From 8d441c8191f3348f07e378d87e9458d0be7ad2f3 Mon Sep 17 00:00:00 2001
From: Alain Takoudjou
Date: Thu, 20 Sep 2018 10:18:46 +0200
Subject: [PATCH] NXD: access token should be valid for project and namespace when doing git clone https://gitlab-ci-token:RUNNER_TOKEN@GITLAB_URL/NAMESPACE/PROJECT.git user is always gitlab-ci-token and cannot be used to identify the project, runner token is not unique per project. If two projects in the namespace has the same token and the wrong project is returned by `build_access_token_check` method, gitlab will simply return 404. `build_access_token_check` now take namespace_id as parameter so that we can ensure that we authenticate on the right project.
---
 app/controllers/jwt_controller.rb | 4 +++-
 .../projects/git_http_client_controller.rb | 3 ++-
 lib/gitlab/auth.rb | 16 ++++++++++------
 3 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index c2e4d62b50b..2ad2b9e2e2a 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -23,7 +23,9 @@ class JwtController < ApplicationController
 @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)
 authenticate_with_http_basic do |login, password|
- @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
+ @authentication_result = Gitlab::Auth.find_for_git_client(
+ login, password, project: nil, ip: request.ip,
+ namespace_id: params[:namespace_id])
 render_unauthorized unless @authentication_result.success? &&
 (@authentication_result.actor.nil? || @authentication_result.actor.is_a?(User))
diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index 216c158e41e..ee4925660b3 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
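Review bot: `params[:namespace_id]` is read in `JwtController`, but the `/jwt/auth` route that registry clients hit has, as far as I can tell, no `:namespace_id` segment (the repository path arrives in the `scope` parameter), so this value will normally be nil. In `Gitlab::Auth.build_access_token_check` (the auth.rb hunk further down) a nil namespace skips the project `runners_token` lookup altogether and only the `Ci::Build` job-token path remains, so runner-token authentication through this endpoint silently stops working instead of failing with a clear error. Either keep the unscoped project lookup as the fallback when `namespace_id` is nil, or record the limitation at the call site: `# /jwt/auth carries no :namespace_id; nil disables the runners_token lookup in Gitlab::Auth.build_access_token_check — TODO confirm`. The enclosing method continues outside the hunk.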
@@ -125,7 +125,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
 def handle_basic_authentication(login, password)
 @authentication_result = Gitlab::Auth.find_for_git_client(
- login, password, project: project, ip: request.ip)
+ login, password, project: project, ip: request.ip,
+ namespace_id: params[:namespace_id])
 return false unless @authentication_result.success?
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index df58db945fd..a79297fcd52 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -7,7 +7,7 @@ module Gitlab
 OPTIONAL_SCOPES = SCOPES - DEFAULT_SCOPES
 class << self
- def find_for_git_client(login, password, project:, ip:)
+ def find_for_git_client(login, password, project:, ip:, namespace_id:)
 raise "Must provide an IP for rate limiting" if ip.nil?
 # `user_with_password_for_git` should be the last check
@@ -15,7 +15,7 @@ module Gitlab
 # is enabled.
 result =
 service_request_check(login, password, project) ||
- build_access_token_check(login, password) ||
+ build_access_token_check(login, password, namespace_id: namespace_id) ||
 lfs_token_check(login, password) ||
 oauth_access_token_check(login, password) ||
 personal_access_token_check(login, password) ||
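Review bot: This controller already holds the resolved `project` and passes it on the same call, so `params[:namespace_id]` adds a second, string-typed identity for the same request that `Gitlab::Auth` then has to re-resolve with `Namespace.find_by_path_or_name`. Scoping to the namespace also leaves open the ambiguity the commit message itself raises — two projects in one namespace may still share a `runners_token` — whereas constraining the lookup on `project.id` identifies exactly the project named in the URL. I would let `build_access_token_check` receive `project` (nil on the JWT path) and treat the namespace only as a fallback; the `@@ -7` and `@@ -15` hunks of auth.rb below are where that wiring would change. `handle_basic_authentication` continues past the end of the hunk.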
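Review bot: `namespace_id:` becomes a required keyword on `find_for_git_client`, so any caller not updated by this commit (only the two controllers above are touched, and the diffstat lists no spec changes) fails with an `ArgumentError` at request time rather than at boot. A default keeps existing callers working while the new scoping stays available: `def find_for_git_client(login, password, project:, ip:, namespace_id: nil)`. The method body continues beyond the hunk.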
@@ -151,14 +151,18 @@ module Gitlab
 end
 end
- def build_access_token_check(login, password)
+ def build_access_token_check(login, password, namespace_id:)
 return unless login == 'gitlab-ci-token'
 return unless password
 # XXX-nxd: we also accept runners_token if enabled on projects
- project = Project.with_builds_enabled.find_by(runners_token: password)
- if project
- Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
+ namespace = Namespace.find_by_path_or_name(namespace_id)
+ if namespace
+ # find for project in the given namespace
+ project = Project.with_builds_enabled.find_by(runners_token: password, namespace_id: namespace.id)
+ if project
+ Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
+ end
 else
 build = ::Ci::Build.running.find_by_token(password)
 return unless build
-- 
2.30.9
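Review bot: When `Namespace.find_by_path_or_name` finds the namespace but no project matches `runners_token`, the new `if namespace` branch falls through to nil and the `else` branch is never reached, so a CI job token (`::Ci::Build.running.find_by_token`) presented against any URL with a resolvable namespace is no longer checked at all — a regression for `gitlab-ci-token:$CI_JOB_TOKEN` clones that the commit message does not mention. Only the runner-token lookup should depend on the namespace; the job-token lookup has to remain the fallback, as in the rewrite below. Separately, if `find_by_path_or_name` also matches on the display `name`, as its name suggests, it can resolve a namespace other than the one in the URL, and for nested groups `namespace_id` is a full path containing `/` that neither column holds; `Namespace.find_by_full_path` is the stricter lookup if this GitLab version provides it. The method continues outside the hunk (the job-token `Result` construction).
```ruby
def build_access_token_check(login, password, namespace_id:)
  return unless login == 'gitlab-ci-token'
  return unless password

  # XXX-nxd: we also accept runners_token if enabled on projects,
  # restricted to the namespace named in the request URL
  namespace = Namespace.find_by_path_or_name(namespace_id) if namespace_id
  project = Project.with_builds_enabled.find_by(runners_token: password, namespace_id: namespace.id) if namespace
  return Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities) if project

  # job tokens are checked regardless of the namespace lookup
  build = ::Ci::Build.running.find_by_token(password)
  return unless build
  # … unchanged: job-token Result construction …
```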