Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
d1fea99d
Commit
d1fea99d
authored
Dec 02, 2018
by
mortyccp
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Allow basic authentication on go get middleware
parent
32fbc12c
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
59 additions
and
17 deletions
+59
-17
changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
...logs/unreleased/allow-basic-auth-on-go-get-middleware.yml
+5
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+12
-12
lib/gitlab/middleware/go.rb
lib/gitlab/middleware/go.rb
+22
-5
spec/lib/gitlab/middleware/go_spec.rb
spec/lib/gitlab/middleware/go_spec.rb
+20
-0
No files found.
changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
0 → 100644
View file @
d1fea99d
---
title
:
Allow basic authentication on go get middleware
merge_request
:
23497
author
:
Morty Choi @mortyccp
type
:
changed
lib/gitlab/auth.rb
View file @
d1fea99d
...
@@ -169,18 +169,6 @@ module Gitlab
...
@@ -169,18 +169,6 @@ module Gitlab
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
end
end
def
abilities_for_scopes
(
scopes
)
abilities_by_scope
=
{
api:
full_authentication_abilities
,
read_registry:
[
:read_container_image
],
read_repository:
[
:download_code
]
}
scopes
.
flat_map
do
|
scope
|
abilities_by_scope
.
fetch
(
scope
.
to_sym
,
[])
end
.
uniq
end
# rubocop: disable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def
deploy_token_check
(
login
,
password
)
def
deploy_token_check
(
login
,
password
)
return
unless
password
.
present?
return
unless
password
.
present?
...
@@ -246,6 +234,18 @@ module Gitlab
...
@@ -246,6 +234,18 @@ module Gitlab
public
public
def
abilities_for_scopes
(
scopes
)
abilities_by_scope
=
{
api:
full_authentication_abilities
,
read_registry:
[
:read_container_image
],
read_repository:
[
:download_code
]
}
scopes
.
flat_map
do
|
scope
|
abilities_by_scope
.
fetch
(
scope
.
to_sym
,
[])
end
.
uniq
end
def
build_authentication_abilities
def
build_authentication_abilities
[
[
:read_project
,
:read_project
,
...
...
lib/gitlab/middleware/go.rb
View file @
d1fea99d
...
@@ -6,6 +6,7 @@ module Gitlab
...
@@ -6,6 +6,7 @@ module Gitlab
module
Middleware
module
Middleware
class
Go
class
Go
include
ActionView
::
Helpers
::
TagHelper
include
ActionView
::
Helpers
::
TagHelper
include
ActionController
::
HttpAuthentication
::
Basic
PROJECT_PATH_REGEX
=
%r{
\A
(
#{
Gitlab
::
PathRegex
.
full_namespace_route_regex
}
/
#{
Gitlab
::
PathRegex
.
project_route_regex
}
)/}
.
freeze
PROJECT_PATH_REGEX
=
%r{
\A
(
#{
Gitlab
::
PathRegex
.
full_namespace_route_regex
}
/
#{
Gitlab
::
PathRegex
.
project_route_regex
}
)/}
.
freeze
...
@@ -14,7 +15,7 @@ module Gitlab
...
@@ -14,7 +15,7 @@ module Gitlab
end
end
def
call
(
env
)
def
call
(
env
)
request
=
Rack
::
Request
.
new
(
env
)
request
=
ActionDispatch
::
Request
.
new
(
env
)
render_go_doc
(
request
)
||
@app
.
call
(
env
)
render_go_doc
(
request
)
||
@app
.
call
(
env
)
end
end
...
@@ -110,22 +111,38 @@ module Gitlab
...
@@ -110,22 +111,38 @@ module Gitlab
def
project_for_paths
(
paths
,
request
)
def
project_for_paths
(
paths
,
request
)
project
=
Project
.
where_full_path_in
(
paths
).
first
project
=
Project
.
where_full_path_in
(
paths
).
first
return
unless
Ability
.
allowed?
(
current_user
(
reques
t
),
:read_project
,
project
)
return
unless
Ability
.
allowed?
(
current_user
(
request
,
projec
t
),
:read_project
,
project
)
project
project
end
end
def
current_user
(
request
)
def
current_user
(
request
,
project
)
current_user_from_access_token_and_warden?
(
request
)
||
current_user_from_basic_authentication?
(
request
,
project
)
end
def
current_user_from_access_token_and_warden?
(
request
)
authenticator
=
Gitlab
::
Auth
::
RequestAuthenticator
.
new
(
request
)
authenticator
=
Gitlab
::
Auth
::
RequestAuthenticator
.
new
(
request
)
user
=
authenticator
.
find_user_from_access_token
||
authenticator
.
find_user_from_warden
user
=
authenticator
.
find_user_from_access_token
||
authenticator
.
find_user_from_warden
return
unless
user
&
.
can?
(
:access_api
)
return
unless
user
&
.
can?
(
:access_api
)
# Right now, the `api` scope is the only one that should be able to determine private project existence.
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return
unless
authenticator
.
valid_access_token?
(
scopes:
[
:api
])
return
unless
authenticator
.
valid_access_token?
(
scopes:
[
:api
])
user
user
end
end
def
current_user_from_basic_authentication?
(
request
,
project
)
return
unless
has_basic_credentials?
(
request
)
login
,
password
=
user_name_and_password
(
request
)
auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
return
unless
auth_result
.
success?
return
unless
auth_result
.
actor
&
.
can?
(
:access_api
)
if
auth_result
.
type
==
:personal_access_token
apiScopeAbilities
=
Gitlab
::
Auth
.
abilities_for_scopes
([
:api
])
return
unless
auth_result
.
authentication_abilities
.
sort
==
apiScopeAbilities
.
sort
end
auth_result
.
actor
end
end
end
end
end
end
end
spec/lib/gitlab/middleware/go_spec.rb
View file @
d1fea99d
...
@@ -135,6 +135,26 @@ describe Gitlab::Middleware::Go do
...
@@ -135,6 +135,26 @@ describe Gitlab::Middleware::Go do
it_behaves_like
'unauthorized'
it_behaves_like
'unauthorized'
end
end
end
end
context
'using basic auth'
do
let
(
:personal_access_token
)
{
create
(
:personal_access_token
,
user:
current_user
)
}
before
do
env
[
'HTTP_AUTHORIZATION'
]
=
ActionController
::
HttpAuthentication
::
Basic
.
encode_credentials
(
current_user
.
username
,
personal_access_token
.
token
)
end
context
'with api scope'
do
it_behaves_like
'authenticated'
end
context
'with read_user scope'
do
before
do
personal_access_token
.
update_attribute
(
:scopes
,
[
:read_user
])
end
it_behaves_like
'unauthorized'
end
end
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment