Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
43a682cc
Commit
43a682cc
authored
Oct 13, 2017
by
Michael Kozono
Committed by
Francisco Lopez
Nov 17, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix OAuth API and RSS rate limiting
parent
d8703071
Changes
5
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
244 additions
and
112 deletions
+244
-112
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+1
-1
config/initializers/rack_attack_global.rb
config/initializers/rack_attack_global.rb
+1
-11
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+0
-30
lib/gitlab/auth/request_authenticator.rb
lib/gitlab/auth/request_authenticator.rb
+64
-0
spec/requests/rack_attack_spec.rb
spec/requests/rack_attack_spec.rb
+178
-70
No files found.
app/controllers/application_controller.rb
View file @
43a682cc
...
@@ -125,7 +125,7 @@ class ApplicationController < ActionController::Base
...
@@ -125,7 +125,7 @@ class ApplicationController < ActionController::Base
# This filter handles private tokens, personal access tokens, and atom
# This filter handles private tokens, personal access tokens, and atom
# requests with rss tokens
# requests with rss tokens
def
authenticate_sessionless_user!
def
authenticate_sessionless_user!
user
=
Gitlab
::
Auth
.
find_sessionless_user
(
request
)
user
=
Gitlab
::
Auth
::
RequestAuthenticator
.
new
(
request
).
find_sessionless_user
sessionless_sign_in
(
user
)
if
user
sessionless_sign_in
(
user
)
if
user
>>>>>>>
Add
request
throttles
>>>>>>>
Add
request
throttles
...
...
config/initializers/rack_attack_global.rb
View file @
43a682cc
...
@@ -45,7 +45,7 @@ class Rack::Attack
...
@@ -45,7 +45,7 @@ class Rack::Attack
end
end
def
authenticated_user_id
def
authenticated_user_id
session_user_id
||
sessionless_user_
id
Gitlab
::
Auth
::
RequestAuthenticator
.
new
(
self
).
user
&
.
id
end
end
def
api_request?
def
api_request?
...
@@ -55,15 +55,5 @@ class Rack::Attack
...
@@ -55,15 +55,5 @@ class Rack::Attack
def
web_request?
def
web_request?
!
api_request?
!
api_request?
end
end
private
def
session_user_id
Gitlab
::
Auth
.
find_session_user
(
self
)
&
.
id
end
def
sessionless_user_id
Gitlab
::
Auth
.
find_sessionless_user
(
self
)
&
.
id
end
end
end
end
end
lib/gitlab/auth.rb
View file @
43a682cc
...
@@ -82,36 +82,6 @@ module Gitlab
...
@@ -82,36 +82,6 @@ module Gitlab
end
end
end
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_private_token
(
request
)
token
=
request
.
params
[
'private_token'
].
presence
||
request
.
env
[
'HTTP_PRIVATE_TOKEN'
].
presence
return
unless
token
.
present?
User
.
find_by_authentication_token
(
token
)
||
User
.
find_by_personal_access_token
(
token
)
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_rss_token
(
request
)
return
unless
request
.
params
[
'format'
]
==
'atom'
token
=
request
.
params
[
'rss_token'
].
presence
return
unless
token
.
present?
User
.
find_by_rss_token
(
token
)
end
def
find_session_user
(
request
)
request
.
env
[
'warden'
]
&
.
authenticate
end
def
find_sessionless_user
(
request
)
find_user_by_private_token
(
request
)
||
find_user_by_rss_token
(
request
)
end
private
private
def
service_request_check
(
login
,
password
,
project
)
def
service_request_check
(
login
,
password
,
project
)
...
...
lib/gitlab/auth/request_authenticator.rb
0 → 100644
View file @
43a682cc
# Use for authentication only, in particular for Rack::Attack.
# Does not perform authorization of scopes, etc.
module
Gitlab
module
Auth
class
RequestAuthenticator
def
initialize
(
request
)
@request
=
request
end
def
user
find_sessionless_user
||
find_session_user
end
def
find_sessionless_user
find_user_by_private_token
||
find_user_by_rss_token
||
find_user_by_oauth_token
end
private
def
find_session_user
@request
.
env
[
'warden'
]
&
.
authenticate
if
verified_request?
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_private_token
token
=
@request
.
params
[
'private_token'
].
presence
||
@request
.
env
[
'HTTP_PRIVATE_TOKEN'
].
presence
return
unless
token
.
present?
User
.
find_by_authentication_token
(
token
)
||
User
.
find_by_personal_access_token
(
token
)
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_rss_token
return
unless
@request
.
path
.
ends_with?
(
'atom'
)
||
@request
.
env
[
'HTTP_ACCEPT'
]
==
'application/atom+xml'
token
=
@request
.
params
[
'rss_token'
].
presence
return
unless
token
.
present?
User
.
find_by_rss_token
(
token
)
end
def
find_user_by_oauth_token
access_token
=
find_oauth_access_token
access_token
&
.
user
end
def
find_oauth_access_token
token
=
Doorkeeper
::
OAuth
::
Token
.
from_request
(
doorkeeper_request
,
*
Doorkeeper
.
configuration
.
access_token_methods
)
OauthAccessToken
.
by_token
(
token
)
if
token
end
def
doorkeeper_request
ActionDispatch
::
Request
.
new
(
@request
.
env
)
end
# Check if the request is GET/HEAD, or if CSRF token is valid.
def
verified_request?
Gitlab
::
RequestForgeryProtection
.
verified?
(
@request
.
env
)
end
end
end
end
spec/requests/rack_attack_spec.rb
View file @
43a682cc
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment