Commit de24075e
Authored Sep 08, 2016 by Patricio Cano
Further refactoring of authentication code, and code style fixes.
Parent: 71aff7f6
Showing 3 changed files with 48 additions and 47 deletions:
app/controllers/projects/git_http_client_controller.rb (+12 -8)
lib/gitlab/auth.rb (+27 -26)
lib/gitlab/lfs_token.rb (+9 -13)
app/controllers/projects/git_http_client_controller.rb
...
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include
ActionController
::
HttpAuthentication
::
Basic
include
KerberosSpnegoHelper
attr_reader
:user
attr_reader
:user
,
:actor
# Git clients will not know what authenticity token to send along
skip_before_action
:verify_authenticity_token
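Review bot: `attr_reader :user, :actor` still generates a `user` reader for `@user`, but a later hunk in this file adds an explicit `def user` that returns `@actor`, and every assignment to `@user` in this commit is replaced by an assignment to `@actor`. The generated reader is therefore dead and gets redefined further down the class. Reduce this line to `attr_reader :actor` and keep the explicit `user` method as the single definition.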
...
...
@@ -24,13 +24,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
handle_basic_authentication
(
login
,
password
)
if
ci?
||
use
r
if
ci?
||
acto
r
return
# Allow access
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
@
use
r
=
find_kerberos_user
@
acto
r
=
find_kerberos_user
if
use
r
if
acto
r
send_final_spnego_response
return
# Allow access
end
...
...
@@ -110,6 +110,10 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@ci
.
present?
end
def
user
@actor
end
def
handle_basic_authentication
(
login
,
password
)
auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
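Review bot: The added `user` method returns `@actor` without looking at its type, while `lfs_token_check` in lib/gitlab/auth.rb resolves a deploy-key login to a `DeployKey` and the `:lfs_deploy_token` branch of `handle_basic_authentication` stores `auth_result.actor` in `@actor`. Code that calls `user` expecting a `User` can therefore receive a deploy key. Either return the actor from `user` only when it is a `User`, or add a comment above the method stating that it is a compatibility alias and which types callers must handle.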
...
...
@@ -117,21 +121,21 @@ class Projects::GitHttpClientController < Projects::ApplicationController
when
:ci
@ci
=
true
if
download_request?
when
:oauth
@
user
=
auth_result
.
use
r
if
download_request?
@
actor
=
auth_result
.
acto
r
if
download_request?
when
:lfs_deploy_token
if
download_request?
@lfs_deploy_key
=
true
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
end
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
@
user
=
auth_result
.
use
r
@
actor
=
auth_result
.
acto
r
else
# Not allowed
end
end
def
lfs_deploy_key?
@lfs_deploy_key
.
present?
&&
(
user
&&
user
.
projects
.
include?
(
project
)
)
@lfs_deploy_key
.
present?
&&
actor
&&
actor
.
projects
.
include?
(
project
)
end
def
verify_workhorse_api!
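Review bot: In `handle_basic_authentication`, the `:oauth` and `:lfs_deploy_token` branches assign `@actor` only when `download_request?` is true, so any non-download request with those credential types leaves `@actor` unset and is treated like a failed login. That restriction is not documented anywhere in the hunk. Add a one-line comment on each branch saying these credential types are limited to downloads, so a later edit does not drop the `if download_request?` guard as apparent duplication.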
...
...
lib/gitlab/auth.rb
module
Gitlab
module
Auth
Result
=
Struct
.
new
(
:
use
r
,
:type
)
Result
=
Struct
.
new
(
:
acto
r
,
:type
)
class
MissingPersonalTokenError
<
StandardError
;
end
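Review bot: Renaming the first `Result` member from `:user` to `:actor` removes `Result#user`, and this commit updates callers in only three files. Any other caller that still reads `.user` on the value returned by `find_for_git_client` will raise `NoMethodError` at request time. Search the rest of the code base and the specs for remaining `.user` reads on auth results before merging, and mention the rename in the commit message, which currently describes the change only as refactoring and style fixes.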
...
...
@@ -49,6 +49,24 @@ module Gitlab
private
def
populate_result
(
login
,
password
,
project
,
ip
)
result
=
ci_request_check
(
login
,
password
,
project
)
||
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
actor
end
success
=
result
?
result
.
actor
.
present?
||
result
.
type
==
:ci
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
end
def
valid_ci_request?
(
login
,
password
,
project
)
matched_login
=
/(?<service>^[a-zA-Z]*-ci)-token$/
.
match
(
login
)
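Review bot: In the added `populate_result`, `success = result ? result.actor.present? || result.type == :ci : false` depends on `||` binding tighter than `?:`, and the `if result && result.type != :ci` block above it wraps a single `unless`. Both are easy to misread in the code that decides whether an attempt is reported to `rate_limit!` as a failure. Consider `success = !!result && (result.actor.present? || result.type == :ci)` and folding the type reset into one guarded statement, with a short comment explaining why a result without an actor has its type cleared.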
...
...
@@ -67,31 +85,14 @@ module Gitlab
end
end
def
populate_result
(
login
,
password
,
project
,
ip
)
result
=
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
result
||=
user_with_password_for_git
(
login
,
password
)
||
oauth_access_token_check
(
login
,
password
)
||
lfs_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
if
result
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
user
if
result
.
user
&&
result
.
type
==
:gitlab_or_ldap
&&
result
.
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
end
end
success
=
result
?
result
.
user
.
present?
||
[
:ci
].
include?
(
result
.
type
)
:
false
rate_limit!
(
ip
,
success:
success
,
login:
login
)
result
||
Result
.
new
def
ci_request_check
(
login
,
password
,
project
)
Result
.
new
(
nil
,
:ci
)
if
valid_ci_request?
(
login
,
password
,
project
)
end
def
user_with_password_for_git
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
&&
user
.
two_factor_enabled?
Result
.
new
(
user
,
:gitlab_or_ldap
)
if
user
end
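Review bot: `user_with_password_for_git` raises `MissingPersonalTokenError` from inside the `||` chain in `populate_result`, so for that outcome `rate_limit!(ip, success: success, login: login)` is never reached and the attempt is not recorded as either a success or a failure. The removed code had the same ordering, so this is carried over rather than introduced here, but the refactoring is a good point to settle it. If skipping the rate limiter is intended, add a comment saying so next to the `raise`; otherwise make sure the attempt is recorded before the exception leaves `populate_result`.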
...
...
@@ -114,11 +115,11 @@ module Gitlab
end
def
lfs_token_check
(
login
,
password
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
actor
=
if
login
=~
/\Alfs\+deploy-key-\d+\Z/
/\d+\Z/
.
match
(
login
)
do
|
id
|
DeployKey
.
find
(
id
[
0
])
end
if
deploy_key_matches
DeployKey
.
find
(
deploy_key_matches
[
1
])
else
User
.
by_login
(
login
)
end
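Review bot: `DeployKey.find(deploy_key_matches[1])` takes the id straight from the client-supplied login, and `find` raises `ActiveRecord::RecordNotFound` when no such record exists, so a login naming an unknown deploy key id surfaces as an exception instead of a failed authentication. Use `DeployKey.find_by(id: deploy_key_matches[1])` so a missing key yields `nil` and falls through to the normal rejection path. The switch from `\Z` to `\z` in the new pattern is a good tightening, since `\Z` also matches before a trailing newline.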
...
...
lib/gitlab/lfs_token.rb
...
...
@@ -6,7 +6,15 @@ module Gitlab
EXPIRY_TIME
=
1800
def
initialize
(
actor
)
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
def
generate
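Review bot: The `else` branch of the `case actor` in `initialize` contains only an empty `#` comment, so an actor that is not a `DeployKey`, `User` or `Key` silently leaves `@actor` as `nil`, and `redis_key` then returns `nil` because of its trailing `if actor`. Raise an `ArgumentError` in the `else` branch so an unsupported actor fails at construction, or, if `nil` is a supported state, replace the empty comment with one that says so.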
...
...
@@ -38,17 +46,5 @@ module Gitlab
def
redis_key
"gitlab:lfs_token:
#{
actor
.
class
.
name
.
underscore
}
_
#{
actor
.
id
}
"
if
actor
end
def
set_actor
(
actor
)
@actor
=
case
actor
when
DeployKey
,
User
actor
when
Key
actor
.
user
else
#
end
end
end
end