Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-09-29 16:00:10 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-09-29 16:00:27 +0300
commit: 003d8b5eac3aa173a7061b82d84ffaf28e8024f6 (patch)
tree: b87970a41714669fd6b40b84db245bcaeebad3dd /spec
parent: 95328dd30a55cb66da05352131e7a981b44e1348 (diff)
2 files changed, 92 insertions, 23 deletions
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 28e93a8da52..2543eb3a5e9 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -81,32 +81,72 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
       expect(subject.find_sessionless_user(:api)).to eq job_token_user
     end
 
-    it 'returns lfs_token user if no job_token user found' do
-      allow_any_instance_of(described_class)
-        .to receive(:find_user_from_lfs_token)
-        .and_return(lfs_token_user)
-
-      expect(subject.find_sessionless_user(:api)).to eq lfs_token_user
-    end
-
-    it 'returns basic_auth_access_token user if no lfs_token user found' do
+    it 'returns nil even if basic_auth_access_token is available' do
       allow_any_instance_of(described_class)
         .to receive(:find_user_from_personal_access_token)
         .and_return(basic_auth_access_token_user)
 
-      expect(subject.find_sessionless_user(:api)).to eq basic_auth_access_token_user
+      expect(subject.find_sessionless_user(:api)).to be_nil
     end
 
-    it 'returns basic_auth_access_password user if no basic_auth_access_token user found' do
+    it 'returns nil even if find_user_from_lfs_token is available' do
       allow_any_instance_of(described_class)
-        .to receive(:find_user_from_basic_auth_password)
-        .and_return(basic_auth_password_user)
+        .to receive(:find_user_from_lfs_token)
+        .and_return(lfs_token_user)
 
-      expect(subject.find_sessionless_user(:api)).to eq basic_auth_password_user
+      expect(subject.find_sessionless_user(:api)).to be_nil
     end
 
     it 'returns nil if no user found' do
-      expect(subject.find_sessionless_user(:api)).to be_blank
+      expect(subject.find_sessionless_user(:api)).to be_nil
+    end
+
+    context 'in an API request' do
+      before do
+        env['SCRIPT_NAME'] = '/api/v4/projects'
+      end
+
+      it 'returns basic_auth_access_token user if no job_token_user found' do
+        allow_any_instance_of(described_class)
+          .to receive(:find_user_from_personal_access_token)
+          .and_return(basic_auth_access_token_user)
+
+        expect(subject.find_sessionless_user(:api)).to eq basic_auth_access_token_user
+      end
+    end
+
+    context 'in a Git request' do
+      before do
+        env['SCRIPT_NAME'] = '/group/project.git/info/refs'
+      end
+
+      it 'returns lfs_token user if no job_token user found' do
+        allow_any_instance_of(described_class)
+          .to receive(:find_user_from_lfs_token)
+          .and_return(lfs_token_user)
+
+        expect(subject.find_sessionless_user(nil)).to eq lfs_token_user
+      end
+
+      it 'returns basic_auth_access_token user if no lfs_token user found' do
+        allow_any_instance_of(described_class)
+          .to receive(:find_user_from_personal_access_token)
+          .and_return(basic_auth_access_token_user)
+
+        expect(subject.find_sessionless_user(nil)).to eq basic_auth_access_token_user
+      end
+
+      it 'returns basic_auth_access_password user if no basic_auth_access_token user found' do
+        allow_any_instance_of(described_class)
+          .to receive(:find_user_from_basic_auth_password)
+          .and_return(basic_auth_password_user)
+
+        expect(subject.find_sessionless_user(nil)).to eq basic_auth_password_user
+      end
+
+      it 'returns nil if no user found' do
+        expect(subject.find_sessionless_user(nil)).to be_blank
+      end
     end
 
     it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 87ef6fa1a18..be942f6ae86 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -933,17 +933,28 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
     end
 
     context 'authenticated with lfs token' do
-      it 'request is authenticated by token in basic auth' do
-        lfs_token = Gitlab::LfsToken.new(user)
-        encoded_login = ["#{user.username}:#{lfs_token.token}"].pack('m0')
+      let(:lfs_url) { '/namespace/repo.git/info/lfs/objects/batch' }
+      let(:lfs_token) { Gitlab::LfsToken.new(user) }
+      let(:encoded_login) { ["#{user.username}:#{lfs_token.token}"].pack('m0') }
+      let(:headers) { { 'AUTHORIZATION' => "Basic #{encoded_login}" } }
 
+      it 'request is authenticated by token in basic auth' do
         expect_authenticated_request
 
-        get url, headers: { 'AUTHORIZATION' => "Basic #{encoded_login}" }
+        get lfs_url, headers: headers
+      end
+
+      it 'request is not authenticated with API URL' do
+        expect_unauthenticated_request
+
+        get url, headers: headers
       end
     end
 
     context 'authenticated with regular login' do
+      let(:encoded_login) { ["#{user.username}:#{user.password}"].pack('m0') }
+      let(:headers) { { 'AUTHORIZATION' => "Basic #{encoded_login}" } }
+
       it 'request is authenticated after login' do
         login_as(user)
 
@@ -952,12 +963,30 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
         get url
       end
 
-      it 'request is authenticated by credentials in basic auth' do
-        encoded_login = ["#{user.username}:#{user.password}"].pack('m0')
+      it 'request is not authenticated by credentials in basic auth' do
+        expect_unauthenticated_request
 
-        expect_authenticated_request
+        get url, headers: headers
+      end
+
+      context 'with POST git-upload-pack' do
+        it 'request is authenticated by credentials in basic auth' do
+          expect(::Gitlab::Workhorse).to receive(:verify_api_request!)
+
+          expect_authenticated_request
 
-        get url, headers: { 'AUTHORIZATION' => "Basic #{encoded_login}" }
+          post '/namespace/repo.git/git-upload-pack', headers: headers
+        end
+      end
+
+      context 'with GET info/refs' do
+        it 'request is authenticated by credentials in basic auth' do
+          expect(::Gitlab::Workhorse).to receive(:verify_api_request!)
+
+          expect_authenticated_request
+
+          get '/namespace/repo.git/info/refs?service=git-upload-pack', headers: headers
+        end
       end
     end
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-09-29 16:00:10 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-09-29 16:00:27 +0300
commit	003d8b5eac3aa173a7061b82d84ffaf28e8024f6 (patch)
tree	b87970a41714669fd6b40b84db245bcaeebad3dd /spec
parent	95328dd30a55cb66da05352131e7a981b44e1348 (diff)