Remove authentication via warden and PRIVATE_TOKEN header
parent
b7e0a09de2
commit
3a62f15657
@ -170,6 +170,18 @@ module Gitlab
end
# rubocop: disable CodeReuse/ActiveRecord
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def deploy_token_check(login, password)
return unless password.present?
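Review bot: The `# rubocop: disable CodeReuse/ActiveRecord` directive now sits directly above the inserted `abilities_for_scopes`, which does no ActiveRecord work, while `deploy_token_check`, the method the directive was evidently written for, is pushed away from it; move the comment so it immediately precedes `def deploy_token_check(login, password)`, or add a matching `# rubocop: enable CodeReuse/ActiveRecord` after `abilities_for_scopes` so the disable does not silently widen. The method appears to be relocated here from the `public` section that the next hunk removes, so it presumably becomes private; any remaining external `Gitlab::Auth.abilities_for_scopes` caller would then stop resolving and is worth confirming gone. The enclosing `module Gitlab` class body begins outside this hunk.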
@ -234,18 +246,6 @@ module Gitlab
public
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def build_authentication_abilities
[
:read_project,
@ -117,32 +117,15 @@ module Gitlab
end
def current_user(request, project)
current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
end
def current_user_from_access_token_and_warden?(request)
authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
return unless user&.can?(:access_api)
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return unless authenticator.valid_access_token?(scopes: [:api])
user
end
def current_user_from_basic_authentication?(request, project)
return unless has_basic_credentials?(request)
login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success?
return unless auth_result.actor&.can?(:access_api)
return unless auth_result.actor&.can?(:access_git)
if auth_result.type == :personal_access_token
api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
end
return unless auth_result.authentication_abilities.include?(:read_project)
auth_result.actor
end
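Review bot: The local `api_sceope_abilities` on the `Gitlab::Auth.abilities_for_scopes([:api])` line is misspelled; if that `if auth_result.type == :personal_access_token` block survives on the new side, rename it to `api_scope_abilities = Gitlab::Auth.abilities_for_scopes([:api])` and update the comparison on the next line to match. The rendering does not make the sides certain, but the auth hunk above appears to move `abilities_for_scopes` out of the public section, in which case a call to it from this middleware would no longer resolve, so please confirm either that the block is dropped here or that the method stays public. `current_user` would also benefit from a short comment stating its contract now that the warden and token-header paths are gone, e.g. `# Only HTTP basic credentials are accepted; the resolved actor must be allowed both API and Git access.` The enclosing `module Gitlab` class body begins outside this hunk.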
@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized'
end
end
context 'using warden' do
before do
env['warden'] = double(authenticate: current_user)
end
context 'when active' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
context 'with user is blocked' do
before do
current_user.block!
end
it_behaves_like 'unauthorized'
end
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
current_user.block
end
it_behaves_like 'unauthorized'
@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
end
context 'using basic auth' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end
it_behaves_like 'unauthorized'
end
end
end
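Review bot: With the warden contexts removed in the previous hunk, the `context 'when blocked'` case that asserted a blocked user is unauthorized disappears, and nothing in the rebuilt `context 'using basic auth'` here covers a blocked user presenting an otherwise valid personal access token. Since rejecting blocked users is a security-relevant property of `current_user`, add a sibling context under the basic auth personal access token block: `context 'when blocked' do`, `before { current_user.block! }`, `it_behaves_like 'unauthorized'`. The old `read_user` context also called `current_user.block`, which conflated the scope and block reasons for the failure; as far as the rendering shows, the new version tests the scope alone, so a dedicated blocked-user case is the only thing still missing.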