Move authorization code to centralized module

This enables re-use of authorization code. Also make use to Rails' Token authorization code

Move authorization code to centralized module
This enables re-use of authorization code. Also make use to Rails' Token authorization code
7d1fde8c · Thong Kuah · 5f366e2b · 7d1fde8c · 7d1fde8c · 7d1fde8c
Commit 7d1fde8c authored Jul 15, 2020 by Thong Kuah
4 changed files
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -17,22 +17,6 @@ module API
          repo_type.repository_for(project).full_path
        end

-        def authorization_header
-          strong_memoize(:authorization_header) do
-            request.headers['Authorization']
-          end
-        end
-
-        def authorization_token
-          unless authorization_header.present?
-            unauthorized!
-          end
-
-          _token_type, authorization_token = authorization_header.split(' ', 2)
-
-          authorization_token
-        end
-
        def check_feature_enabled
          not_found! unless Feature.enabled?(:kubernetes_agent_internal_api)
        end
@@ -43,10 +27,11 @@ module API
          desc 'Gets agent info' do
            detail 'Retrieves agent info for the given token'
          end
+          route_setting :authentication, cluster_agent_token_allowed: true
          get '/agent_info' do
            check_feature_enabled

-            agent_token = Clusters::AgentToken.find_by_token(authorization_token)
+            agent_token = cluster_agent_token_from_authorization_token

            if agent_token
              agent = agent_token.agent
@@ -71,10 +56,11 @@ module API
          desc 'Gets project info' do
            detail 'Retrieves project info (if authorized)'
          end
+          route_setting :authentication, cluster_agent_token_allowed: true
          get '/project_info' do
            check_feature_enabled

-            agent_token = Clusters::AgentToken.find_by_token(authorization_token)
+            agent_token = cluster_agent_token_from_authorization_token

            if agent_token
              project = find_project(params[:id])

--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -20,6 +20,7 @@ module Gitlab
    module AuthFinders
      include Gitlab::Utils::StrongMemoize
      include ActionController::HttpAuthentication::Basic
+      include ActionController::HttpAuthentication::Token

      PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
      PRIVATE_TOKEN_PARAM = :private_token
@@ -131,6 +132,15 @@ module Gitlab
        deploy_token
      end

+      def cluster_agent_token_from_authorization_token
+        return unless route_authentication_setting[:cluster_agent_token_allowed]
+        return unless current_request.authorization.present?
+
+        authorization_token, _options = token_and_options(current_request)
+
+        ::Clusters::AgentToken.find_by_token(authorization_token)
+      end
+
      def find_runner_from_token
        return unless api_request?


--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -744,6 +744,56 @@ RSpec.describe Gitlab::Auth::AuthFinders do
    end
  end

+  describe '#cluster_agent_token_from_authorization_token' do
+    let_it_be(:agent_token) { create(:cluster_agent_token) }
+
+    context 'when route_setting is empty' do
+      it 'returns nil' do
+        expect(cluster_agent_token_from_authorization_token).to be_nil
+      end
+    end
+
+    context 'when route_setting allows cluster agent token' do
+      let(:route_authentication_setting) { { cluster_agent_token_allowed: true } }
+
+      context 'Authorization header is empty' do
+        it 'returns nil' do
+          expect(cluster_agent_token_from_authorization_token).to be_nil
+        end
+      end
+
+      context 'Authorization header is incorrect' do
+        before do
+          request.headers['Authorization'] = 'Bearer ABCD'
+        end
+
+        it 'returns nil' do
+          expect(cluster_agent_token_from_authorization_token).to be_nil
+        end
+      end
+
+      context 'Authorization header is malformed' do
+        before do
+          request.headers['Authorization'] = 'Bearer'
+        end
+
+        it 'returns nil' do
+          expect(cluster_agent_token_from_authorization_token).to be_nil
+        end
+      end
+
+      context 'Authorization header matches agent token' do
+        before do
+          request.headers['Authorization'] = "Bearer #{agent_token.token}"
+        end
+
+        it 'returns the agent token' do
+          expect(cluster_agent_token_from_authorization_token).to eq(agent_token)
+        end
+      end
+    end
+  end
+
  describe '#find_runner_from_token' do
    let(:runner) { create(:ci_runner) }


--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -16,10 +16,10 @@ RSpec.describe API::Internal::Kubernetes do
      end
    end

-    it 'returns 401 if Authorization header not sent' do
+    it 'returns 403 if Authorization header not sent' do
      get api('/internal/kubernetes/agent_info')

-      expect(response).to have_gitlab_http_status(:unauthorized)
+      expect(response).to have_gitlab_http_status(:forbidden)
    end

    context 'an agent is found' do
@@ -65,10 +65,10 @@ RSpec.describe API::Internal::Kubernetes do
      end
    end

-    it 'returns 401 if Authorization header not sent' do
+    it 'returns 403 if Authorization header not sent' do
      get api('/internal/kubernetes/project_info')

-      expect(response).to have_gitlab_http_status(:unauthorized)
+      expect(response).to have_gitlab_http_status(:forbidden)
    end

    context 'no such agent exists' do