Revert JWT scope inforcement

d3be0812 · Valery Sizov · 6f550e74 · d3be0812 · d3be0812
Commit d3be0812 authored Feb 20, 2019 by Valery Sizov
Showing with 0 additions and 54 deletions

ee/app/controllers/ee/projects/git_http_controller.rb ee/app/controllers/ee/projects/git_http_controller.rb +0 -9

ee/spec/requests/git_http_geo_spec.rb ee/spec/requests/git_http_geo_spec.rb +0 -45

No files found.
--- a/ee/app/controllers/ee/projects/git_http_controller.rb
+++ b/ee/app/controllers/ee/projects/git_http_controller.rb
@@ -48,7 +48,6 @@ module EE
      def authenticate_user
        return super unless geo_request?
        return render_bad_geo_auth('Bad token') unless decoded_authorization
-        return render_bad_geo_auth('Unauthorized scope') unless jwt_scope_valid?

        # grant access
        @authentication_result = ::Gitlab::Auth::Result.new(nil, project, :geo, [:download_code, :push_code]) # rubocop:disable Gitlab/ModuleWithInstanceVariables
@@ -58,14 +57,6 @@ module EE
        render_bad_geo_auth("Invalid signature time ")
      end

-      def jwt_scope_valid?
-        decoded_authorization[:scope] == ::Gitlab::Geo::JwtRequestDecoder.build_repository_scope(repository_type, project.id)
-      end
-
-      def repository_type
-        wiki? ? 'wiki' : 'repository'
-      end
-
      def decoded_authorization
        strong_memoize(:decoded_authorization) do
          ::Gitlab::Geo::JwtRequestDecoder.new(request.headers['Authorization']).decode

--- a/ee/spec/requests/git_http_geo_spec.rb
+++ b/ee/spec/requests/git_http_geo_spec.rb
@@ -21,7 +21,6 @@ describe "Git HTTP requests (Geo)" do
  let!(:key_for_user_without_push_access) { create(:key, user: user_without_push_access) }

  let(:env) { valid_geo_env }
-  let(:auth_token_with_invalid_scope) { Gitlab::Geo::BaseRequest.new(scope: "invalid-#{project.id}").authorization }

  before do
    project.add_maintainer(user)
@@ -347,50 +346,6 @@ describe "Git HTTP requests (Geo)" do
        end
      end
    end
-
-    context 'invalid scope' do
-      let(:repository_path) { project.full_path }
-
-      subject do
-        make_request
-        response
-      end
-
-      def make_request
-        get "/#{repository_path}.git/info/refs", params: { service: 'git-upload-pack' }, headers: env
-      end
-
-      shared_examples_for 'unauthorized because of invalid scope' do
-        it { is_expected.to have_gitlab_http_status(:unauthorized) }
-
-        it 'returns correct error' do
-          expect(subject.parsed_body).to eq('Geo JWT authentication failed: Unauthorized scope')
-        end
-      end
-
-      context 'invalid scope of Geo JWT token' do
-        let(:env) { geo_env(auth_token_with_invalid_scope) }
-
-        include_examples 'unauthorized because of invalid scope'
-      end
-
-      context 'Geo JWT token scopes for wiki and repository are not interchangeable' do
-        context 'wiki scope' do
-          let(:auth_token_with_valid_wiki_scope) { Gitlab::Geo::BaseRequest.new(scope: "wiki-#{project.id}").authorization }
-          let(:env) { geo_env(auth_token_with_valid_wiki_scope) }
-
-          include_examples 'unauthorized because of invalid scope'
-        end
-
-        context 'respository scope' do
-          let(:repository_path) { project.wiki.full_path }
-          let(:auth_token_with_valid_repository_scope) { Gitlab::Geo::BaseRequest.new(scope: "repository-#{project.id}").authorization }
-          let(:env) { geo_env(auth_token_with_valid_repository_scope) }
-
-          include_examples 'unauthorized because of invalid scope'
-        end
-      end
-    end
  end

  def valid_geo_env