summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormortyccp <mortyccp@gmail.com>2018-12-30 15:08:37 +0800
committermortyccp <mortyccp@gmail.com>2019-01-03 20:28:02 +0800
commit3a62f1565779ffc194dcf30e612fbcf8589f61ce (patch)
treef6c5c767ef794f853db0cfb5da77f3a6fa064633
parentb7e0a09de22eac10cba64c8980c2854efb2731c1 (diff)
downloadgitlab-ce-3a62f1565779ffc194dcf30e612fbcf8589f61ce.tar.gz
Remove authentication via warden and PRIVATE_TOKEN header
-rw-r--r--lib/gitlab/auth.rb24
-rw-r--r--lib/gitlab/middleware/go.rb21
-rw-r--r--spec/lib/gitlab/middleware/go_spec.rb64
3 files changed, 32 insertions, 77 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index a60f8cea27c..fa3399b64f5 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -170,6 +170,18 @@ module Gitlab
end
# rubocop: disable CodeReuse/ActiveRecord
+ def abilities_for_scopes(scopes)
+ abilities_by_scope = {
+ api: full_authentication_abilities,
+ read_registry: [:read_container_image],
+ read_repository: [:download_code]
+ }
+
+ scopes.flat_map do |scope|
+ abilities_by_scope.fetch(scope.to_sym, [])
+ end.uniq
+ end
+
def deploy_token_check(login, password)
return unless password.present?
@@ -234,18 +246,6 @@ module Gitlab
public
- def abilities_for_scopes(scopes)
- abilities_by_scope = {
- api: full_authentication_abilities,
- read_registry: [:read_container_image],
- read_repository: [:download_code]
- }
-
- scopes.flat_map do |scope|
- abilities_by_scope.fetch(scope.to_sym, [])
- end.uniq
- end
-
def build_authentication_abilities
[
:read_project,
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 0ef106920dd..72a788022ef 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -117,32 +117,15 @@ module Gitlab
end
def current_user(request, project)
- current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
- end
-
- def current_user_from_access_token_and_warden?(request)
- authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
- user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
- return unless user&.can?(:access_api)
- # Right now, the `api` scope is the only one that should be able to determine private project existence.
- return unless authenticator.valid_access_token?(scopes: [:api])
-
- user
- end
-
- def current_user_from_basic_authentication?(request, project)
return unless has_basic_credentials?(request)
login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
return unless auth_result.success?
- return unless auth_result.actor&.can?(:access_api)
+ return unless auth_result.actor&.can?(:access_git)
- if auth_result.type == :personal_access_token
- api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
- return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
- end
+ return unless auth_result.authentication_abilities.include?(:read_project)
auth_result.actor
end
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index b43eab5e2fd..3103dbd503e 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do
it_behaves_like 'unauthorized'
end
- end
-
- context 'using warden' do
- before do
- env['warden'] = double(authenticate: current_user)
- end
- context 'when active' do
- it_behaves_like 'authenticated'
- end
-
- context 'when blocked' do
+ context 'with user is blocked' do
before do
- current_user.block!
- end
-
- it_behaves_like 'unauthorized'
- end
- end
-
- context 'using a personal access token' do
- let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
- before do
- env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
- end
-
- context 'with api scope' do
- it_behaves_like 'authenticated'
- end
-
- context 'with read_user scope' do
- before do
- personal_access_token.update_attribute(:scopes, [:read_user])
+ current_user.block
end
it_behaves_like 'unauthorized'
@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
end
context 'using basic auth' do
- let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
- before do
- env['REMOTE_ADDR'] = "192.168.0.1"
- env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
- end
+ context 'using a personal access token' do
+ let(:personal_access_token) { create(:personal_access_token, user: current_user) }
- context 'with api scope' do
- it_behaves_like 'authenticated'
- end
-
- context 'with read_user scope' do
before do
- personal_access_token.update_attribute(:scopes, [:read_user])
+ env['REMOTE_ADDR'] = "192.168.0.1"
+ env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
+ end
+
+ context 'with api scope' do
+ it_behaves_like 'authenticated'
+ end
+
+ context 'with read_user scope' do
+ before do
+ personal_access_token.update_attribute(:scopes, [:read_user])
+ end
+
+ it_behaves_like 'unauthorized'
end
-
- it_behaves_like 'unauthorized'
end
end
end