authorRobert Speicher <rspeicher@gmail.com>2021-01-20 13:34:23 -0600
committerRobert Speicher <rspeicher@gmail.com>2021-01-20 13:34:23 -0600
commit6438df3a1e0fb944485cebf07976160184697d72 (patch)
tree00b09bfd170e77ae9391b1a2f5a93ef6839f2597 /lib/gitlab/auth
parent42bcd54d971da7ef2854b896a7b34f4ef8601067 (diff)
downloadgitlab-ce-6438df3a1e0fb944485cebf07976160184697d72.tar.gz
Add latest changes from gitlab-org/gitlab@13-8-stable-eev13.8.0-rc42
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/auth_finders.rb18
-rw-r--r--lib/gitlab/auth/ldap/config.rb13
-rw-r--r--lib/gitlab/auth/request_authenticator.rb2
3 files changed, 23 insertions, 10 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index caa881eeeab..4c6254c9e69 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -92,10 +92,10 @@ module Gitlab
# We only allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests.
- def find_user_from_web_access_token(request_format)
+ def find_user_from_web_access_token(request_format, scopes: [:api])
return unless access_token && valid_web_access_format?(request_format)
- validate_access_token!(scopes: [:api])
+ validate_access_token!(scopes: scopes)
::PersonalAccessTokens::LastUsedService.new(access_token).execute
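Review bot: The header comment above `find_user_from_web_access_token` still states that only `api`-scoped Private Access Tokens are allowed, but the new `scopes:` keyword lets callers widen that (request_authenticator.rb in this same commit passes `[:api, :read_api]`), so the comment is now misleading. Suggest rewording it to `# By default only Private Access Tokens with the api scope are accepted for web requests on RSS feeds or ICS files (backwards compatibility); callers may pass scopes: to accept others, which validate_access_token! then enforces.` The body of the method continues past the end of this hunk.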
@@ -194,11 +194,15 @@ module Gitlab
def access_token
strong_memoize(:access_token) do
- # The token can be a PAT or an OAuth (doorkeeper) token
- # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
- # (e.g. NPM client registry auth), this case will be properly handled
- # by find_personal_access_token
- find_oauth_access_token || find_personal_access_token
+ if try(:namespace_inheritable, :authentication)
+ access_token_from_namespace_inheritable
+ else
+ # The token can be a PAT or an OAuth (doorkeeper) token
+ # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
+ # (e.g. NPM client registry auth), this case will be properly handled
+ # by find_personal_access_token
+ find_oauth_access_token || find_personal_access_token
+ end
end
end
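Review bot: The new `namespace_inheritable` branch is undocumented while the PAT/OAuth explanation was kept only on the `else` path, so a reader cannot tell from this hunk what `access_token_from_namespace_inheritable` returns or whether it goes through the same lookups as `find_oauth_access_token` / `find_personal_access_token` (all three are defined outside this hunk). Suggest a comment above the `if`: `# Controllers that opt into namespace-inheritable authentication resolve the token through that mechanism; otherwise fall back to the standard PAT/OAuth lookup below.` It would also help to state that `try` returns nil when the including class does not define `namespace_inheritable`, so the fallback is the default, and that scope enforcement presumably still happens in validate_access_token! for both branches — worth confirming.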
diff --git a/lib/gitlab/auth/ldap/config.rb b/lib/gitlab/auth/ldap/config.rb
index f5931a1d5eb..97e4f921228 100644
--- a/lib/gitlab/auth/ldap/config.rb
+++ b/lib/gitlab/auth/ldap/config.rb
@@ -28,7 +28,7 @@ module Gitlab
end
def self.servers
- Gitlab.config.ldap['servers']&.values || []
+ Gitlab.config.ldap.servers&.values || []
end
def self.available_servers
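Review bot: `Gitlab.config.ldap.servers` replaces a hash-style lookup whose `&.` guard tolerated a missing `servers` key, but whether the dot-style accessor returns nil or raises on an absent key depends on the settings object, which this hunk does not show; if it raises, `self.servers` no longer falls back to `[]` when LDAP is configured without a `servers` block. Either confirm the accessor's missing-key behaviour or record the assumption with `# the settings accessor is expected to return nil when servers is unset; &. keeps the [] fallback` so the guard's purpose stays visible.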
@@ -42,9 +42,18 @@ module Gitlab
end
def self.providers
- servers.map { |server| server['provider_name'] }
+ provider_names_from_servers(servers)
end
+ def self.available_providers
+ provider_names_from_servers(available_servers)
+ end
+
+ def self.provider_names_from_servers(servers)
+ servers&.map { |server| server['provider_name'] } || []
+ end
+ private_class_method :provider_names_from_servers
+
def self.valid_provider?(provider)
providers.include?(provider)
end
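Review bot: The `servers` parameter of `provider_names_from_servers` shadows the class method `self.servers` defined in the previous hunk, which makes the two call sites (`providers` passing `servers`, `available_providers` passing `available_servers`) harder to read; `def self.provider_names_from_servers(server_list)` with `server_list&.map { |server| server['provider_name'] } || []` avoids that. Since `self.servers` already returns `[]` rather than nil, the `&.`/`|| []` guard only matters if `available_servers` (defined outside this hunk) can return nil, so a one-line comment on the helper stating that it accepts nil for that caller would document the intent.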
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index d28ee54cfbc..504265a83ef 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -30,7 +30,7 @@ module Gitlab
end
def find_sessionless_user(request_format)
- find_user_from_web_access_token(request_format) ||
+ find_user_from_web_access_token(request_format, scopes: [:api, :read_api]) ||
find_user_from_feed_token(request_format) ||
find_user_from_static_object_token(request_format) ||
find_user_from_basic_auth_job ||
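Review bot: Passing `scopes: [:api, :read_api]` means a `read_api`-scoped token now satisfies sessionless web authentication, and nothing in this hunk ties that broadened scope to read-only request handling; the scope check in validate_access_token! only confirms the token carries one of the listed scopes. Confirm that the callers of `find_sessionless_user` (outside this hunk) still reject mutating requests for `read_api` tokens, and record the expectation inline, e.g. `# read_api is accepted here; write paths must enforce the api scope separately`. The `||` chain of find_sessionless_user continues beyond the end of this hunk.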