Handle basic auth with PAT for Rack Attack

API routes which mimic external APIs - things like NuGet, our Go proxy, and our Terraform API - often allow a personal access token to be passed in basic auth. We weren't handling that case in Rack Attack, which meant those requests were being handled by the unauthenticated throttle even when they were authenticated.

Handle basic auth with PAT for Rack Attack
API routes which mimic external APIs - things like NuGet, our Go proxy, and our Terraform API - often allow a personal access token to be passed in basic auth. We weren't handling that case in Rack Attack, which meant those requests were being handled by the unauthenticated throttle even when they were authenticated.
c916f0c2 · Sean McGivern · c57426fe · c916f0c2 · c916f0c2
Commit c916f0c2 authored Dec 01, 2020 by Sean McGivern
Showing with 58 additions and 7 deletions

lib/gitlab/auth/request_authenticator.rb lib/gitlab/auth/request_authenticator.rb +8 -1

spec/lib/gitlab/auth/request_authenticator_spec.rb spec/lib/gitlab/auth/request_authenticator_spec.rb +50 -6

No files found.
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -49,9 +49,16 @@ module Gitlab

      private

+      def access_token
+        strong_memoize(:access_token) do
+          super || find_personal_access_token_from_http_basic_auth
+        end
+      end
+
      def route_authentication_setting
        @route_authentication_setting ||= {
-          job_token_allowed: api_request?
+          job_token_allowed: api_request?,
+          basic_auth_personal_access_token: api_request?
        }
      end
    end

--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user)
      allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)

-      expect(subject.find_sessionless_user([:api])).to eq access_token_user
+      expect(subject.find_sessionless_user(:api)).to eq access_token_user
    end

    it 'returns feed_token user if no access_token user found' do
      allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)

-      expect(subject.find_sessionless_user([:api])).to eq feed_token_user
+      expect(subject.find_sessionless_user(:api)).to eq feed_token_user
    end

    it 'returns static_object_token user if no feed_token user found' do
@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
        .to receive(:find_user_from_static_object_token)
        .and_return(static_object_token_user)

-      expect(subject.find_sessionless_user([:api])).to eq static_object_token_user
+      expect(subject.find_sessionless_user(:api)).to eq static_object_token_user
    end

    it 'returns job_token user if no static_object_token user found' do
@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
        .to receive(:find_user_from_job_token)
        .and_return(job_token_user)

-      expect(subject.find_sessionless_user([:api])).to eq job_token_user
+      expect(subject.find_sessionless_user(:api)).to eq job_token_user
    end

    it 'returns nil if no user found' do
-      expect(subject.find_sessionless_user([:api])).to be_blank
+      expect(subject.find_sessionless_user(:api)).to be_blank
    end

    it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
      allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError)

-      expect(subject.find_sessionless_user([:api])).to be_blank
+      expect(subject.find_sessionless_user(:api)).to be_blank
+    end
+  end
+
+  describe '#find_personal_access_token_from_http_basic_auth' do
+    let_it_be(:personal_access_token) { create(:personal_access_token) }
+    let_it_be(:user) { personal_access_token.user }
+
+    before do
+      allow(subject).to receive(:has_basic_credentials?).and_return(true)
+      allow(subject).to receive(:user_name_and_password).and_return([user.username, personal_access_token.token])
+    end
+
+    context 'with API requests' do
+      before do
+        env['SCRIPT_NAME'] = '/api/endpoint'
+      end
+
+      it 'tries to find the user' do
+        expect(subject.user([:api])).to eq user
+      end
+
+      it 'returns nil if the token is revoked' do
+        personal_access_token.revoke!
+
+        expect(subject.user([:api])).to be_blank
+      end
+
+      it 'returns nil if the token does not have API scope' do
+        personal_access_token.update!(scopes: ['read_registry'])
+
+        expect(subject.user([:api])).to be_blank
+      end
+    end
+
+    context 'without API requests' do
+      before do
+        env['SCRIPT_NAME'] = '/web/endpoint'
+      end
+
+      it 'does not search for job users' do
+        expect(PersonalAccessToken).not_to receive(:find_by_token)
+
+        expect(subject.user([:api])).to be_nil
+      end
    end
  end