diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index a60f8cea27cca3c80ba3eeea7efbaa7cc8a09ef5..fa3399b64f51b186d4ab108b5a58e5e0f5a50994 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -170,6 +170,18 @@ module Gitlab
 end
 
 # rubocop: disable CodeReuse/ActiveRecord
+ def abilities_for_scopes(scopes)
+ abilities_by_scope = {
+ api: full_authentication_abilities,
+ read_registry: [:read_container_image],
+ read_repository: [:download_code]
+ }
+
+ scopes.flat_map do |scope|
+ abilities_by_scope.fetch(scope.to_sym, [])
+ end.uniq
+ end
+
 def deploy_token_check(login, password)
 return unless password.present?
 
@@ -234,18 +246,6 @@ module Gitlab
 
 public
 
- def abilities_for_scopes(scopes)
- abilities_by_scope = {
- api: full_authentication_abilities,
- read_registry: [:read_container_image],
- read_repository: [:download_code]
- }
-
- scopes.flat_map do |scope|
- abilities_by_scope.fetch(scope.to_sym, [])
- end.uniq
- end
-
 def build_authentication_abilities
 [
 :read_project,
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 0ef106920dda2f700d29738c273f7957d452402c..72a788022ef58840018bf35dccd9b9cb8b69de1e 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
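Review bot: The copy of `abilities_for_scopes` added in the first hunk sits directly under the `# rubocop: disable CodeReuse/ActiveRecord` directive although it touches no ActiveRecord, and its removal from below `public` in the second hunk implies the method becomes private, yet neither a `private` marker nor any surviving caller is visible in these hunks. The go.rb hunk deletes the only call to `Gitlab::Auth.abilities_for_scopes` shown on this page; if another caller exists elsewhere it would now fail, so that is worth confirming before merging. The method also carries no doc comment; `# Maps token scopes (api, read_registry, read_repository) to authentication abilities; unknown scopes contribute nothing, hence the [] default in fetch.` would state the intent of `fetch(scope.to_sym, [])`. The enclosing module body starts and ends outside both hunks.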
@@ -117,32 +117,15 @@ module Gitlab
 end
 
 def current_user(request, project)
- current_user_from_access_token_and_warden?(request) || current_user_from_basic_authentication?(request, project)
- end
-
- def current_user_from_access_token_and_warden?(request)
- authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
- user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
- return unless user&.can?(:access_api)
- # Right now, the `api` scope is the only one that should be able to determine private project existence.
- return unless authenticator.valid_access_token?(scopes: [:api])
-
- user
- end
-
- def current_user_from_basic_authentication?(request, project)
 return unless has_basic_credentials?(request)
 
 login, password = user_name_and_password(request)
 auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
 
 return unless auth_result.success?
- return unless auth_result.actor&.can?(:access_api)
+ return unless auth_result.actor&.can?(:access_git)
 
- if auth_result.type == :personal_access_token
- api_sceope_abilities = Gitlab::Auth.abilities_for_scopes([:api])
- return unless auth_result.authentication_abilities.sort == api_sceope_abilities.sort
- end
+ return unless auth_result.authentication_abilities.include?(:read_project)
 
 auth_result.actor
 end
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index b43eab5e2fd9d3db65c581fe8ae7855f3fa4a45a..3103dbd503e152c267d147eab2b6c758a50771fb 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
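Review bot: The new gate `return unless auth_result.authentication_abilities.include?(:read_project)` admits any credential whose ability list carries `:read_project`, which per the context lines of the auth.rb hunk includes the `build_authentication_abilities` list and not only an `api`-scoped token, whereas the removed comment deliberately limited private-project existence discovery to the `api` scope. If the broader acceptance is intended, a comment above the check should say so, e.g. `# Any git-capable credential that may read the project can learn that it exists; no per-scope narrowing here.`, since the next reader will otherwise wonder whether the narrowing was dropped by accident. If `find_for_git_client` can return a successful result whose `authentication_abilities` is nil, `include?` raises instead of returning nil; `&.include?` would keep that case a plain unauthorized response. `current_user` is contained entirely within the hunk.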
@@ -96,40 +96,10 @@ describe Gitlab::Middleware::Go do it_behaves_like 'unauthorized' end - end - - context 'using warden' do - before do - env['warden'] = double(authenticate: current_user) - end - context 'when active' do - it_behaves_like 'authenticated' - end - - context 'when blocked' do + context 'with user is blocked' do before do - current_user.block! - end - - it_behaves_like 'unauthorized' - end - end - - context 'using a personal access token' do - let(:personal_access_token) { create(:personal_access_token, user: current_user) } - - before do - env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token - end - - context 'with api scope' do - it_behaves_like 'authenticated' - end - - context 'with read_user scope' do - before do - personal_access_token.update_attribute(:scopes, [:read_user]) + current_user.block end it_behaves_like 'unauthorized' 
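Review bot: The new `before` block calls `current_user.block` where the removed line used `block!`; if `block` is a state-machine event that returns false rather than raising when the transition fails, the 'unauthorized' example would fail at the assertion for an unrelated reason instead of at setup, so the bang form is the clearer choice: `current_user.block!`. The context description `'with user is blocked'` reads awkwardly; `'when user is blocked'` matches the wording of the contexts this hunk removes. The enclosing `describe` block starts and ends outside the hunk.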
@@ -137,23 +107,25 @@ describe Gitlab::Middleware::Go do
 end
 
 context 'using basic auth' do
- let(:personal_access_token) { create(:personal_access_token, user: current_user) }
-
- before do
- env['REMOTE_ADDR'] = "192.168.0.1"
- env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
- end
+ context 'using a personal access token' do
+ let(:personal_access_token) { create(:personal_access_token, user: current_user) }
 
- context 'with api scope' do
- it_behaves_like 'authenticated'
- end
-
- context 'with read_user scope' do
 before do
- personal_access_token.update_attribute(:scopes, [:read_user])
+ env['REMOTE_ADDR'] = "192.168.0.1"
+ env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, personal_access_token.token)
+ end
+
+ context 'with api scope' do
+ it_behaves_like 'authenticated'
+ end
+
+ context 'with read_user scope' do
+ before do
+ personal_access_token.update_attribute(:scopes, [:read_user])
+ end
+
+ it_behaves_like 'unauthorized'
 end
-
- it_behaves_like 'unauthorized'
 end
 end
 end