Skip to content

G
gitlab-ce
Commit 9b516b9c authored by Sean McGivern's avatar Sean McGivern
Browse files
Options

Merge branch 'basic-auth-rack-attack' into 'master' 

Handle basic auth with PAT for Rack Attack

See merge request gitlab-org/gitlab!48903
parents 8af4dbea c916f0c2
Hide whitespace changes
Inline Side-by-side
Showing with 58 additions and 7 deletions
lib/gitlab/auth/request_authenticator.rb
View file @ 9b516b9c
...@@ -49,9 +49,16 @@ module Gitlab ...@@ -49,9 +49,16 @@ module Gitlab
private private
def access_token
strong_memoize(:access_token) do
super || find_personal_access_token_from_http_basic_auth
end
end
def route_authentication_setting def route_authentication_setting
@route_authentication_setting ||= { @route_authentication_setting ||= {
job_token_allowed: api_request? job_token_allowed: api_request?,
basic_auth_personal_access_token: api_request?
} }
end end
end end
......
spec/lib/gitlab/auth/request_authenticator_spec.rb
View file @ 9b516b9c
...@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user)
allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
expect(subject.find_sessionless_user([:api])).to eq access_token_user expect(subject.find_sessionless_user(:api)).to eq access_token_user
end end
it 'returns feed_token user if no access_token user found' do it 'returns feed_token user if no access_token user found' do
allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
expect(subject.find_sessionless_user([:api])).to eq feed_token_user expect(subject.find_sessionless_user(:api)).to eq feed_token_user
end end
it 'returns static_object_token user if no feed_token user found' do it 'returns static_object_token user if no feed_token user found' do
...@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
.to receive(:find_user_from_static_object_token) .to receive(:find_user_from_static_object_token)
.and_return(static_object_token_user) .and_return(static_object_token_user)
expect(subject.find_sessionless_user([:api])).to eq static_object_token_user expect(subject.find_sessionless_user(:api)).to eq static_object_token_user
end end
it 'returns job_token user if no static_object_token user found' do it 'returns job_token user if no static_object_token user found' do
...@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
.to receive(:find_user_from_job_token) .to receive(:find_user_from_job_token)
.and_return(job_token_user) .and_return(job_token_user)
expect(subject.find_sessionless_user([:api])).to eq job_token_user expect(subject.find_sessionless_user(:api)).to eq job_token_user
end end
it 'returns nil if no user found' do it 'returns nil if no user found' do
expect(subject.find_sessionless_user([:api])).to be_blank expect(subject.find_sessionless_user(:api)).to be_blank
end end
it 'rescue Gitlab::Auth::AuthenticationError exceptions' do it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError) allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError)
expect(subject.find_sessionless_user([:api])).to be_blank expect(subject.find_sessionless_user(:api)).to be_blank
end
end
describe '#find_personal_access_token_from_http_basic_auth' do
let_it_be(:personal_access_token) { create(:personal_access_token) }
let_it_be(:user) { personal_access_token.user }
before do
allow(subject).to receive(:has_basic_credentials?).and_return(true)
allow(subject).to receive(:user_name_and_password).and_return([user.username, personal_access_token.token])
end
context 'with API requests' do
before do
env['SCRIPT_NAME'] = '/api/endpoint'
end
it 'tries to find the user' do
expect(subject.user([:api])).to eq user
end
it 'returns nil if the token is revoked' do
personal_access_token.revoke!
expect(subject.user([:api])).to be_blank
end
it 'returns nil if the token does not have API scope' do
personal_access_token.update!(scopes: ['read_registry'])
expect(subject.user([:api])).to be_blank
end
end
context 'without API requests' do
before do
env['SCRIPT_NAME'] = '/web/endpoint'
end
it 'does not search for job users' do
expect(PersonalAccessToken).not_to receive(:find_by_token)
expect(subject.user([:api])).to be_nil
end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7