Commit a66b2077 authored by Ash McKenzie's avatar Ash McKenzie

Merge branch...

Merge branch '5523-geo-relative-url-roots-in-external_url-causes-redirect-loop-on-secondary-login' into 'master'

Geo: Fix OAuth authentication with relative URLs

Closes #5523

See merge request gitlab-org/gitlab-ee!11976
parents e518d9a8 0f69a31f
---
title: 'Geo: Fix OAuth authentication with relative URLs'
merge_request: 11976
author:
type: fixed
...@@ -8,13 +8,19 @@ module Gitlab ...@@ -8,13 +8,19 @@ module Gitlab
include Gitlab::Utils::StrongMemoize include Gitlab::Utils::StrongMemoize
include GrapePathHelpers::NamedRouteMatcher include GrapePathHelpers::NamedRouteMatcher
# We don't use oauth_token_path helper because its output depends
# on secondary configuration (ex., relative URL) while we really need
# it for a primary. This is why we're building it ourselves using
# primary node configuration and this static URL
TOKEN_PATH = '/oauth/token'
def authorize_url(params = {}) def authorize_url(params = {})
oauth_client.auth_code.authorize_url(params) oauth_client.auth_code.authorize_url(params)
end end
def authenticate(access_token) def authenticate(access_token)
api = OAuth2::AccessToken.from_hash(oauth_client, access_token: access_token) api = OAuth2::AccessToken.from_hash(oauth_client, access_token: access_token)
api.get(api_v4_user_path).parsed api.get(primary_api_user_path).parsed
end end
def get_token(code, params = {}, opts = {}) def get_token(code, params = {}, opts = {})
...@@ -41,8 +47,12 @@ module Gitlab ...@@ -41,8 +47,12 @@ module Gitlab
end end
end end
def primary_api_user_path
Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, api_v4_user_path)
end
def token_url def token_url
Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, oauth_token_path) Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, TOKEN_PATH)
end end
end end
end end
......
...@@ -49,5 +49,35 @@ describe Gitlab::Geo::Oauth::Session, :geo do ...@@ -49,5 +49,35 @@ describe Gitlab::Geo::Oauth::Session, :geo do
expect { subject.authenticate(access_token.token) }.to raise_error(OAuth2::Error) expect { subject.authenticate(access_token.token) }.to raise_error(OAuth2::Error)
end end
end end
context 'primary is configured with relative URL' do
it 'includes primary relative URL path' do
primary_node.update(url: 'http:://localhost/relative-path/')
api_response = double(parsed: true)
expect_any_instance_of(OAuth2::AccessToken)
.to receive(:get).with(%r{^http:://localhost/relative-path/}).and_return(api_response)
subject.authenticate('any token')
end
end
end
describe '#get_token' do
context 'primary is configured with relative URL' do
it "makes the request to a primary's relative URL" do
response = ActiveSupport::JSON.encode({ access_token: 'fake-token' }.as_json)
primary_node.update(url: 'http://example.com/gitlab/')
api_url = "#{primary_node.internal_url}oauth/token"
stub_request(:post, api_url).to_return(
body: response,
headers: { 'Content-Type' => 'application/json' }
)
expect(subject.get_token('any code')).to eq('fake-token')
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment