Welcome to mirror list, hosted at ThFree Co, Russian Federation.

token_resolver.rb « api_authentication « gitlab « lib - gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/lib/gitlab/api_authentication/token_resolver.rb
blob: 5b30777b6ec78b2ddc295a228cb567a23ca74fd4 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

# frozen_string_literal: true

module Gitlab
  module APIAuthentication
    class TokenResolver
      include ActiveModel::Validations

      attr_reader :token_type

      validates :token_type, inclusion: { in: %i[personal_access_token job_token deploy_token] }

      def initialize(token_type)
        @token_type = token_type
        validate!
      end

      # Existing behavior is known to be inconsistent across authentication
      # methods with regards to whether to silently ignore present but invalid
      # credentials or to raise an error/respond with 401.
      #
      # If a token can be located from the provided credentials, but the token
      # or credentials are in some way invalid, this implementation opts to
      # raise an error.
      #
      # For example, if the raw credentials include a username and password, and
      # a token is resolved from the password, but the username does not match
      # the token, an error will be raised.
      #
      # See https://gitlab.com/gitlab-org/gitlab/-/issues/246569

      def resolve(raw)
        case @token_type
        when :personal_access_token
          resolve_personal_access_token raw

        when :job_token
          resolve_job_token raw

        when :deploy_token
          resolve_deploy_token raw
        end
      end

      private

      def resolve_personal_access_token(raw)
        # Check if the password is a personal access token
        pat = ::PersonalAccessToken.find_by_token(raw.password)
        return unless pat

        # Ensure that the username matches the token. This check is a subtle
        # departure from the existing behavior of #find_personal_access_token_from_http_basic_auth.
        # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38627#note_435907856
        raise ::Gitlab::Auth::UnauthorizedError unless pat.user.username == raw.username

        pat
      end

      def resolve_job_token(raw)
        # Only look for a job if the username is correct
        return if ::Gitlab::Auth::CI_JOB_USER != raw.username

        job = ::Ci::AuthJobFinder.new(token: raw.password).execute

        # Actively reject credentials with the username `gitlab-ci-token` if
        # the password is not a valid job token. This replicates existing
        # behavior of #find_user_from_job_token.
        raise ::Gitlab::Auth::UnauthorizedError unless job

        job
      end

      def resolve_deploy_token(raw)
        # Check if the password is a deploy token
        token = ::DeployToken.active.find_by_token(raw.password)
        return unless token

        # Ensure that the username matches the token. This check is a subtle
        # departure from the existing behavior of #deploy_token_from_request.
        # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38627#note_474826205
        raise ::Gitlab::Auth::UnauthorizedError unless token.username == raw.username

        token
      end
    end
  end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 17:32:43 +0300