Commit d3be0812 authored by Valery Sizov

Revert JWT scope inforcement

parent 6f550e74
...@@ -48,7 +48,6 @@ module EE ...@@ -48,7 +48,6 @@ module EE
def authenticate_user def authenticate_user
return super unless geo_request? return super unless geo_request?
return render_bad_geo_auth('Bad token') unless decoded_authorization return render_bad_geo_auth('Bad token') unless decoded_authorization
return render_bad_geo_auth('Unauthorized scope') unless jwt_scope_valid?
# grant access # grant access
@authentication_result = ::Gitlab::Auth::Result.new(nil, project, :geo, [:download_code, :push_code]) # rubocop:disable Gitlab/ModuleWithInstanceVariables @authentication_result = ::Gitlab::Auth::Result.new(nil, project, :geo, [:download_code, :push_code]) # rubocop:disable Gitlab/ModuleWithInstanceVariables
...@@ -58,14 +57,6 @@ module EE ...@@ -58,14 +57,6 @@ module EE
render_bad_geo_auth("Invalid signature time ") render_bad_geo_auth("Invalid signature time ")
end end
def jwt_scope_valid?
decoded_authorization[:scope] == ::Gitlab::Geo::JwtRequestDecoder.build_repository_scope(repository_type, project.id)
end
def repository_type
wiki? ? 'wiki' : 'repository'
end
def decoded_authorization def decoded_authorization
strong_memoize(:decoded_authorization) do strong_memoize(:decoded_authorization) do
::Gitlab::Geo::JwtRequestDecoder.new(request.headers['Authorization']).decode ::Gitlab::Geo::JwtRequestDecoder.new(request.headers['Authorization']).decode
......
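Review bot: With `jwt_scope_valid?` and `repository_type` removed, `authenticate_user` in the first hunk no longer compares the token's `scope` claim against the repository or wiki being served, so a decoded Geo token that passes the remaining checks (a decodable token, and the signature-time check visible in the second hunk) is granted `:download_code` and `:push_code` on `project` regardless of which repository the token's scope named. The deleted specs in the second file documented exactly that property ("scopes for wiki and repository are not interchangeable"), and nothing on the page records why the enforcement is being backed out or what re-enables it. If the revert is needed to unblock something, the commit message should say so and the grant line should carry a marker, e.g. `# NOTE: the token's scope claim is not checked against the target repository here; see <TRACKING-ISSUE>`, so the missing binding is visible to the next reader rather than silently absent. The body of `authenticate_user` continues outside the hunk.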
...@@ -21,7 +21,6 @@ describe "Git HTTP requests (Geo)" do ...@@ -21,7 +21,6 @@ describe "Git HTTP requests (Geo)" do
let!(:key_for_user_without_push_access) { create(:key, user: user_without_push_access) } let!(:key_for_user_without_push_access) { create(:key, user: user_without_push_access) }
let(:env) { valid_geo_env } let(:env) { valid_geo_env }
let(:auth_token_with_invalid_scope) { Gitlab::Geo::BaseRequest.new(scope: "invalid-#{project.id}").authorization }
before do before do
project.add_maintainer(user) project.add_maintainer(user)
...@@ -347,50 +346,6 @@ describe "Git HTTP requests (Geo)" do ...@@ -347,50 +346,6 @@ describe "Git HTTP requests (Geo)" do
end end
end end
end end
context 'invalid scope' do
let(:repository_path) { project.full_path }
subject do
make_request
response
end
def make_request
get "/#{repository_path}.git/info/refs", params: { service: 'git-upload-pack' }, headers: env
end
shared_examples_for 'unauthorized because of invalid scope' do
it { is_expected.to have_gitlab_http_status(:unauthorized) }
it 'returns correct error' do
expect(subject.parsed_body).to eq('Geo JWT authentication failed: Unauthorized scope')
end
end
context 'invalid scope of Geo JWT token' do
let(:env) { geo_env(auth_token_with_invalid_scope) }
include_examples 'unauthorized because of invalid scope'
end
context 'Geo JWT token scopes for wiki and repository are not interchangeable' do
context 'wiki scope' do
let(:auth_token_with_valid_wiki_scope) { Gitlab::Geo::BaseRequest.new(scope: "wiki-#{project.id}").authorization }
let(:env) { geo_env(auth_token_with_valid_wiki_scope) }
include_examples 'unauthorized because of invalid scope'
end
context 'respository scope' do
let(:repository_path) { project.wiki.full_path }
let(:auth_token_with_valid_repository_scope) { Gitlab::Geo::BaseRequest.new(scope: "repository-#{project.id}").authorization }
let(:env) { geo_env(auth_token_with_valid_repository_scope) }
include_examples 'unauthorized because of invalid scope'
end
end
end
end end
def valid_geo_env def valid_geo_env
......