Merge branch 'allow-basic-auth-on-go-get-middleware' into 'master'

Allow basic auth on go get middleware Closes #45055 See merge request gitlab-org/gitlab-ce!23497

Merge branch 'allow-basic-auth-on-go-get-middleware' into 'master'
Allow basic auth on go get middleware Closes #45055 See merge request gitlab-org/gitlab-ce!23497
e39d2aec · Douwe Maan · 32fbc12c · 2099578f · e39d2aec · e39d2aec
Commit e39d2aec authored Jan 03, 2019 by Douwe Maan
3 changed files
--- a/changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
+++ b/changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
+---
+title: Allow basic authentication on go get middleware
+merge_request: 23497
+author: Morty Choi @mortyccp
+type: changed
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -6,6 +6,7 @@ module Gitlab
  module Middleware
    class Go
      include ActionView::Helpers::TagHelper
+      include ActionController::HttpAuthentication::Basic

      PROJECT_PATH_REGEX = %r{\A(#{Gitlab::PathRegex.full_namespace_route_regex}/#{Gitlab::PathRegex.project_route_regex})/}.freeze

@@ -14,7 +15,7 @@ module Gitlab
      end

      def call(env)
-        request = Rack::Request.new(env)
+        request = ActionDispatch::Request.new(env)

        render_go_doc(request) || @app.call(env)
      end
@@ -110,21 +111,23 @@ module Gitlab

      def project_for_paths(paths, request)
        project = Project.where_full_path_in(paths).first
-        return unless Ability.allowed?(current_user(request), :read_project, project)
+        return unless  Ability.allowed?(current_user(request, project), :read_project, project)

        project
      end

-      def current_user(request)
-        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
-        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+      def current_user(request, project)
+        return unless has_basic_credentials?(request)

-        return unless user&.can?(:access_api)
+        login, password = user_name_and_password(request)
+        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
+        return unless auth_result.success?

-        # Right now, the `api` scope is the only one that should be able to determine private project existence.
-        return unless authenticator.valid_access_token?(scopes: [:api])
+        return unless auth_result.actor&.can?(:access_git)

-        user
+        return unless auth_result.authentication_abilities.include?(:read_project)
+
+        auth_result.actor
      end
    end
  end

--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -96,43 +96,36 @@ describe Gitlab::Middleware::Go do

                    it_behaves_like 'unauthorized'
                  end
-                end
-
-                context 'using warden' do
-                  before do
-                    env['warden'] = double(authenticate: current_user)
-                  end

-                  context 'when active' do
-                    it_behaves_like 'authenticated'
-                  end
-
-                  context 'when blocked' do
+                  context 'with user is blocked' do
                    before do
-                      current_user.block!
+                      current_user.block
                    end

                    it_behaves_like 'unauthorized'
                  end
                end

-                context 'using a personal access token' do
-                  let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
-                  before do
-                    env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
-                  end
-
-                  context 'with api scope' do
-                    it_behaves_like 'authenticated'
-                  end
+                context 'using basic auth' do
+                  context 'using a personal access token' do
+                    let(:personal_access_token) { create(:personal_access_token, user: current_user) }

-                  context 'with read_user scope' do
                    before do
-                      personal_access_token.update_attribute(:scopes, [:read_user])
+                      env['REMOTE_ADDR'] = "192.168.0.1"
+                      env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
                    end

-                    it_behaves_like 'unauthorized'
+                    context 'with api scope' do
+                      it_behaves_like 'authenticated'
+                    end
+
+                    context 'with read_user scope' do
+                      before do
+                        personal_access_token.update_attribute(:scopes, [:read_user])
+                      end
+
+                      it_behaves_like 'unauthorized'
+                    end
                  end
                end
              end