diff options
Diffstat (limited to 'lib/api/internal/kubernetes.rb')
-rw-r--r-- | lib/api/internal/kubernetes.rb | 45 |
1 files changed, 44 insertions, 1 deletions
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb index 5f12275b7a0..bf9612db6bf 100644 --- a/lib/api/internal/kubernetes.rb +++ b/lib/api/internal/kubernetes.rb @@ -47,7 +47,7 @@ module API end def check_feature_enabled - not_found! unless Feature.enabled?(:kubernetes_agent_internal_api, type: :ops) + not_found!('Internal API not found') unless Feature.enabled?(:kubernetes_agent_internal_api, type: :ops) end def check_agent_token @@ -135,6 +135,49 @@ module API end end + namespace 'kubernetes/authorize_proxy_user' do + desc 'Authorize a proxy user request' + params do + requires :agent_id, type: Integer, desc: 'ID of the agent accessed' + requires :access_type, type: String, values: ['session_cookie'], desc: 'The type of the access key being verified.' + requires :access_key, type: String, desc: 'The authentication secret for the given access type.' + given access_type: ->(val) { val == 'session_cookie' } do + requires :csrf_token, type: String, allow_blank: false, desc: 'CSRF token that must be checked when access_type is "session_cookie", to ensure the request originates from a GitLab browsing session.' + end + end + post '/', feature_category: :kubernetes_management do + # Load session + public_session_id_string = + begin + Gitlab::Kas::UserAccess.decrypt_public_session_id(params[:access_key]) + rescue StandardError + bad_request!('Invalid access_key') + end + + session_id = Rack::Session::SessionId.new(public_session_id_string) + session = ActiveSession.sessions_from_ids([session_id.private_id]).first + unauthorized!('Invalid session') unless session + + # CSRF check + unless ::Gitlab::Kas::UserAccess.valid_authenticity_token?(session.symbolize_keys, params[:csrf_token]) + unauthorized!('CSRF token does not match') + end + + # Load user + user = Warden::SessionSerializer.new('rack.session' => session).fetch(:user) + unauthorized!('Invalid user in session') unless user + + # Load agent + agent = ::Clusters::Agent.find(params[:agent_id]) + unauthorized!('Feature disabled for agent') unless ::Gitlab::Kas::UserAccess.enabled_for?(agent) + + service_response = ::Clusters::Agents::AuthorizeProxyUserService.new(user, agent).execute + render_api_error!(service_response[:message], service_response[:reason]) unless service_response.success? + + service_response.payload + end + end + namespace 'kubernetes/usage_metrics' do desc 'POST usage metrics' do detail 'Updates usage metrics for agent' |