BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
36b3210b
Commit
36b3210b
authored
Nov 22, 2016
by
Timothy Andrew
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Validate access token scopes in `Gitlab::Auth`
- This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
parent
7fa06ed5
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
51 additions
and
11 deletions
+51
-11
auth.rb
lib/gitlab/auth.rb
+11
-3
auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+39
-7
git_http_spec.rb
spec/requests/git_http_spec.rb
+1
-1
No files found.
lib/gitlab/auth.rb
View file @
36b3210b
...
@@ -92,7 +92,7 @@ module Gitlab
...
@@ -92,7 +92,7 @@ module Gitlab
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
if
login
==
"oauth2"
&&
password
.
present?
if
login
==
"oauth2"
&&
password
.
present?
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
if
token
&&
token
.
accessible?
if
token
&&
token
.
accessible?
&&
token_has_scope?
(
token
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_authentication_abilities
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_authentication_abilities
)
end
end
...
@@ -101,12 +101,20 @@ module Gitlab
...
@@ -101,12 +101,20 @@ module Gitlab
def
personal_access_token_check
(
login
,
password
)
def
personal_access_token_check
(
login
,
password
)
if
login
&&
password
if
login
&&
password
user
=
User
.
find_by_personal_access
_token
(
password
)
token
=
PersonalAccessToken
.
active
.
find_by
_token
(
password
)
validation
=
User
.
by_login
(
login
)
validation
=
User
.
by_login
(
login
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:personal_token
,
full_authentication_abilities
)
if
user
.
present?
&&
user
==
validation
if
token
&&
token
.
user
==
validation
&&
token_has_scope?
(
token
)
Gitlab
::
Auth
::
Result
.
new
(
validation
,
nil
,
:personal_token
,
full_authentication_abilities
)
end
end
end
end
end
def
token_has_scope?
(
token
)
AccessTokenValidationService
.
sufficient_scope?
(
token
,
[
'api'
])
end
def
lfs_token_check
(
login
,
password
)
def
lfs_token_check
(
login
,
password
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
...
...
spec/lib/gitlab/auth_spec.rb
View file @
36b3210b
...
@@ -79,14 +79,46 @@ describe Gitlab::Auth, lib: true do
...
@@ -79,14 +79,46 @@ describe Gitlab::Auth, lib: true do
expect
(
gl_auth
.
find_for_git_client
(
"lfs+deploy-key-
#{
key
.
id
}
"
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
nil
,
:lfs_deploy_token
,
read_authentication_abilities
))
expect
(
gl_auth
.
find_for_git_client
(
"lfs+deploy-key-
#{
key
.
id
}
"
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
nil
,
:lfs_deploy_token
,
read_authentication_abilities
))
end
end
it
'recognizes OAuth tokens'
do
context
"while using OAuth tokens as passwords"
do
user
=
create
(
:user
)
it
'succeeds for OAuth tokens with the `api` scope'
do
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
user
=
create
(
:user
)
token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
)
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
ip
=
'ip'
token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"api"
)
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_authentication_abilities
))
end
it
'fails for OAuth tokens with other scopes'
do
user
=
create
(
:user
)
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"read_user"
)
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
false
,
login:
'oauth2'
)
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
end
end
context
"while using personal access tokens as passwords"
do
it
'succeeds for personal access tokens with the `api` scope'
do
user
=
create
(
:user
)
personal_access_token
=
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'api'
])
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
email
)
expect
(
gl_auth
.
find_for_git_client
(
user
.
email
,
personal_access_token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
end
it
'fails for personal access tokens with other scopes'
do
user
=
create
(
:user
)
personal_access_token
=
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'read_user'
])
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
false
,
login:
user
.
email
)
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_authentication_abilities
))
expect
(
gl_auth
.
find_for_git_client
(
user
.
email
,
personal_access_token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
end
end
end
it
'returns double nil for invalid credentials'
do
it
'returns double nil for invalid credentials'
do
...
...
spec/requests/git_http_spec.rb
View file @
36b3210b
...
@@ -230,7 +230,7 @@ describe 'Git HTTP requests', lib: true do
...
@@ -230,7 +230,7 @@ describe 'Git HTTP requests', lib: true do
context
"when an oauth token is provided"
do
context
"when an oauth token is provided"
do
before
do
before
do
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
application
=
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
@token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
)
@token
=
Doorkeeper
::
AccessToken
.
create!
(
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"api"
)
end
end
it
"downloads get status 200"
do
it
"downloads get status 200"
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment