Merge branch '212526-oauth-orphan-check' into 'master'

Fix oauth check to verify user exists See merge request gitlab-org/gitlab!28159

Merge branch '212526-oauth-orphan-check' into 'master'
Fix oauth check to verify user exists See merge request gitlab-org/gitlab!28159
a9b05ffc · Peter Leitzen · badfc1d1 · eeef12d4 · a9b05ffc · a9b05ffc
Commit a9b05ffc authored Mar 27, 2020 by Peter Leitzen
3 changed files
--- a/changelogs/unreleased/212526-oauth-orphan-check.yml
+++ b/changelogs/unreleased/212526-oauth-orphan-check.yml
+---
+title: Fix Gitlab::Auth to handle orphaned oauth tokens
+merge_request: 28159
+author:
+type: fixed
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -164,20 +164,18 @@ module Gitlab
        Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
      end

-      # rubocop: disable CodeReuse/ActiveRecord
      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)

          if valid_oauth_token?(token)
-            user = User.find_by(id: token.resource_owner_id)
-            return unless user.can?(:log_in)
+            user = User.id_in(token.resource_owner_id).first
+            return unless user&.can?(:log_in)

            Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
          end
        end
      end
-      # rubocop: enable CodeReuse/ActiveRecord

      def personal_access_token_check(password)
        return unless password.present?

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -250,6 +250,13 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
      let(:token_w_api_scope) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') }
      let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }

+      shared_examples 'an oauth failure' do
+        it 'fails' do
+          expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip'))
+            .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+        end
+      end
+
      it 'succeeds for OAuth tokens with the `api` scope' do
        expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, described_class.full_authentication_abilities))
      end
@@ -269,10 +276,15 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
      context 'blocked user' do
        let(:user) { create(:user, :blocked) }

-        it 'fails' do
-          expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip'))
-            .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+        it_behaves_like 'an oauth failure'
+      end
+
+      context 'orphaned token' do
+        before do
+          user.destroy
        end
+
+        it_behaves_like 'an oauth failure'
      end
    end