Commit e39d2aec authored by Douwe Maan's avatar Douwe Maan

Merge branch 'allow-basic-auth-on-go-get-middleware' into 'master'

Allow basic auth on go get middleware

Closes #45055

See merge request gitlab-org/gitlab-ce!23497
parents 32fbc12c 2099578f
---
title: Allow basic authentication on go get middleware
merge_request: 23497
author: Morty Choi @mortyccp
type: changed
...@@ -6,6 +6,7 @@ module Gitlab ...@@ -6,6 +6,7 @@ module Gitlab
module Middleware module Middleware
class Go class Go
include ActionView::Helpers::TagHelper include ActionView::Helpers::TagHelper
include ActionController::HttpAuthentication::Basic
PROJECT_PATH_REGEX = %r{\A(#{Gitlab::PathRegex.full_namespace_route_regex}/#{Gitlab::PathRegex.project_route_regex})/}.freeze PROJECT_PATH_REGEX = %r{\A(#{Gitlab::PathRegex.full_namespace_route_regex}/#{Gitlab::PathRegex.project_route_regex})/}.freeze
...@@ -14,7 +15,7 @@ module Gitlab ...@@ -14,7 +15,7 @@ module Gitlab
end end
def call(env) def call(env)
request = Rack::Request.new(env) request = ActionDispatch::Request.new(env)
render_go_doc(request) || @app.call(env) render_go_doc(request) || @app.call(env)
end end
...@@ -110,21 +111,23 @@ module Gitlab ...@@ -110,21 +111,23 @@ module Gitlab
def project_for_paths(paths, request) def project_for_paths(paths, request)
project = Project.where_full_path_in(paths).first project = Project.where_full_path_in(paths).first
return unless Ability.allowed?(current_user(request), :read_project, project) return unless Ability.allowed?(current_user(request, project), :read_project, project)
project project
end end
def current_user(request) def current_user(request, project)
authenticator = Gitlab::Auth::RequestAuthenticator.new(request) return unless has_basic_credentials?(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
return unless user&.can?(:access_api) login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success?
# Right now, the `api` scope is the only one that should be able to determine private project existence. return unless auth_result.actor&.can?(:access_git)
return unless authenticator.valid_access_token?(scopes: [:api])
user return unless auth_result.authentication_abilities.include?(:read_project)
auth_result.actor
end end
end end
end end
......
...@@ -96,43 +96,36 @@ describe Gitlab::Middleware::Go do ...@@ -96,43 +96,36 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized' it_behaves_like 'unauthorized'
end end
end
context 'using warden' do
before do
env['warden'] = double(authenticate: current_user)
end
context 'when active' do context 'with user is blocked' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
before do before do
current_user.block! current_user.block
end end
it_behaves_like 'unauthorized' it_behaves_like 'unauthorized'
end end
end end
context 'using a personal access token' do context 'using basic auth' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) } context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do before do
personal_access_token.update_attribute(:scopes, [:read_user]) env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end end
it_behaves_like 'unauthorized' context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment