Commit 188d4271 authored by Imre Farkas

Merge branch 'fix/219551_project_token_http' into 'master'

fix: allow bot account to clone through http (#219551)

Closes #219551

See merge request gitlab-org/gitlab!40635
parents 5b91cf71 a72c4b7a
---
title: allow project bot account to clone through http
merge_request: 40635
author: Philippe Vienne @PhilippeVienne
type: fixed
...@@ -50,7 +50,7 @@ module Gitlab ...@@ -50,7 +50,7 @@ module Gitlab
build_access_token_check(login, password) || build_access_token_check(login, password) ||
lfs_token_check(login, password, project) || lfs_token_check(login, password, project) ||
oauth_access_token_check(login, password) || oauth_access_token_check(login, password) ||
personal_access_token_check(password) || personal_access_token_check(password, project) ||
deploy_token_check(login, password, project) || deploy_token_check(login, password, project) ||
user_with_password_for_git(login, password) || user_with_password_for_git(login, password) ||
Gitlab::Auth::Result.new Gitlab::Auth::Result.new
...@@ -189,12 +189,18 @@ module Gitlab ...@@ -189,12 +189,18 @@ module Gitlab
end end
end end
def personal_access_token_check(password) def personal_access_token_check(password, project)
return unless password.present? return unless password.present?
token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password) token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)
if token && valid_scoped_token?(token, all_available_scopes) && token.user.can?(:log_in) return unless token
return if project && token.user.project_bot? && !project.bots.include?(token.user)
return unless valid_scoped_token?(token, all_available_scopes)
if token.user.project_bot? || token.user.can?(:log_in)
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end end
end end
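Review bot: The new `if token.user.project_bot? || token.user.can?(:log_in)` in personal_access_token_check skips the `:log_in` ability check entirely for bot users, so whatever that ability guards (blocked or deactivated accounts, presumably) is no longer enforced for project access tokens; and because the membership guard two lines above is conditional on `project`, a bot token reaching this method with `project` nil now authenticates with no project scoping at all (the old `can?(:log_in)` path no longer rejects it) — I cannot confirm from here whether any caller passes nil, but the method now permits it. I would make the bot branch explicit about what it bypasses: replace the membership line with `return if token.user.project_bot? && (project.nil? || !project.bots.include?(token.user))`, and replace the final `if` with a guard that still checks account state for bots, e.g. `return unless token.user.project_bot? ? token.user.active? : token.user.can?(:log_in)` (assuming `active?` is the user state predicate here — confirm), followed by the unconditional `Gitlab::Auth::Result.new(...)`. The specs in this MR only cover a bot with no membership; a case with `project: nil` and one with a bot that is a member of a different project would pin both behaviours. Both hunks of this file are complete in the view; the enclosing module and class are not.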
...@@ -358,6 +358,29 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -358,6 +358,29 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end end
end end
context 'when using a project access token' do
let_it_be(:project_bot_user) { create(:user, :project_bot) }
let_it_be(:project_access_token) { create(:personal_access_token, user: project_bot_user) }
context 'with valid project access token' do
before_all do
project.add_maintainer(project_bot_user)
end
it 'succeeds' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities))
end
end
context 'with invalid project access token' do
it 'fails' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
end
end
end end
context 'while using regular user and password' do context 'while using regular user and password' do