Commit d0d87238 authored by GitLab Bot's avatar GitLab Bot

Automatic merge of gitlab-org/gitlab-ce master

parents 546820e3 420442c5
---
title: Use reports syntax for Dependency scanning in Auto DevOps
merge_request: 24081
author:
type: added
---
title: Allow basic authentication on go get middleware
merge_request: 23497
author: Morty Choi @mortyccp
type: changed
......@@ -359,6 +359,9 @@ Any security warnings are also
NOTE: **Note:**
The Auto Dependency Scanning stage will be skipped on licenses other than Ultimate.
NOTE: **Note:**
The Auto Dependency Scanning job requires GitLab Runner 11.5 or above.
### Auto License Management **[ULTIMATE]**
> Introduced in [GitLab Ultimate][ee] 11.0.
......
......@@ -185,7 +185,8 @@ dependency_scanning:
- setup_docker
- dependency_scanning
artifacts:
paths: [gl-dependency-scanning-report.json]
reports:
dependency_scanning: gl-dependency-scanning-report.json
only:
refs:
- branches
......
......@@ -6,6 +6,7 @@ module Gitlab
module Middleware
class Go
include ActionView::Helpers::TagHelper
include ActionController::HttpAuthentication::Basic
PROJECT_PATH_REGEX = %r{\A(#{Gitlab::PathRegex.full_namespace_route_regex}/#{Gitlab::PathRegex.project_route_regex})/}.freeze
......@@ -14,7 +15,7 @@ module Gitlab
end
def call(env)
request = Rack::Request.new(env)
request = ActionDispatch::Request.new(env)
render_go_doc(request) || @app.call(env)
end
......@@ -110,21 +111,23 @@ module Gitlab
def project_for_paths(paths, request)
project = Project.where_full_path_in(paths).first
return unless Ability.allowed?(current_user(request), :read_project, project)
return unless Ability.allowed?(current_user(request, project), :read_project, project)
project
end
def current_user(request)
authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
def current_user(request, project)
return unless has_basic_credentials?(request)
return unless user&.can?(:access_api)
login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success?
# Right now, the `api` scope is the only one that should be able to determine private project existence.
return unless authenticator.valid_access_token?(scopes: [:api])
return unless auth_result.actor&.can?(:access_git)
user
return unless auth_result.authentication_abilities.include?(:read_project)
auth_result.actor
end
end
end
......
......@@ -96,43 +96,36 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized'
end
end
context 'using warden' do
before do
env['warden'] = double(authenticate: current_user)
end
context 'when active' do
it_behaves_like 'authenticated'
end
context 'when blocked' do
context 'with user is blocked' do
before do
current_user.block!
current_user.block
end
it_behaves_like 'unauthorized'
end
end
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
before do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'using basic auth' do
context 'using a personal access token' do
let(:personal_access_token) { create(:personal_access_token, user: current_user) }
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
env['REMOTE_ADDR'] = "192.168.0.1"
env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
end
it_behaves_like 'unauthorized'
context 'with api scope' do
it_behaves_like 'authenticated'
end
context 'with read_user scope' do
before do
personal_access_token.update_attribute(:scopes, [:read_user])
end
it_behaves_like 'unauthorized'
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment