Authenticate the internal API using a header

Instead of mixing in the shared secret into the querystring or body, we could also specify it in a header.
2019-03-08 14:57:01 +01:00 · 2019-03-08 14:57:01 +01:00 · b0fac091ec
commit b0fac091ec
parent 8a59c9fdba
2 changed files with 22 additions and 4 deletions
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -6,6 +6,7 @@ module API
    include Helpers::Pagination

    SUDO_HEADER = "HTTP_SUDO".freeze
+    GITLAB_SHARED_SECRET_HEADER = "Gitlab-Shared-Secret".freeze
    SUDO_PARAM = :sudo
    API_USER_ENV = 'gitlab.api.user'.freeze

@ -212,10 +213,12 @@ module API
    end

    def authenticate_by_gitlab_shell_token!
-      input = params['secret_token'].try(:chomp)
-      unless Devise.secure_compare(secret_token, input)
-        unauthorized!
-      end
+      input = params['secret_token']
+      input ||= Base64.decode64(headers[GITLAB_SHARED_SECRET_HEADER]) if headers.key?(GITLAB_SHARED_SECRET_HEADER)
+
+      input&.chomp!
+
+      unauthorized! unless Devise.secure_compare(secret_token, input)
    end

    def authenticated_with_full_private_access!
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@ -26,6 +26,21 @@ describe API::Internal do

      expect(json_response['redis']).to be(false)
    end
+
+    context 'authenticating' do
+      it 'authenticates using a header' do
+        get api("/internal/check"),
+            headers: { API::Helpers::GITLAB_SHARED_SECRET_HEADER => Base64.encode64(secret_token) }
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'returns 401 when no credentials provided' do
+        get(api("/internal/check"))
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+    end
  end

  describe 'GET /internal/broadcast_message' do