Protect sidekiq admin UI with admin mode

038ae1ec · Diego Louzán · Imre Farkas · a661d092 · 038ae1ec · 038ae1ec
Commit 038ae1ec authored Apr 15, 2020 by Diego Louzán Committed by Imre Farkas Apr 15, 2020
4 changed files
--- a/changelogs/unreleased/fix-admin-mode-sidekiq-admin-ui.yml
+++ b/changelogs/unreleased/fix-admin-mode-sidekiq-admin-ui.yml
+---
+title: Protect sidekiq admin UI with admin mode
+merge_request: 28164
+author: Diego Louzán
+type: fixed
--- a/config/routes/sidekiq.rb
+++ b/config/routes/sidekiq.rb
-constraint = lambda { |request| request.env['warden'].authenticate? && request.env['warden'].user.admin? }
-constraints constraint do
+constraints ::Constraints::AdminConstrainer.new do
  mount Sidekiq::Web, at: '/admin/sidekiq', as: :sidekiq
 end
--- a/lib/constraints/admin_constrainer.rb
+++ b/lib/constraints/admin_constrainer.rb
+# frozen_string_literal: true
+
+module Constraints
+  class AdminConstrainer
+    def matches?(request)
+      if Feature.enabled?(:user_mode_in_session)
+        admin_mode_enabled?(request)
+      else
+        user_is_admin?(request)
+      end
+    end
+
+    private
+
+    def user_is_admin?(request)
+      request.env['warden'].authenticate? && request.env['warden'].user.admin?
+    end
+
+    def admin_mode_enabled?(request)
+      Gitlab::Session.with_session(request.session) do
+        request.env['warden'].authenticate? && Gitlab::Auth::CurrentUserMode.new(request.env['warden'].user).admin_mode?
+      end
+    end
+  end
+end
--- a/spec/lib/constraints/admin_constrainer_spec.rb
+++ b/spec/lib/constraints/admin_constrainer_spec.rb
+# frozen_string_literal: true
+#
+require 'spec_helper'
+
+describe Constraints::AdminConstrainer, :do_not_mock_admin_mode do
+  let(:user) { create(:user) }
+
+  let(:session) { {} }
+  let(:env) { { 'warden' => double(:warden, authenticate?: true, user: user) } }
+  let(:request) { double(:request, session: session, env: env) }
+
+  around do |example|
+    Gitlab::Session.with_session(session) do
+      example.run
+    end
+  end
+
+  describe '#matches' do
+    context 'feature flag :user_mode_in_session is enabled' do
+      context 'when user is a regular user' do
+        it 'forbids access' do
+          expect(subject.matches?(request)).to be(false)
+        end
+      end
+
+      context 'when user is an admin' do
+        let(:user) { create(:admin) }
+
+        context 'admin mode is disabled' do
+          it 'forbids access' do
+            expect(subject.matches?(request)).to be(false)
+          end
+        end
+
+        context 'admin mode is enabled' do
+          before do
+            current_user_mode = Gitlab::Auth::CurrentUserMode.new(user)
+            current_user_mode.request_admin_mode!
+            current_user_mode.enable_admin_mode!(password: user.password)
+          end
+
+          it 'allows access' do
+            expect(subject.matches?(request)).to be(true)
+          end
+        end
+      end
+    end
+
+    context 'feature flag :user_mode_in_session is disabled' do
+      before do
+        stub_feature_flags(user_mode_in_session: false)
+      end
+
+      context 'when user is a regular user' do
+        it 'forbids access' do
+          expect(subject.matches?(request)).to be(false)
+        end
+      end
+
+      context 'when user is an admin' do
+        let(:user) { create(:admin) }
+
+        it 'allows access' do
+          expect(subject.matches?(request)).to be(true)
+        end
+      end
+    end
+  end
+end