Fix job auth specs

b5261197 · Giorgenes Gelatti · 7c8aa97c · b5261197 · b5261197
Commit b5261197 authored Nov 18, 2019 by Giorgenes Gelatti
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 21 deletions

ee/lib/ee/api/helpers.rb ee/lib/ee/api/helpers.rb +2 -2

ee/lib/ee/gitlab/auth/user_auth_finders.rb ee/lib/ee/gitlab/auth/user_auth_finders.rb +21 -19

No files found.
--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -140,11 +140,11 @@ module EE
      end

      def job_token_authentication?
-        initial_current_user && find_current_job
+        initial_current_user && @job_token_authentication # rubocop:disable Gitlab/ModuleWithInstanceVariables
      end

      def current_ci_job
-        find_current_job
+        @job_token_authentication
      end

      def warden

--- a/ee/lib/ee/gitlab/auth/user_auth_finders.rb
+++ b/ee/lib/ee/gitlab/auth/user_auth_finders.rb
@@ -6,22 +6,25 @@ module EE
      module UserAuthFinders
        extend ActiveSupport::Concern
        extend ::Gitlab::Utils::Override
-        include ::Gitlab::Utils::StrongMemoize

        JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
        JOB_TOKEN_PARAM = :job_token

        def find_user_from_bearer_token
-          find_current_job&.user ||
+          find_user_from_job_bearer_token ||
            find_user_from_access_token
        end

        def find_user_from_job_token
-          return unless job_token
+          return unless route_authentication_setting[:job_token_allowed]
+
+          token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
+          return unless token.present?

-          raise ::Gitlab::Auth::UnauthorizedError unless find_current_job
+          job = find_job_from_token(token)
+          raise ::Gitlab::Auth::UnauthorizedError unless job

-          find_current_job.user
+          job.user
        end

        override :find_oauth_access_token
@@ -33,31 +36,30 @@ module EE

        override :validate_access_token!
        def validate_access_token!(scopes: [])
-          # if we have a successful job token, don't go ahead and try regular validation as it will fail
-          # for the job token
-          find_current_job || super
+          # return early if we've already authenticated via a job token
+          @job_token_authentication.present? || super # rubocop:disable Gitlab/ModuleWithInstanceVariables
        end

        def scim_request?
          current_request.path.starts_with?("/api/scim/")
        end

-        def find_current_job
-          return unless job_token
+        private

-          strong_memoize(:find_current_job) do
-            ::Ci::Build.find_by_token(job_token)
-          end
+        def find_job_from_token(token)
+          @job_token_authentication ||= ::Ci::Build.find_by_token(token)
        end

-        private
-
-        def job_token
+        def find_user_from_job_bearer_token
          return unless route_authentication_setting[:job_token_allowed]

-          strong_memoize(:job_token) do
-            (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER] || parsed_oauth_token).to_s
-          end
+          token = parsed_oauth_token
+          return unless token
+
+          job = find_job_from_token(token)
+          return unless job
+
+          job.user
        end
      end
    end