Drew Blessing
29414ab043
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms
We accept half a dozen different authentication mechanisms for
Git over HTTP. Fairly high in the list we were checking user
password, which would also query LDAP. In the case of LFS,
OAuth tokens or personal access tokens, we were unnecessarily
hitting LDAP when the authentication will not succeed. This
was causing some LDAP/AD systems to lock the account. Now,
user password authentication is the last mechanism tried since
it's the most expensive.
2017-01-30 13:05:47 -06:00
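The ordering problem described in that commit, as an added example that is not GitLab's code: cheap, local token checks run before the one mechanism whose failures are charged to the directory account. The fake LDAP, its lockout threshold of three failed binds, the token tables and the mechanism names are all constructed for this illustration.

```ruby
# Added illustration (not GitLab's code). The directory, the lockout threshold
# and all credentials below are constructed for the example.

class FakeLdap
  LOCKOUT_THRESHOLD = 3 # assumed directory policy: lock after 3 failed binds

  attr_reader :bind_attempts

  def initialize(users)
    @users = users            # login => password
    @failures = Hash.new(0)
    @bind_attempts = 0
  end

  # Simulate an LDAP bind: every failed attempt counts against the account,
  # whatever the client actually meant to present.
  def bind(login, password)
    @bind_attempts += 1
    return :locked if locked?(login)
    return :ok if @users[login] == password

    @failures[login] += 1
    :invalid
  end

  def locked?(login)
    @failures[login] >= LOCKOUT_THRESHOLD
  end
end

class GitHttpAuth
  def initialize(ldap:, lfs_tokens:, personal_tokens:)
    @ldap = ldap
    @lfs_tokens = lfs_tokens           # token => login
    @personal_tokens = personal_tokens # token => login
  end

  # Mechanisms that only consult local state; they can never trigger a bind.
  def lfs_token_check(login, password)
    @lfs_tokens[password] == login ? :lfs_token : nil
  end

  def personal_access_token_check(login, password)
    @personal_tokens[password] == login ? :personal_token : nil
  end

  # The expensive mechanism: a miss here is a failed bind on the directory.
  def user_with_password(login, password)
    @ldap.bind(login, password) == :ok ? :user_password : nil
  end

  # Try each mechanism in the given order and stop at the first success.
  def authenticate(login, password, order:)
    order.each do |mechanism|
      result = public_send(mechanism, login, password)
      return result if result
    end
    nil
  end
end

OLD_ORDER = %i[user_with_password lfs_token_check personal_access_token_check]
NEW_ORDER = %i[lfs_token_check personal_access_token_check user_with_password]

# Send three LFS requests (token in the password field) through an order,
# then check what the directory saw and whether a real password still works.
def simulate(order)
  ldap = FakeLdap.new('alice' => 'correct horse battery staple')
  auth = GitHttpAuth.new(ldap: ldap,
                         lfs_tokens: { 'lfs-token-1' => 'alice' },
                         personal_tokens: { 'pat-1' => 'alice' })

  lfs_results = Array.new(3) { auth.authenticate('alice', 'lfs-token-1', order: order) }
  ldap_binds = ldap.bind_attempts
  locked = ldap.locked?('alice')
  password_login = auth.authenticate('alice', 'correct horse battery staple', order: order)

  { lfs_results: lfs_results, ldap_binds: ldap_binds,
    locked: locked, password_login: password_login }
end
```

With `OLD_ORDER` every LFS request is first tried as a password, so three successful LFS requests are also three failed binds, and the account is locked before the user ever types a real password. With `NEW_ORDER` the directory is not contacted at all for token-bearing requests; a password that is neither a valid token nor a valid directory password still reaches LDAP last, so the separate rate limiting on `Gitlab::Auth` remains relevant.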
Timothy Andrew
5becbe2495
Rename the `token_has_scope?` method.
`valid_api_token?` is a better name. Scopes are just (potentially) one facet of
a "valid" token.
2016-12-16 16:29:32 +05:30
Timothy Andrew
b303948ff5
Convert AccessTokenValidationService into a class.
- Previously, AccessTokenValidationService was a module, and all its public
methods accepted a token. It makes sense to convert it to a class which accepts
a token during initialization.
- Also rename the `sufficient_scope?` method to `include_any_scope?`
- Based on feedback from @rymai
2016-12-16 16:29:32 +05:30
Timothy Andrew
dc95bcbb16
Refactor access token validation in `Gitlab::Auth`
- Based on @dbalexandre's review
- Extract token validity conditions into two separate methods, for
personal access tokens and OAuth tokens.
2016-12-16 16:29:32 +05:30
Timothy Andrew
4d6da770de
Implement minor changes from @dbalexandre's review.
- Mainly whitespace changes.
- Require the migration adding the `scope` column to the
`personal_access_tokens` table to have downtime, since API calls will
fail if the new code is in place, but the migration hasn't run.
- Minor refactoring - load `@scopes` in a `before_action`, since we're
doing it in three different places.
2016-12-16 16:29:31 +05:30
Timothy Andrew
36b3210b9e
Validate access token scopes in `Gitlab::Auth`
- This module is used for git-over-http, as well as JWT.
- The only valid scope here is `api`, currently.
2016-12-16 16:29:31 +05:30
Timothy Andrew
7fa06ed55d
Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
2016-12-16 16:29:31 +05:30
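The scope check introduced by the commits above (endpoints declare accepted scopes; `AccessTokenValidationService` takes the token at construction and exposes `include_any_scope?`), as an added example that is not GitLab's code. The `Token` fields, the status symbols, the routes and the sample tokens are assumptions for this illustration; only the scope names `api` and `read_user` come from the commit messages.

```ruby
require 'time'

# Added illustration (not GitLab's code). Token fields, status symbols,
# routes and sample tokens are assumptions; scope names `api`/`read_user`
# are the ones named in the commit messages.

Token = Struct.new(:value, :scopes, :expires_at, :revoked, keyword_init: true)

class AccessTokenValidationService
  VALID              = :valid
  UNKNOWN            = :unknown
  EXPIRED            = :expired
  REVOKED            = :revoked
  INSUFFICIENT_SCOPE = :insufficient_scope

  # The token is supplied once, at construction, not to every method.
  def initialize(token, now: Time.now)
    @token = token
    @now = now
  end

  # A token is usable for a call when it exists, is live, and (if the
  # endpoint restricts scopes) carries at least one accepted scope.
  def validate(scopes: [])
    return UNKNOWN if @token.nil?
    return REVOKED if @token.revoked
    return EXPIRED if @token.expires_at && @token.expires_at <= @now
    return INSUFFICIENT_SCOPE unless scopes.empty? || include_any_scope?(scopes)

    VALID
  end

  # True when the token carries any one of the required scopes.
  def include_any_scope?(required)
    (required.map(&:to_s) & @token.scopes.map(&:to_s)).any?
  end
end

# Endpoint declarations: a read-only user lookup also accepts `read_user`,
# a write needs the broader `api` scope. Routes are assumed.
ENDPOINT_SCOPES = {
  'GET /api/v3/user'      => %w[api read_user],
  'POST /api/v3/projects' => %w[api],
}.freeze

# Constructed sample tokens; the values are placeholders, not credentials.
NOW = Time.parse('2016-12-16T16:29:31+05:30')
TOKENS = {
  'pat-api'       => Token.new(value: 'pat-api',       scopes: %w[api],       expires_at: nil,      revoked: false),
  'pat-read-user' => Token.new(value: 'pat-read-user', scopes: %w[read_user], expires_at: nil,      revoked: false),
  'pat-expired'   => Token.new(value: 'pat-expired',   scopes: %w[api],       expires_at: NOW - 60, revoked: false),
  'pat-revoked'   => Token.new(value: 'pat-revoked',   scopes: %w[api],       expires_at: nil,      revoked: true),
}.freeze

# Resolve the token string presented on a request and check it against the
# scopes the route declared.
def authorize(token_value, route)
  AccessTokenValidationService
    .new(TOKENS[token_value], now: NOW)
    .validate(scopes: ENDPOINT_SCOPES.fetch(route))
end
```

The liveness checks run before the scope check, so a revoked or expired token is rejected even when its scopes would have sufficed; a `read_user` token can read the user but not create a project.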
Patricio Cano
2772109ac1
Handle LFS token creation and retrieval in the same method, and in the same Redis connection.
Reset expiry time of token, if token is retrieved again before it expires.
2016-09-28 12:13:48 -05:00
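The Redis-backed LFS token lifecycle described in that commit (one code path that either returns the existing token and refreshes its expiry or mints a new one), together with the `lfs+deploy-key` login from commit 71aff7f6a3 further down, as an added example that is not GitLab's code. The in-memory Redis stand-in, the key prefix, the 30-minute TTL, the exact login format for deploy keys and the username rule are assumptions for this illustration.

```ruby
require 'securerandom'

# Added illustration (not GitLab's code). The Redis stand-in, the key prefix,
# the TTL, the deploy-key login format and the username rule are assumptions.

User      = Struct.new(:id, :username)
DeployKey = Struct.new(:id)

# Assumed username rule: letters, digits, '_', '.', '-' only.
USERNAME_FORMAT = /\A[a-zA-Z0-9_.-]+\z/

# In-memory stand-in for the three Redis commands used (SET EX, GET, EXPIRE),
# driven by an injectable clock so TTL behaviour can be observed offline.
class FakeRedis
  def initialize(clock)
    @clock = clock
    @data = {}
  end

  def set(key, value, ex:)
    @data[key] = [value, @clock.call + ex]
    'OK'
  end

  def get(key)
    value, deadline = @data[key]
    return nil if value.nil?
    if deadline <= @clock.call
      @data.delete(key)
      return nil
    end
    value
  end

  def expire(key, seconds)
    return false if get(key).nil?
    @data[key][1] = @clock.call + seconds
    true
  end
end

class LfsToken
  DEFAULT_EXPIRE_TIME = 1800 # seconds; assumed value

  def initialize(actor, redis)
    @actor = actor
    @redis = redis
  end

  # Return the current token, refreshing its TTL, or mint a new one. Both
  # branches go through the same connection object so retrieval and the
  # refresh/write are not split across connections.
  def token
    existing = @redis.get(redis_key)
    if existing
      @redis.expire(redis_key, DEFAULT_EXPIRE_TIME)
      return existing
    end

    fresh = SecureRandom.hex(25)
    @redis.set(redis_key, fresh, ex: DEFAULT_EXPIRE_TIME)
    fresh
  end

  # Validate a presented token with a fixed-time byte comparison. Validation
  # deliberately does not refresh the TTL; only retrieval does.
  def token_valid?(candidate)
    current = @redis.get(redis_key)
    return false if current.nil? || candidate.nil?
    return false unless current.bytesize == candidate.bytesize

    current.bytes.zip(candidate.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # The login presented for a deploy key contains '+', which the username
  # rule forbids, so it can never collide with a registered user.
  def actor_name
    case @actor
    when User then @actor.username
    when DeployKey then "lfs+deploy-key-#{@actor.id}"
    end
  end

  private

  def redis_key
    "gitlab:lfs_token:#{@actor.class.name.downcase}_#{@actor.id}"
  end
end

# Walk one user through a sliding-window lifetime with a controllable clock.
def sliding_window_scenario
  clock = [0]
  lfs = LfsToken.new(User.new(1, 'alice'), FakeRedis.new(-> { clock[0] }))

  first = lfs.token                       # minted at t=0, would expire at t=1800
  clock[0] = 1000
  refreshed = lfs.token                   # retrieved again: TTL now runs to t=2800
  clock[0] = 2500                         # past the original deadline
  still_valid = lfs.token_valid?(first)
  clock[0] = 6000                         # idle longer than one TTL
  rotated = lfs.token

  { same_after_refresh: first == refreshed,
    valid_past_original_deadline: still_valid,
    rotated_after_idle: rotated != first,
    old_token_rejected: !lfs.token_valid?(first) }
end
```

Because retrieval resets the expiry, a token that is fetched at least once per TTL never expires; the bound is on idle time, not on total lifetime. The deploy-key login is checked against the username rule to show why the special character matters.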
Kamil Trzcinski
242e77e070
Use early return in lfs_token_check
2016-09-20 09:41:21 +02:00
Kamil Trzcinski
3c1bb3432b
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043"
This reverts commit 6d43c95b70.
2016-09-19 16:34:32 +02:00
Kamil Trzcinski
dc29685465
Properly support Gitlab::Auth::Result
2016-09-19 13:50:28 +02:00
Kamil Trzcinski
6d43c95b70
Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043
2016-09-19 13:45:28 +02:00
Kamil Trzcinski
79f60e2b5c
Move Gitlab::Auth.Result to separate file
2016-09-19 13:42:10 +02:00
Kamil Trzcinski
5790684d1f
Support pushing via SSH
2016-09-19 13:11:11 +02:00
Kamil Trzcinski
0ca43b1b86
Fix permissions for creating container images
2016-09-19 12:37:46 +02:00
Kamil Trzcinski
f7ae37c1d0
Simplify checking of allowed abilities in git_http_client_controller
2016-09-16 13:34:05 +02:00
Kamil Trzcinski
e941365f3b
Rename capabilities to authentication_abilities
2016-09-16 11:12:21 +02:00
Kamil Trzcinski
83b643a014
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token
# Conflicts:
# app/controllers/projects/git_http_client_controller.rb
# app/helpers/lfs_helper.rb
# lib/gitlab/auth.rb
# spec/requests/lfs_http_spec.rb
2016-09-15 21:16:38 +02:00
Patricio Cano
be09bcf074
Refactored authentication code to make it a bit clearer, added test for wrong SSH key.
2016-09-15 12:21:00 -05:00
Patricio Cano
de24075ea5
Further refactoring of authentication code, and code style fixes.
2016-09-15 12:21:00 -05:00
Patricio Cano
71aff7f6a3
Use special characters for `lfs+deploy-key` to prevent someone from creating a user with this username, and method name refactoring.
2016-09-15 12:21:00 -05:00
Patricio Cano
c144db2935
Better authentication handling, syntax fixes and better actor handling for LFS Tokens
2016-09-15 12:21:00 -05:00
Patricio Cano
85152f0291
Improve string handling.
2016-09-15 12:21:00 -05:00
Patricio Cano
c25630ee2c
Refactored handling of the `LfsToken` and added functionality to it to simplify external code.
2016-09-15 12:21:00 -05:00
Patricio Cano
48f1a61fd5
Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests.
2016-09-15 12:21:00 -05:00
Patricio Cano
cb85cf1f0a
Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token.
2016-09-15 12:21:00 -05:00
Patricio Cano
e40e3fdc82
Added LFS support to SSH
- What is required on the GitLab Rails side is mostly authentication and API related.
2016-09-15 12:21:00 -05:00
Kamil Trzcinski
548169cfb5
Fix most of specs
2016-09-15 15:40:53 +02:00
Kamil Trzcinski
9d1ccd2ad3
Fix existing authorization specs
2016-09-15 13:49:11 +02:00
Kamil Trzcinski
11f87700e8
Add access specs
2016-09-15 11:57:09 +02:00
Kamil Trzcinski
6b381f3fdf
Use `build_read_container_image` and use `build_download_code`
2016-09-15 10:34:53 +02:00
Kamil Trzcinski
79e4bb8d0b
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 17:28:24 +02:00
Kamil Trzcinski
ca8ed65efc
Fix result
2016-09-13 15:28:42 +02:00
Kamil Trzcinski
571226f166
Make result return project and capabilities granted
2016-09-13 15:27:05 +02:00
Kamil Trzcinski
505dc808b3
Use the permissions of the user to access all dependent projects from CI jobs (this also includes container images, and in future LFS files)
2016-09-13 13:30:26 +02:00
Patricio Cano
de5f238029
Refactor `find_for_git_client` and its related methods.
2016-08-18 17:15:50 -05:00
Patricio Cano
2f86860a6d
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 17:21:18 -05:00
Patricio Cano
5f5d8a8e09
Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`
2016-08-16 11:19:00 -05:00
Patricio Cano
c5a7a70d10
Allow Git over HTTP access using Personal Access Tokens
2016-08-16 11:19:00 -05:00
Jacob Vosmaer
0e896ffe4e
Improve Gitlab::Auth method names
Auth.find was a very generic name for a very specific method.
Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also
looks in Kerberos.
2016-06-10 14:51:16 +02:00
Jacob Vosmaer
07f49626d0
Fix tests
2016-06-06 17:40:26 +02:00
Jacob Vosmaer
3f3b036def
Use public_send
2016-06-03 17:23:34 +02:00
Jacob Vosmaer
fa35aea3dd
Refactor Gitlab::Auth rate limiting
2016-06-03 17:07:40 +02:00
Jacob Vosmaer
3ffa494ffe
Changes after more review from Rémy
2016-06-03 14:57:34 +02:00
Jacob Vosmaer
fea591e5c5
Rename finder to find_in_gitlab_or_ldap
2016-06-02 13:42:18 +02:00
Jacob Vosmaer
3dc276b367
Remove parallel assignment
2016-05-03 11:46:14 +02:00
Jacob Vosmaer
b1ffc9f0fe
Make CI/Oauth/rate limiting reusable
2016-04-29 18:58:55 +02:00
Andrey Krivko
bafd30f92c
Session API: Use case-insensitive authentication like in UI
2014-10-30 18:29:18 +02:00
Jan-Willem van der Meer
9bf7bfda20
Remove unused methods
2014-10-14 12:09:24 +02:00
Jan-Willem van der Meer
01b791237c
Refactor lib files for multiple LDAP groups
2014-10-13 17:24:05 +02:00