authorGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 08:23:17 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 08:23:24 +0000
commit2234b4382091add4dfe8d44f4e0764bf64ff8c5e (patch)
tree2e16ea43616574e4612223b7cdb70322ce914648 /lib
parent6c85cb2ff17cf4ea34372e84ef579734fd607cec (diff)
downloadgitlab-ce-2234b4382091add4dfe8d44f4e0764bf64ff8c5e.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/ci/pipeline_schedules.rb2
-rw-r--r--lib/api/helpers/packages/conan/api_helpers.rb26
-rw-r--r--lib/api/pypi_packages.rb2
-rw-r--r--lib/gitlab/conan_token.rb4
-rw-r--r--lib/gitlab/regex.rb4
5 files changed, 30 insertions, 8 deletions
diff --git a/lib/api/ci/pipeline_schedules.rb b/lib/api/ci/pipeline_schedules.rb
index 8a9ba2cbe0f..6030fe86f00 100644
--- a/lib/api/ci/pipeline_schedules.rb
+++ b/lib/api/ci/pipeline_schedules.rb
@@ -93,7 +93,7 @@ module API
requires :pipeline_schedule_id, type: Integer, desc: 'The pipeline schedule id'
end
post ':id/pipeline_schedules/:pipeline_schedule_id/take_ownership' do
- authorize! :update_pipeline_schedule, pipeline_schedule
+ authorize! :take_ownership_pipeline_schedule, pipeline_schedule
if pipeline_schedule.own!(current_user)
present pipeline_schedule, with: Entities::Ci::PipelineScheduleDetails
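Review bot: The ability `:take_ownership_pipeline_schedule` on the `authorize!` line is new to this endpoint, and the policy that defines it is not part of this diff (the diffstat is limited to lib/), so the lib-side change cannot be checked for completeness from here; presumably the policy grants it more narrowly than `:update_pipeline_schedule`. If the ability were undefined `authorize!` should fail closed, but a spec calling take_ownership as a user who can update the schedule yet may not take it over would pin that. The `post` block continues past the hunk.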
diff --git a/lib/api/helpers/packages/conan/api_helpers.rb b/lib/api/helpers/packages/conan/api_helpers.rb
index e92547890e8..994d3c4c473 100644
--- a/lib/api/helpers/packages/conan/api_helpers.rb
+++ b/lib/api/helpers/packages/conan/api_helpers.rb
@@ -153,7 +153,7 @@ module API
def token
strong_memoize(:token) do
token = nil
- token = ::Gitlab::ConanToken.from_personal_access_token(access_token) if access_token
+ token = ::Gitlab::ConanToken.from_personal_access_token(find_personal_access_token.user_id, access_token_from_request) if find_personal_access_token
token = ::Gitlab::ConanToken.from_deploy_token(deploy_token_from_request) if deploy_token_from_request
token = ::Gitlab::ConanToken.from_job(find_job_from_token) if find_job_from_token
token
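Review bot: The added line calls `find_personal_access_token` twice and runs well past the usual line length; a local keeps it readable: `pat = find_personal_access_token` followed by `token = ::Gitlab::ConanToken.from_personal_access_token(pat.user_id, access_token_from_request) if pat`. The second argument is the raw token value taken from the request rather than a record id, so the `ConanToken` built here now carries the PAT itself; a one-line comment at the call site saying so would help the next reader, e.g. `# second argument is the raw PAT value, not its id`. The memoization via `strong_memoize` makes the repeated call cheap, so the duplication is a readability point only.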
@@ -224,9 +224,27 @@ module API
forbidden!
end
+ # We override this method from auth_finders because we need to
+ # extract the token from the Conan JWT which is specific to the Conan API
def find_personal_access_token
- find_personal_access_token_from_conan_jwt ||
- find_personal_access_token_from_http_basic_auth
+ strong_memoize(:find_personal_access_token) do
+ PersonalAccessToken.find_by_token(access_token_from_request)
+ end
+ end
+
+ def access_token_from_request
+ strong_memoize(:access_token_from_request) do
+ find_personal_access_token_from_conan_jwt ||
+ find_password_from_basic_auth
+ end
+ end
+
+ def find_password_from_basic_auth
+ return unless route_authentication_setting[:basic_auth_personal_access_token]
+ return unless has_basic_credentials?(current_request)
+
+ _username, password = user_name_and_password(current_request)
+ password
end
def find_user_from_job_token
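Review bot: `PersonalAccessToken.find_by_token(access_token_from_request)` in the new `find_personal_access_token` is reached even when neither a Conan JWT nor a basic-auth password is present, so it runs with `nil`; unless `find_by_token` short-circuits on nil itself, guard inside the memoize block with `token = access_token_from_request` / `PersonalAccessToken.find_by_token(token) if token` (a `return unless` inside the `strong_memoize` block would return from the method and skip memoization). Lookup by token value only establishes that the record exists; expiry and revocation are presumably still enforced further along the auth_finders chain (`validate_access_token!`), which is worth confirming now that the base finder is overridden. `access_token_from_request` and `find_password_from_basic_auth` carry no comment; suggest `# Raw PAT value from the Conan JWT, falling back to the HTTP basic-auth password` and `# The basic-auth password is treated as a PAT only where the route allows it; the username is ignored`.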
@@ -256,7 +274,7 @@ module API
return unless token
- PersonalAccessToken.find_by_id_and_user_id(token.access_token_id, token.user_id)
+ token.access_token_id
end
def find_deploy_token_from_conan_jwt
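Review bot: `find_personal_access_token_from_conan_jwt` now returns `token.access_token_id`, which after this commit is the raw PAT string rather than a `PersonalAccessToken` record, so the method name no longer describes its return value. Renaming it (e.g. `access_token_from_conan_jwt`) or adding `# Returns the raw personal access token value carried in the Conan JWT, not a PersonalAccessToken record` would keep callers from treating the result as a model. The JWT's `user_id` claim is no longer used to scope the lookup; the owning user is now taken from the record found by token value (see `find_personal_access_token.user_id` in the `token` hunk), which is the stronger binding as long as every caller resolves the user that way. The method begins before the hunk.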
diff --git a/lib/api/pypi_packages.rb b/lib/api/pypi_packages.rb
index 86f36d4fc00..d4f51beb2e5 100644
--- a/lib/api/pypi_packages.rb
+++ b/lib/api/pypi_packages.rb
@@ -174,7 +174,7 @@ module API
requires :version, type: String
optional :requires_python, type: String
optional :md5_digest, type: String
- optional :sha256_digest, type: String
+ optional :sha256_digest, type: String, regexp: Gitlab::Regex.sha256_regex
end
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
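Review bot: `sha256_digest` now has to match `Gitlab::Regex.sha256_regex`, but `md5_digest` on the line above is still accepted as any String; if both digests are stored or rendered the same way downstream, the md5 one deserves the same anchored hex check for consistency. Constructed example: `optional :md5_digest, type: String, regexp: /\A[0-9a-f]{32}\z/i`, preferably as a named helper beside `sha256_regex` in `Gitlab::Regex` rather than an inline literal. The `params` block begins before the hunk.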
diff --git a/lib/gitlab/conan_token.rb b/lib/gitlab/conan_token.rb
index d0560807f45..87a085461bc 100644
--- a/lib/gitlab/conan_token.rb
+++ b/lib/gitlab/conan_token.rb
@@ -13,8 +13,8 @@ module Gitlab
attr_reader :access_token_id, :user_id
class << self
- def from_personal_access_token(access_token)
- new(access_token_id: access_token.id, user_id: access_token.user_id)
+ def from_personal_access_token(user_id, token)
+ new(access_token_id: token, user_id: user_id)
end
def from_job(job)
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index c9202c6c54c..205106afddb 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -237,6 +237,10 @@ module Gitlab
generic_package_name_regex
end
+ def sha256_regex
+ @sha256_regex ||= /\A[0-9a-f]{64}\z/i.freeze
+ end
+
private
def conan_name_regex
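Review bot: `sha256_regex` has no doc comment although it is now used as an API parameter validator; suggest `# Full-string match for a hex-encoded SHA-256 digest (64 hex characters, either case)` above the `def`. Anchoring with `\A`/`\z` rather than `^`/`$` is the right choice for input validation, since the latter would match per line. `.freeze` on a regex literal is redundant on Ruby 3.0+, where regex literals are already frozen, but harmless if the file does it elsewhere for consistency.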