Commit c916f0c2 authored by Sean McGivern's avatar Sean McGivern

Handle basic auth with PAT for Rack Attack

API routes which mimic external APIs - things like NuGet, our Go proxy,
and our Terraform API - often allow a personal access token to be passed
in basic auth.

We weren't handling that case in Rack Attack, which meant those requests
were being handled by the unauthenticated throttle even when they were
authenticated.
parent c57426fe
...@@ -49,9 +49,16 @@ module Gitlab ...@@ -49,9 +49,16 @@ module Gitlab
private private
def access_token
strong_memoize(:access_token) do
super || find_personal_access_token_from_http_basic_auth
end
end
def route_authentication_setting def route_authentication_setting
@route_authentication_setting ||= { @route_authentication_setting ||= {
job_token_allowed: api_request? job_token_allowed: api_request?,
basic_auth_personal_access_token: api_request?
} }
end end
end end
......
...@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -50,13 +50,13 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_return(access_token_user)
allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
expect(subject.find_sessionless_user([:api])).to eq access_token_user expect(subject.find_sessionless_user(:api)).to eq access_token_user
end end
it 'returns feed_token user if no access_token user found' do it 'returns feed_token user if no access_token user found' do
allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user) allow_any_instance_of(described_class).to receive(:find_user_from_feed_token).and_return(feed_token_user)
expect(subject.find_sessionless_user([:api])).to eq feed_token_user expect(subject.find_sessionless_user(:api)).to eq feed_token_user
end end
it 'returns static_object_token user if no feed_token user found' do it 'returns static_object_token user if no feed_token user found' do
...@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -64,7 +64,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
.to receive(:find_user_from_static_object_token) .to receive(:find_user_from_static_object_token)
.and_return(static_object_token_user) .and_return(static_object_token_user)
expect(subject.find_sessionless_user([:api])).to eq static_object_token_user expect(subject.find_sessionless_user(:api)).to eq static_object_token_user
end end
it 'returns job_token user if no static_object_token user found' do it 'returns job_token user if no static_object_token user found' do
...@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do ...@@ -72,17 +72,61 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
.to receive(:find_user_from_job_token) .to receive(:find_user_from_job_token)
.and_return(job_token_user) .and_return(job_token_user)
expect(subject.find_sessionless_user([:api])).to eq job_token_user expect(subject.find_sessionless_user(:api)).to eq job_token_user
end end
it 'returns nil if no user found' do it 'returns nil if no user found' do
expect(subject.find_sessionless_user([:api])).to be_blank expect(subject.find_sessionless_user(:api)).to be_blank
end end
it 'rescue Gitlab::Auth::AuthenticationError exceptions' do it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError) allow_any_instance_of(described_class).to receive(:find_user_from_web_access_token).and_raise(Gitlab::Auth::UnauthorizedError)
expect(subject.find_sessionless_user([:api])).to be_blank expect(subject.find_sessionless_user(:api)).to be_blank
end
end
describe '#find_personal_access_token_from_http_basic_auth' do
let_it_be(:personal_access_token) { create(:personal_access_token) }
let_it_be(:user) { personal_access_token.user }
before do
allow(subject).to receive(:has_basic_credentials?).and_return(true)
allow(subject).to receive(:user_name_and_password).and_return([user.username, personal_access_token.token])
end
context 'with API requests' do
before do
env['SCRIPT_NAME'] = '/api/endpoint'
end
it 'tries to find the user' do
expect(subject.user([:api])).to eq user
end
it 'returns nil if the token is revoked' do
personal_access_token.revoke!
expect(subject.user([:api])).to be_blank
end
it 'returns nil if the token does not have API scope' do
personal_access_token.update!(scopes: ['read_registry'])
expect(subject.user([:api])).to be_blank
end
end
context 'without API requests' do
before do
env['SCRIPT_NAME'] = '/web/endpoint'
end
it 'does not search for job users' do
expect(PersonalAccessToken).not_to receive(:find_by_token)
expect(subject.user([:api])).to be_nil
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment