summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-03 11:59:03 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-03 11:59:03 +0000
commit933025a9f9430f3a2c6e57fdba4fa3a839b22a4e (patch)
tree26c0a9702844e9bb563a22713cf9b70398705cf2
parent66e26f113a97590b3cb49db87eec749312073c90 (diff)
downloadgitlab-ce-933025a9f9430f3a2c6e57fdba4fa3a839b22a4e.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
-rw-r--r--app/controllers/admin/impersonation_tokens_controller.rb5
-rw-r--r--app/views/admin/users/_head.html.haml5
-rw-r--r--lib/gitlab/auth.rb5
-rw-r--r--spec/features/admin/admin_users_impersonation_tokens_spec.rb12
-rw-r--r--spec/lib/gitlab/auth_spec.rb9
-rw-r--r--spec/requests/admin/impersonation_tokens_controller_spec.rb38
-rw-r--r--spec/requests/git_http_spec.rb26
7 files changed, 97 insertions, 3 deletions
diff --git a/app/controllers/admin/impersonation_tokens_controller.rb b/app/controllers/admin/impersonation_tokens_controller.rb
index c3166d5dd82..eb279298baf 100644
--- a/app/controllers/admin/impersonation_tokens_controller.rb
+++ b/app/controllers/admin/impersonation_tokens_controller.rb
@@ -2,6 +2,7 @@
class Admin::ImpersonationTokensController < Admin::ApplicationController
before_action :user
+ before_action :verify_impersonation_enabled!
feature_category :authentication_and_authorization
@@ -41,6 +42,10 @@ class Admin::ImpersonationTokensController < Admin::ApplicationController
end
# rubocop: enable CodeReuse/ActiveRecord
+ def verify_impersonation_enabled!
+ access_denied! unless helpers.impersonation_enabled?
+ end
+
def finder(options = {})
PersonalAccessTokensFinder.new({ user: user, impersonation: true }.merge(options))
end
diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml
index be04e87f8b9..a7f821a273f 100644
--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -37,6 +37,7 @@
= link_to _("SSH keys"), keys_admin_user_path(@user)
= nav_link(controller: :identities) do
= link_to _("Identities"), admin_user_identities_path(@user)
- = nav_link(controller: :impersonation_tokens) do
- = link_to _("Impersonation Tokens"), admin_user_impersonation_tokens_path(@user)
+ - if impersonation_enabled?
+ = nav_link(controller: :impersonation_tokens) do
+ = link_to _("Impersonation Tokens"), admin_user_impersonation_tokens_path(@user)
.gl-mb-3
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 7cae7e4ea8f..e3b6e575f54 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -192,7 +192,10 @@ module Gitlab
def personal_access_token_check(password, project)
return unless password.present?
- token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)
+ finder_options = { state: 'active' }
+ finder_options[:impersonation] = false unless Gitlab.config.gitlab.impersonation_enabled
+
+ token = PersonalAccessTokensFinder.new(finder_options).find_by_token(password)
return unless token
diff --git a/spec/features/admin/admin_users_impersonation_tokens_spec.rb b/spec/features/admin/admin_users_impersonation_tokens_spec.rb
index dc528dd92d4..0e9fe35faf7 100644
--- a/spec/features/admin/admin_users_impersonation_tokens_spec.rb
+++ b/spec/features/admin/admin_users_impersonation_tokens_spec.rb
@@ -83,4 +83,16 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
expect(no_personal_access_tokens_message).to have_text("This user has no active impersonation tokens.")
end
end
+
+ describe "impersonation disabled state" do
+ before do
+ stub_config_setting(impersonation_enabled: false)
+ end
+
+ it "does not show impersonation tokens tab" do
+ visit admin_user_path(user)
+
+ expect(page).not_to have_content("Impersonation Tokens")
+ end
+ end
end
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 7f06e66ad50..2d1caf53bc5 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -336,6 +336,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect_results_with_abilities(impersonation_token, described_class.full_authentication_abilities)
end
+ it 'fails if it is an impersonation token but impersonation is blocked' do
+ stub_config_setting(impersonation_enabled: false)
+
+ impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
+
+ expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip'))
+ .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+ end
+
it 'limits abilities based on scope' do
personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])
diff --git a/spec/requests/admin/impersonation_tokens_controller_spec.rb b/spec/requests/admin/impersonation_tokens_controller_spec.rb
new file mode 100644
index 00000000000..018f497e7e5
--- /dev/null
+++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Admin::ImpersonationTokensController, :enable_admin_mode do
+ let(:admin) { create(:admin) }
+ let!(:user) { create(:user) }
+
+ before do
+ sign_in(admin)
+ end
+
+ context "when impersonation is disabled" do
+ before do
+ stub_config_setting(impersonation_enabled: false)
+ end
+
+ it "shows error page for index page" do
+ get admin_user_impersonation_tokens_path(user_id: user.username)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it "responds with 404 for create action" do
+ post admin_user_impersonation_tokens_path(user_id: user.username)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it "responds with 404 for revoke action" do
+ token = create(:personal_access_token, :impersonation, user: user)
+
+ put revoke_admin_user_impersonation_token_path(user_id: user.username, id: token.id)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+end
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index c379fd9e73b..d6cd82ac760 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -706,6 +706,32 @@ RSpec.describe 'Git HTTP requests' do
end
end
end
+
+ context 'when token is impersonated' do
+ context 'when impersonation is off' do
+ before do
+ stub_config_setting(impersonation_enabled: false)
+ end
+
+ it 'responds to uploads with status 401 unauthorized' do
+ write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository])
+
+ upload(path, user: user.username, password: write_access_token.token) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ context 'when impersonation is on' do
+ it 'responds to uploads with status 200' do
+ write_access_token = create(:personal_access_token, :impersonation, user: user, scopes: [:write_repository])
+
+ upload(path, user: user.username, password: write_access_token.token) do |response|
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
end
end