Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
77026839
Commit
77026839
authored
Aug 22, 2016
by
Jacob Vosmaer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Assert presence of valid JWT header
parent
3b1bfe8d
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
46 additions
and
1 deletion
+46
-1
authorization_test.go
authorization_test.go
+43
-0
internal/api/api.go
internal/api/api.go
+3
-1
No files found.
authorization_test.go
View file @
77026839
...
...
@@ -11,6 +11,8 @@ import (
"gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/testhelper"
"github.com/dgrijalva/jwt-go"
)
func
okHandler
(
w
http
.
ResponseWriter
,
_
*
http
.
Request
,
_
*
api
.
Response
)
{
...
...
@@ -76,3 +78,44 @@ func TestPreAuthorizeContentTypeFailure(t *testing.T) {
""
,
200
,
500
)
}
func
TestPreAuthorizeJWT
(
t
*
testing
.
T
)
{
ts
:=
httptest
.
NewServer
(
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
token
,
err
:=
jwt
.
Parse
(
r
.
Header
.
Get
(
api
.
RequestHeader
),
func
(
token
*
jwt
.
Token
)
(
interface
{},
error
)
{
// Don't forget to validate the alg is what you expect:
if
_
,
ok
:=
token
.
Method
.
(
*
jwt
.
SigningMethodHMAC
);
!
ok
{
return
nil
,
fmt
.
Errorf
(
"Unexpected signing method: %v"
,
token
.
Header
[
"alg"
])
}
secretBytes
,
err
:=
(
&
api
.
Secret
{
File
:
testhelper
.
SecretFile
()})
.
Bytes
()
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"read secret from file: %v"
,
err
)
}
return
secretBytes
,
nil
})
if
err
!=
nil
{
t
.
Fatalf
(
"decode token: %v"
,
err
)
}
claims
,
ok
:=
token
.
Claims
.
(
jwt
.
MapClaims
)
if
!
ok
||
!
token
.
Valid
{
t
.
Fatal
(
"claims cast failed or token invalid"
)
}
if
claims
[
"iss"
]
!=
"gitlab-workhorse"
{
t
.
Fatalf
(
"execpted issuer gitlab-workhorse, got %q"
,
claims
[
"iss"
])
}
w
.
Header
()
.
Set
(
"Content-Type"
,
api
.
ResponseContentType
)
if
_
,
err
:=
w
.
Write
([]
byte
(
`{"hello":"world"}`
));
err
!=
nil
{
t
.
Fatalf
(
"write auth response: %v"
,
err
)
}
}))
defer
ts
.
Close
()
runPreAuthorizeHandler
(
t
,
ts
,
"/authorize"
,
regexp
.
MustCompile
(
`/authorize\z`
),
""
,
200
,
201
)
}
internal/api/api.go
View file @
77026839
...
...
@@ -18,6 +18,8 @@ import (
// Custom content type for API responses, to catch routing / programming mistakes
const
ResponseContentType
=
"application/vnd.gitlab-workhorse+json"
const
RequestHeader
=
"Gitlab-Workhorse-Api-Request"
type
API
struct
{
Client
*
http
.
Client
URL
*
url
.
URL
...
...
@@ -136,7 +138,7 @@ func (api *API) newRequest(r *http.Request, body io.Reader, suffix string) (*htt
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"newRequest: sign JWT: %v"
,
err
)
}
authReq
.
Header
.
Set
(
"Gitlab-Workhorse-Api-Request"
,
tokenString
)
authReq
.
Header
.
Set
(
RequestHeader
,
tokenString
)
return
authReq
,
nil
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment