Commit 3a62f156 authored by mortyccp's avatar mortyccp

Remove authentication via warden and PRIVATE_TOKEN header

parent b7e0a09d
...@@ -170,6 +170,18 @@ module Gitlab ...@@ -170,6 +170,18 @@ module Gitlab
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def deploy_token_check(login, password) def deploy_token_check(login, password)
return unless password.present? return unless password.present?
...@@ -234,18 +246,6 @@ module Gitlab ...@@ -234,18 +246,6 @@ module Gitlab
public public
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image],
read_repository: [:download_code]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end
def build_authentication_abilities def build_authentication_abilities
[ [
:read_project, :read_project,
......
...@@ -117,32 +117,15 @@ module Gitlab ...@@ -117,32 +117,15 @@ module Gitlab
end end
def current_user(request, project) def current_user(request, project)
current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
end
def current_user_from_access_token_and_warden?(request)
authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
return unless user&.can?(:access_api)
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return unless authenticator.valid_access_token?(scopes: [:api])
user
end
def current_user_from_basic_authentication?(request, project)
return unless has_basic_credentials?(request) return unless has_basic_credentials?(request)
login, password = user_name_and_password(request) login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip) auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success? return unless auth_result.success?
return unless auth_result.actor&.can?(:access_api) return unless auth_result.actor&.can?(:access_git)
if auth_result.type == :personal_access_token return unless auth_result.authentication_abilities.include?(:read_project)
api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
end
auth_result.actor auth_result.actor
end end
......
...@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do ...@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized' it_behaves_like 'unauthorized'
end end
end
context 'using warden' do
before do
env['warden'] = double(authenticate: current_user)
end
context 'when active' do context 'with user is blocked' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
before do before do
current_user.block! current_user.block
end
it_behaves_like 'unauthorized'
end
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end end
it_behaves_like 'unauthorized' it_behaves_like 'unauthorized'
...@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do ...@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
end end
context 'using basic auth' do context 'using basic auth' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) } context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do before do
personal_access_token.update_attribute(:scopes, [:read_user]) env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end end
it_behaves_like 'unauthorized'
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment