From 105017c3084c60e45f4bac85a76da78f39e6433f Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 2 May 2016 13:29:17 +0200 Subject: Added JWT controller --- app/controllers/jwt_controller.rb | 173 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100644 app/controllers/jwt_controller.rb (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb new file mode 100644 index 00000000000..7e70c70c89c --- /dev/null +++ b/app/controllers/jwt_controller.rb 
@@ -0,0 +1,173 @@ +class JwtController < ApplicationController + skip_before_action :authenticate_user! + skip_before_action :verify_authenticity_token + + def auth + @authenticated = authenticate_with_http_basic do |login, password| + @ci_project = ci_project(login, password) + @user = authenticate_user(login, password) unless @ci_project + end + + unless @authenticated + return render_403 if has_basic_credentials? + end + + case params[:service] + when 'docker' + docker_token_auth(params[:scope], params[:offline_token]) + else + return render_404 + end + end + + private + + def render_400 + head :invalid_request + end + + def render_404 + head :not_found + end + + def render_403 + head :forbidden + end + + def docker_token_auth(scope, offline_token) + payload = { + aud: params[:service], + sub: @user.try(:username) + } + + if offline_token + return render_403 unless @user + elsif scope + access = process_access(scope) + return render_404 unless access + payload[:access] = [access] + end + + render json: { token: encode(payload) } + end + + def ci_project(login, password) + matched_login = /(?^[a-zA-Z]*-ci)-token$/.match(login) + + if matched_login.present? + underscored_service = matched_login['s'].underscore + + if underscored_service == 'gitlab_ci' + Project.find_by(builds_enabled: true, runners_token: password) + end + end + end + + def authenticate_user(login, password) + user = Gitlab::Auth.new.find(login, password) + + # If the user authenticated successfully, we reset the auth failure count + # from Rack::Attack for that IP. A client may attempt to authenticate + # with a username and blank password first, and only after it receives + # a 401 error does it present a password. Resetting the count prevents + # false positives from occurring. + # + # Otherwise, we let Rack::Attack know there was a failed authentication + # attempt from this IP. 
This information is stored in the Rails cache + # (Redis) and will be used by the Rack::Attack middleware to decide + # whether to block requests from this IP. + config = Gitlab.config.rack_attack.git_basic_auth + + if config.enabled + if user + # A successful login will reset the auth failure count from this IP + Rack::Attack::Allow2Ban.reset(request.ip, config) + else + banned = Rack::Attack::Allow2Ban.filter(request.ip, config) do + # Unless the IP is whitelisted, return true so that Allow2Ban + # increments the counter (stored in Rails.cache) for the IP + if config.ip_whitelist.include?(request.ip) + false + else + true + end + end + + if banned + Rails.logger.info "IP #{request.ip} failed to login " \ + "as #{login} but has been temporarily banned from Git auth" + end + end + end + + user + end + + def process_access(scope) + type, name, actions = scope.split(':', 3) + actions = actions.split(',') + + case type + when 'repository' + process_repository_access(type, name, actions) + end + end + + def process_repository_access(type, name, actions) + project = Project.find_with_namespace(name) + return unless project + + actions = actions.select do |action| + can_access?(project, action) + end + + { type: 'repository', name: name, actions: actions } if actions + end + + def default_payload + { + aud: 'docker', + sub: @user.try(:username), + aud: params[:service], + } + end + + def private_key + @private_key ||= OpenSSL::PKey::RSA.new File.read Gitlab.config.registry.key + end + + def encode(payload) + issued_at = Time.now + payload = payload.merge( + iss: Gitlab.config.registry.issuer, + iat: issued_at.to_i, + nbf: issued_at.to_i - 5.seconds.to_i, + exp: issued_at.to_i + 60.minutes.to_i, + jti: SecureRandom.uuid, + ) + headers = { + kid: kid(private_key) + } + JWT.encode(payload, private_key, 'RS256', headers) + end + + def can_access?(project, action) + case action + when 'pull' + project == @ci_project || can?(@user, :download_code, project) + when 'push' + 
project == @ci_project || can?(@user, :push_code, project) + else + false + end + end + + def kid(private_key) + sha256 = Digest::SHA256.new + sha256.update(private_key.public_key.to_der) + payload = StringIO.new(sha256.digest).read(30) + Base32.encode(payload).split('').each_slice(4).each_with_object([]) do |slice, mem| + mem << slice.join + end.join(':') + end +end -- cgit v1.2.1 From 011a905a821e2ff0cd2d9885ef93764018eb8346 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 2 May 2016 14:32:16 +0200 Subject: Split docker authentication service --- app/controllers/jwt_controller.rb | 114 +++++--------------------------------- 1 file changed, 13 insertions(+), 101 deletions(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 7e70c70c89c..2a92627cb1b 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -2,6 +2,10 @@ class JwtController < ApplicationController skip_before_action :authenticate_user! skip_before_action :verify_authenticity_token + SERVICES = { + 'docker' => Jwt::DockerAuthenticationService, + } + def auth @authenticated = authenticate_with_http_basic do |login, password| @ci_project = ci_project(login, password) 
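Review bot: `process_access` calls `actions.split(',')` on the third element of `scope.split(':', 3)`, which is nil whenever the client-supplied `params[:scope]` has fewer than three colon-separated parts (for example `repository:group/name`), so a malformed scope raises NoMethodError instead of ending in the intended 404; add `return unless actions` before the split. In `process_repository_access` the `actions` left after `select` is always an Array and therefore always truthy, so `{ ... } if actions` also emits an access entry with an empty actions list when none of the requested actions is permitted; `unless actions.empty?` states the intent. `default_payload` is never called and its literal repeats the `aud:` key (Ruby warns and the second value wins), so it can be dropped. The login pattern in `ci_project` is anchored with `^`/`$`, which in Ruby match at line boundaries; `\A`/`\z` are the whole-string anchors a credential check should use.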
@@ -9,46 +13,22 @@ class JwtController < ApplicationController end unless @authenticated - return render_403 if has_basic_credentials? - end - - case params[:service] - when 'docker' - docker_token_auth(params[:scope], params[:offline_token]) - else - return render_404 + head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request) end - end - private - - def render_400 - head :invalid_request - end + service = SERVICES[params[:service]] + head :not_found unless service - def render_404 - head :not_found - end + result = service.new(@ci_project, @user, auth_params).execute + return head result[:http_status] if result[:http_status] - def render_403 - head :forbidden + render json: result end - def docker_token_auth(scope, offline_token) - payload = { - aud: params[:service], - sub: @user.try(:username) - } - - if offline_token - return render_403 unless @user - elsif scope - access = process_access(scope) - return render_404 unless access - payload[:access] = [access] - end + private - render json: { token: encode(payload) } + def auth_params + params.permit(:service, :scope, :offline_token, :account, :client_id) end def ci_project(login, password) 
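Review bot: Neither `head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)` nor `head :not_found unless service` returns, so the action keeps executing after it has already responded: a request with wrong Basic credentials is still handed to the service with `@project` and `@user` both nil (that is, as an anonymous caller) and the later `render json: result` raises DoubleRenderError, while an unknown `params[:service]` reaches `service.new` on nil. Prefix both with `return`: `return head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)` and `return head :not_found unless service`. `def auth` opens above this hunk.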
@@ -102,72 +82,4 @@ class JwtController < ApplicationController user end - - def process_access(scope) - type, name, actions = scope.split(':', 3) - actions = actions.split(',') - - case type - when 'repository' - process_repository_access(type, name, actions) - end - end - - def process_repository_access(type, name, actions) - project = Project.find_with_namespace(name) - return unless project - - actions = actions.select do |action| - can_access?(project, action) - end - - { type: 'repository', name: name, actions: actions } if actions - end - - def default_payload - { - aud: 'docker', - sub: @user.try(:username), - aud: params[:service], - } - end - - def private_key - @private_key ||= OpenSSL::PKey::RSA.new File.read Gitlab.config.registry.key - end - - def encode(payload) - issued_at = Time.now - payload = payload.merge( - iss: Gitlab.config.registry.issuer, - iat: issued_at.to_i, - nbf: issued_at.to_i - 5.seconds.to_i, - exp: issued_at.to_i + 60.minutes.to_i, - jti: SecureRandom.uuid, - ) - headers = { - kid: kid(private_key) - } - JWT.encode(payload, private_key, 'RS256', headers) - end - - def can_access?(project, action) - case action - when 'pull' - project == @ci_project || can?(@user, :download_code, project) - when 'push' - project == @ci_project || can?(@user, :push_code, project) - else - false - end - end - - def kid(private_key) - sha256 = Digest::SHA256.new - sha256.update(private_key.public_key.to_der) - payload = StringIO.new(sha256.digest).read(30) - Base32.encode(payload).split('').each_slice(4).each_with_object([]) do |slice, mem| - mem << slice.join - end.join(':') - end end -- cgit v1.2.1 From daca2144c80546169fb35fcf76b1f3d052b643cc Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 9 May 2016 20:47:06 +0300 Subject: Make code more clear in what is done --- app/controllers/jwt_controller.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'app/controllers/jwt_controller.rb') 
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 2a92627cb1b..9bf1ddbba21 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -8,8 +8,9 @@ class JwtController < ApplicationController def auth @authenticated = authenticate_with_http_basic do |login, password| - @ci_project = ci_project(login, password) - @user = authenticate_user(login, password) unless @ci_project + # if it's possible we first try to authenticate project with login and password + @project = authenticate_project(login, password) + @user = authenticate_user(login, password) unless @project end unless @authenticated @@ -19,7 +20,7 @@ class JwtController < ApplicationController service = SERVICES[params[:service]] head :not_found unless service - result = service.new(@ci_project, @user, auth_params).execute + result = service.new(@project, @user, auth_params).execute return head result[:http_status] if result[:http_status] render json: result @@ -31,7 +32,7 @@ class JwtController < ApplicationController params.permit(:service, :scope, :offline_token, :account, :client_id) end - def ci_project(login, password) + def authenticate_project(login, password) matched_login = /(?^[a-zA-Z]*-ci)-token$/.match(login) if matched_login.present? -- cgit v1.2.1 From b180d79cdca2ce0f6aa7425baf47db5b9c1ec2e3 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 9 May 2016 22:04:42 +0300 Subject: Rename DockerAuthenticationService to ContainerRegistryAuthenticationService --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 9bf1ddbba21..0048a1a31ea 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb 
@@ -3,7 +3,7 @@ class JwtController < ApplicationController skip_before_action :verify_authenticity_token SERVICES = { - 'docker' => Jwt::DockerAuthenticationService, + 'container_registry' => Jwt::ContainerRegistryAuthenticationService, } def auth -- cgit v1.2.1 From fc2d985bfaa156ad052858cd2025b0300327ff95 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Thu, 12 May 2016 12:47:55 -0500 Subject: Fix CI tests --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 0048a1a31ea..599f62bd121 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -3,7 +3,7 @@ class JwtController < ApplicationController skip_before_action :verify_authenticity_token SERVICES = { - 'container_registry' => Jwt::ContainerRegistryAuthenticationService, + 'container_registry' => JWT::ContainerRegistryAuthenticationService, } def auth -- cgit v1.2.1 From 9ef9e008feb99aaf0c4edc85bb76039eb46f0794 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Fri, 13 May 2016 16:22:50 -0500 Subject: Move JWT to Gitlab::JWT --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 599f62bd121..c203c50d1fb 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -3,7 +3,7 @@ class JwtController < ApplicationController skip_before_action :verify_authenticity_token SERVICES = { - 'container_registry' => JWT::ContainerRegistryAuthenticationService, + 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService, } def auth -- cgit v1.2.1 From e900ff972a4a6133a499adcc1263d3634863f410 Mon Sep 17 00:00:00 2001 
From: Kamil Trzcinski Date: Fri, 13 May 2016 16:23:02 -0500 Subject: Improve JwtController code --- app/controllers/jwt_controller.rb | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index c203c50d1fb..e067f59808a 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -1,22 +1,13 @@ class JwtController < ApplicationController skip_before_action :authenticate_user! skip_before_action :verify_authenticity_token + before_action :authenticate_project_or_user SERVICES = { 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService, } def auth - @authenticated = authenticate_with_http_basic do |login, password| - # if it's possible we first try to authenticate project with login and password - @project = authenticate_project(login, password) - @user = authenticate_user(login, password) unless @project - end - - unless @authenticated - head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request) - end - service = SERVICES[params[:service]] head :not_found unless service 
@@ -28,19 +19,28 @@ class JwtController < ApplicationController private + def authenticate_project_or_user + authenticate_with_http_basic do |login, password| + # if it's possible we first try to authenticate project with login and password + @project = authenticate_project(login, password) + return if @project + + @user = authenticate_user(login, password) + return if @user + end + + if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request) + head :forbidden + end + end + def auth_params params.permit(:service, :scope, :offline_token, :account, :client_id) end def authenticate_project(login, password) - matched_login = /(?^[a-zA-Z]*-ci)-token$/.match(login) - - if matched_login.present? - underscored_service = matched_login['s'].underscore - - if underscored_service == 'gitlab_ci' - Project.find_by(builds_enabled: true, runners_token: password) - end + if login == 'gitlab_ci_token' + Project.find_by(builds_enabled: true, runners_token: password) end end @@ -77,6 +77,7 @@ class JwtController < ApplicationController if banned Rails.logger.info "IP #{request.ip} failed to login " \ "as #{login} but has been temporarily banned from Git auth" + return end end end -- cgit v1.2.1 From 63cdf1aeb04b9694c0b6d44b1141868fcc5a0904 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Sat, 14 May 2016 11:11:48 -0500 Subject: Use Auth::ContainerRegistryAuthenticationService --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index e067f59808a..e5affb1adc9 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb 
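Review bot: The rewritten `authenticate_project` accepts only `login == 'gitlab_ci_token'`, but the regex it replaces matched a hyphenated `...-ci-token` login and applied `underscore` only to the captured service name before comparing it with `'gitlab_ci'`, so the previously accepted login `gitlab-ci-token` no longer resolves a project; unless the CI client was changed in the same series, the comparison should read `if login == 'gitlab-ci-token'`. In `authenticate_project_or_user` the two `return if ...` statements sit inside the block given to `authenticate_with_http_basic`, which makes them non-local returns from the before_action itself; it works, but a comment such as `# returns from the before_action as soon as a project or user is found; only credentials that matched nothing reach the 403 below` would spare the next reader a double-take. The `return` added in the `@@ -77,6 +77,7 @@` hunk sits in the branch where `user` is already nil, so the method returns nil either way and that line changes nothing.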
@@ -4,7 +4,7 @@ class JwtController < ApplicationController before_action :authenticate_project_or_user SERVICES = { - 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService, + 'container_registry' => Auth::ContainerRegistryAuthenticationService, } def auth -- cgit v1.2.1 From 393459b2b24fe788764ee787552da055846b9a63 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Sat, 14 May 2016 14:04:04 -0500 Subject: Improve code design after review --- app/controllers/jwt_controller.rb | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index e5affb1adc9..0a993bf280e 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -12,9 +12,8 @@ class JwtController < ApplicationController head :not_found unless service result = service.new(@project, @user, auth_params).execute - return head result[:http_status] if result[:http_status] - render json: result + render json: result, status: result[:http_status] end private @@ -27,10 +26,8 @@ class JwtController < ApplicationController @user = authenticate_user(login, password) return if @user - end - if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request) - head :forbidden + render_403 end end -- cgit v1.2.1 From 46cc04ce7a374127dd617c8fd2671efed2819cda Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Sat, 14 May 2016 14:16:44 -0500 Subject: Add TODO --- app/controllers/jwt_controller.rb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 0a993bf280e..bd9d7e4425d 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb 
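Review bot: After the second hunk of this commit `render_403` is reachable only from inside the `authenticate_with_http_basic` block, so it fires only when a Basic header was supplied and matched neither a project nor a user; a request with no Authorization header passes the before_action with `@project` and `@user` nil and the service runs for an anonymous caller. That looks intended for registry token flows, but nothing in the method says so; add `# no credentials at all: continue as an anonymous request` after the block so the deliberate fall-through is not mistaken for a missing check. In the first hunk, `render json: result, status: result[:http_status]` passes a nil status when the service sets none and appears to rely on the framework default for that case, which deserves a short comment as well. `authenticate_project_or_user` opens above the hunk.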
@@ -42,6 +42,9 @@ class JwtController < ApplicationController end def authenticate_user(login, password) + # TODO: this is a copy and paste from grack_auth, + # it should be refactored in the future + user = Gitlab::Auth.new.find(login, password) # If the user authenticated successfully, we reset the auth failure count -- cgit v1.2.1 From f4f9184a01bc7442411bbcffd9b6a86784fa5f53 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Sat, 14 May 2016 18:23:31 -0500 Subject: Rename JWT to JSONWebToken --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index bd9d7e4425d..0edf084e9e4 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -4,7 +4,7 @@ class JwtController < ApplicationController before_action :authenticate_project_or_user SERVICES = { - 'container_registry' => Auth::ContainerRegistryAuthenticationService, + Auth::ContainerRegistryAuthenticationService::AUDIENCE => Auth::ContainerRegistryAuthenticationService, } def auth -- cgit v1.2.1 From 8d445fe665df313c16a88c319fde9bdfb97339df Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Sat, 14 May 2016 19:45:33 -0500 Subject: Improve JwtController --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 0edf084e9e4..f5aa5397ff1 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -9,7 +9,7 @@ class JwtController < ApplicationController def auth service = SERVICES[params[:service]] - head :not_found unless service + return head :not_found unless service result = service.new(@project, @user, auth_params).execute -- cgit v1.2.1 From 646018a40e7d29682f31e774f453a6b3427b4216 Mon Sep 17 00:00:00 2001 
From: Kamil Trzcinski Date: Sun, 22 May 2016 14:14:12 -0500 Subject: Fix the CI login to Container Registry (the gitlab-ci-token user) --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index f5aa5397ff1..156ab2811d6 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -36,7 +36,7 @@ class JwtController < ApplicationController end def authenticate_project(login, password) - if login == 'gitlab_ci_token' + if login == 'gitlab-ci-token' Project.find_by(builds_enabled: true, runners_token: password) end end -- cgit v1.2.1 From 7ec1fa212d23911792674e947863f3e71f91834f Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 30 May 2016 16:57:39 +0200 Subject: Make authentication service for Container Registry to be compatible with < Docker 1.11 --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 156ab2811d6..cee3b6c43e7 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -32,7 +32,7 @@ class JwtController < ApplicationController end def auth_params - params.permit(:service, :scope, :offline_token, :account, :client_id) + params.permit(:service, :scope, :account, :client_id) end def authenticate_project(login, password) -- cgit v1.2.1 From 1fab583266af0904dfc29facfe4551e37c06342a Mon Sep 17 00:00:00 2001 From: Jacob Vosmaer Date: Fri, 3 Jun 2016 17:08:44 +0200 Subject: Remove instances of Auth.new --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index cee3b6c43e7..c05a55633b5 100644 
--- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -45,7 +45,7 @@ class JwtController < ApplicationController # TODO: this is a copy and paste from grack_auth, # it should be refactored in the future - user = Gitlab::Auth.new.find(login, password) + user = Gitlab::Auth.find_in_gitlab_or_ldap(login, password) # If the user authenticated successfully, we reset the auth failure count # from Rack::Attack for that IP. A client may attempt to authenticate -- cgit v1.2.1 From ff7c4e588ab4f7a397963d43becbe00d1bb584a1 Mon Sep 17 00:00:00 2001 From: Jacob Vosmaer Date: Mon, 6 Jun 2016 17:40:30 +0200 Subject: Remove code duplication in JwtController --- app/controllers/jwt_controller.rb | 40 +-------------------------------------- 1 file changed, 1 insertion(+), 39 deletions(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index c05a55633b5..131a16dad9b 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb 
@@ -42,46 +42,8 @@ class JwtController < ApplicationController end def authenticate_user(login, password) - # TODO: this is a copy and paste from grack_auth, - # it should be refactored in the future - user = Gitlab::Auth.find_in_gitlab_or_ldap(login, password) - - # If the user authenticated successfully, we reset the auth failure count - # from Rack::Attack for that IP. A client may attempt to authenticate - # with a username and blank password first, and only after it receives - # a 401 error does it present a password. Resetting the count prevents - # false positives from occurring. - # - # Otherwise, we let Rack::Attack know there was a failed authentication - # attempt from this IP. This information is stored in the Rails cache - # (Redis) and will be used by the Rack::Attack middleware to decide - # whether to block requests from this IP. - config = Gitlab.config.rack_attack.git_basic_auth - - if config.enabled - if user - # A successful login will reset the auth failure count from this IP - Rack::Attack::Allow2Ban.reset(request.ip, config) - else - banned = Rack::Attack::Allow2Ban.filter(request.ip, config) do - # Unless the IP is whitelisted, return true so that Allow2Ban - # increments the counter (stored in Rails.cache) for the IP - if config.ip_whitelist.include?(request.ip) - false - else - true - end - end - - if banned - Rails.logger.info "IP #{request.ip} failed to login " \ - "as #{login} but has been temporarily banned from Git auth" - return - end - end - end - + Gitlab::Auth.rate_limit!(request.ip, success: user.present?, login: login) user end end -- cgit v1.2.1 From 0e896ffe4eebb8bcf04bc1327d498bb041faed56 Mon Sep 17 00:00:00 2001 
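Review bot: The removed block carried the only explanation of why a successful login resets the per-IP failure counter (clients that first try a blank password and send the real one only after a 401) and why whitelisted IPs are excluded; the single `Gitlab::Auth.rate_limit!(request.ip, success: user.present?, login: login)` line preserves that behaviour only if the helper does, and nothing here documents it. Unless `rate_limit!` itself carries that rationale, keep a one-line pointer above the call, e.g. `# throttles failed Basic-auth attempts per IP; a successful login resets the counter`. The whole of `authenticate_user` is visible in this hunk, from its `def` line to the closing `end`.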
From: Jacob Vosmaer Date: Fri, 10 Jun 2016 14:51:16 +0200 Subject: Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. --- app/controllers/jwt_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/jwt_controller.rb') diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 131a16dad9b..014b9b43ff2 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -42,7 +42,7 @@ class JwtController < ApplicationController end def authenticate_user(login, password) - user = Gitlab::Auth.find_in_gitlab_or_ldap(login, password) + user = Gitlab::Auth.find_with_user_password(login, password) Gitlab::Auth.rate_limit!(request.ip, success: user.present?, login: login) user end -- cgit v1.2.1