Add an extra layer of security by checking a token

Add an extra layer of security by checking a development token to prevent users from starting using WIP feature on private GitLab instances.

Add an extra layer of security by checking a token
Add an extra layer of security by checking a development token to prevent users from starting using WIP feature on private GitLab instances.
580a4249 · Vitali Tatarintev · b4645b55 · 580a4249 · 580a4249 · 580a4249
Commit 580a4249 authored Sep 05, 2019 by Vitali Tatarintev
4 changed files
--- a/ee/app/services/projects/alerting/notify_service.rb
+++ b/ee/app/services/projects/alerting/notify_service.rb
@@ -5,10 +5,17 @@ module Projects
    class NotifyService < BaseService
      include Gitlab::Utils::StrongMemoize

-      def execute
-        process_incident_issues if create_issue?
+      # Prevents users to use WIP feature on private GitLab instances
+      # by enabling 'generic_alert_endpoint' feature manually.
+      DEV_TOKEN = :development_token

-        true
+      def execute(token)
+        return unauthorized unless valid_token?(token)
+        return forbidden unless create_issue?
+
+        process_incident_issues
+
+        ServiceResponse.success
      end

      private
@@ -33,6 +40,18 @@ module Projects
      def parsed_payload
        Gitlab::Alerting::NotificationPayloadParser.call(params.to_h)
      end
+
+      def valid_token?(token)
+        token == DEV_TOKEN
+      end
+
+      def unauthorized
+        ServiceResponse.error(message: 'Unauthorized', http_status: 401)
+      end
+
+      def forbidden
+        ServiceResponse.error(message: 'Forbidden', http_status: 403)
+      end
    end
  end
 end
--- a/ee/spec/services/projects/alerting/notify_service_spec.rb
+++ b/ee/spec/services/projects/alerting/notify_service_spec.rb
@@ -10,7 +10,33 @@ describe Projects::Alerting::NotifyService do
    project.clear_memoization(:licensed_feature_available)
  end

+  shared_examples 'processes incident issues' do |amount|
+    let(:create_incident_service) { spy }
+
+    it 'processes issues', :sidekiq do
+      expect(IncidentManagement::ProcessAlertWorker)
+        .to receive(:perform_async)
+        .with(project.id, kind_of(Hash))
+        .exactly(amount).times
+
+      Sidekiq::Testing.inline! do
+        expect(subject.status).to eq(:success)
+      end
+    end
+  end
+
+  shared_examples 'does not process incident issues' do |http_status:|
+    it 'does not process issues' do
+      expect(IncidentManagement::ProcessAlertWorker)
+        .not_to receive(:perform_async)
+
+      expect(subject.status).to eq(:error)
+      expect(subject.http_status).to eq(http_status)
+    end
+  end
+
  describe '#execute' do
+    let(:token) { :development_token }
    let(:starts_at) { Time.now.change(usec: 0) }
    let(:service) { described_class.new(project, nil, payload) }
    let(:payload_raw) do
@@ -21,7 +47,7 @@ describe Projects::Alerting::NotifyService do
    end
    let(:payload) { ActionController::Parameters.new(payload_raw).permit! }

-    subject { service.execute }
+    subject { service.execute(token) }

    context 'with license' do
      before do
@@ -33,15 +59,23 @@ describe Projects::Alerting::NotifyService do
          stub_feature_flags(generic_alert_endpoint: true)
        end

+        context 'with valid token' do
          it_behaves_like 'processes incident issues', 1
        end

+        context 'with invalid token' do
+          let(:token) { 'invalid-token' }
+
+          it_behaves_like 'does not process incident issues', http_status: 401
+        end
+      end
+
      context 'with Generic Alert Endpoint feature disabled' do
        before do
          stub_feature_flags(generic_alert_endpoint: false)
        end

-        it_behaves_like 'does not process incident issues'
+        it_behaves_like 'does not process incident issues', http_status: 403
      end
    end

@@ -50,7 +84,7 @@ describe Projects::Alerting::NotifyService do
        stub_licensed_features(incident_management: false)
      end

-      it_behaves_like 'does not process incident issues'
+      it_behaves_like 'does not process incident issues', http_status: 403
    end
  end
 end
--- a/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
+++ b/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
@@ -29,6 +29,30 @@ describe Projects::Prometheus::Alerts::NotifyService do
    end
  end

+  shared_examples 'processes incident issues' do |amount|
+    let(:create_incident_service) { spy }
+
+    it 'processes issues', :sidekiq do
+      expect(IncidentManagement::ProcessAlertWorker)
+        .to receive(:perform_async)
+        .with(project.id, kind_of(Hash))
+        .exactly(amount).times
+
+      Sidekiq::Testing.inline! do
+        expect(subject).to eq(true)
+      end
+    end
+  end
+
+  shared_examples 'does not process incident issues' do
+    it 'does not process issues' do
+      expect(IncidentManagement::ProcessAlertWorker)
+        .not_to receive(:perform_async)
+
+      expect(subject).to eq(true)
+    end
+  end
+
  shared_examples 'persists events' do
    let(:create_events_service) { spy }


--- a/ee/spec/support/shared_examples/services/alerting.rb
+++ b/ee/spec/support/shared_examples/services/alerting.rb
-# frozen_string_literal: true
-
-shared_examples 'processes incident issues' do |amount|
-  let(:create_incident_service) { spy }
-
-  it 'processes issues', :sidekiq do
-    expect(IncidentManagement::ProcessAlertWorker)
-      .to receive(:perform_async)
-      .with(project.id, kind_of(Hash))
-      .exactly(amount).times
-
-    Sidekiq::Testing.inline! do
-      expect(subject).to eq(true)
-    end
-  end
-end
-
-shared_examples 'does not process incident issues' do
-  it 'does not process issues' do
-    expect(IncidentManagement::ProcessAlertWorker)
-      .not_to receive(:perform_async)
-
-    expect(subject).to eq(true)
-  end
-end