Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
de812b20
Commit
de812b20
authored
Jul 13, 2021
by
Małgorzata Ksionek
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Block impersonation token use if it is not permitted
Changelog: security
parent
cec85a0a
Changes
7
Show whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
97 additions
and
3 deletions
+97
-3
app/controllers/admin/impersonation_tokens_controller.rb
app/controllers/admin/impersonation_tokens_controller.rb
+5
-0
app/views/admin/users/_head.html.haml
app/views/admin/users/_head.html.haml
+3
-2
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+4
-1
spec/features/admin/admin_users_impersonation_tokens_spec.rb
spec/features/admin/admin_users_impersonation_tokens_spec.rb
+12
-0
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+9
-0
spec/requests/admin/impersonation_tokens_controller_spec.rb
spec/requests/admin/impersonation_tokens_controller_spec.rb
+38
-0
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+26
-0
No files found.
app/controllers/admin/impersonation_tokens_controller.rb
View file @
de812b20
...
@@ -2,6 +2,7 @@
...
@@ -2,6 +2,7 @@
class
Admin::ImpersonationTokensController
<
Admin
::
ApplicationController
class
Admin::ImpersonationTokensController
<
Admin
::
ApplicationController
before_action
:user
before_action
:user
before_action
:verify_impersonation_enabled!
feature_category
:authentication_and_authorization
feature_category
:authentication_and_authorization
...
@@ -41,6 +42,10 @@ class Admin::ImpersonationTokensController < Admin::ApplicationController
...
@@ -41,6 +42,10 @@ class Admin::ImpersonationTokensController < Admin::ApplicationController
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: enable CodeReuse/ActiveRecord
def
verify_impersonation_enabled!
access_denied!
unless
helpers
.
impersonation_enabled?
end
def
finder
(
options
=
{})
def
finder
(
options
=
{})
PersonalAccessTokensFinder
.
new
({
user:
user
,
impersonation:
true
}.
merge
(
options
))
PersonalAccessTokensFinder
.
new
({
user:
user
,
impersonation:
true
}.
merge
(
options
))
end
end
...
...
app/views/admin/users/_head.html.haml
View file @
de812b20
...
@@ -42,6 +42,7 @@
...
@@ -42,6 +42,7 @@
=
link_to
_
(
"SSH keys"
),
keys_admin_user_path
(
@user
)
=
link_to
_
(
"SSH keys"
),
keys_admin_user_path
(
@user
)
=
nav_link
(
controller: :identities
)
do
=
nav_link
(
controller: :identities
)
do
=
link_to
_
(
"Identities"
),
admin_user_identities_path
(
@user
)
=
link_to
_
(
"Identities"
),
admin_user_identities_path
(
@user
)
-
if
impersonation_enabled?
=
nav_link
(
controller: :impersonation_tokens
)
do
=
nav_link
(
controller: :impersonation_tokens
)
do
=
link_to
_
(
"Impersonation Tokens"
),
admin_user_impersonation_tokens_path
(
@user
)
=
link_to
_
(
"Impersonation Tokens"
),
admin_user_impersonation_tokens_path
(
@user
)
.gl-mb-3
.gl-mb-3
lib/gitlab/auth.rb
View file @
de812b20
...
@@ -193,7 +193,10 @@ module Gitlab
...
@@ -193,7 +193,10 @@ module Gitlab
def
personal_access_token_check
(
password
,
project
)
def
personal_access_token_check
(
password
,
project
)
return
unless
password
.
present?
return
unless
password
.
present?
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by_token
(
password
)
finder_options
=
{
state:
'active'
}
finder_options
[
:impersonation
]
=
false
unless
Gitlab
.
config
.
gitlab
.
impersonation_enabled
token
=
PersonalAccessTokensFinder
.
new
(
finder_options
).
find_by_token
(
password
)
return
unless
token
return
unless
token
...
...
spec/features/admin/admin_users_impersonation_tokens_spec.rb
View file @
de812b20
...
@@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
...
@@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
expect
(
no_personal_access_tokens_message
).
to
have_text
(
"This user has no active impersonation tokens."
)
expect
(
no_personal_access_tokens_message
).
to
have_text
(
"This user has no active impersonation tokens."
)
end
end
end
end
describe
"impersonation disabled state"
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
"does not show impersonation tokens tab"
do
visit
admin_user_path
(
user
)
expect
(
page
).
not_to
have_content
(
"Impersonation Tokens"
)
end
end
end
end
spec/lib/gitlab/auth_spec.rb
View file @
de812b20
...
@@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
...
@@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect_results_with_abilities
(
impersonation_token
,
described_class
.
full_authentication_abilities
)
expect_results_with_abilities
(
impersonation_token
,
described_class
.
full_authentication_abilities
)
end
end
it
'fails if it is an impersonation token but impersonation is blocked'
do
stub_config_setting
(
impersonation_enabled:
false
)
impersonation_token
=
create
(
:personal_access_token
,
:impersonation
,
scopes:
[
'api'
])
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
nil
,
nil
))
end
it
'limits abilities based on scope'
do
it
'limits abilities based on scope'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
%w[read_user sudo]
)
personal_access_token
=
create
(
:personal_access_token
,
scopes:
%w[read_user sudo]
)
...
...
spec/requests/admin/impersonation_tokens_controller_spec.rb
0 → 100644
View file @
de812b20
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
Admin
::
ImpersonationTokensController
,
:enable_admin_mode
do
let
(
:admin
)
{
create
(
:admin
)
}
let!
(
:user
)
{
create
(
:user
)
}
before
do
sign_in
(
admin
)
end
context
"when impersonation is disabled"
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
"shows error page for index page"
do
get
admin_user_impersonation_tokens_path
(
user_id:
user
.
username
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
it
"responds with 404 for create action"
do
post
admin_user_impersonation_tokens_path
(
user_id:
user
.
username
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
it
"responds with 404 for revoke action"
do
token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
)
put
revoke_admin_user_impersonation_token_path
(
user_id:
user
.
username
,
id:
token
.
id
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
spec/requests/git_http_spec.rb
View file @
de812b20
...
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
...
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
end
end
end
end
end
end
context
'when token is impersonated'
do
context
'when impersonation is off'
do
before
do
stub_config_setting
(
impersonation_enabled:
false
)
end
it
'responds to uploads with status 401 unauthorized'
do
write_access_token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
,
scopes:
[
:write_repository
])
upload
(
path
,
user:
user
.
username
,
password:
write_access_token
.
token
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:unauthorized
)
end
end
end
context
'when impersonation is on'
do
it
'responds to uploads with status 200'
do
write_access_token
=
create
(
:personal_access_token
,
:impersonation
,
user:
user
,
scopes:
[
:write_repository
])
upload
(
path
,
user:
user
.
username
,
password:
write_access_token
.
token
)
do
|
response
|
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment