Commit 7d1fde8c authored by Thong Kuah's avatar Thong Kuah

Move authorization code to centralized module

This enables re-use of authorization code. Also make use of Rails' Token
authorization code
parent 5f366e2b
......@@ -17,22 +17,6 @@ module API
repo_type.repository_for(project).full_path
end
def authorization_header
strong_memoize(:authorization_header) do
request.headers['Authorization']
end
end
def authorization_token
unless authorization_header.present?
unauthorized!
end
_token_type, authorization_token = authorization_header.split(' ', 2)
authorization_token
end
def check_feature_enabled
not_found! unless Feature.enabled?(:kubernetes_agent_internal_api)
end
......@@ -43,10 +27,11 @@ module API
desc 'Gets agent info' do
detail 'Retrieves agent info for the given token'
end
route_setting :authentication, cluster_agent_token_allowed: true
get '/agent_info' do
check_feature_enabled
agent_token = Clusters::AgentToken.find_by_token(authorization_token)
agent_token = cluster_agent_token_from_authorization_token
if agent_token
agent = agent_token.agent
......@@ -71,10 +56,11 @@ module API
desc 'Gets project info' do
detail 'Retrieves project info (if authorized)'
end
route_setting :authentication, cluster_agent_token_allowed: true
get '/project_info' do
check_feature_enabled
agent_token = Clusters::AgentToken.find_by_token(authorization_token)
agent_token = cluster_agent_token_from_authorization_token
if agent_token
project = find_project(params[:id])
......
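Review bot: With `unauthorized!` gone from the removed `authorization_token` helper, a request to `/agent_info` or `/project_info` without an Authorization header now falls through to the `else` branch of `if agent_token`, which lies outside the hunk, and the API::Internal::Kubernetes spec section in this commit changes its expectation there from 401 to 403. A missing credential is conventionally answered with 401 so the client knows it must authenticate, whereas 403 says a credential was understood and refused; if the 403 is intended, the commit description should say so, since the same path now also covers an unknown token. If it is not intended, add `unauthorized! unless agent_token` directly after `agent_token = cluster_agent_token_from_authorization_token` in both blocks; the lookup presumably returns nil for a missing header, as the AuthFinders spec in this commit asserts.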
......@@ -20,6 +20,7 @@ module Gitlab
module AuthFinders
include Gitlab::Utils::StrongMemoize
include ActionController::HttpAuthentication::Basic
include ActionController::HttpAuthentication::Token
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
PRIVATE_TOKEN_PARAM = :private_token
......@@ -131,6 +132,15 @@ module Gitlab
deploy_token
end
def cluster_agent_token_from_authorization_token
return unless route_authentication_setting[:cluster_agent_token_allowed]
return unless current_request.authorization.present?
authorization_token, _options = token_and_options(current_request)
::Clusters::AgentToken.find_by_token(authorization_token)
end
def find_runner_from_token
return unless api_request?
......
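Review bot: `::Clusters::AgentToken.find_by_token(authorization_token)` can be reached with a nil token, because `token_and_options` returns nil when the header has no value after the scheme (the bare `Bearer` case the spec covers) or, as far as I recall Rails' matcher, carries a scheme other than `Token` or `Bearer`; the `present?` check on the preceding line does not cover either. Guard explicitly rather than relying on `find_by_token` tolerating nil: `return if authorization_token.blank?` before the lookup. A comment on the method would also help callers, e.g. `# Only the Token/Bearer schemes are recognised; any other Authorization scheme yields nil.` The helper removed from API::Internal::Kubernetes split on the first space and accepted any scheme, so this is a deliberate tightening worth stating.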
......@@ -744,6 +744,56 @@ RSpec.describe Gitlab::Auth::AuthFinders do
end
end
describe '#cluster_agent_token_from_authorization_token' do
let_it_be(:agent_token) { create(:cluster_agent_token) }
context 'when route_setting is empty' do
it 'returns nil' do
expect(cluster_agent_token_from_authorization_token).to be_nil
end
end
context 'when route_setting allows cluster agent token' do
let(:route_authentication_setting) { { cluster_agent_token_allowed: true } }
context 'Authorization header is empty' do
it 'returns nil' do
expect(cluster_agent_token_from_authorization_token).to be_nil
end
end
context 'Authorization header is incorrect' do
before do
request.headers['Authorization'] = 'Bearer ABCD'
end
it 'returns nil' do
expect(cluster_agent_token_from_authorization_token).to be_nil
end
end
context 'Authorization header is malformed' do
before do
request.headers['Authorization'] = 'Bearer'
end
it 'returns nil' do
expect(cluster_agent_token_from_authorization_token).to be_nil
end
end
context 'Authorization header matches agent token' do
before do
request.headers['Authorization'] = "Bearer #{agent_token.token}"
end
it 'returns the agent token' do
expect(cluster_agent_token_from_authorization_token).to eq(agent_token)
end
end
end
end
describe '#find_runner_from_token' do
let(:runner) { create(:ci_runner) }
......
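Review bot: The `'when route_setting is empty'` example sends no Authorization header, so it passes even if the `route_authentication_setting` guard were removed and does not show that a valid token is ignored on routes without `cluster_agent_token_allowed`. Add a `before` block in that context setting `request.headers['Authorization'] = "Bearer #{agent_token.token}"` so the `be_nil` expectation exercises the guard. A further example with a non-Bearer scheme would pin that such headers also return nil, which the current cases leave untested.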
......@@ -16,10 +16,10 @@ RSpec.describe API::Internal::Kubernetes do
end
end
it 'returns 401 if Authorization header not sent' do
it 'returns 403 if Authorization header not sent' do
get api('/internal/kubernetes/agent_info')
expect(response).to have_gitlab_http_status(:unauthorized)
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'an agent is found' do
......@@ -65,10 +65,10 @@ RSpec.describe API::Internal::Kubernetes do
end
end
it 'returns 401 if Authorization header not sent' do
it 'returns 403 if Authorization header not sent' do
get api('/internal/kubernetes/project_info')
expect(response).to have_gitlab_http_status(:unauthorized)
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'no such agent exists' do
......