Merge branch 'security-fix-pat-web-access' into 'master'

[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"

See merge request gitlab/gitlabhq!2583

1 files changed, 92 insertions, 0 deletions

diff --git a/spec/support/controllers/sessionless_auth_controller_shared_examples.rb b/spec/support/controllers/sessionless_auth_controller_shared_examples.rb
new file mode 100644
index 00000000000..7e4958f177a
--- /dev/null
+++ b/spec/support/controllers/sessionless_auth_controller_shared_examples.rb
@@ -0,0 +1,92 @@
+shared_examples 'authenticates sessionless user' do |path, format, params|
+  params ||= {}
+
+  before do
+    stub_authentication_activity_metrics(debug: false)
+  end
+
+  let(:user) { create(:user) }
+  let(:personal_access_token) { create(:personal_access_token, user: user) }
+  let(:default_params) { { format: format }.merge(params.except(:public) || {}) }
+
+  context "when the 'personal_access_token' param is populated with the personal access token" do
+    it 'logs the user in' do
+      expect(authentication_metrics)
+        .to increment(:user_authenticated_counter)
+              .and increment(:user_session_override_counter)
+                     .and increment(:user_sessionless_authentication_counter)
+
+      get path, default_params.merge(private_token: personal_access_token.token)
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(controller.current_user).to eq(user)
+    end
+
+    it 'does not log the user in if page is public', if: params[:public] do
+      get path, default_params
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(controller.current_user).to be_nil
+    end
+  end
+
+  context 'when the personal access token has no api scope', unless: params[:public] do
+    it 'does not log the user in' do
+      expect(authentication_metrics)
+        .to increment(:user_unauthenticated_counter)
+
+      personal_access_token.update(scopes: [:read_user])
+
+      get path, default_params.merge(private_token: personal_access_token.token)
+
+      expect(response).not_to have_gitlab_http_status(200)
+    end
+  end
+
+  context "when the 'PERSONAL_ACCESS_TOKEN' header is populated with the personal access token" do
+    it 'logs the user in' do
+      expect(authentication_metrics)
+        .to increment(:user_authenticated_counter)
+              .and increment(:user_session_override_counter)
+                     .and increment(:user_sessionless_authentication_counter)
+
+      @request.headers['PRIVATE-TOKEN'] = personal_access_token.token
+      get path, default_params
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+  end
+
+  context "when the 'feed_token' param is populated with the feed token", if: format == :rss do
+    it "logs the user in" do
+      expect(authentication_metrics)
+        .to increment(:user_authenticated_counter)
+              .and increment(:user_session_override_counter)
+                     .and increment(:user_sessionless_authentication_counter)
+
+      get path, default_params.merge(feed_token: user.feed_token)
+
+      expect(response).to have_gitlab_http_status 200
+    end
+  end
+
+  context "when the 'feed_token' param is populated with an invalid feed token", if: format == :rss, unless: params[:public] do
+    it "logs the user" do
+      expect(authentication_metrics)
+        .to increment(:user_unauthenticated_counter)
+
+      get path, default_params.merge(feed_token: 'token')
+
+      expect(response.status).not_to eq 200
+    end
+  end
+
+  it "doesn't log the user in otherwise", unless: params[:public] do
+    expect(authentication_metrics)
+      .to increment(:user_unauthenticated_counter)
+
+    get path, default_params.merge(private_token: 'token')
+
+    expect(response.status).not_to eq(200)
+  end
+end