authorGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 11:20:38 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 11:20:57 +0300
commit4c4f653296e104566d2dd9a330b460c7ddc8cfc5 (patch)
tree69309f00de031698da9ea139f53e3f78c3ab61f0 /spec/lib
parent7b1c7e980459210bea3f967cbc6b1c797c1ff658 (diff)
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/gitlab/auth/request_authenticator_spec.rb43
-rw-r--r--spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb152
2 files changed, 133 insertions, 62 deletions
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 2bc80edb98c..0ce5e6a7f5c 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -76,6 +76,38 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
end
end
+ describe '#find_authenticated_requester' do
+ let_it_be(:api_user) { create(:user) }
+ let_it_be(:deploy_token_user) { create(:user) }
+
+ it 'returns the deploy token if it exists' do
+ allow_next_instance_of(described_class) do |authenticator|
+ expect(authenticator).to receive(:deploy_token_from_request).and_return(deploy_token_user)
+ allow(authenticator).to receive(:user).and_return(nil)
+ end
+
+ expect(subject.find_authenticated_requester([:api])).to eq deploy_token_user
+ end
+
+ it 'returns the user id if it exists' do
+ allow_next_instance_of(described_class) do |authenticator|
+ allow(authenticator).to receive(:deploy_token_from_request).and_return(deploy_token_user)
+ expect(authenticator).to receive(:user).and_return(api_user)
+ end
+
+ expect(subject.find_authenticated_requester([:api])).to eq api_user
+ end
+
+ it 'rerturns nil if no match is found' do
+ allow_next_instance_of(described_class) do |authenticator|
+ expect(authenticator).to receive(:deploy_token_from_request).and_return(nil)
+ expect(authenticator).to receive(:user).and_return(nil)
+ end
+
+ expect(subject.find_authenticated_requester([:api])).to eq nil
+ end
+ end
+
describe '#find_sessionless_user' do
let_it_be(:dependency_proxy_user) { build(:user) }
let_it_be(:access_token_user) { build(:user) }
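Review bot: The stubbed deploy token in these examples is a User (`let_it_be(:deploy_token_user) { create(:user) }`), so the first example only shows that whatever `deploy_token_from_request` returns is passed straight through, not that a DeployToken comes back; `create(:deploy_token)`, the factory this same commit uses in rack_attack_spec.rb, would also catch a regression that resolves the token to its owning user. The second example is the one that establishes precedence — the user is returned even when a deploy token is also present — which decides which identity throttle discriminators and auth logs record, but its name ('returns the user id if it exists') says neither that, and the method returns the user, not an id; `it 'returns the user when both a user and a deploy token are present'` would. Minor: 'rerturns' in the third example's description, and `eq nil` is conventionally `be_nil`. The enclosing RSpec.describe block starts outside the hunk.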
@@ -380,10 +412,10 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
describe '#route_authentication_setting' do
using RSpec::Parameterized::TableSyntax
- where(:script_name, :expected_job_token_allowed, :expected_basic_auth_personal_access_token) do
- '/api/endpoint' | true | true
- '/namespace/project.git' | false | true
- '/web/endpoint' | false | false
+ where(:script_name, :expected_job_token_allowed, :expected_basic_auth_personal_access_token, :expected_deploy_token_allowed) do
+ '/api/endpoint' | true | true | true
+ '/namespace/project.git' | false | true | true
+ '/web/endpoint' | false | false | false
end
with_them do
@@ -394,7 +426,8 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
it 'returns correct settings' do
expect(subject.send(:route_authentication_setting)).to eql({
job_token_allowed: expected_job_token_allowed,
- basic_auth_personal_access_token: expected_basic_auth_personal_access_token
+ basic_auth_personal_access_token: expected_basic_auth_personal_access_token,
+ deploy_token_allowed: expected_deploy_token_allowed
})
end
end
diff --git a/spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb b/spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb
index 2d595632772..fda4b94bd78 100644
--- a/spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb
+++ b/spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb
@@ -91,72 +91,110 @@ RSpec.describe Gitlab::Metrics::Subscribers::RackAttack, :request_store do
end
end
- context 'when matched throttle requires user information' do
- context 'when user not found' do
- let(:event) do
- ActiveSupport::Notifications::Event.new(
- event_name, Time.current, Time.current + 2.seconds, '1', request: double(
- :request,
- ip: '1.2.3.4',
- request_method: 'GET',
- fullpath: '/api/v4/internal/authorized_keys',
- env: {
- 'rack.attack.match_type' => match_type,
- 'rack.attack.matched' => 'throttle_authenticated_api',
- 'rack.attack.match_discriminator' => 'not_exist_user_id'
- }
+ context 'matching user or deploy token authenticated information' do
+ context 'when matching for user' do
+ context 'when user not found' do
+ let(:event) do
+ ActiveSupport::Notifications::Event.new(
+ event_name, Time.current, Time.current + 2.seconds, '1', request: double(
+ :request,
+ ip: '1.2.3.4',
+ request_method: 'GET',
+ fullpath: '/api/v4/internal/authorized_keys',
+ env: {
+ 'rack.attack.match_type' => match_type,
+ 'rack.attack.matched' => 'throttle_authenticated_api',
+ 'rack.attack.match_discriminator' => "user:#{non_existing_record_id}"
+ }
+ )
)
- )
+ end
+
+ it 'logs request information and user id' do
+ expect(Gitlab::AuthLogger).to receive(:error).with(
+ include(
+ message: 'Rack_Attack',
+ env: match_type,
+ remote_ip: '1.2.3.4',
+ request_method: 'GET',
+ path: '/api/v4/internal/authorized_keys',
+ matched: 'throttle_authenticated_api',
+ user_id: non_existing_record_id
+ )
+ )
+ subscriber.send(match_type, event)
+ end
end
- it 'logs request information and user id' do
- expect(Gitlab::AuthLogger).to receive(:error).with(
- include(
- message: 'Rack_Attack',
- env: match_type,
- remote_ip: '1.2.3.4',
- request_method: 'GET',
- path: '/api/v4/internal/authorized_keys',
- matched: 'throttle_authenticated_api',
- user_id: 'not_exist_user_id'
+ context 'when user found' do
+ let(:user) { create(:user) }
+ let(:event) do
+ ActiveSupport::Notifications::Event.new(
+ event_name, Time.current, Time.current + 2.seconds, '1', request: double(
+ :request,
+ ip: '1.2.3.4',
+ request_method: 'GET',
+ fullpath: '/api/v4/internal/authorized_keys',
+ env: {
+ 'rack.attack.match_type' => match_type,
+ 'rack.attack.matched' => 'throttle_authenticated_api',
+ 'rack.attack.match_discriminator' => "user:#{user.id}"
+ }
+ )
)
- )
- subscriber.send(match_type, event)
+ end
+
+ it 'logs request information and user meta' do
+ expect(Gitlab::AuthLogger).to receive(:error).with(
+ include(
+ message: 'Rack_Attack',
+ env: match_type,
+ remote_ip: '1.2.3.4',
+ request_method: 'GET',
+ path: '/api/v4/internal/authorized_keys',
+ matched: 'throttle_authenticated_api',
+ user_id: user.id,
+ 'meta.user' => user.username
+ )
+ )
+ subscriber.send(match_type, event)
+ end
end
end
- context 'when user found' do
- let(:user) { create(:user) }
- let(:event) do
- ActiveSupport::Notifications::Event.new(
- event_name, Time.current, Time.current + 2.seconds, '1', request: double(
- :request,
- ip: '1.2.3.4',
- request_method: 'GET',
- fullpath: '/api/v4/internal/authorized_keys',
- env: {
- 'rack.attack.match_type' => match_type,
- 'rack.attack.matched' => 'throttle_authenticated_api',
- 'rack.attack.match_discriminator' => user.id
- }
+ context 'when matching for deploy token' do
+ context 'when deploy token found' do
+ let(:deploy_token) { create(:deploy_token) }
+ let(:event) do
+ ActiveSupport::Notifications::Event.new(
+ event_name, Time.current, Time.current + 2.seconds, '1', request: double(
+ :request,
+ ip: '1.2.3.4',
+ request_method: 'GET',
+ fullpath: '/api/v4/internal/authorized_keys',
+ env: {
+ 'rack.attack.match_type' => match_type,
+ 'rack.attack.matched' => 'throttle_authenticated_api',
+ 'rack.attack.match_discriminator' => "deploy_token:#{deploy_token.id}"
+ }
+ )
)
- )
- end
-
- it 'logs request information and user meta' do
- expect(Gitlab::AuthLogger).to receive(:error).with(
- include(
- message: 'Rack_Attack',
- env: match_type,
- remote_ip: '1.2.3.4',
- request_method: 'GET',
- path: '/api/v4/internal/authorized_keys',
- matched: 'throttle_authenticated_api',
- user_id: user.id,
- 'meta.user' => user.username
+ end
+
+ it 'logs request information and user meta' do
+ expect(Gitlab::AuthLogger).to receive(:error).with(
+ include(
+ message: 'Rack_Attack',
+ env: match_type,
+ remote_ip: '1.2.3.4',
+ request_method: 'GET',
+ path: '/api/v4/internal/authorized_keys',
+ matched: 'throttle_authenticated_api',
+ deploy_token_id: deploy_token.id
+ )
)
- )
- subscriber.send(match_type, event)
+ subscriber.send(match_type, event)
+ end
end
end
end
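Review bot: The deploy-token branch has no 'not found' example to mirror 'when user not found', so what `Gitlab::AuthLogger` receives for `"deploy_token:#{non_existing_record_id}"` — and for a discriminator carrying neither prefix, presumably now parsed out of the same string — is unpinned; an example for each, expecting the request fields (and, as the user case does, the raw id) to still be logged without attributing the request to an existing user or token, would close that gap. The example under 'when deploy token found' is titled 'logs request information and user meta' although it asserts `deploy_token_id: deploy_token.id` and no user meta; `it 'logs request information and deploy token id'` fits. The three `let(:event)` blocks differ only in the `'rack.attack.match_discriminator'` value; lifting the event construction to the outer 'matching user or deploy token authenticated information' context and giving each nested context a one-line `let(:discriminator) { "user:#{user.id}" }` (or the deploy-token form) would remove the duplication without changing what is asserted.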