internal/kubernetes.rb45
1 files changed, 44 insertions, 1 deletions
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb
index 5f12275b7a0..bf9612db6bf 100644
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -47,7 +47,7 @@ module API
end
def check_feature_enabled
- not_found! unless Feature.enabled?(:kubernetes_agent_internal_api, type: :ops)
+ not_found!('Internal API not found') unless Feature.enabled?(:kubernetes_agent_internal_api, type: :ops)
end
def check_agent_token
@@ -135,6 +135,49 @@ module API
end
end
+ namespace 'kubernetes/authorize_proxy_user' do
+ desc 'Authorize a proxy user request'
+ params do
+ requires :agent_id, type: Integer, desc: 'ID of the agent accessed'
+ requires :access_type, type: String, values: ['session_cookie'], desc: 'The type of the access key being verified.'
+ requires :access_key, type: String, desc: 'The authentication secret for the given access type.'
+ given access_type: ->(val) { val == 'session_cookie' } do
+ requires :csrf_token, type: String, allow_blank: false, desc: 'CSRF token that must be checked when access_type is "session_cookie", to ensure the request originates from a GitLab browsing session.'
+ end
+ end
+ post '/', feature_category: :kubernetes_management do
+ # Load session
+ public_session_id_string =
+ begin
+ Gitlab::Kas::UserAccess.decrypt_public_session_id(params[:access_key])
+ rescue StandardError
+ bad_request!('Invalid access_key')
+ end
+
+ session_id = Rack::Session::SessionId.new(public_session_id_string)
+ session = ActiveSession.sessions_from_ids([session_id.private_id]).first
+ unauthorized!('Invalid session') unless session
+
+ # CSRF check
+ unless ::Gitlab::Kas::UserAccess.valid_authenticity_token?(session.symbolize_keys, params[:csrf_token])
+ unauthorized!('CSRF token does not match')
+ end
+
+ # Load user
+ user = Warden::SessionSerializer.new('rack.session' => session).fetch(:user)
+ unauthorized!('Invalid user in session') unless user
+
+ # Load agent
+ agent = ::Clusters::Agent.find(params[:agent_id])
+ unauthorized!('Feature disabled for agent') unless ::Gitlab::Kas::UserAccess.enabled_for?(agent)
+
+ service_response = ::Clusters::Agents::AuthorizeProxyUserService.new(user, agent).execute
+ render_api_error!(service_response[:message], service_response[:reason]) unless service_response.success?
+
+ service_response.payload
+ end
+ end
+
namespace 'kubernetes/usage_metrics' do
desc 'POST usage metrics' do
detail 'Updates usage metrics for agent'
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-02 01:08:17 +0300