From d7437af3f31f388bf59b23a06c9bff5c8c5fd157 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 30 Nov 2022 04:46:20 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee --- .../admin_area/settings/external_authorization.md | 3 +++ doc/user/packages/package_registry/index.md | 1 + doc/user/project/deploy_keys/index.md | 2 ++ doc/user/project/deploy_tokens/index.md | 2 ++ lib/gitlab/api_authentication/token_resolver.rb | 2 ++ lib/gitlab/auth/auth_finders.rb | 1 + lib/gitlab/git_access.rb | 4 ++-- .../api_authentication/token_resolver_spec.rb | 12 ++++++++++ spec/lib/gitlab/auth/auth_finders_spec.rb | 9 +++++++ spec/lib/gitlab/git_access_spec.rb | 28 ++++++++++++++++++++++ 10 files changed, 62 insertions(+), 2 deletions(-) diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md index a34ceac0d95..09ac477b062 100644 --- a/doc/user/admin_area/settings/external_authorization.md +++ b/doc/user/admin_area/settings/external_authorization.md @@ -43,6 +43,9 @@ using Omnibus, learn to install a custom CA in the Alternatively, learn where to install custom certificates by using `openssl version -d`. +When external authorization is enabled, [deploy tokens](../../project/deploy_tokens/index.md) + and [deploy keys](../../project/deploy_keys/index.md) can't be used for Git operations. + ## Configuration The external authorization service can be enabled by an administrator: diff --git a/doc/user/packages/package_registry/index.md b/doc/user/packages/package_registry/index.md index 8e160cbb195..1aeb98fd48a 100644 --- a/doc/user/packages/package_registry/index.md +++ b/doc/user/packages/package_registry/index.md @@ -62,6 +62,7 @@ For most package types, the following credential types are valid: NOTE: If you have not activated the "Packages" feature for your project at **Settings > General > Project features**, you will receive a 403 Forbidden response. +Accessing package registry via deploy token is not available when external authorization is enabled. ## Use GitLab CI/CD to build packages diff --git a/doc/user/project/deploy_keys/index.md b/doc/user/project/deploy_keys/index.md index 58f7d3198b2..56bb899c233 100644 --- a/doc/user/project/deploy_keys/index.md +++ b/doc/user/project/deploy_keys/index.md @@ -18,6 +18,8 @@ Depending on your needs, you might want to use a [deploy token](../deploy_tokens | Validity | Valid as long as it's registered and enabled. | Can be given an expiration date. | | Registry access | Cannot access a package registry. | Can read from and write to a package registry. | +Deploy keys can't be used for Git operations if [external authorization](../../admin_area/settings/external_authorization.md) is enabled. + ## Scope A deploy key has a defined scope when it is created: diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md index aab72d4859e..3dd6f14ea70 100644 --- a/doc/user/project/deploy_tokens/index.md +++ b/doc/user/project/deploy_tokens/index.md @@ -41,6 +41,8 @@ You can create deploy tokens at either the project or group level: By default, a deploy token does not expire. You can optionally set an expiry date when you create it. Expiry occurs at midnight UTC on that date. +Deploy tokens can't be used for Git operations and Package Registry operations if [external authorization](../../admin_area/settings/external_authorization.md) is enabled. + ## Scope A deploy token's scope determines the actions it can perform. diff --git a/lib/gitlab/api_authentication/token_resolver.rb b/lib/gitlab/api_authentication/token_resolver.rb index dd9039e37f6..afada055928 100644 --- a/lib/gitlab/api_authentication/token_resolver.rb +++ b/lib/gitlab/api_authentication/token_resolver.rb @@ -165,6 +165,8 @@ module Gitlab end def with_deploy_token(raw, &block) + raise ::Gitlab::Auth::UnauthorizedError if Gitlab::ExternalAuthorization.enabled? + token = ::DeployToken.active.find_by_token(raw.password) return unless token diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb index c994f179b66..16bee187c87 100644 --- a/lib/gitlab/auth/auth_finders.rb +++ b/lib/gitlab/auth/auth_finders.rb @@ -147,6 +147,7 @@ module Gitlab # deploy tokens are accepted with deploy token headers and basic auth headers def deploy_token_from_request return unless route_authentication_setting[:deploy_token_allowed] + return if Gitlab::ExternalAuthorization.enabled? token = current_request.env[DEPLOY_TOKEN_HEADER].presence || parsed_oauth_token diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 9a3f5fb844b..da2a81983ec 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -367,7 +367,7 @@ module Gitlab end def deploy_key? - actor.is_a?(DeployKey) + actor.is_a?(DeployKey) && !Gitlab::ExternalAuthorization.enabled? end def deploy_token @@ -375,7 +375,7 @@ module Gitlab end def deploy_token? - actor.is_a?(DeployToken) + actor.is_a?(DeployToken) && !Gitlab::ExternalAuthorization.enabled? end def ci? diff --git a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb index bbc6bf0d481..9f86b95651a 100644 --- a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb +++ b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb @@ -114,6 +114,18 @@ RSpec.describe Gitlab::APIAuthentication::TokenResolver do it_behaves_like 'an unauthorized request' end + + context 'when the external_authorization_service is enabled' do + before do + stub_application_setting(external_authorization_service_enabled: true) + end + + context 'with a valid deploy token' do + let(:raw) { username_and_password(token.username, token.token) } + + it_behaves_like 'an unauthorized request' + end + end end context 'with :personal_access_token' do diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb index 05eca4cf70f..9283c31a207 100644 --- a/spec/lib/gitlab/auth/auth_finders_spec.rb +++ b/spec/lib/gitlab/auth/auth_finders_spec.rb @@ -389,6 +389,15 @@ RSpec.describe Gitlab::Auth::AuthFinders do it { is_expected.to be_nil } end end + + context 'when the external_authorization_service is enabled' do + before do + stub_application_setting(external_authorization_service_enabled: true) + set_header(described_class::DEPLOY_TOKEN_HEADER, deploy_token.token) + end + + it { is_expected.to be_nil } + end end describe '#find_user_from_access_token' do diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb index 7e3a1bf61bc..10a099af4f0 100644 --- a/spec/lib/gitlab/git_access_spec.rb +++ b/spec/lib/gitlab/git_access_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' RSpec.describe Gitlab::GitAccess, :aggregate_failures do include TermsHelper include AdminModeHelper + include ExternalAuthorizationServiceHelpers let(:user) { create(:user) } let(:actor) { user } @@ -111,6 +112,19 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do end end end + + context 'when the external_authorization_service is enabled' do + before do + stub_application_setting(external_authorization_service_enabled: true) + end + + it 'blocks push and pull with "not found"' do + aggregate_failures do + expect { push_access_check }.to raise_not_found + expect { pull_access_check }.to raise_not_found + end + end + end end context 'when actor is a User' do @@ -176,6 +190,20 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do expect { push_access_check }.to raise_not_found end end + + context 'when the external_authorization_service is enabled' do + before do + stub_application_setting(external_authorization_service_enabled: true) + end + + it 'blocks pull access' do + expect { pull_access_check }.to raise_not_found + end + + it 'blocks the push' do + expect { push_access_check }.to raise_not_found + end + end end end -- cgit v1.2.3