Remove authentication via warden and PRIVATE_TOKEN header

3a62f156 · mortyccp · b7e0a09d · 3a62f156 · 3a62f156 · 3a62f156
Showing with 32 addition and 77 deletion

lib/gitlab/auth.rb lib/gitlab/auth.rb +12 -12

lib/gitlab/middleware/go.rb lib/gitlab/middleware/go.rb +2 -19

spec/lib/gitlab/middleware/go_spec.rb spec/lib/gitlab/middleware/go_spec.rb +18 -46

未找到文件。
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -170,6 +170,18 @@ module Gitlab
      end

      # rubocop: disable CodeReuse/ActiveRecord
+      def abilities_for_scopes(scopes)
+        abilities_by_scope = {
+          api: full_authentication_abilities,
+          read_registry: [:read_container_image],
+          read_repository: [:download_code]
+        }
+
+        scopes.flat_map do |scope|
+          abilities_by_scope.fetch(scope.to_sym, [])
+        end.uniq
+      end
+
      def deploy_token_check(login, password)
        return unless password.present?

@@ -234,18 +246,6 @@ module Gitlab

      public

-      def abilities_for_scopes(scopes)
-        abilities_by_scope = {
-          api: full_authentication_abilities,
-          read_registry: [:read_container_image],
-          read_repository: [:download_code]
-        }
-
-        scopes.flat_map do |scope|
-          abilities_by_scope.fetch(scope.to_sym, [])
-        end.uniq
-      end
-
      def build_authentication_abilities
        [
          :read_project,

--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -117,32 +117,15 @@ module Gitlab
      end

      def current_user(request, project)
-        current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
-      end
-
-      def current_user_from_access_token_and_warden?(request)
-        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
-        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
-        return unless user&.can?(:access_api)
-        # Right now, the `api` scope is the only one that should be able to determine private project existence.
-        return unless authenticator.valid_access_token?(scopes: [:api])
-
-        user
-      end
-
-      def current_user_from_basic_authentication?(request, project)
        return unless has_basic_credentials?(request)

        login, password = user_name_and_password(request)
        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
        return unless auth_result.success?

-        return unless auth_result.actor&.can?(:access_api)
+        return unless auth_result.actor&.can?(:access_git)

-        if auth_result.type == :personal_access_token
-          api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
-          return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
-        end
+        return unless auth_result.authentication_abilities.include?(:read_project)

        auth_result.actor
      end

--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do

                    it_behaves_like 'unauthorized'
                  end
-                end
-
-                context 'using warden' do
-                  before do
-                    env['warden'] = double(authenticate: current_user)
-                  end

-                  context 'when active' do
-                    it_behaves_like 'authenticated'
-                  end
-
-                  context 'when blocked' do
+                  context 'with user is blocked' do
                    before do
-                      current_user.block!
-                    end
-
-                    it_behaves_like 'unauthorized'
-                  end
-                end
-
-                context 'using a personal access token' do
-                  let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
-                  before do
-                    env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
-                  end
-
-                  context 'with api scope' do
-                    it_behaves_like 'authenticated'
-                  end
-
-                  context 'with read_user scope' do
-                    before do
-                      personal_access_token.update_attribute(:scopes, [:read_user])
+                      current_user.block
                    end

                    it_behaves_like 'unauthorized'
@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
                end

                context 'using basic auth' do
-                  let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
-                  before do
-                    env['REMOTE_ADDR'] = "192.168.0.1"
-                    env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
-                  end
+                  context 'using a personal access token' do
+                    let(:personal_access_token) { create(:personal_access_token, user: current_user) }

-                  context 'with api scope' do
-                    it_behaves_like 'authenticated'
-                  end
-
-                  context 'with read_user scope' do
                    before do
-                      personal_access_token.update_attribute(:scopes, [:read_user])
+                      env['REMOTE_ADDR'] = "192.168.0.1"
+                      env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
+                    end
+  
+                    context 'with api scope' do
+                      it_behaves_like 'authenticated'
+                    end
+  
+                    context 'with read_user scope' do
+                      before do
+                        personal_access_token.update_attribute(:scopes, [:read_user])
+                      end
+  
+                      it_behaves_like 'unauthorized'
                    end
-
-                    it_behaves_like 'unauthorized'
                  end
                end
              end