Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
1436598e
Commit
1436598e
authored
Nov 16, 2017
by
Francisco Lopez
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Moved Exceptions to Gitlab::Auth
parent
aa84ef1e
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
51 additions
and
48 deletions
+51
-48
app/controllers/omniauth_callbacks_controller.rb
app/controllers/omniauth_callbacks_controller.rb
+4
-2
lib/api/api_guard.rb
lib/api/api_guard.rb
+10
-10
lib/api/helpers.rb
lib/api/helpers.rb
+1
-1
lib/gitlab/auth/request_authenticator.rb
lib/gitlab/auth/request_authenticator.rb
+1
-1
lib/gitlab/auth/user_auth_finders.rb
lib/gitlab/auth/user_auth_finders.rb
+19
-18
spec/lib/gitlab/auth/request_authenticator_spec.rb
spec/lib/gitlab/auth/request_authenticator_spec.rb
+2
-2
spec/lib/gitlab/auth/user_auth_finders_spec.rb
spec/lib/gitlab/auth/user_auth_finders_spec.rb
+10
-10
spec/requests/api/helpers_spec.rb
spec/requests/api/helpers_spec.rb
+4
-4
No files found.
app/controllers/omniauth_callbacks_controller.rb
View file @
1436598e
...
@@ -54,7 +54,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
...
@@ -54,7 +54,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
if
current_user
if
current_user
log_audit_event
(
current_user
,
with: :saml
)
log_audit_event
(
current_user
,
with: :saml
)
# Update SAML identity if data has changed.
# Update SAML identity if data has changed.
identity
=
current_user
.
identities
.
find_by
(
extern_uid:
oauth
[
'uid'
],
provider: :saml
)
identity
=
current_user
.
identities
.
with_extern_uid
(
:saml
,
oauth
[
'uid'
]).
take
if
identity
.
nil?
if
identity
.
nil?
current_user
.
identities
.
create
(
extern_uid:
oauth
[
'uid'
],
provider: :saml
)
current_user
.
identities
.
create
(
extern_uid:
oauth
[
'uid'
],
provider: :saml
)
redirect_to
profile_account_path
,
notice:
'Authentication method updated'
redirect_to
profile_account_path
,
notice:
'Authentication method updated'
...
@@ -98,7 +98,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
...
@@ -98,7 +98,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
def
handle_omniauth
def
handle_omniauth
if
current_user
if
current_user
# Add new authentication method
# Add new authentication method
current_user
.
identities
.
find_or_create_by
(
extern_uid:
oauth
[
'uid'
],
provider:
oauth
[
'provider'
])
current_user
.
identities
.
with_extern_uid
(
oauth
[
'provider'
],
oauth
[
'uid'
])
.
first_or_create
(
extern_uid:
oauth
[
'uid'
])
log_audit_event
(
current_user
,
with:
oauth
[
'provider'
])
log_audit_event
(
current_user
,
with:
oauth
[
'provider'
])
redirect_to
profile_account_path
,
notice:
'Authentication method updated'
redirect_to
profile_account_path
,
notice:
'Authentication method updated'
else
else
...
...
lib/api/api_guard.rb
View file @
1436598e
...
@@ -93,11 +93,11 @@ module API
...
@@ -93,11 +93,11 @@ module API
private
private
def
install_error_responders
(
base
)
def
install_error_responders
(
base
)
error_classes
=
[
Gitlab
::
Auth
::
UserAuthFinders
::
MissingTokenError
,
error_classes
=
[
Gitlab
::
Auth
::
MissingTokenError
,
Gitlab
::
Auth
::
UserAuthFinders
::
TokenNotFoundError
,
Gitlab
::
Auth
::
TokenNotFoundError
,
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
,
Gitlab
::
Auth
::
ExpiredError
,
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
,
Gitlab
::
Auth
::
RevokedError
,
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
]
Gitlab
::
Auth
::
InsufficientScopeError
]
base
.
__send__
(
:rescue_from
,
*
error_classes
,
oauth2_bearer_token_error_handler
)
# rubocop:disable GitlabSecurity/PublicSend
base
.
__send__
(
:rescue_from
,
*
error_classes
,
oauth2_bearer_token_error_handler
)
# rubocop:disable GitlabSecurity/PublicSend
end
end
...
@@ -106,25 +106,25 @@ module API
...
@@ -106,25 +106,25 @@ module API
proc
do
|
e
|
proc
do
|
e
|
response
=
response
=
case
e
case
e
when
Gitlab
::
Auth
::
UserAuthFinders
::
MissingTokenError
when
Gitlab
::
Auth
::
MissingTokenError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
when
Gitlab
::
Auth
::
UserAuthFinders
::
TokenNotFoundError
when
Gitlab
::
Auth
::
TokenNotFoundError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
:invalid_token
,
"Bad Access Token."
)
"Bad Access Token."
)
when
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
when
Gitlab
::
Auth
::
ExpiredError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
:invalid_token
,
"Token is expired. You can either do re-authorization or token refresh."
)
"Token is expired. You can either do re-authorization or token refresh."
)
when
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
when
Gitlab
::
Auth
::
RevokedError
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Unauthorized
.
new
(
:invalid_token
,
:invalid_token
,
"Token was revoked. You have to re-authorize from the user."
)
"Token was revoked. You have to re-authorize from the user."
)
when
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
when
Gitlab
::
Auth
::
InsufficientScopeError
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
# does not include WWW-Authenticate header, which breaks the standard.
# does not include WWW-Authenticate header, which breaks the standard.
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Forbidden
.
new
(
Rack
::
OAuth2
::
Server
::
Resource
::
Bearer
::
Forbidden
.
new
(
...
...
lib/api/helpers.rb
View file @
1436598e
...
@@ -398,7 +398,7 @@ module API
...
@@ -398,7 +398,7 @@ module API
begin
begin
@initial_current_user
=
Gitlab
::
Auth
::
UniqueIpsLimiter
.
limit_user!
{
find_current_user!
}
@initial_current_user
=
Gitlab
::
Auth
::
UniqueIpsLimiter
.
limit_user!
{
find_current_user!
}
rescue
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
rescue
Gitlab
::
Auth
::
UnauthorizedError
unauthorized!
unauthorized!
end
end
end
end
...
...
lib/gitlab/auth/request_authenticator.rb
View file @
1436598e
...
@@ -17,7 +17,7 @@ module Gitlab
...
@@ -17,7 +17,7 @@ module Gitlab
def
find_sessionless_user
def
find_sessionless_user
find_user_from_access_token
||
find_user_from_rss_token
find_user_from_access_token
||
find_user_from_rss_token
rescue
API
::
APIGuard
::
AuthenticationException
rescue
Gitlab
::
Auth
::
AuthenticationException
nil
nil
end
end
end
end
...
...
lib/gitlab/auth/user_auth_finders.rb
View file @
1436598e
module
Gitlab
module
Gitlab
module
Auth
module
Auth
#
# Exceptions
#
AuthenticationException
=
Class
.
new
(
StandardError
)
MissingTokenError
=
Class
.
new
(
AuthenticationException
)
TokenNotFoundError
=
Class
.
new
(
AuthenticationException
)
ExpiredError
=
Class
.
new
(
AuthenticationException
)
RevokedError
=
Class
.
new
(
AuthenticationException
)
UnauthorizedError
=
Class
.
new
(
AuthenticationException
)
class
InsufficientScopeError
<
AuthenticationException
attr_reader
:scopes
def
initialize
(
scopes
)
@scopes
=
scopes
.
map
{
|
s
|
s
.
try
(
:name
)
||
s
}
end
end
module
UserAuthFinders
module
UserAuthFinders
PRIVATE_TOKEN_HEADER
=
'HTTP_PRIVATE_TOKEN'
.
freeze
PRIVATE_TOKEN_HEADER
=
'HTTP_PRIVATE_TOKEN'
.
freeze
PRIVATE_TOKEN_PARAM
=
:private_token
PRIVATE_TOKEN_PARAM
=
:private_token
#
# Exceptions
#
AuthenticationException
=
Class
.
new
(
StandardError
)
MissingTokenError
=
Class
.
new
(
AuthenticationException
)
TokenNotFoundError
=
Class
.
new
(
AuthenticationException
)
ExpiredError
=
Class
.
new
(
AuthenticationException
)
RevokedError
=
Class
.
new
(
AuthenticationException
)
UnauthorizedError
=
Class
.
new
(
AuthenticationException
)
class
InsufficientScopeError
<
AuthenticationException
attr_reader
:scopes
def
initialize
(
scopes
)
@scopes
=
scopes
.
map
{
|
s
|
s
.
try
(
:name
)
||
s
}
end
end
# Check the Rails session for valid authentication details
# Check the Rails session for valid authentication details
def
find_user_from_warden
def
find_user_from_warden
current_request
.
env
[
'warden'
]
&
.
authenticate
if
verified_request?
current_request
.
env
[
'warden'
]
&
.
authenticate
if
verified_request?
...
...
spec/lib/gitlab/auth/request_authenticator_spec.rb
View file @
1436598e
...
@@ -33,7 +33,7 @@ describe Gitlab::Auth::RequestAuthenticator do
...
@@ -33,7 +33,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end
end
it
'bubbles up exceptions'
do
it
'bubbles up exceptions'
do
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_warden
).
and_raise
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_warden
).
and_raise
(
Gitlab
::
Auth
::
UnauthorizedError
)
end
end
end
end
...
@@ -59,7 +59,7 @@ describe Gitlab::Auth::RequestAuthenticator do
...
@@ -59,7 +59,7 @@ describe Gitlab::Auth::RequestAuthenticator do
end
end
it
'rescue API::APIGuard::AuthenticationException exceptions'
do
it
'rescue API::APIGuard::AuthenticationException exceptions'
do
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_access_token
).
and_raise
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
allow_any_instance_of
(
described_class
).
to
receive
(
:find_user_from_access_token
).
and_raise
(
Gitlab
::
Auth
::
UnauthorizedError
)
expect
(
subject
.
find_sessionless_user
).
to
be_blank
expect
(
subject
.
find_sessionless_user
).
to
be_blank
end
end
...
...
spec/lib/gitlab/auth/user_auth_finders_spec.rb
View file @
1436598e
...
@@ -65,7 +65,7 @@ describe Gitlab::Auth::UserAuthFinders do
...
@@ -65,7 +65,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid rss_token'
do
it
'returns exception if invalid rss_token'
do
set_param
(
:rss_token
,
'invalid_token'
)
set_param
(
:rss_token
,
'invalid_token'
)
expect
{
find_user_from_rss_token
}.
to
raise_error
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
expect
{
find_user_from_rss_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UnauthorizedError
)
end
end
end
end
...
@@ -96,7 +96,7 @@ describe Gitlab::Auth::UserAuthFinders do
...
@@ -96,7 +96,7 @@ describe Gitlab::Auth::UserAuthFinders do
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:user
).
and_return
(
nil
)
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:user
).
and_return
(
nil
)
expect
{
find_user_from_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
expect
{
find_user_from_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UnauthorizedError
)
end
end
end
end
end
end
...
@@ -127,7 +127,7 @@ describe Gitlab::Auth::UserAuthFinders do
...
@@ -127,7 +127,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid personal_access_token'
do
it
'returns exception if invalid personal_access_token'
do
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
'invalid_token'
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
'invalid_token'
expect
{
find_personal_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
expect
{
find_personal_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UnauthorizedError
)
end
end
end
end
...
@@ -158,7 +158,7 @@ describe Gitlab::Auth::UserAuthFinders do
...
@@ -158,7 +158,7 @@ describe Gitlab::Auth::UserAuthFinders do
it
'returns exception if invalid oauth_access_token'
do
it
'returns exception if invalid oauth_access_token'
do
env
[
'HTTP_AUTHORIZATION'
]
=
"Bearer invalid_token"
env
[
'HTTP_AUTHORIZATION'
]
=
"Bearer invalid_token"
expect
{
find_oauth_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
U
serAuthFinders
::
U
nauthorizedError
)
expect
{
find_oauth_access_token
}.
to
raise_error
(
Gitlab
::
Auth
::
UnauthorizedError
)
end
end
end
end
...
@@ -174,20 +174,20 @@ describe Gitlab::Auth::UserAuthFinders do
...
@@ -174,20 +174,20 @@ describe Gitlab::Auth::UserAuthFinders do
allow_any_instance_of
(
described_class
).
to
receive
(
:access_token
).
and_return
(
personal_access_token
)
allow_any_instance_of
(
described_class
).
to
receive
(
:access_token
).
and_return
(
personal_access_token
)
end
end
it
'returns Gitlab::Auth::
UserAuthFinders::
ExpiredError if token expired'
do
it
'returns Gitlab::Auth::ExpiredError if token expired'
do
personal_access_token
.
expires_at
=
1
.
day
.
ago
personal_access_token
.
expires_at
=
1
.
day
.
ago
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
)
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
ExpiredError
)
end
end
it
'returns Gitlab::Auth::
UserAuthFinders::
RevokedError if token revoked'
do
it
'returns Gitlab::Auth::RevokedError if token revoked'
do
personal_access_token
.
revoke!
personal_access_token
.
revoke!
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
)
expect
{
validate_access_token!
}.
to
raise_error
(
Gitlab
::
Auth
::
RevokedError
)
end
end
it
'returns Gitlab::Auth::
UserAuthFinders::
InsufficientScopeError if invalid token scope'
do
it
'returns Gitlab::Auth::InsufficientScopeError if invalid token scope'
do
expect
{
validate_access_token!
(
scopes:
[
:sudo
])
}.
to
raise_error
(
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
)
expect
{
validate_access_token!
(
scopes:
[
:sudo
])
}.
to
raise_error
(
Gitlab
::
Auth
::
InsufficientScopeError
)
end
end
end
end
end
end
...
...
spec/requests/api/helpers_spec.rb
View file @
1436598e
...
@@ -166,21 +166,21 @@ describe API::Helpers do
...
@@ -166,21 +166,21 @@ describe API::Helpers do
personal_access_token
=
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'read_user'
])
personal_access_token
=
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'read_user'
])
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
InsufficientScopeError
end
end
it
'does not allow revoked tokens'
do
it
'does not allow revoked tokens'
do
personal_access_token
.
revoke!
personal_access_token
.
revoke!
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
RevokedError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
RevokedError
end
end
it
'does not allow expired tokens'
do
it
'does not allow expired tokens'
do
personal_access_token
.
update_attributes!
(
expires_at:
1
.
day
.
ago
)
personal_access_token
.
update_attributes!
(
expires_at:
1
.
day
.
ago
)
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
env
[
Gitlab
::
Auth
::
UserAuthFinders
::
PRIVATE_TOKEN_HEADER
]
=
personal_access_token
.
token
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
ExpiredError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
ExpiredError
end
end
end
end
end
end
...
@@ -392,7 +392,7 @@ describe API::Helpers do
...
@@ -392,7 +392,7 @@ describe API::Helpers do
end
end
it
'raises an error'
do
it
'raises an error'
do
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
UserAuthFinders
::
InsufficientScopeError
expect
{
current_user
}.
to
raise_error
Gitlab
::
Auth
::
InsufficientScopeError
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment