author | mortyccp <mortyccp@gmail.com> | 2018-12-30 15:08:37 +0800 |
---|---|---|
committer | mortyccp <mortyccp@gmail.com> | 2019-01-03 20:28:02 +0800 |
commit | 3a62f1565779ffc194dcf30e612fbcf8589f61ce (patch) | |
tree | f6c5c767ef794f853db0cfb5da77f3a6fa064633 /lib | |
parent | b7e0a09de22eac10cba64c8980c2854efb2731c1 (diff) | |
download | gitlab-ce-3a62f1565779ffc194dcf30e612fbcf8589f61ce.tar.gz |
Remove authentication via warden and PRIVATE_TOKEN header
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/auth.rb | 24 | ||||
-rw-r--r-- | lib/gitlab/middleware/go.rb | 21 |
2 files changed, 14 insertions, 31 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index a60f8cea27c..fa3399b64f5 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -170,6 +170,18 @@ module Gitlab end # rubocop: disable CodeReuse/ActiveRecord + def abilities_for_scopes(scopes) + abilities_by_scope = { + api: full_authentication_abilities, + read_registry: [:read_container_image], + read_repository: [:download_code] + } + + scopes.flat_map do |scope| + abilities_by_scope.fetch(scope.to_sym, []) + end.uniq + end + def deploy_token_check(login, password) return unless password.present? @@ -234,18 +246,6 @@ module Gitlab public - def abilities_for_scopes(scopes) - abilities_by_scope = { - api: full_authentication_abilities, - read_registry: [:read_container_image], - read_repository: [:download_code] - } - - scopes.flat_map do |scope| - abilities_by_scope.fetch(scope.to_sym, []) - end.uniq - end - def build_authentication_abilities [ :read_project, diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb index 0ef106920dd..72a788022ef 100644 --- a/lib/gitlab/middleware/go.rb +++ b/lib/gitlab/middleware/go.rb 
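Review bot: The relocated `abilities_for_scopes` in the first auth.rb hunk is inserted between `# rubocop: disable CodeReuse/ActiveRecord` and `def deploy_token_check`, so the directive now reads as annotating a method that does no ActiveRecord work at all, while the method it was presumably written for has been pushed further down; inserting the method above the rubocop line keeps the directive next to its target. The method also has no comment explaining the contract, which matters now that it is the single mapping from token scopes to git-client abilities: something like `# Maps token scopes to the abilities they grant a git client; unrecognised scopes grant nothing (fetch default []).` would make the `fetch(scope.to_sym, [])` default deliberate rather than incidental. The move from below `public` to this position appears intended to make the method private, but the `private` marker itself is outside the hunk, so that should be checked at the call site.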
@@ -117,32 +117,15 @@ module Gitlab end def current_user(request, project) - current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project) - end - - def current_user_from_access_token_and_warden?(request) - authenticator = Gitlab::Auth::RequestAuthenticator.new(request) - user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden - return unless user&.can?(:access_api) - # Right now, the `api` scope is the only one that should be able to determine private project existence. - return unless authenticator.valid_access_token?(scopes: [:api]) - - user - end - - def current_user_from_basic_authentication?(request, project) return unless has_basic_credentials?(request) login, password = user_name_and_password(request) auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip) return unless auth_result.success? - return unless auth_result.actor&.can?(:access_api) + return unless auth_result.actor&.can?(:access_git) - if auth_result.type == :personal_access_token - api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api]) - return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort - end + return unless auth_result.authentication_abilities.include?(:read_project) auth_result.actor end |
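Review bot: The final gate in `current_user` now accepts any successful git-client result whose `authentication_abilities` include `:read_project`, where the old code required a personal access token's abilities to equal the full `api` scope set; since `build_authentication_abilities` in the auth.rb hunk visibly starts with `:read_project`, ability sets other than the `api` scope's (if, as the name suggests, that is what CI job tokens receive) may now pass where they previously had to satisfy `can?(:access_api)`, so this loosening should be confirmed as intended. The removed comment stating that only the `api` scope was meant to reveal private project existence was the only record of that intent, and the new guard should carry an equivalent note, e.g. `# Only actors allowed to read the project may learn that a private project exists; narrower scopes (read_repository grants only :download_code) are rejected here.` The new `auth_result.actor&.can?(:access_git)` check also assumes every actor type `find_for_git_client` can return (including results from `deploy_token_check`) responds to `can?`, and the value is returned as the middleware's current user, whose consumers lie outside this hunk, so an actor that is not a `User` is worth ruling out explicitly.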