Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
933025a9
Commit
933025a9
authored
Aug 03, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
parent
66e26f11
Changes
7
Show whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
97 additions
and
3 deletions
+97
-3
app/controllers/admin/impersonation_tokens_controller.rb
app/controllers/admin/impersonation_tokens_controller.rb
+5
-0
app/views/admin/users/_head.html.haml
app/views/admin/users/_head.html.haml
+3
-2
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+4
-1
spec/features/admin/admin_users_impersonation_tokens_spec.rb
spec/features/admin/admin_users_impersonation_tokens_spec.rb
+12
-0
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+9
-0
spec/requests/admin/impersonation_tokens_controller_spec.rb
spec/requests/admin/impersonation_tokens_controller_spec.rb
+38
-0
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+26
-0
No files found.
app/controllers/admin/impersonation_tokens_controller.rb
View file @
933025a9
...
@@ -2,6 +2,7 @@
...
@@ -2,6 +2,7 @@
class
Admin::ImpersonationTokensController
<
Admin
::
ApplicationController
class
Admin::ImpersonationTokensController
<
Admin
::
ApplicationController
before_action
:user
before_action
:user
before_action
:verify_impersonation_enabled!
feature_category
:authentication_and_authorization
feature_category
:authentication_and_authorization
...
@@ -41,6 +42,10 @@ class Admin::ImpersonationTokensController < Admin::ApplicationController
...
@@ -41,6 +42,10 @@ class Admin::ImpersonationTokensController < Admin::ApplicationController
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: enable CodeReuse/ActiveRecord
def
verify_impersonation_enabled!
access_denied!
unless
helpers
.
impersonation_enabled?
end
def
finder
(
options
=
{})
def
finder
(
options
=
{})
PersonalAccessTokensFinder
.
new
({
user:
user
,
impersonation:
true
}.
merge
(
options
))
PersonalAccessTokensFinder
.
new
({
user:
user
,
impersonation:
true
}.
merge
(
options
))
end
end
...
...
app/views/admin/users/_head.html.haml
View file @
933025a9
...
@@ -37,6 +37,7 @@
...
@@ -37,6 +37,7 @@
=
link_to
_
(
"SSH keys"
),
keys_admin_user_path
(
@user
)
=
link_to
_
(
"SSH keys"
),
keys_admin_user_path
(
@user
)
=
nav_link
(
controller: :identities
)
do
=
nav_link
(
controller: :identities
)
do
=
link_to
_
(
"Identities"
),
admin_user_identities_path
(
@user
)
=
link_to
_
(
"Identities"
),
admin_user_identities_path
(
@user
)
-
if
impersonation_enabled?
=
nav_link
(
controller: :impersonation_tokens
)
do
=
nav_link
(
controller: :impersonation_tokens
)
do
=
link_to
_
(
"Impersonation Tokens"
),
admin_user_impersonation_tokens_path
(
@user
)
=
link_to
_
(
"Impersonation Tokens"
),
admin_user_impersonation_tokens_path
(
@user
)
.gl-mb-3
.gl-mb-3
lib/gitlab/auth.rb
View file @
933025a9
...
@@ -192,7 +192,10 @@ module Gitlab
...
@@ -192,7 +192,10 @@ module Gitlab
def
personal_access_token_check
(
password
,
project
)
def
personal_access_token_check
(
password
,
project
)
return
unless
password
.
present?
return
unless
password
.
present?
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by_token
(
password
)
finder_options
=
{
state:
'active'
}
finder_options
[
:impersonation
]
=
false
unless
Gitlab
.
config
.
gitlab
.
impersonation_enabled
token
=
PersonalAccessTokensFinder
.
new
(
finder_options
).
find_by_token
(
password
)
return
unless
token
return
unless
token
...
...
spec/features/admin/admin_users_impersonation_tokens_spec.rb
View file @
933025a9
...
@@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
...
@@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
expect
(
no_personal_access_tokens_message
).
to
have_text
(
"This user has no active impersonation tokens."
)
expect
(
no_personal_access_tokens_message
).
to
have_text
(
"This user has no active impersonation tokens."
)
end
end
end
end
describe
"impersonation disabled state"
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
"does not show impersonation tokens tab"
do
visit
admin_user_path
(
user
)
expect
(
page
).
not_to
have_content
(
"Impersonation Tokens"
)
end
end
end
end
spec/lib/gitlab/auth_spec.rb
View file @
933025a9
...
@@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
...
@@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect_results_with_abilities
(
impersonation_token
,
described_class
.
full_authentication_abilities
)
expect_results_with_abilities
(
impersonation_token
,
described_class
.
full_authentication_abilities
)
end
end
it
'fails if it is an impersonation token but impersonation is blocked'
do
stub_config_setting
(
impersonation_enabled:
false
)
impersonation_token
=
create
(
:personal_access_token
,
:impersonation
,
scopes:
[
'api'
])
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
nil
,
nil
))
end
it
'limits abilities based on scope'
do
it
'limits abilities based on scope'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
%w[read_user sudo]
)
personal_access_token
=
create
(
:personal_access_token
,
scopes:
%w[read_user sudo]
)
...
...
spec/requests/admin/impersonation_tokens_controller_spec.rb
0 → 100644
View file @
933025a9
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
Admin
::
ImpersonationTokensController
,
:enable_admin_mode
do
let
(
:admin
)
{
create
(
:admin
)
}
let!
(
:user
)
{
create
(
:user
)
}
before
do
sign_in
(
admin
)
end
context
"when impersonation is disabled"
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
"shows error page for index page"
do
get
admin_user_impersonation_tokens_path
(
user_id:
user
.
username
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
it
"responds with 404 for create action"
do
post
admin_user_impersonation_tokens_path
(
user_id:
user
.
username
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
it
"responds with 404 for revoke action"
do
token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
)
put
revoke_admin_user_impersonation_token_path
(
user_id:
user
.
username
,
id:
token
.
id
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
spec/requests/git_http_spec.rb
View file @
933025a9
...
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
...
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
end
end
end
end
end
end
context
'when token is impersonated'
do
context
'when impersonation is off'
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
'responds to uploads with status 401 unauthorized'
do
write_access_token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
,
scopes:
[
:write_repository
])
upload
(
path
,
user:
user
.
username
,
password:
write_access_token
.
token
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:unauthorized
)
end
end
end
context
'when impersonation is on'
do
it
'responds to uploads with status 200'
do
write_access_token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
,
scopes:
[
:write_repository
])
upload
(
path
,
user:
user
.
username
,
password:
write_access_token
.
token
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment