gfyoung
c858f70d07
Enable frozen string for lib/gitlab/*.rb
2018-10-22 07:00:50 +00:00
Yorick Peterse
2039c8280d
Disable existing offenses for the CodeReuse cops
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
2018-09-11 17:32:00 +02:00
Lin Jen-Shin
d0afab482f
Disable SAML if OmniAuth is disabled
We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
2018-07-20 18:54:46 +08:00
Kamil Trzciński
1e3cea1a0f
Bring back the EE changes to CE to authentication of builds
2018-06-04 22:25:46 +02:00
Lin Jen-Shin
1e2b6cf514
Introduce Gitlab::Auth.omniauth_setup_providers
Which could extend from EE
2018-06-01 14:30:10 +08:00
Lin Jen-Shin
39b6f31c66
Eliminate constants warnings by:
* Replace `require` or `require_relative` with `require_dependency`
* Remove unneeded `autoload`
2018-06-01 13:46:46 +08:00
🙈 jacopo beschi 🙉
c6b1043e9d
Resolve "Make a Rubocop that forbids returning from a block"
2018-04-18 09:19:40 +00:00
Kamil Trzciński
b38439a3ae
Use proper auth_scope for deploy token
2018-04-07 10:35:00 +02:00
Mayra Cabrera
c4f56a8802
Increase test suite around deploy tokens behavior
Also, fixes broken specs
2018-04-06 21:20:17 -05:00
Mayra Cabrera
a475411f43
Fixes broken schema and minor changes
2018-04-06 21:20:16 -05:00
Mayra Cabrera
8315861c9a
Include ProjectDeployTokens
Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs
2018-04-06 21:20:16 -05:00
Kamil Trzciński
72220a99d1
Support Deploy Tokens properly without hacking abilities
2018-04-06 21:20:16 -05:00
Mayra Cabrera
171b2625b1
Addresses backend review suggestions
- Remove extra method for authorize_admin_project
- Ensure project presence
- Rename 'read_repo' to 'read_repository' to be more verbose
2018-04-06 21:20:16 -05:00
Mayra Cabrera
7deab31722
Removes logic from Jwt and handle different scenarios on Gitlab::Auth
- When using 'read_repo' password and project are sent, so we used both
of them to fetch for the token
- When using 'read_registry' only the password is sent, so we only use
that for fetching the token
2018-04-06 21:20:16 -05:00
Mayra Cabrera
370fc05da7
Implement 'read_repo' for DeployTokens
This will allow downloading a repo using the token from the DeployToken
2018-04-06 21:20:16 -05:00
Horatiu Eugen Vlad
7d01792614
Fix LDAP login without user in DB
2018-03-27 09:21:17 +02:00
Horatiu Eugen Vlad
6d3cb7e22e
Make oauth provider login generic
2018-03-05 22:26:40 +00:00
Horatiu Eugen Vlad
1ad5df49b1
Moved o_auth/saml/ldap modules under gitlab/auth
2018-02-28 16:53:02 +01:00
Mario de la Ossa
eaada9d706
use Gitlab::UserSettings directly as a singleton instead of including/extending it
2018-02-02 18:39:55 +00:00
Sean McGivern
89c9d2ad6b
Merge branch 'dm-fix-registry-with-sudo-token' into 'master'
Fix pulling and pushing using a personal access token with the sudo scope
Closes #40466
See merge request gitlab-org/gitlab-ce!15571
2017-11-24 09:09:38 +00:00
Douwe Maan
453b178093
Fix pulling and pushing using a personal access token with the sudo scope
2017-11-23 16:32:08 +01:00
Markus Koller
257fd57134
Allow password authentication to be disabled entirely
2017-11-23 13:16:14 +00:00
Stan Hu
0232450c8a
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 16:21:39 +00:00
Douwe Maan
3f24f9ed18
Add sudo API scope
2017-11-02 11:39:03 +01:00
Douwe Maan
a1781a4941
Consistently use PersonalAccessToken instead of PersonalToken
2017-11-02 11:39:02 +01:00
Robin Bobbitt
0013e6c00d
Clean up read_registry scope changes
Closes #37789
2017-09-18 08:39:01 -04:00
Kamil Trzciński
2602cc0c36
Merge branch 'hide-read-registry-scope-when-registry-disabled' into 'master'
Hide read_registry scope when registry is disabled on instance
See merge request !13314
2017-09-12 09:57:48 +00:00
Douwe Maan
7d3e888d06
Merge branch '37202-revert-changes-to-signing-enabled' into 'master'
Rollback changes made to signing_enabled.
Closes #37202
See merge request !13956
2017-09-01 11:49:22 +00:00
Tiago Botelho
37383d9a9d
Rolls back changes made to signing_enabled.
2017-09-01 10:51:40 +01:00
Sean McGivern
5883ce95ef
`current_application_settings` belongs on `Gitlab::CurrentSettings`
The initializers including this were doing so at the top level, so every object
loaded after them had a `current_application_settings` method. However, if
someone had rack-attack enabled (which was loaded before these initializers), it
would try to load the API, and fail, because `Gitlab::CurrentSettings` didn't
have that method.
To fix this:
1. Don't include `Gitlab::CurrentSettings` at the top level. We do not need
`Object.new.current_application_settings` to work.
2. Make `Gitlab::CurrentSettings` explicitly `extend self`, as we already use it
like that in several places.
3. Change the initializers to use that new form.
2017-08-31 13:38:33 +01:00
Robin Bobbitt
62ef67acc3
Hide read_registry scope when registry is disabled on instance
2017-08-21 18:13:32 -04:00
Robert Speicher
260c8da060
Whitelist or fix additional `Gitlab/PublicSend` cop violations
An upcoming update to rubocop-gitlab-security added additional
violations.
2017-08-14 12:14:11 -04:00
Lin Jen-Shin
b3e058996c
Clean up tests and add admin_container_image to full_authentication_abilities.
This is fine because we're going to check with can?(..) anyway
2017-08-02 17:51:29 +08:00
Robin Bobbitt
672a68d372
Fixes needed when GitLab sign-in is not enabled
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
2017-07-13 10:08:27 -04:00
Timothy Andrew
afbc7520c2
`AccessTokenValidationService` accepts `String` or `API::Scope` scopes.
- There's no need to use `API::Scope` for scopes that don't have `if`
conditions, such as in `lib/gitlab/auth.rb`.
2017-06-30 07:32:25 +00:00
Timothy Andrew
b8ec1f4201
Extract a `Gitlab::Scope` class.
- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.
2017-06-29 06:15:57 +00:00
Timothy Andrew
c1fcd730cc
Implement review comments from @DouweM for !12300.
- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`
- Refactor the "remove scopes whose :if condition returns false" logic to use a
`select` rather than a `reject`.
2017-06-28 07:17:13 +00:00
Timothy Andrew
1b8223dd51
Fix remaining spec failures for !12300.
1. Get the spec for `lib/gitlab/auth.rb` passing.
- Make the `request` argument to `AccessTokenValidationService` optional -
`auth.rb` doesn't need to pass in a request.
- Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
is what `AccessTokenValidationService` now expects.
2. Get the spec for `API::V3::Users` passing
3. Get the spec for `AccessTokenValidationService` passing
2017-06-28 07:17:13 +00:00
Robin Bobbitt
cb5a5eb892
Instruct user to use a personal access token for Git over HTTP
If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.
2017-06-07 21:12:51 -04:00
Z.J. van de Weg
9fcc3e5982
Fix test failures
2017-06-06 16:19:15 +02:00
Z.J. van de Weg
0b81b5ace0
Create read_registry scope with JWT auth
This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs
There is one gotcha, there will be no support for impersonation tokens, as this
seems not needed.
Fixes gitlab-org/gitlab-ce#19219
2017-06-05 12:26:49 +02:00
Horatiu Eugen Vlad
9735ce15de
Avoid resource intensive login checks if password is not provided
Fixes #32598
2017-05-21 17:58:32 +02:00
Timothy Andrew
bee780e8fd
Allow OAuth clients to push code
- We currently support fetching code with username = 'oauth2' and
password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
error.
- There's no reason this shouldn't be enabled, especially since we allow the
OAuth client to create deploy keys with push access:
https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
2017-04-13 13:13:22 +00:00
Sean McGivern
de37dcee90
Merge branch 'siemens/gitlab-ce-feature/openid-connect'
2017-03-07 16:16:08 +00:00
Douwe Maan
6a52cda31d
Merge remote-tracking branch 'origin/personal_access_token_api_and_impersonation_token'
2017-03-07 09:29:55 -06:00
Markus Koller
8699c8338f
Require explicit scopes on personal access tokens
Gitlab::Auth and API::APIGuard already check for at least one valid
scope on personal access tokens, so if the scopes are empty the token
will always fail validation.
2017-03-07 15:00:29 +01:00
Markus Koller
eefbc83730
Only use API scopes for personal access tokens
2017-03-07 15:00:29 +01:00
Markus Koller
93daeee164
Don't allow blocked users to authenticate through other means
Gitlab::Auth.find_with_user_password is currently used in these places:
- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
which is used for the OAuth Resource Owner Password Credentials flow
- the /session API call in lib/api/session.rb, which is used to reveal
the user's current authentication_token
In both cases users should only be authenticated if they're in the
active state.
2017-03-07 15:00:29 +01:00
Markus Koller
c498289048
Implement OpenID Connect identity provider
2017-03-07 14:54:35 +01:00
Tiago Botelho
005749a616
apply codestyle and implementation changes to the respective feature code
2017-03-06 19:18:26 +00:00
Pawel Chojnacki
0ef8a64348
Remove unnecessary calls to limit_user!, UniqueIps Middleware, and address MR review
- cleanup formatting in haml
- clarify time window is in seconds
- cleanup extraneous chunks in db/schema
- rename count_uniqe_ips to update_and_return_ips_count
- other
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
8993801f0c
Test various login scenarios if the limit gets enforced
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
e5cf3f51fb
Allow limiting logging in users from too many different IPs.
2017-03-06 15:41:24 +01:00
Sean McGivern
811e598f60
Enable and autocorrect the CustomErrorClass cop
2017-03-01 15:28:10 +00:00
Tiago Botelho
2b474dc2b2
refactors finder and correlated code
2017-03-01 13:11:11 +00:00
Tiago Botelho
9f2e4742e3
applies relevant changes to the code and code structure
2017-02-28 22:15:40 +00:00
Simon Vocella
a3dfb58e7f
add impersonation token
2017-02-28 22:15:39 +00:00
Douwe Maan
b7d8df503c
Enable Style/MutableConstant
2017-02-23 09:31:56 -06:00
Drew Blessing
29414ab043
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms
We accept half a dozen different authentication mechanisms for
Git over HTTP. Fairly high in the list we were checking user
password, which would also query LDAP. In the case of LFS,
OAuth tokens or personal access tokens, we were unnecessarily
hitting LDAP when the authentication will not succeed. This
was causing some LDAP/AD systems to lock the account. Now,
user password authentication is the last mechanism tried since
it's the most expensive.
2017-01-30 13:05:47 -06:00
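The ordering this commit describes (and the related points from the commits above it: skip every check when no password is supplied, reject tokens with no valid scope, and never authenticate a user who is not in the active state) is easiest to see in code. The following is an added illustration written for this page, not GitLab's own `Gitlab::Auth`; the user and token tables are constructed in memory, the `ldap_queries` counter stands in for a directory bind, and plain string comparison stands in for real password verification.

```ruby
# Illustrative Git-over-HTTP credential resolver (not GitLab's code).
# Every mechanism that cannot reach LDAP runs first; the user-password
# check, the only one that can, runs last and only if a password was sent.

# Constructed stand-ins for the user and token tables.
User  = Struct.new(:username, :password, :state, :ldap, keyword_init: true)
Token = Struct.new(:username, :scopes, keyword_init: true)

USERS = {
  'alice' => User.new(username: 'alice', password: 'correct horse', state: 'active',  ldap: false),
  'bob'   => User.new(username: 'bob',   password: 'hunter2',       state: 'blocked', ldap: true),
  'carol' => User.new(username: 'carol', password: 'swordfish',     state: 'active',  ldap: true),
}.freeze

PERSONAL_ACCESS_TOKENS = {
  'pat-alice-api'  => Token.new(username: 'alice', scopes: ['api']),
  'pat-alice-none' => Token.new(username: 'alice', scopes: []),      # no scopes: must fail
  'pat-bob-api'    => Token.new(username: 'bob',   scopes: ['api']), # blocked owner: must fail
}.freeze

OAUTH_TOKENS = {
  'oauth-alice' => Token.new(username: 'alice', scopes: ['api']),
}.freeze

Result = Struct.new(:actor, :type)

class GitHttpAuth
  # The only scope accepted for Git over HTTP in this illustration.
  VALID_SCOPES = ['api'].freeze

  # How often the (simulated) LDAP backend was consulted; the test uses it
  # to show which paths never touch the directory.
  attr_reader :ldap_queries

  def initialize
    @ldap_queries = 0
  end

  def find_for_git_client(login, password)
    # Without a password no mechanism can succeed, so do no work at all.
    return nil if password.nil? || password.empty?

    oauth_access_token_check(login, password) ||
      personal_access_token_check(password) ||
      user_with_password_check(login, password)
  end

  private

  # OAuth clients authenticate as user 'oauth2' with the access token as password.
  def oauth_access_token_check(login, password)
    return nil unless login == 'oauth2'

    build_result(OAUTH_TOKENS[password], :oauth)
  end

  def personal_access_token_check(password)
    build_result(PERSONAL_ACCESS_TOKENS[password], :personal_access_token)
  end

  # A token is accepted only with at least one valid scope and an active owner.
  def build_result(token, type)
    return nil if token.nil?
    return nil if (token.scopes & VALID_SCOPES).empty?

    user = active_user(token.username)
    user && Result.new(user, type)
  end

  # The expensive step, kept last. Blocked users are rejected before the
  # directory is asked, so a bad password for them cannot lock the account.
  def user_with_password_check(login, password)
    user = USERS[login]
    return nil if user.nil? || user.state != 'active'

    @ldap_queries += 1 if user.ldap
    user.password == password ? Result.new(user, :gitlab_or_ldap) : nil
  end

  def active_user(username)
    user = USERS[username]
    user && user.state == 'active' ? user : nil
  end
end
```

With this ordering a personal access token or OAuth token never causes a directory bind, and an empty password returns before any lookup, which is exactly the lockout the commit set out to avoid.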
Timothy Andrew
5becbe2495
Rename the `token_has_scope?` method.
`valid_api_token?` is a better name. Scopes are just (potentially) one facet of
a "valid" token.
2016-12-16 16:29:32 +05:30
Timothy Andrew
b303948ff5
Convert AccessTokenValidationService into a class.
- Previously, AccessTokenValidationService was a module, and all its public
methods accepted a token. It makes sense to convert it to a class which accepts
a token during initialization.
- Also rename the `sufficient_scope?` method to `include_any_scope?`
- Based on feedback from @rymai
2016-12-16 16:29:32 +05:30
Timothy Andrew
dc95bcbb16
Refactor access token validation in `Gitlab::Auth`
- Based on @dbalexandre's review
- Extract token validity conditions into two separate methods, for
personal access tokens and OAuth tokens.
2016-12-16 16:29:32 +05:30
Timothy Andrew
4d6da770de
Implement minor changes from @dbalexandre's review.
- Mainly whitespace changes.
- Require the migration adding the `scope` column to the
`personal_access_tokens` table to have downtime, since API calls will
fail if the new code is in place, but the migration hasn't run.
- Minor refactoring - load `@scopes` in a `before_action`, since we're
doing it in three different places.
2016-12-16 16:29:31 +05:30
Timothy Andrew
36b3210b9e
Validate access token scopes in `Gitlab::Auth`
- This module is used for git-over-http, as well as JWT.
- The only valid scope here is `api`, currently.
2016-12-16 16:29:31 +05:30
Timothy Andrew
7fa06ed55d
Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
2016-12-16 16:29:31 +05:30
Patricio Cano
2772109ac1
Handle LFS token creation and retrieval in the same method, and in the same Redis connection.
Reset expiry time of token, if token is retrieved again before it expires.
2016-09-28 12:13:48 -05:00
Kamil Trzcinski
242e77e070
Use early return in lfs_token_check
2016-09-20 09:41:21 +02:00
Kamil Trzcinski
3c1bb3432b
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043"
This reverts commit 6d43c95b70.
2016-09-19 16:34:32 +02:00
Kamil Trzcinski
dc29685465
Properly support Gitlab::Auth::Result
2016-09-19 13:50:28 +02:00
Kamil Trzcinski
6d43c95b70
Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043
2016-09-19 13:45:28 +02:00
Kamil Trzcinski
79f60e2b5c
Move Gitlab::Auth.Result to separate file
2016-09-19 13:42:10 +02:00
Kamil Trzcinski
5790684d1f
Support pushing via SSH
2016-09-19 13:11:11 +02:00
Kamil Trzcinski
0ca43b1b86
Fix permissions for creating container images
2016-09-19 12:37:46 +02:00
Kamil Trzcinski
f7ae37c1d0
Simplify checking of allowed abilities in git_http_client_controller
2016-09-16 13:34:05 +02:00
Kamil Trzcinski
e941365f3b
Rename capabilities to authentication_abilities
2016-09-16 11:12:21 +02:00
Kamil Trzcinski
83b643a014
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token
# Conflicts:
# app/controllers/projects/git_http_client_controller.rb
# app/helpers/lfs_helper.rb
# lib/gitlab/auth.rb
# spec/requests/lfs_http_spec.rb
2016-09-15 21:16:38 +02:00
Patricio Cano
be09bcf074
Refactored authentication code to make it a bit clearer, added test for wrong SSH key.
2016-09-15 12:21:00 -05:00
Patricio Cano
de24075ea5
Further refactoring of authentication code, and code style fixes.
2016-09-15 12:21:00 -05:00
Patricio Cano
71aff7f6a3
Use special characters for `lfs+deploy-key` to prevent someone from creating a user with this username, and method name refactoring.
2016-09-15 12:21:00 -05:00
Patricio Cano
c144db2935
Better authentication handling, syntax fixes and better actor handling for LFS Tokens
2016-09-15 12:21:00 -05:00
Patricio Cano
85152f0291
Improve string handling.
2016-09-15 12:21:00 -05:00
Patricio Cano
c25630ee2c
Refactored handling of the `LfsToken` and added functionality to it to simplify external code.
2016-09-15 12:21:00 -05:00
Patricio Cano
48f1a61fd5
Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests.
2016-09-15 12:21:00 -05:00
Patricio Cano
cb85cf1f0a
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token.
2016-09-15 12:21:00 -05:00
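Three of the commits in this series describe the same mechanism from different angles: the LFS token lives under a Redis key per actor rather than in a database column, creation and retrieval happen in one method that pushes the expiry out when a live token is reused, and deploy keys present an actor name containing a `+` that no registrable username may contain. The following is an added illustration of that scheme and is not GitLab's `LfsToken` class; the in-memory `FakeRedis`, the 1800-second expiry and the username regex are assumptions made for this example.

```ruby
require 'securerandom'

# Constructed stand-ins for the two actor types that can authenticate for LFS.
User      = Struct.new(:id, :username)
DeployKey = Struct.new(:id)

# Minimal in-memory stand-in for the Redis commands used below (GET, SET with
# EX, EXPIRE). The clock is a plain attribute so expiry can be exercised offline.
class FakeRedis
  attr_accessor :now

  def initialize
    @now = 0.0
    @store = {}
  end

  def get(key)
    value, expires_at = @store[key]
    return nil if value.nil?

    if @now >= expires_at
      @store.delete(key) # expired keys behave as if they were never set
      return nil
    end
    value
  end

  def set(key, value, ex:)
    @store[key] = [value, @now + ex]
    value
  end

  def expire(key, ex)
    return false unless @store.key?(key)

    @store[key][1] = @now + ex
    true
  end
end

class LfsToken
  EXPIRY = 1800 # seconds; an assumption for this example, not GitLab's setting
  # Illustrative username rule: letters, digits, '_', '.' and '-' only.
  USERNAME_FORMAT = /\A[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\z/

  def initialize(actor, redis)
    @actor = actor
    @redis = redis
  end

  # Creation and retrieval in one place: reuse the live token and push its
  # expiry out, otherwise mint a fresh one. Either way the caller gets a
  # token valid for a full EXPIRY window from now.
  def token
    existing = @redis.get(redis_key)
    if existing
      @redis.expire(redis_key, EXPIRY)
      existing
    else
      @redis.set(redis_key, SecureRandom.hex(32), ex: EXPIRY)
    end
  end

  # Constant-time comparison so a wrong token costs the same no matter how
  # long a prefix it shares with the stored one.
  def valid?(candidate)
    stored = @redis.get(redis_key)
    return false if stored.nil? || candidate.nil? || stored.bytesize != candidate.bytesize

    stored.bytes.zip(candidate.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Name the LFS client sends as the HTTP basic-auth user. Deploy keys get a
  # '+', which USERNAME_FORMAT never allows, so no account can be registered
  # that collides with a deploy-key actor.
  def actor_name
    case @actor
    when DeployKey then "lfs+deploy-key-#{@actor.id}"
    when User      then @actor.username
    else raise ArgumentError, "unsupported actor #{@actor.class}"
    end
  end

  def self.registrable_username?(name)
    USERNAME_FORMAT.match?(name)
  end

  private

  def redis_key
    "gitlab:lfs_token:#{@actor.class.name.downcase}_#{@actor.id}"
  end
end
```

Because the key carries its own TTL, a token that is never presented again simply disappears; there is no column to clear and no stale credential left behind in the database.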
Patricio Cano
e40e3fdc82
Added LFS support to SSH
- Required on the GitLab Rails side is mostly authentication and API related.
2016-09-15 12:21:00 -05:00
Kamil Trzcinski
548169cfb5
Fix most of specs
2016-09-15 15:40:53 +02:00
Kamil Trzcinski
9d1ccd2ad3
Fix existing authorization specs
2016-09-15 13:49:11 +02:00
Kamil Trzcinski
11f87700e8
Add access specs
2016-09-15 11:57:09 +02:00
Kamil Trzcinski
6b381f3fdf
Use `build_read_container_image` and use `build_download_code`
2016-09-15 10:34:53 +02:00
Kamil Trzcinski
79e4bb8d0b
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 17:28:24 +02:00
Kamil Trzcinski
ca8ed65efc
Fix result
2016-09-13 15:28:42 +02:00
Kamil Trzcinski
571226f166
Make result to return project and capabilities granted
2016-09-13 15:27:05 +02:00
Kamil Trzcinski
505dc808b3
Use the permissions of the user to access all dependent projects from CI jobs (this also includes container images, and in future LFS files)
2016-09-13 13:30:26 +02:00
Patricio Cano
de5f238029
Refactor `find_for_git_client` and its related methods.
2016-08-18 17:15:50 -05:00
Patricio Cano
2f86860a6d
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 17:21:18 -05:00
Patricio Cano
5f5d8a8e09
Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`
2016-08-16 11:19:00 -05:00
Patricio Cano
c5a7a70d10
Allow Git over HTTP access using Personal Access Tokens
2016-08-16 11:19:00 -05:00
Jacob Vosmaer
0e896ffe4e
Improve Gitlab::Auth method names
Auth.find was a very generic name for a very specific method.
Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also
looks in Kerberos.
2016-06-10 14:51:16 +02:00
Jacob Vosmaer
07f49626d0
Fix tests
2016-06-06 17:40:26 +02:00
Jacob Vosmaer
3f3b036def
Use public_send
2016-06-03 17:23:34 +02:00
Jacob Vosmaer
fa35aea3dd
Refactor Gitlab::Auth rate limiting
2016-06-03 17:07:40 +02:00
Jacob Vosmaer
3ffa494ffe
Changes after more review from Rémy
2016-06-03 14:57:34 +02:00
Jacob Vosmaer
fea591e5c5
Rename finder to find_in_gitlab_or_ldap
2016-06-02 13:42:18 +02:00
Jacob Vosmaer
3dc276b367
Remove parallel assignment
2016-05-03 11:46:14 +02:00
Jacob Vosmaer
b1ffc9f0fe
Make CI/Oauth/rate limiting reusable
2016-04-29 18:58:55 +02:00
Andrey Krivko
bafd30f92c
Session API: Use case-insensitive authentication like in UI
2014-10-30 18:29:18 +02:00
Jan-Willem van der Meer
9bf7bfda20
Remove unused methods
2014-10-14 12:09:24 +02:00
Jan-Willem van der Meer
01b791237c
Refactor lib files for multiple LDAP groups
2014-10-13 17:24:05 +02:00
skv
a3f645ef51
Remove deprecated finders
2014-01-19 23:39:56 +04:00
Dmitriy Zaporozhets
4f9098032c
Remove code that was accidentally added in 5dae40f579
2013-09-14 10:14:55 +03:00
Izaak Alpert
5dae40f579
Update to only provide one way to get a default user
- calling build_user will now apply defaults and only override them if as: :admin is set
Change-Id: Id1d938c0967752ecc14370af54f2d88128d18c44
2013-09-11 14:04:15 -04:00
Dmitriy Zaporozhets
3707cc119b
Refactor Gitlab::Auth
2013-09-04 00:12:00 +03:00
Dmitriy Zaporozhets
71abf70458
Move ldap auth to LDAP::User. Removed unused code
2013-09-02 23:50:45 +03:00
Dmitriy Zaporozhets
6bf117c601
Move User+LDAP functionality from Gitlab::Auth
2013-09-02 23:35:40 +03:00
Dmitriy Zaporozhets
559e83d300
Add LDAP support to /api/session
2013-07-16 11:28:19 +03:00
Dmitriy Zaporozhets
ec1055076c
Merge branch 'add-defaults-create-group-team' of https://github.com/dmedvinsky/gitlabhq into dmedvinsky-add-defaults-create-group-team
Conflicts:
config/gitlab.yml.example
2013-05-27 15:17:06 +03:00
Dmitriy Zaporozhets
63c6f30aba
Fix ldap auth for http push
2013-05-24 20:36:28 +03:00
Dmitry Medvinsky
22279bc558
Add settings for user permission defaults
“Can create groups” and “Can create teams” had hardcoded defaults to
`true`. Sometimes it is desirable to prohibit these for newly created
users by default.
2013-05-16 18:02:22 +04:00
Andrey Kumanyaev
67ccc8b52a
Replace old hashes with new 1.9 ruby hashes (rebase)
2013-05-05 18:01:10 +04:00
Andrew8xx8
0d9a6fe7b1
User's blocked field refactored to use state machine
2013-03-04 18:52:30 +04:00
Dmitriy Zaporozhets
369dbaf396
Merge pull request #1586 from Bregor/ber_to_string
Auth: Net::BER::BerIdentifiedStrings to Strings
2013-01-16 04:55:52 -08:00
Riyad Preukschas
19eb637419
Update uses of Gitolite.config.foo settings
2012-12-20 16:54:28 +01:00
Dmitriy Zaporozhets
c50ec72b52
Deprecate code for Project. Use title and path
2012-11-23 21:11:09 +03:00
Godric
054c15e7b5
enable Oauth login for existing regular users
fix: https://github.com/gitlabhq/gitlabhq/issues/1620
2012-10-20 00:38:07 +03:00
Maxim Filatov
93cb01ea9b
Auth: Net::BER::BerIdentifiedStrings to Strings
2012-09-28 18:08:13 +04:00
Nihad Abbasov
4629cc44d6
fix mass assignment error in create_from_omniauth after a6a229a
2012-09-26 11:18:25 -07:00
Robert Speicher
0d77209ea0
Be more resilient in the case of missing omniauth settings
Should no longer freak out when omniauth settings aren't present in
gitlab.yml. People who aren't using it shouldn't even have to put a
'false' entry in their config for it (and probably wouldn't, after an
upgrade).
2012-09-12 18:11:59 -04:00
Dmitriy Zaporozhets
048d47e626
Refactor oauth & ldap
2012-09-12 09:23:16 +03:00