Override find_personal_access_token for Conan API requests

Instead of setting the token as an instance variable override the finder to look into Bearer and Basic authorization headers for Conan API requests.

Override find_personal_access_token for Conan API requests
Instead of setting the token as an instance variable override the finder to look into Bearer and Basic authorization headers for Conan API requests.
886b06a3 · Krasimir Angelov · 1485821e · 886b06a3 · 886b06a3
Commit 886b06a3 authored Aug 07, 2019 by Krasimir Angelov
Show whitespace changes
Inline Side-by-side

Showing with 51 additions and 33 deletions

ee/lib/api/conan_packages.rb ee/lib/api/conan_packages.rb +44 -32

ee/spec/requests/api/conan_packages_spec.rb ee/spec/requests/api/conan_packages_spec.rb +7 -1

No files found.
--- a/ee/lib/api/conan_packages.rb
+++ b/ee/lib/api/conan_packages.rb
@@ -3,21 +3,15 @@ module API
  class ConanPackages < Grape::API
    HMAC_KEY = 'gitlab-conan-packages'.freeze

+    helpers ::API::Helpers::PackagesHelpers
+
    before do
      not_found! unless Feature.enabled?(:conan_package_registry)
      require_packages_enabled!
-    end

-    helpers ::API::Helpers::PackagesHelpers
-
-    helpers do
-      def jwt_secret
-        OpenSSL::HMAC.hexdigest(
-          OpenSSL::Digest::SHA256.new,
-          ::Settings.attr_encrypted_db_key_base,
-          HMAC_KEY
-        )
-      end
+      # Personal access token will be extracted from Bearer or Basic authorization
+      # in the overriden find_personal_access_token helper
+      authenticate!
    end

    namespace 'packages/conan/v1/users/' do
@@ -27,12 +21,6 @@ module API
        detail 'This feature was introduced in GitLab 12.2'
      end
      get 'authenticate' do
-        encoded_credentials = headers['Authorization'].to_s.split('Basic ', 2).second
-        token = Base64.decode64(encoded_credentials || '').split(':', 2).second
-        request.env['HTTP_PRIVATE_TOKEN'] = token
-
-        authenticate!
-
        jwt = JSONWebToken::HMACToken.new(jwt_secret)
        jwt['pat'] = access_token.id
        jwt['u'] = access_token.user_id
@@ -43,28 +31,52 @@ module API
    end

    namespace 'packages/conan/v1/' do
-      before do
-        require_conan_authentication!
+      desc 'Ping the Conan API' do
+        detail 'This feature was introduced in GitLab 12.2'
+      end
+      get 'ping' do
+        header 'X-Conan-Server-Capabilities', [].join(',')
+      end
    end

    helpers do
-        def require_conan_authentication!
-          jwt = headers['Authorization'].to_s.split('Bearer ', 2).second
-          payload = JSONWebToken::HMACToken.decode(jwt, jwt_secret).first
+      def find_personal_access_token
+        personal_access_token = find_personal_access_token_from_conan_jwt ||
+          find_personal_access_token_from_conan_http_basic_auth
+
+        personal_access_token || unauthorized!
+      end

-          @access_token = PersonalAccessToken.find_by_id_and_user_id(payload['pat'], payload['u'])
+      # We need to override this one because it
+      # looks into Bearer authorization header
+      def find_oauth_access_token
+      end

-          authenticate!
+      def find_personal_access_token_from_conan_jwt
+        jwt = Doorkeeper::OAuth::Token.from_bearer_authorization(current_request)
+        return unless jwt
+
+        payload = JSONWebToken::HMACToken.decode(jwt, jwt_secret).first
+
+        PersonalAccessToken.find_by_id_and_user_id(payload['pat'], payload['u'])
      rescue JWT::DecodeError
        unauthorized!
      end
-      end

-      desc 'Ping the Conan API' do
-        detail 'This feature was introduced in GitLab 12.2'
+      def find_personal_access_token_from_conan_http_basic_auth
+        encoded_credentials = headers['Authorization'].to_s.split('Basic ', 2).second
+        token = Base64.decode64(encoded_credentials || '').split(':', 2).second
+        return unless token
+
+        PersonalAccessToken.find_by_token(token)
      end
-      get 'ping' do
-        header 'X-Conan-Server-Capabilities', [].join(',')
+
+      def jwt_secret
+        OpenSSL::HMAC.hexdigest(
+          OpenSSL::Digest::SHA256.new,
+          ::Settings.attr_encrypted_db_key_base,
+          HMAC_KEY
+        )
      end
    end
  end

--- a/ee/spec/requests/api/conan_packages_spec.rb
+++ b/ee/spec/requests/api/conan_packages_spec.rb
@@ -4,7 +4,13 @@ require 'spec_helper'
 describe API::ConanPackages do
  let(:base_secret) { SecureRandom.base64(32) }

-  let(:jwt_secret) { OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, base_secret, API::ConanPackages::HMAC_KEY) }
+  let(:jwt_secret) do
+    OpenSSL::HMAC.hexdigest(
+      OpenSSL::Digest::SHA256.new,
+      base_secret,
+      API::ConanPackages::HMAC_KEY
+    )
+  end

  before do
    stub_licensed_features(packages: true)