Pawel Chojnacki
0ef8a64348
Remove unnecessary calls to limit_user!, UniqueIps Middleware, and address MR review
...
- cleanup formatting in haml
- clarify time window is in seconds
- cleanup extraneous chunks in db/schema
- rename count_uniqe_ips to update_and_return_ips_count
- other
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
8993801f0c
Test various login scenarios if the limit gets enforced
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
e5cf3f51fb
Allow limiting logging in users from too many different IPs.
2017-03-06 15:41:24 +01:00
Sean McGivern
811e598f60
Enable and autocorrect the CustomErrorClass cop
2017-03-01 15:28:10 +00:00
Tiago Botelho
2b474dc2b2
refactors finder and correlated code
2017-03-01 13:11:11 +00:00
Tiago Botelho
9f2e4742e3
applies relevant changes to the code and code structure
2017-02-28 22:15:40 +00:00
Simon Vocella
a3dfb58e7f
add impersonation token
2017-02-28 22:15:39 +00:00
Douwe Maan
b7d8df503c
Enable Style/MutableConstant
2017-02-23 09:31:56 -06:00
Drew Blessing
29414ab043
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms
...
We accept half a dozen different authentication mechanisms for
Git over HTTP. Fairly high in the list we were checking user
password, which would also query LDAP. In the case of LFS,
OAuth tokens or personal access tokens, we were unnecessarily
hitting LDAP when the authentication will not succeed. This
was causing some LDAP/AD systems to lock the account. Now,
user password authentication is the last mechanism tried since
it's the most expensive.
2017-01-30 13:05:47 -06:00
Timothy Andrew
5becbe2495
Rename the `token_has_scope?` method.
...
`valid_api_token?` is a better name. Scopes are just (potentially) one facet of
a "valid" token.
2016-12-16 16:29:32 +05:30
Timothy Andrew
b303948ff5
Convert AccessTokenValidationService into a class.
...
- Previously, AccessTokenValidationService was a module, and all its public
methods accepted a token. It makes sense to convert it to a class which accepts
a token during initialization.
- Also rename the `sufficient_scope?` method to `include_any_scope?`
- Based on feedback from @rymai
2016-12-16 16:29:32 +05:30
Timothy Andrew
dc95bcbb16
Refactor access token validation in `Gitlab::Auth`
...
- Based on @dbalexandre's review
- Extract token validity conditions into two separate methods, for
personal access tokens and OAuth tokens.
2016-12-16 16:29:32 +05:30
Timothy Andrew
4d6da770de
Implement minor changes from @dbalexandre's review.
...
- Mainly whitespace changes.
- Require the migration adding the `scope` column to the
`personal_access_tokens` table to have downtime, since API calls will
fail if the new code is in place, but the migration hasn't run.
- Minor refactoring - load `@scopes` in a `before_action`, since we're
doing it in three different places.
2016-12-16 16:29:31 +05:30
Timothy Andrew
36b3210b9e
Validate access token scopes in `Gitlab::Auth`
...
- This module is used for git-over-http, as well as JWT.
- The only valid scope here is `api`, currently.
2016-12-16 16:29:31 +05:30
Timothy Andrew
7fa06ed55d
Calls to the API are checked for scope.
...
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
2016-12-16 16:29:31 +05:30
Patricio Cano
2772109ac1
Handle LFS token creation and retrieval in the same method, and in the same Redis connection.
...
Reset expiry time of token, if token is retrieved again before it expires.
2016-09-28 12:13:48 -05:00
Kamil Trzcinski
242e77e070
Use early return in lfs_token_check
2016-09-20 09:41:21 +02:00
Kamil Trzcinski
3c1bb3432b
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043 "
...
This reverts commit 6d43c95b70.
2016-09-19 16:34:32 +02:00
Kamil Trzcinski
dc29685465
Properly support Gitlab::Auth::Result
2016-09-19 13:50:28 +02:00
Kamil Trzcinski
6d43c95b70
Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043
2016-09-19 13:45:28 +02:00
Kamil Trzcinski
79f60e2b5c
Move Gitlab::Auth.Result to separate file
2016-09-19 13:42:10 +02:00
Kamil Trzcinski
5790684d1f
Support pushing via SSH
2016-09-19 13:11:11 +02:00
Kamil Trzcinski
0ca43b1b86
Fix permissions for creating container images
2016-09-19 12:37:46 +02:00
Kamil Trzcinski
f7ae37c1d0
Simplify checking of allowed abilities in git_http_client_controller
2016-09-16 13:34:05 +02:00
Kamil Trzcinski
e941365f3b
Rename capabilities to authentication_abilities
2016-09-16 11:12:21 +02:00
Kamil Trzcinski
83b643a014
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token
...
# Conflicts:
# app/controllers/projects/git_http_client_controller.rb
# app/helpers/lfs_helper.rb
# lib/gitlab/auth.rb
# spec/requests/lfs_http_spec.rb
2016-09-15 21:16:38 +02:00
Patricio Cano
be09bcf074
Refactored authentication code to make it a bit clearer, added test for wrong SSH key.
2016-09-15 12:21:00 -05:00
Patricio Cano
de24075ea5
Further refactoring of authentication code, and code style fixes.
2016-09-15 12:21:00 -05:00
Patricio Cano
71aff7f6a3
Use special characters for `lfs+deploy-key` to prevent someone from creating a user with this username, and method name refactoring.
2016-09-15 12:21:00 -05:00
Patricio Cano
c144db2935
Better authentication handling, syntax fixes and better actor handling for LFS Tokens
2016-09-15 12:21:00 -05:00
Patricio Cano
85152f0291
Improve string handling.
2016-09-15 12:21:00 -05:00
Patricio Cano
c25630ee2c
Refactored handling of the `LfsToken` and added functionality to it to simplify external code.
2016-09-15 12:21:00 -05:00
Patricio Cano
48f1a61fd5
Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests.
2016-09-15 12:21:00 -05:00
Patricio Cano
cb85cf1f0a
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token.
2016-09-15 12:21:00 -05:00
Patricio Cano
e40e3fdc82
Added LFS support to SSH
...
- Required on the GitLab Rails side is mostly authentication and API related.
2016-09-15 12:21:00 -05:00
Kamil Trzcinski
548169cfb5
Fix most of specs
2016-09-15 15:40:53 +02:00
Kamil Trzcinski
9d1ccd2ad3
Fix existing authorization specs
2016-09-15 13:49:11 +02:00
Kamil Trzcinski
11f87700e8
Add access specs
2016-09-15 11:57:09 +02:00
Kamil Trzcinski
6b381f3fdf
Use `build_read_container_image` and use `build_download_code`
2016-09-15 10:34:53 +02:00
Kamil Trzcinski
79e4bb8d0b
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 17:28:24 +02:00
Kamil Trzcinski
ca8ed65efc
Fix result
2016-09-13 15:28:42 +02:00
Kamil Trzcinski
571226f166
Make result return project and capabilities granted
2016-09-13 15:27:05 +02:00
Kamil Trzcinski
505dc808b3
Use the permissions of the user to access all dependent projects from CI jobs (this also includes container images, and in future LFS files)
2016-09-13 13:30:26 +02:00
Patricio Cano
de5f238029
Refactor `find_for_git_client` and its related methods.
2016-08-18 17:15:50 -05:00
Patricio Cano
2f86860a6d
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 17:21:18 -05:00
Patricio Cano
5f5d8a8e09
Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`
2016-08-16 11:19:00 -05:00
Patricio Cano
c5a7a70d10
Allow Git over HTTP access using Personal Access Tokens
2016-08-16 11:19:00 -05:00
Jacob Vosmaer
0e896ffe4e
Improve Gitlab::Auth method names
...
Auth.find was a very generic name for a very specific method.
Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also
looks in Kerberos.
2016-06-10 14:51:16 +02:00
Jacob Vosmaer
07f49626d0
Fix tests
2016-06-06 17:40:26 +02:00
Jacob Vosmaer
3f3b036def
Use public_send
2016-06-03 17:23:34 +02:00
Jacob Vosmaer
fa35aea3dd
Refactor Gitlab::Auth rate limiting
2016-06-03 17:07:40 +02:00
Jacob Vosmaer
3ffa494ffe
Changes after more review from Rémy
2016-06-03 14:57:34 +02:00
Jacob Vosmaer
fea591e5c5
Rename finder to find_in_gitlab_or_ldap
2016-06-02 13:42:18 +02:00
Jacob Vosmaer
3dc276b367
Remove parallel assignment
2016-05-03 11:46:14 +02:00
Jacob Vosmaer
b1ffc9f0fe
Make CI/Oauth/rate limiting reusable
2016-04-29 18:58:55 +02:00
Andrey Krivko
bafd30f92c
Session API: Use case-insensitive authentication like in UI
2014-10-30 18:29:18 +02:00
Jan-Willem van der Meer
9bf7bfda20
Remove unused methods
2014-10-14 12:09:24 +02:00
Jan-Willem van der Meer
01b791237c
Refactor lib files for multiple LDAP groups
2014-10-13 17:24:05 +02:00
skv
a3f645ef51
Remove deprecated finders
2014-01-19 23:39:56 +04:00
Dmitriy Zaporozhets
4f9098032c
Remove code that was accidentally added in 5dae40f579
2013-09-14 10:14:55 +03:00
Izaak Alpert
5dae40f579
Update to only provide one way to get a default user
...
- calling build_user will now apply defaults and only override them if as: :admin is set
Change-Id: Id1d938c0967752ecc14370af54f2d88128d18c44
2013-09-11 14:04:15 -04:00
Dmitriy Zaporozhets
3707cc119b
Refactor Gitlab::Auth
2013-09-04 00:12:00 +03:00
Dmitriy Zaporozhets
71abf70458
Move ldap auth to LDAP::User. Removed unused code
2013-09-02 23:50:45 +03:00
Dmitriy Zaporozhets
6bf117c601
Move User+LDAP functionality from Gitlab::Auth
2013-09-02 23:35:40 +03:00
Dmitriy Zaporozhets
559e83d300
Add LDAP support to /api/session
2013-07-16 11:28:19 +03:00
Dmitriy Zaporozhets
ec1055076c
Merge branch 'add-defaults-create-group-team' of https://github.com/dmedvinsky/gitlabhq into dmedvinsky-add-defaults-create-group-team
...
Conflicts:
config/gitlab.yml.example
2013-05-27 15:17:06 +03:00
Dmitriy Zaporozhets
63c6f30aba
Fix ldap auth for http push
2013-05-24 20:36:28 +03:00
Dmitry Medvinsky
22279bc558
Add settings for user permission defaults
...
“Can create groups” and “Can create teams” had hardcoded defaults to
`true`. Sometimes it is desirable to prohibit these for newly created
users by default.
2013-05-16 18:02:22 +04:00
Andrey Kumanyaev
67ccc8b52a
Replace old hashes with new 1.9 ruby hashes (rebase)
2013-05-05 18:01:10 +04:00
Andrew8xx8
0d9a6fe7b1
User's blocked field refactored to use state machine
2013-03-04 18:52:30 +04:00
Dmitriy Zaporozhets
369dbaf396
Merge pull request #1586 from Bregor/ber_to_string
...
Auth: Net::BER::BerIdentifiedStrings to Strings
2013-01-16 04:55:52 -08:00
Riyad Preukschas
19eb637419
Update uses of Gitolite.config.foo settings
2012-12-20 16:54:28 +01:00
Dmitriy Zaporozhets
c50ec72b52
Deprecate code for Project. Use title and path
2012-11-23 21:11:09 +03:00
Godric
054c15e7b5
enable Oauth login for existing regular users
...
fix: https://github.com/gitlabhq/gitlabhq/issues/1620
2012-10-20 00:38:07 +03:00
Maxim Filatov
93cb01ea9b
Auth: Net::BER::BerIdentifiedStrings to Strings
2012-09-28 18:08:13 +04:00
Nihad Abbasov
4629cc44d6
fix mass assignment error in create_from_omniauth after a6a229a
2012-09-26 11:18:25 -07:00
Robert Speicher
0d77209ea0
Be more resilient in the case of missing omniauth settings
...
Should no longer freak out when omniauth settings aren't present in
gitlab.yml. People who aren't using it shouldn't even have to put a
'false' entry in their config for it (and probably wouldn't, after an
upgrade).
2012-09-12 18:11:59 -04:00
Dmitriy Zaporozhets
048d47e626
Refactor oauth & ldap
2012-09-12 09:23:16 +03:00