Commit 7a6c7bd6 authored by Douwe Maan's avatar Douwe Maan Committed by Nick Thomas

Allow token authentication on go-get request

parent 981b5905
---
title: Allow token authentication on go-get request
merge_request:
author:
type: changed
...@@ -20,6 +20,14 @@ module Gitlab ...@@ -20,6 +20,14 @@ module Gitlab
rescue Gitlab::Auth::AuthenticationError rescue Gitlab::Auth::AuthenticationError
nil nil
end end
def valid_access_token?(scopes: [])
validate_access_token!(scopes: scopes)
true
rescue Gitlab::Auth::AuthenticationError
false
end
end end
end end
end end
...@@ -114,7 +114,15 @@ module Gitlab ...@@ -114,7 +114,15 @@ module Gitlab
end end
def current_user(request) def current_user(request)
request.env['warden']&.authenticate authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
return unless user&.can?(:access_api)
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return unless authenticator.valid_access_token?(scopes: [:api])
user
end end
end end
end end
......
...@@ -3,19 +3,30 @@ require 'spec_helper' ...@@ -3,19 +3,30 @@ require 'spec_helper'
describe Gitlab::Middleware::Go do describe Gitlab::Middleware::Go do
let(:app) { double(:app) } let(:app) { double(:app) }
let(:middleware) { described_class.new(app) } let(:middleware) { described_class.new(app) }
let(:env) do
{
'rack.input' => '',
'REQUEST_METHOD' => 'GET'
}
end
describe '#call' do describe '#call' do
describe 'when go-get=0' do describe 'when go-get=0' do
before do
env['QUERY_STRING'] = 'go-get=0'
end
it 'skips go-import generation' do it 'skips go-import generation' do
env = { 'rack.input' => '',
'QUERY_STRING' => 'go-get=0' }
expect(app).to receive(:call).with(env).and_return('no-go') expect(app).to receive(:call).with(env).and_return('no-go')
middleware.call(env) middleware.call(env)
end end
end end
describe 'when go-get=1' do describe 'when go-get=1' do
let(:current_user) { nil } before do
env['QUERY_STRING'] = 'go-get=1'
env['PATH_INFO'] = "/#{path}"
end
shared_examples 'go-get=1' do |enabled_protocol:| shared_examples 'go-get=1' do |enabled_protocol:|
context 'with simple 2-segment project path' do context 'with simple 2-segment project path' do
...@@ -54,21 +65,75 @@ describe Gitlab::Middleware::Go do ...@@ -54,21 +65,75 @@ describe Gitlab::Middleware::Go do
project.update_attribute(:visibility_level, Project::PRIVATE) project.update_attribute(:visibility_level, Project::PRIVATE)
end end
context 'with access to the project' do shared_examples 'unauthorized' do
it 'returns the 2-segment group path' do
expect_response_with_path(go, enabled_protocol, group.full_path)
end
end
context 'when not authenticated' do
it_behaves_like 'unauthorized'
end
context 'when authenticated' do
let(:current_user) { project.creator } let(:current_user) { project.creator }
before do before do
project.team.add_master(current_user) project.team.add_master(current_user)
end end
it 'returns the full project path' do shared_examples 'authenticated' do
expect_response_with_path(go, enabled_protocol, project.full_path) context 'with access to the project' do
it 'returns the full project path' do
expect_response_with_path(go, enabled_protocol, project.full_path)
end
end
context 'without access to the project' do
before do
project.team.find_member(current_user).destroy
end
it_behaves_like 'unauthorized'
end
end end
end
context 'without access to the project' do context 'using warden' do
it 'returns the 2-segment group path' do before do
expect_response_with_path(go, enabled_protocol, group.full_path) env['warden'] = double(authenticate: current_user)
end
context 'when active' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
before do
current_user.block!
end
it_behaves_like 'unauthorized'
end
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end
end end
end end
end end
...@@ -138,12 +203,6 @@ describe Gitlab::Middleware::Go do ...@@ -138,12 +203,6 @@ describe Gitlab::Middleware::Go do
end end
def go def go
env = {
'rack.input' => '',
'QUERY_STRING' => 'go-get=1',
'PATH_INFO' => "/#{path}",
'warden' => double(authenticate: current_user)
}
middleware.call(env) middleware.call(env)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment