authorTimothy Andrew <mail@timothyandrew.net>2016-11-22 12:13:37 +0300
committerTimothy Andrew <mail@timothyandrew.net>2016-12-16 13:59:31 +0300
commit36b3210b9ec4fffd9fa5a73626907e8a6a59f435 (patch)
tree11f045f3647f24901a8966b472d27cab86338f44 /lib/gitlab
parent7fa06ed55d18af4d055041eb27d38fecf9b5548f (diff)
Validate access token scopes in `Gitlab::Auth`
- This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
Diffstat (limited to 'lib/gitlab')
-rw-r--r--lib/gitlab/auth.rb14
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index c3c464248ef..c6a23aa2bdf 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -92,7 +92,7 @@ module Gitlab
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
- if token && token.accessible?
+ if token && token.accessible? && token_has_scope?(token)
user = User.find_by(id: token.resource_owner_id)
Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
end
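Review bot: The scope check added on the `if token && token.accessible? && token_has_scope?(token)` line makes an accessible OAuth token that merely lacks the `api` scope fall through to `nil`, the same outcome as an unknown or revoked token, so the caller cannot log or report why git-over-HTTP authentication was refused; a comment on that line would stop the next maintainer from reading the `nil` as "token not found". Suggested wording above the condition: `# A live token without the api scope is rejected here exactly like an invalid one; callers only see nil.` The required scope list itself lives in `token_has_scope?` (defined in the following hunk) rather than being passed by this call site, so tightening or relaxing it for OAuth versus personal tokens later will need a signature change there. The `oauth_access_token_check` method continues past the end of this hunk.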
@@ -101,12 +101,20 @@ module Gitlab
def personal_access_token_check(login, password)
if login && password
- user = User.find_by_personal_access_token(password)
+ token = PersonalAccessToken.active.find_by_token(password)
validation = User.by_login(login)
- Gitlab::Auth::Result.new(user, nil, :personal_token, full_authentication_abilities) if user.present? && user == validation
+
+ if token && token.user == validation && token_has_scope?(token)
+ Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
+ end
+
end
end
+ def token_has_scope?(token)
+ AccessTokenValidationService.sufficient_scope?(token, ['api'])
+ end
+
def lfs_token_check(login, password)
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)