Merge branch 'basic-auth-rack-attack' into 'master'

Handle basic auth with PAT for Rack Attack See merge request gitlab-org/gitlab!48903

Merge branch 'basic-auth-rack-attack' into 'master'
Handle basic auth with PAT for Rack Attack See merge request gitlab-org/gitlab!48903
9b516b9c · Sean McGivern · 8af4dbea · c916f0c2 · 9b516b9c · 9b516b9c
Commit 9b516b9c authored Dec 04, 2020 by Sean McGivern
Showing with 58 additions and 7 deletions

lib/gitlab/auth/request_authenticator.rb lib/gitlab/auth/request_authenticator.rb +8 -1

spec/lib/gitlab/auth/request_authenticator_spec.rb spec/lib/gitlab/auth/request_authenticator_spec.rb +50 -6

No files found.
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -49,9 +49,16 @@ module Gitlab
      private
+      def access_token
+        strong_memoize(:access_token) do
+          super || find_personal_access_token_from_http_basic_auth
+        end
+      end
      def route_authentication_setting
        @route_authentication_setting ||= {
-          job_token_allowed: api_request?
+          job_token_allowed: api_request?,
+          basic_auth_personal_access_token: api_request?
        }
      end
    end

--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user)
      allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
-      expect(subject.find_sessionless_user([:api])).to eq access_token_user
+      expect(subject.find_sessionless_user(:api)).to eq access_token_user
    end
    it 'returns feed_token user if no access_token user found' do
      allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
-      expect(subject.find_sessionless_user([:api])).to eq feed_token_user
+      expect(subject.find_sessionless_user(:api)).to eq feed_token_user
    end
    it 'returns static_object_token user if no feed_token user found' do
@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
        .to receive(:find_user_from_static_object_token)
        .and_return(static_object_token_user)
-      expect(subject.find_sessionless_user([:api])).to eq static_object_token_user
+      expect(subject.find_sessionless_user(:api)).to eq static_object_token_user
    end
    it 'returns job_token user if no static_object_token user found' do
@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
        .to receive(:find_user_from_job_token)
        .and_return(job_token_user)
-      expect(subject.find_sessionless_user([:api])).to eq job_token_user
+      expect(subject.find_sessionless_user(:api)).to eq job_token_user
    end
    it 'returns nil if no user found' do
-      expect(subject.find_sessionless_user([:api])).to be_blank
+      expect(subject.find_sessionless_user(:api)).to be_blank
    end
    it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError)
-      expect(subject.find_sessionless_user([:api])).to be_blank
+      expect(subject.find_sessionless_user(:api)).to be_blank
+    end
+  end
+  describe '#find_personal_access_token_from_http_basic_auth' do
+    let_it_be(:personal_access_token) { create(:personal_access_token) }
+    let_it_be(:user) { personal_access_token.user }
+    before do
+      allow(subject).to receive(:has_basic_credentials?).and_return(true)
+      allow(subject).to receive(:user_name_and_password).and_return([user.username, personal_access_token.token])
+    end
+    context 'with API requests' do
+      before do
+        env['SCRIPT_NAME'] = '/api/endpoint'
+      end
+      it 'tries to find the user' do
+        expect(subject.user([:api])).to eq user
+      end
+      it 'returns nil if the token is revoked' do
+        personal_access_token.revoke!
+        expect(subject.user([:api])).to be_blank
+      end
+      it 'returns nil if the token does not have API scope' do
+        personal_access_token.update!(scopes: ['read_registry'])
+        expect(subject.user([:api])).to be_blank
+      end
+    end
+    context 'without API requests' do
+      before do
+        env['SCRIPT_NAME'] = '/web/endpoint'
+      end
+      it 'does not search for job users' do
+        expect(PersonalAccessToken).not_to receive(:find_by_token)
+        expect(subject.user([:api])).to be_nil
+      end
    end
  end