auth.rb 2.9 KB
Newer Older
D
Dmitriy Zaporozhets 已提交
1
module Gitlab
2
  module Auth
3 4
    Result = Struct.new(:user, :type)

5 6 7 8
    class << self
      def find(login, password, project:, ip:)
        raise "Must provide an IP for rate limiting" if ip.nil?

9
        result = Result.new
10 11

        if valid_ci_request?(login, password, project)
12 13 14 15 16
          result.type = :ci
        elsif result.user = find_in_gitlab_or_ldap(login, password)
          result.type = :gitlab_or_ldap
        elsif result.user = oauth_access_token_check(login, password)
          result.type = :oauth
17 18
        end

19 20
        rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
        result
21 22
      end

23
      def find_in_gitlab_or_ldap(login, password)
24 25 26 27 28 29 30 31 32 33 34 35 36 37
        user = User.by_login(login)

        # If no user is found, or it's an LDAP server, try LDAP.
        #   LDAP users are only authenticated via LDAP
        if user.nil? || user.ldap_user?
          # Second chance - try LDAP authentication
          return nil unless Gitlab::LDAP::Config.enabled?

          Gitlab::LDAP::Authentication.login(login, password)
        else
          user if user.valid_password?(password)
        end
      end

J
Jacob Vosmaer 已提交
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
      def rate_limit!(ip, success:, login:)
        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
        return unless rate_limiter.enabled?

        if success
          # Repeated login 'failures' are normal behavior for some Git clients so
          # it is important to reset the ban counter once the client has proven
          # they are not a 'bad guy'.
          rate_limiter.reset!
        else
          # Register a login failure so that Rack::Attack can block the next
          # request from this IP if needed.
          rate_limiter.register_fail!

          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end
        end
      end

59 60 61 62 63 64 65 66 67 68 69 70 71 72
      private

      def valid_ci_request?(login, password, project)
        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)

        return false unless project && matched_login.present?

        underscored_service = matched_login['service'].underscore

        if underscored_service == 'gitlab_ci'
          project && project.valid_build_token?(password)
        elsif Service.available_services_names.include?(underscored_service)
          # We treat underscored_service as a trusted input because it is included
          # in the Service.available_services_names whitelist.
J
Jacob Vosmaer 已提交
73
          service = project.public_send("#{underscored_service}_service")
74 75 76 77 78 79 80 81 82 83 84

          service && service.activated? && service.valid_token?(password)
        end
      end

      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)
          token && token.accessible? && User.find_by(id: token.resource_owner_id)
        end
      end
85
    end
D
Dmitriy Zaporozhets 已提交
86 87
  end
end