authorDouwe Maan <douwe@selenight.nl>2018-02-20 11:38:26 +0100
committerDouwe Maan <douwe@selenight.nl>2018-02-20 11:38:26 +0100
commitf174fb6c2ac6c723152a8044c02fdcf4d42d37b9 (patch)
treeb193aef391f934ae305002303c5d4f7ac489720d
parent39499e3841bf631aeadfa1d483e8d1acd22d9f0a (diff)
downloadgitlab-ce-dm-go-get-api-token.tar.gz
Ignore RSS token and validate token scopedm-go-get-api-token
-rw-r--r--lib/gitlab/auth/request_authenticator.rb8
-rw-r--r--lib/gitlab/middleware/go.rb11
-rw-r--r--spec/lib/gitlab/middleware/go_spec.rb44
3 files changed, 52 insertions, 11 deletions
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index 46ec040ce92..a0b5cd868c3 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -20,6 +20,14 @@ module Gitlab
rescue Gitlab::Auth::AuthenticationError
nil
end
+
+ def valid_access_token?(scopes: [])
+ validate_access_token!(scopes: scopes)
+
+ true
+ rescue Gitlab::Auth::AuthenticationError
+ false
+ end
end
end
end
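Review bot: `valid_access_token?` is named like a predicate on a token, but it appears to return `true` for a request that carries no access token at all — the go_spec hunk relies on a warden (session) user passing `valid_access_token?(scopes: [:api])`, which only works if `validate_access_token!` is a no-op without a token; I cannot see that method here, so please confirm. A future caller could easily read `valid_access_token?` as "a token was presented and it is valid" and use it as an authentication check. I'd document the contract above the method: `# True when no access token was presented, or when the presented token passes validation for the given scopes. This is a scope check, not an authentication check — find the user first.` The enclosing class continues outside the hunk.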
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 6c1b04b2838..1fd8f147b44 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -114,8 +114,15 @@ module Gitlab
end
def current_user(request)
- user = Gitlab::Auth::RequestAuthenticator.new(request).user
- user if user&.can?(:access_api)
+ authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+ user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+
+ return unless user&.can?(:access_api)
+
+ # Right now, the `api` scope is the only one that should be able to determine private project existence.
+ return unless authenticator.valid_access_token?(scopes: [:api])
+
+ user
end
end
end
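Review bot: The new `current_user` drops the `rescue Gitlab::Auth::AuthenticationError` that the replaced `user` call had (the rescue tail at the top of the request_authenticator hunk belongs to that method). `find_user_from_access_token` is now called directly, and if it raises for a revoked or expired token — as the old rescue suggests these finders can — the exception escapes the Go middleware instead of degrading to the anonymous path; only the later `valid_access_token?` call is guarded. I'd add `rescue Gitlab::Auth::AuthenticationError` / `nil` before the method's `end` so a bad token yields the same 2-segment group path as an unauthenticated request. The spec hunks cover blocked users and an under-scoped token but not a revoked/expired one, so this path is currently untested. The enclosing class continues outside the hunk.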
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index 0a3150c0317..b24c9882c0c 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -65,30 +65,36 @@ describe Gitlab::Middleware::Go do
project.update_attribute(:visibility_level, Project::PRIVATE)
end
- context 'when not authenticated' do
+ shared_examples 'unauthorized' do
it 'returns the 2-segment group path' do
expect_response_with_path(go, enabled_protocol, group.full_path)
end
end
+ context 'when not authenticated' do
+ it_behaves_like 'unauthorized'
+ end
+
context 'when authenticated' do
let(:current_user) { project.creator }
+ before do
+ project.team.add_master(current_user)
+ end
+
shared_examples 'authenticated' do
context 'with access to the project' do
- before do
- project.team.add_master(current_user)
- end
-
it 'returns the full project path' do
expect_response_with_path(go, enabled_protocol, project.full_path)
end
end
context 'without access to the project' do
- it 'returns the 2-segment group path' do
- expect_response_with_path(go, enabled_protocol, group.full_path)
+ before do
+ project.team.find_member(current_user).destroy
end
+
+ it_behaves_like 'unauthorized'
end
end
@@ -97,7 +103,17 @@ describe Gitlab::Middleware::Go do
env['warden'] = double(authenticate: current_user)
end
- it_behaves_like 'authenticated'
+ context 'when active' do
+ it_behaves_like 'authenticated'
+ end
+
+ context 'when blocked' do
+ before do
+ current_user.block!
+ end
+
+ it_behaves_like 'unauthorized'
+ end
end
context 'using a personal access token' do
@@ -107,7 +123,17 @@ describe Gitlab::Middleware::Go do
env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
end
- it_behaves_like 'authenticated'
+ context 'with api scope' do
+ it_behaves_like 'authenticated'
+ end
+
+ context 'with read_user scope' do
+ before do
+ personal_access_token.update_attribute(:scopes, [:read_user])
+ end
+
+ it_behaves_like 'unauthorized'
+ end
end
end
end
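Review bot: The commit title says RSS tokens are ignored, but none of the spec hunks exercise a request authenticated only by an RSS token, so the half of the change that removes the RSS token from the Go lookup has no regression test. I'd add a sibling of the `'using a personal access token'` context that sets the RSS token via whatever request parameter the RSS finder reads and then `it_behaves_like 'unauthorized'`, asserting the private project path is not disclosed. For the same reason a `context 'when revoked'` under the personal-access-token context that calls `personal_access_token.revoke!` and expects `'unauthorized'` would pin the token-invalidation behaviour rather than only the scope check. The spec's describe block continues outside the hunk.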