Commit 99c7c140 authored by James Fargher's avatar James Fargher

Merge branch 'id-grant-abilities-for-oauth-users' into 'master'

Grant permissions for oauth users based on scopes

See merge request gitlab-org/gitlab!74646
parents b2b0203b 33390e15
...@@ -189,7 +189,7 @@ module Gitlab ...@@ -189,7 +189,7 @@ module Gitlab
user = User.id_in(token.resource_owner_id).first user = User.id_in(token.resource_owner_id).first
return unless user && can_user_login_with_non_expired_password?(user) return unless user && can_user_login_with_non_expired_password?(user)
Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities) Gitlab::Auth::Result.new(user, nil, :oauth, abilities_for_scopes(token.scopes))
end end
end end
end end
...@@ -230,7 +230,7 @@ module Gitlab ...@@ -230,7 +230,7 @@ module Gitlab
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def valid_oauth_token?(token) def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, [:api]) token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
end end
def valid_scoped_token?(token, scopes) def valid_scoped_token?(token, scopes)
......
...@@ -259,30 +259,48 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -259,30 +259,48 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
context 'while using OAuth tokens as passwords' do context 'while using OAuth tokens as passwords' do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:token_w_api_scope) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') }
let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) } let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }
shared_examples 'an oauth failure' do shared_examples 'an oauth failure' do
it 'fails' do it 'fails' do
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')) access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api')
expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
.to have_attributes(auth_failure) .to have_attributes(auth_failure)
end end
end end
it 'succeeds for OAuth tokens with the `api` scope' do context 'with specified scopes' do
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :oauth, authentication_abilities: described_class.full_authentication_abilities) using RSpec::Parameterized::TableSyntax
where(:scopes, :abilities) do
'api' | described_class.full_authentication_abilities
'read_api' | described_class.read_only_authentication_abilities
'read_repository' | [:download_code]
'write_repository' | [:download_code, :push_code]
'read_user' | []
'sudo' | []
'openid' | []
'profile' | []
'email' | []
end end
it 'fails for OAuth tokens with other scopes' do with_them do
token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'read_user') it 'authenticates with correct abilities' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: scopes)
expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: 'ip')).to have_attributes(auth_failure) expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
.to have_attributes(actor: user, project: nil, type: :oauth, authentication_abilities: abilities)
end
end
end end
it 'does not try password auth before oauth' do it 'does not try password auth before oauth' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api')
expect(gl_auth).not_to receive(:find_with_user_password) expect(gl_auth).not_to receive(:find_with_user_password)
gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip') gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip')
end end
context 'blocked user' do context 'blocked user' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment