Merge branch 'sarnold-add-http-basic-auth-to-alerts' into 'master'

Add HTTP Basic support for Alert authentication See merge request gitlab-org/gitlab!70588

Merge branch 'sarnold-add-http-basic-auth-to-alerts' into 'master'
Add HTTP Basic support for Alert authentication See merge request gitlab-org/gitlab!70588
ec525886 · Igor Drozdov · 5ea16e16 · 836653f8 · ec525886 · ec525886
Commit ec525886 authored Oct 12, 2021 by Igor Drozdov
3 changed files
--- a/app/controllers/projects/alerting/notifications_controller.rb
+++ b/app/controllers/projects/alerting/notifications_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Alerting
    class NotificationsController < Projects::ApplicationController
+      include ActionController::HttpAuthentication::Basic
+
      respond_to :json

      skip_before_action :verify_authenticity_token
@@ -27,9 +29,19 @@ module Projects
      end

      def extract_alert_manager_token(request)
+        extract_bearer_token(request) || extract_basic_auth_token(request)
+      end
+
+      def extract_bearer_token(request)
        Doorkeeper::OAuth::Token.from_bearer_authorization(request)
      end

+      def extract_basic_auth_token(request)
+        _username, token = user_name_and_password(request)
+
+        token
+      end
+
      def notify_service
        notify_service_class.new(project, notification_payload)
      end

--- a/doc/operations/incident_management/integrations.md
+++ b/doc/operations/incident_management/integrations.md
@@ -125,17 +125,7 @@ NOTE:
 Ensure your requests are smaller than the
 [payload application limits](../../administration/instance_limits.md#generic-alert-json-payloads).

-Example request:
-
-```shell
-curl --request POST \
-  --data '{"title": "Incident title"}' \
-  --header "Authorization: Bearer <authorization_key>" \
-  --header "Content-Type: application/json" \
-  <url>
-```
-
-The `<authorization_key>` and `<url>` values can be found when configuring an alert integration.
+### Example request body

 Example payload:

@@ -157,6 +147,55 @@ Example payload:
 }
 ```

+## Authorization
+
+The following authorization methods are accepted:
+
+- Bearer authorization header
+- Basic authentication
+
+The `<authorization_key>` and `<url>` values can be found when configuring an alert integration.
+
+### Bearer authorization header
+
+The authorization key can be used as the Bearer token:
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Authorization: Bearer <authorization_key>" \
+  --header "Content-Type: application/json" \
+  <url>
+```
+
+### Basic authentication
+
+The authorization key can be used as the `password`. The `username` is left blank:
+
+- username: <blank>
+- pasword: authorization_key
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Authorization: Basic <base_64_encoded_credentials>" \
+  --header "Content-Type: application/json" \
+  <url>
+```
+
+Basic authentication can also be used with credentials directly in the URL:
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Content-Type: application/json" \
+  <username:password@url>
+```
+
+WARNING:
+Using your authorization key in the URL is insecure, as it's visible in server logs. We recommend
+using one of the above header options if your tooling supports it.
+
 ## Triggering test alerts

 > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3066) in GitLab in 13.2.

--- a/spec/controllers/projects/alerting/notifications_controller_spec.rb
+++ b/spec/controllers/projects/alerting/notifications_controller_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'

 RSpec.describe Projects::Alerting::NotificationsController do
+  include HttpBasicAuthHelpers
+
  let_it_be(:project) { create(:project) }
  let_it_be(:environment) { create(:environment, project: project) }

@@ -53,86 +55,96 @@ RSpec.describe Projects::Alerting::NotificationsController do
        end
      end

-      context 'bearer token' do
-        context 'when set' do
-          context 'when extractable' do
-            before do
-              request.headers['HTTP_AUTHORIZATION'] = 'Bearer some token'
-            end
-
-            it 'extracts bearer token' do
-              expect(notify_service).to receive(:execute).with('some token', nil)
-
-              make_request
-            end
-
-            context 'with a corresponding integration' do
-              context 'with integration parameters specified' do
-                let_it_be_with_reload(:integration) { create(:alert_management_http_integration, project: project) }
+      shared_examples 'a working token' do
+        it 'extracts token' do
+          expect(notify_service).to receive(:execute).with('some token', nil)

-                let(:params) { project_params(endpoint_identifier: integration.endpoint_identifier, name: integration.name) }
-
-                context 'the integration is active' do
-                  it 'extracts and finds the integration' do
-                    expect(notify_service).to receive(:execute).with('some token', integration)
+          make_request
+        end

-                    make_request
-                  end
-                end
+        context 'with a corresponding integration' do
+          context 'with integration parameters specified' do
+            let_it_be_with_reload(:integration) { create(:alert_management_http_integration, project: project) }

-                context 'when the integration is inactive' do
-                  before do
-                    integration.update!(active: false)
-                  end
+            let(:params) { project_params(endpoint_identifier: integration.endpoint_identifier, name: integration.name) }

-                  it 'does not find an integration' do
-                    expect(notify_service).to receive(:execute).with('some token', nil)
+            context 'the integration is active' do
+              it 'extracts and finds the integration' do
+                expect(notify_service).to receive(:execute).with('some token', integration)

-                    make_request
-                  end
-                end
+                make_request
              end
+            end

-              context 'without integration parameters specified' do
-                let_it_be(:integration) { create(:alert_management_http_integration, :legacy, project: project) }
+            context 'when the integration is inactive' do
+              before do
+                integration.update!(active: false)
+              end

-                it 'extracts and finds the legacy integration' do
-                  expect(notify_service).to receive(:execute).with('some token', integration)
+              it 'does not find an integration' do
+                expect(notify_service).to receive(:execute).with('some token', nil)

-                  make_request
-                end
+                make_request
              end
            end
          end

-          context 'when inextractable' do
-            it 'passes nil for a non-bearer token' do
-              request.headers['HTTP_AUTHORIZATION'] = 'some token'
+          context 'without integration parameters specified' do
+            let_it_be(:integration) { create(:alert_management_http_integration, :legacy, project: project) }

-              expect(notify_service).to receive(:execute).with(nil, nil)
+            it 'extracts and finds the legacy integration' do
+              expect(notify_service).to receive(:execute).with('some token', integration)

              make_request
            end
          end
        end
+      end

-        context 'when missing' do
-          it 'passes nil' do
-            expect(notify_service).to receive(:execute).with(nil, nil)
-
-            make_request
+      context 'with bearer token' do
+        context 'when set' do
+          before do
+            request.headers.merge(build_token_auth_header('some token'))
          end
+
+          it_behaves_like 'a working token'
+        end
+      end
+
+      context 'with basic auth token' do
+        before do
+          request.headers.merge basic_auth_header(nil, 'some token')
+        end
+
+        it_behaves_like 'a working token'
+      end
+
+      context 'when inextractable token' do
+        it 'passes nil for a non-bearer token' do
+          request.headers['HTTP_AUTHORIZATION'] = 'some token'
+
+          expect(notify_service).to receive(:execute).with(nil, nil)
+
+          make_request
+        end
+      end
+
+      context 'when missing token' do
+        it 'passes nil' do
+          expect(notify_service).to receive(:execute).with(nil, nil)
+
+          make_request
        end
      end
    end

-    context 'generic alert payload' do
+    context 'with generic alert payload' do
      it_behaves_like 'process alert payload', Projects::Alerting::NotifyService do
        let(:payload) { { title: 'Alert title' } }
      end
    end

-    context 'Prometheus alert payload' do
+    context 'with Prometheus alert payload' do
      include PrometheusHelpers

      it_behaves_like 'process alert payload', Projects::Prometheus::Alerts::NotifyService do