Commit bee780e8 authored by Timothy Andrew's avatar Timothy Andrew

Allow OAuth clients to push code

- We currently support fetching code with username = 'oauth2' and
  password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
  error.
- There's no reason this shouldn't be enabled, especially since we allow the
  OAuth client to create deploy keys with push access:

  https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
parent 7629c9ec
---
title: Allow OAuth clients to push code
merge_request: 10677
author:
...@@ -108,7 +108,7 @@ module Gitlab ...@@ -108,7 +108,7 @@ module Gitlab
token = Doorkeeper::AccessToken.by_token(password) token = Doorkeeper::AccessToken.by_token(password)
if valid_oauth_token?(token) if valid_oauth_token?(token)
user = User.find_by(id: token.resource_owner_id) user = User.find_by(id: token.resource_owner_id)
Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities) Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
end end
end end
end end
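Review bot: With the ability set widened from `read_authentication_abilities` to `full_authentication_abilities` on the `Gitlab::Auth::Result.new(user, nil, :oauth, …)` line, the `api` scope check is now the only thing standing between an OAuth token and push access, and that check lives in `valid_oauth_token?`, outside this hunk; it should be confirmed to reject expired and revoked tokens as well as wrong scopes, since a read-only token leaking was a smaller problem than a write-capable one. In the same hunk `User.find_by(id: token.resource_owner_id)` can return nil and is handed to the Result unguarded; presumably a later check in the caller handles a nil user, but that is not visible here. I would also add a comment above the Result line so the widening is deliberate on its face: `# An OAuth token with the api scope acts as the owner's own credentials: it may push as well as fetch.` The enclosing method begins and ends outside the hunk.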
...@@ -118,7 +118,7 @@ describe Gitlab::Auth, lib: true do ...@@ -118,7 +118,7 @@ describe Gitlab::Auth, lib: true do
it 'succeeds for OAuth tokens with the `api` scope' do it 'succeeds for OAuth tokens with the `api` scope' do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2') expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2')
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)) expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities))
end end
it 'fails for OAuth tokens with other scopes' do it 'fails for OAuth tokens with other scopes' do
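Review bot: The updated expectation in `it 'succeeds for OAuth tokens with the `api` scope'` pins the new happy path only; now that a valid token yields `full_authentication_abilities`, the suite should also pin that an expired or revoked token with the `api` scope is not granted those abilities, unless such a case already exists outside this hunk. The neighbouring `it 'fails for OAuth tokens with other scopes'` covers scope but, as far as the hunk shows, not token lifetime. The `describe` block continues outside the hunk.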
...@@ -270,10 +270,10 @@ describe 'Git HTTP requests', lib: true do ...@@ -270,10 +270,10 @@ describe 'Git HTTP requests', lib: true do
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE) expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
end end
it "uploads get status 401 (no project existence information leak)" do it "uploads get status 200" do
push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
expect(response).to have_http_status(401) expect(response).to have_http_status(200)
end end
end end
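Review bot: Renaming the example from "uploads get status 401 (no project existence information leak)" to "uploads get status 200" drops the property the old example documented; the new example only asserts that the OAuth user with push rights receives 200. A companion example asserting that an OAuth token for a user without push access to the project still receives the same non-200 status as an unauthenticated client would preserve the existence-leak check, unless that case is already covered elsewhere in this spec. The enclosing `describe` block starts and ends outside the hunk.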