# frozen_string_literal: true

module Groups
  module DependencyProxy
    class ApplicationController < ::ApplicationController
      # Baseline "token seen, nobody resolved" result. It is assigned before the
      # JWT is looked up so a request that fails to resolve never carries an
      # actor; frozen so the shared instance cannot be mutated per request.
      EMPTY_AUTH_RESULT = Gitlab::Auth::Result.new(nil, nil, nil, nil).freeze

      # `actor` is whatever the JWT resolved to (a User, the owner of a
      # PersonalAccessToken, or a DeployToken). Until an auth result has been
      # stored the ivar is nil, which `allow_nil` turns into a nil actor.
      delegate :actor, to: :@authentication_result, allow_nil: true

      # The base ApplicationController reads `authenticated_user` when it
      # populates auth_user.
      alias_method :authenticated_user, :actor

      # Cookie/session based `authenticate_user!` is not the auth mechanism for
      # this controller tree; every request must carry a dependency-proxy JWT.
      skip_before_action :authenticate_user!, raise: false

      # Prepended so JWT resolution runs ahead of the base controller's own
      # callbacks. `skip_session` is a plain before_action and therefore runs
      # after it, i.e. after any `sign_in` below — presumably so the request is
      # authenticated for its own duration but no session is persisted (confirm).
      prepend_before_action :authenticate_user_from_jwt_token!
      before_action :skip_session

      # Resolve the HTTP token on the request into an authentication result.
      #
      # Rails only yields the block when the request carries a token
      # Authorization header. Inside it the result is reset to
      # EMPTY_AUTH_RESULT first, then replaced depending on what the JWT
      # resolves to: a User becomes the actor (and is signed in unless it is a
      # bot/service account), a PersonalAccessToken contributes its owner and is
      # remembered in `personal_access_token`, a DeployToken becomes the actor
      # directly. Anything else leaves `actor` nil.
      #
      # Whenever no actor was resolved — missing header, unparseable or stale
      # JWT, unexpected principal type — the request is answered with 401 and a
      # WWW-Authenticate challenge.
      def authenticate_user_from_jwt_token!
        authenticate_with_http_token do |jwt, _options|
          @authentication_result = EMPTY_AUTH_RESULT

          principal = ::DependencyProxy::AuthTokenService.user_or_token_from_jwt(jwt)

          case principal
          when User
            set_auth_result(principal, :user)
            sign_in(principal) if can_sign_in?(principal)
          when PersonalAccessToken
            set_auth_result(principal.user, :personal_access_token)
            @personal_access_token = principal
          when DeployToken
            set_auth_result(principal, :deploy_token)
          end
        end

        request_bearer_token! unless authenticated_user
      end

      private

      attr_reader :personal_access_token

      # Reply 401 with the registry's WWW-Authenticate challenge so the client
      # learns where to obtain a JWT. The body is intentionally empty.
      def request_bearer_token!
        # ActionController::HttpAuthentication::Token#authentication_request cannot
        # be used here, so the challenge header is written by hand.
        challenge = ::DependencyProxy::Registry.authenticate_header
        response.headers['WWW-Authenticate'] = challenge
        render plain: '', status: :unauthorized
      end

      # Project bots and service accounts are authenticated via the auth result
      # but never receive a Devise sign-in.
      def can_sign_in?(user_or_token)
        !(user_or_token.project_bot? || user_or_token.service_account?)
      end

      # Store `actor` as the resolved principal of the given `type`. The second
      # positional argument (nil) and the trailing empty list mirror the
      # EMPTY_AUTH_RESULT shape — presumably project and abilities; verify
      # against Gitlab::Auth::Result.
      def set_auth_result(actor, type)
        @authentication_result = Gitlab::Auth::Result.new(actor, nil, type, [])
      end

      # Flag the session as skipped so nothing from this request is persisted
      # (and no session cookie is issued) — the proxy is meant to be stateless.
      def skip_session
        request.session_options[:skip] = true
      end
    end
  end
end