Merge branch 'allow-basic-auth-on-go-get-middleware' into 'master'

Allow basic auth on go get middleware

Closes #45055

See merge request gitlab-org/gitlab-ce!23497

3 files changed, 35 insertions, 34 deletions

diff --git a/changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml b/changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
new file mode 100644
index 00000000000..fda3fdc28cf
--- /dev/null
+++ b/changelogs/unreleased/allow-basic-auth-on-go-get-middleware.yml
@@ -0,0 +1,5 @@
+---
+title: Allow basic authentication on go get middleware
+merge_request: 23497
+author: Morty Choi @mortyccp
+type: changed
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index d1a87c3b3bb..72a788022ef 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -6,6 +6,7 @@ module Gitlab
   module Middleware
     class Go
       include ActionView::Helpers::TagHelper
+      include ActionController::HttpAuthentication::Basic
 
       PROJECT_PATH_REGEX = %r{\A(#{Gitlab::PathRegex.full_namespace_route_regex}/#{Gitlab::PathRegex.project_route_regex})/}.freeze
 
@@ -14,7 +15,7 @@ module Gitlab
       end
 
       def call(env)
-        request = Rack::Request.new(env)
+        request = ActionDispatch::Request.new(env)
 
         render_go_doc(request) || @app.call(env)
       end
@@ -110,21 +111,23 @@ module Gitlab
 
       def project_for_paths(paths, request)
         project = Project.where_full_path_in(paths).first
-        return unless Ability.allowed?(current_user(request), :read_project, project)
+        return unless  Ability.allowed?(current_user(request, project), :read_project, project)
 
         project
       end
 
-      def current_user(request)
-        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
-        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+      def current_user(request, project)
+        return unless has_basic_credentials?(request)
 
-        return unless user&.can?(:access_api)
+        login, password = user_name_and_password(request)
+        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
+        return unless auth_result.success?
 
-        # Right now, the `api` scope is the only one that should be able to determine private project existence.
-        return unless authenticator.valid_access_token?(scopes: [:api])
+        return unless auth_result.actor&.can?(:access_git)
 
-        user
+        return unless auth_result.authentication_abilities.include?(:read_project)
+
+        auth_result.actor
       end
     end
   end
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index 7a3a9ab875b..f52095bf633 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -96,43 +96,36 @@ describe Gitlab::Middleware::Go do
 
                     it_behaves_like 'unauthorized'
                   end
-                end
-
-                context 'using warden' do
-                  before do
-                    env['warden'] = double(authenticate: current_user)
-                  end
 
-                  context 'when active' do
-                    it_behaves_like 'authenticated'
-                  end
-
-                  context 'when blocked' do
+                  context 'with user is blocked' do
                     before do
-                      current_user.block!
+                      current_user.block
                     end
 
                     it_behaves_like 'unauthorized'
                   end
                 end
 
-                context 'using a personal access token' do
-                  let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
-                  before do
-                    env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
-                  end
-
-                  context 'with api scope' do
-                    it_behaves_like 'authenticated'
-                  end
+                context 'using basic auth' do
+                  context 'using a personal access token' do
+                    let(:personal_access_token) { create(:personal_access_token, user: current_user) }
 
-                  context 'with read_user scope' do
                     before do
-                      personal_access_token.update_attribute(:scopes, [:read_user])
+                      env['REMOTE_ADDR'] = "192.168.0.1"
+                      env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
                     end
 
-                    it_behaves_like 'unauthorized'
+                    context 'with api scope' do
+                      it_behaves_like 'authenticated'
+                    end
+
+                    context 'with read_user scope' do
+                      before do
+                        personal_access_token.update_attribute(:scopes, [:read_user])
+                      end
+
+                      it_behaves_like 'unauthorized'
+                    end
                   end
                 end
               end