Add HTTP Basic support for Alert authentication

app/controllers/projects/alerting/notifications_controller.rb

@@ -3,6 +3,8 @@
 module Projects
   module Alerting
     class NotificationsController < Projects::ApplicationController
+      include ActionController::HttpAuthentication::Basic
+
       respond_to :json
 
       skip_before_action :verify_authenticity_token
@@ -27,9 +29,19 @@ module Projects
       end
 
       def extract_alert_manager_token(request)
+        extract_bearer_token(request) || extract_basic_auth_token(request)
+      end
+
+      def extract_bearer_token(request)
         Doorkeeper::OAuth::Token.from_bearer_authorization(request)
       end
 
+      def extract_basic_auth_token(request)
+        _username, token = user_name_and_password(request)
+
+        token
+      end
+
       def notify_service
         notify_service_class.new(project, notification_payload)
       end

doc/operations/incident_management/integrations.md

@@ -125,17 +125,7 @@ NOTE:
 Ensure your requests are smaller than the
 [payload application limits](../../administration/instance_limits.md#generic-alert-json-payloads).
 
-Example request:
-
-```shell
-curl --request POST \
-  --data '{"title": "Incident title"}' \
-  --header "Authorization: Bearer <authorization_key>" \
-  --header "Content-Type: application/json" \
-  <url>
-```
-
-The `<authorization_key>` and `<url>` values can be found when configuring an alert integration.
+### Example request body
 
 Example payload:
 
@@ -157,6 +147,55 @@ Example payload:
 }
 ```
 
+## Authorization
+
+The following authorization methods are accepted:
+
+- Bearer authorization header
+- Basic authentication
+
+The `<authorization_key>` and `<url>` values can be found when configuring an alert integration.
+
+### Bearer authorization header
+
+The authorization key can be used as the Bearer token:
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Authorization: Bearer <authorization_key>" \
+  --header "Content-Type: application/json" \
+  <url>
+```
+
+### Basic authentication
+
+The authorization key can be used as the `password`. The `username` is left blank:
+
+- username: <blank>
+- pasword: authorization_key
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Authorization: Basic <base_64_encoded_credentials>" \
+  --header "Content-Type: application/json" \
+  <url>
+```
+
+Basic authentication can also be used with credentials directly in the URL:
+
+```shell
+curl --request POST \
+  --data '{"title": "Incident title"}' \
+  --header "Content-Type: application/json" \
+  <username:password@url>
+```
+
+WARNING:
+Using your authorization key in the URL is insecure, as it's visible in server logs. We recommend
+using one of the above header options if your tooling supports it.
+
 ## Triggering test alerts
 
 > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3066) in GitLab in 13.2.

spec/controllers/projects/alerting/notifications_controller_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Projects::Alerting::NotificationsController do
+  include HttpBasicAuthHelpers
+
   let_it_be(:project) { create(:project) }
   let_it_be(:environment) { create(:environment, project: project) }
 
@@ -53,14 +55,8 @@ RSpec.describe Projects::Alerting::NotificationsController do
         end
       end
 
-      context 'bearer token' do
-        context 'when set' do
-          context 'when extractable' do
-            before do
-              request.headers['HTTP_AUTHORIZATION'] = 'Bearer some token'
-            end
-
-            it 'extracts bearer token' do
+      shared_examples 'a working token' do
+        it 'extracts token' do
           expect(notify_service).to receive(:execute).with('some token', nil)
 
           make_request
@@ -105,7 +101,25 @@ RSpec.describe Projects::Alerting::NotificationsController do
         end
       end
 
-          context 'when inextractable' do
+      context 'with bearer token' do
+        context 'when set' do
+          before do
+            request.headers.merge(build_token_auth_header('some token'))
+          end
+
+          it_behaves_like 'a working token'
+        end
+      end
+
+      context 'with basic auth token' do
+        before do
+          request.headers.merge basic_auth_header(nil, 'some token')
+        end
+
+        it_behaves_like 'a working token'
+      end
+
+      context 'when inextractable token' do
         it 'passes nil for a non-bearer token' do
           request.headers['HTTP_AUTHORIZATION'] = 'some token'
 
@@ -114,9 +128,8 @@ RSpec.describe Projects::Alerting::NotificationsController do
           make_request
         end
       end
-        end
 
-        context 'when missing' do
+      context 'when missing token' do
         it 'passes nil' do
           expect(notify_service).to receive(:execute).with(nil, nil)
 
@@ -124,15 +137,14 @@ RSpec.describe Projects::Alerting::NotificationsController do
         end
       end
     end
-    end
 
-    context 'generic alert payload' do
+    context 'with generic alert payload' do
       it_behaves_like 'process alert payload', Projects::Alerting::NotifyService do
         let(:payload) { { title: 'Alert title' } }
       end
     end
 
-    context 'Prometheus alert payload' do
+    context 'with Prometheus alert payload' do
       include PrometheusHelpers
 
       it_behaves_like 'process alert payload', Projects::Prometheus::Alerts::NotifyService do