Commit 3a62f156 authored by mortyccp's avatar mortyccp

Remove authentication via warden and PRIVATE_TOKEN header

parent b7e0a09d
......@@ -170,6 +170,18 @@ module Gitlab
end
# rubocop: disable CodeReuse/ActiveRecord
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def deploy_token_check(login, password)
return unless password.present?
......@@ -234,18 +246,6 @@ module Gitlab
public
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def build_authentication_abilities
[
:read_project,
......
......@@ -117,32 +117,15 @@ module Gitlab
end
def current_user(request, project)
current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
end
def current_user_from_access_token_and_warden?(request)
authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
return unless user&.can?(:access_api)
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return unless authenticator.valid_access_token?(scopes: [:api])
user
end
def current_user_from_basic_authentication?(request, project)
return unless has_basic_credentials?(request)
login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success?
return unless auth_result.actor&.can?(:access_api)
return unless auth_result.actor&.can?(:access_git)
if auth_result.type == :personal_access_token
api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
end
return unless auth_result.authentication_abilities.include?(:read_project)
auth_result.actor
end
......
......@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized'
end
end
context 'using warden' do
before do
env['warden'] = double(authenticate: current_user)
end
context 'when active' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
context 'with user is blocked' do
before do
current_user.block!
end
it_behaves_like 'unauthorized'
end
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
current_user.block
end
it_behaves_like 'unauthorized'
......@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
end
context 'using basic auth' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end
it_behaves_like 'unauthorized'
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment