Restrict the dependency proxy auth service

Any objects other than `User` (such as `DeployToken`) are not allowed Changelog: security

Restrict the dependency proxy auth service
Any objects other than `User` (such as `DeployToken`) are not allowed Changelog: security
6a5b2117 · David Fernandez · John T Skarbek · 67c694c7 · 6a5b2117 · 6a5b2117
Commit 6a5b2117 authored Apr 20, 2021 by David Fernandez Committed by John T Skarbek Apr 28, 2021
4 changed files
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -8,7 +8,10 @@ module Auth
    def execute(authentication_abilities:)
      return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
-      return error('access forbidden', 403) unless current_user
+      # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this
+      # JWT only as `User.find`, we currently only allow User (not DeployToken, etc)
+      return error('access forbidden', 403) unless current_user.is_a?(User)
      { token: authorized_token.encoded }
    end

--- a/changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml
+++ b/changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml
+---
+title: Do not allow deploy tokens in the dependency proxy authentication service
+merge_request:
+author:
+type: security
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -263,25 +263,21 @@ RSpec.describe JwtController do
      let(:credential_user) { group_deploy_token.username }
      let(:credential_password) { group_deploy_token.token }
-      it_behaves_like 'with valid credentials'
+      it_behaves_like 'returning response status', :forbidden
    end
    context 'with project deploy token' do
      let(:credential_user) { project_deploy_token.username }
      let(:credential_password) { project_deploy_token.token }
-      it_behaves_like 'with valid credentials'
+      it_behaves_like 'returning response status', :forbidden
    end
    context 'with invalid credentials' do
      let(:credential_user) { 'foo' }
      let(:credential_password) { 'bar' }
-      it 'returns unauthorized' do
+      it_behaves_like 'returning response status', :unauthorized
-        subject
-        expect(response).to have_gitlab_http_status(:unauthorized)
-      end
    end
  end

--- a/spec/services/auth/dependency_proxy_authentication_service_spec.rb
+++ b/spec/services/auth/dependency_proxy_authentication_service_spec.rb
@@ -13,28 +13,31 @@ RSpec.describe Auth::DependencyProxyAuthenticationService do
  describe '#execute' do
    subject { service.execute(authentication_abilities: nil) }
+    shared_examples 'returning' do |status:, message:|
+      it "returns #{message}", :aggregate_failures do
+        expect(subject[:http_status]).to eq(status)
+        expect(subject[:message]).to eq(message)
+      end
+    end
    context 'dependency proxy is not enabled' do
      before do
        stub_config(dependency_proxy: { enabled: false })
      end
-      it 'returns not found' do
+      it_behaves_like 'returning', status: 404, message: 'dependency proxy not enabled'
-        result = subject
-        expect(result[:http_status]).to eq(404)
-        expect(result[:message]).to eq('dependency proxy not enabled')
-      end
    end
    context 'without a user' do
      let(:user) { nil }
-      it 'returns forbidden' do
+      it_behaves_like 'returning', status: 403, message: 'access forbidden'
-        result = subject
+    end
+    context 'with a deploy token as user' do
+      let_it_be(:user) { create(:deploy_token) }
-        expect(result[:http_status]).to eq(403)
+      it_behaves_like 'returning', status: 403, message: 'access forbidden'
-        expect(result[:message]).to eq('access forbidden')
-      end
    end
    context 'with a user' do