Override find_personal_access_token for Conan API requests

Instead of setting the token as an instance variable override the finder to look into Bearer and Basic authorization headers for Conan API requests.

Override find_personal_access_token for Conan API requests
Instead of setting the token as an instance variable override the finder to look into Bearer and Basic authorization headers for Conan API requests.
886b06a3 · Krasimir Angelov · 1485821e · 886b06a3 · 886b06a3
Commit 886b06a3 authored Aug 07, 2019 by Krasimir Angelov
Show whitespace changes
Inline Side-by-side

Showing with 51 additions and 33 deletions

ee/lib/api/conan_packages.rb ee/lib/api/conan_packages.rb +44 -32

ee/spec/requests/api/conan_packages_spec.rb ee/spec/requests/api/conan_packages_spec.rb +7 -1

No files found.
--- a/ee/lib/api/conan_packages.rb
+++ b/ee/lib/api/conan_packages.rb
@@ -3,21 +3,15 @@ module API
  class ConanPackages < Grape::API
    HMAC_KEY = 'gitlab-conan-packages'.freeze
+    helpers ::API::Helpers::PackagesHelpers
    before do
      not_found! unless Feature.enabled?(:conan_package_registry)
      require_packages_enabled!
-    end
-    helpers ::API::Helpers::PackagesHelpers
+      # Personal access token will be extracted from Bearer or Basic authorization
+      # in the overriden find_personal_access_token helper
-    helpers do
+      authenticate!
-      def jwt_secret
-        OpenSSL::HMAC.hexdigest(
-          OpenSSL::Digest::SHA256.new,
-          ::Settings.attr_encrypted_db_key_base,
-          HMAC_KEY
-        )
-      end
    end
    namespace 'packages/conan/v1/users/' do
@@ -27,12 +21,6 @@ module API
        detail 'This feature was introduced in GitLab 12.2'
      end
      get 'authenticate' do
-        encoded_credentials = headers['Authorization'].to_s.split('Basic ', 2).second
-        token = Base64.decode64(encoded_credentials || '').split(':', 2).second
-        request.env['HTTP_PRIVATE_TOKEN'] = token
-        authenticate!
        jwt = JSONWebToken::HMACToken.new(jwt_secret)
        jwt['pat'] = access_token.id
        jwt['u'] = access_token.user_id
@@ -43,28 +31,52 @@ module API
    end
    namespace 'packages/conan/v1/' do
-      before do
+      desc 'Ping the Conan API' do
-        require_conan_authentication!
+        detail 'This feature was introduced in GitLab 12.2'
+      end
+      get 'ping' do
+        header 'X-Conan-Server-Capabilities', [].join(',')
+      end
    end
    helpers do
-        def require_conan_authentication!
+      def find_personal_access_token
-          jwt = headers['Authorization'].to_s.split('Bearer ', 2).second
+        personal_access_token = find_personal_access_token_from_conan_jwt ||
-          payload = JSONWebToken::HMACToken.decode(jwt, jwt_secret).first
+          find_personal_access_token_from_conan_http_basic_auth
+        personal_access_token || unauthorized!
+      end
-          @access_token = PersonalAccessToken.find_by_id_and_user_id(payload['pat'], payload['u'])
+      # We need to override this one because it
+      # looks into Bearer authorization header
+      def find_oauth_access_token
+      end
-          authenticate!
+      def find_personal_access_token_from_conan_jwt
+        jwt = Doorkeeper::OAuth::Token.from_bearer_authorization(current_request)
+        return unless jwt
+        payload = JSONWebToken::HMACToken.decode(jwt, jwt_secret).first
+        PersonalAccessToken.find_by_id_and_user_id(payload['pat'], payload['u'])
      rescue JWT::DecodeError
        unauthorized!
      end
-      end
-      desc 'Ping the Conan API' do
+      def find_personal_access_token_from_conan_http_basic_auth
-        detail 'This feature was introduced in GitLab 12.2'
+        encoded_credentials = headers['Authorization'].to_s.split('Basic ', 2).second
+        token = Base64.decode64(encoded_credentials || '').split(':', 2).second
+        return unless token
+        PersonalAccessToken.find_by_token(token)
      end
-      get 'ping' do
-        header 'X-Conan-Server-Capabilities', [].join(',')
+      def jwt_secret
+        OpenSSL::HMAC.hexdigest(
+          OpenSSL::Digest::SHA256.new,
+          ::Settings.attr_encrypted_db_key_base,
+          HMAC_KEY
+        )
      end
    end
  end

--- a/ee/spec/requests/api/conan_packages_spec.rb
+++ b/ee/spec/requests/api/conan_packages_spec.rb
@@ -4,7 +4,13 @@ require 'spec_helper'
 describe API::ConanPackages do
  let(:base_secret) { SecureRandom.base64(32) }
-  let(:jwt_secret) { OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, base_secret, API::ConanPackages::HMAC_KEY) }
+  let(:jwt_secret) do
+    OpenSSL::HMAC.hexdigest(
+      OpenSSL::Digest::SHA256.new,
+      base_secret,
+      API::ConanPackages::HMAC_KEY
+    )
+  end
  before do
    stub_licensed_features(packages: true)