authorJaime Martinez <jmartinez@gitlab.com>2020-05-28 07:50:18 +0300
committerJaime Martinez <jmartinez@gitlab.com>2020-07-06 02:13:51 +0300
commitfb2c26ff998b809baddeb9618aae52c49200bc8b (patch)
tree500310d07317b81acffab5d9efc2f64cf0d01fbf
parentcac920323f196072c28bee611a4ee9157316cd6f (diff)
Find parent namepsace domain if auth fails for current project
Update labkit
-rw-r--r--acceptance_test.go3
-rw-r--r--app.go2
-rw-r--r--go.mod2
-rw-r--r--go.sum5
-rw-r--r--internal/auth/auth.go24
5 files changed, 27 insertions, 9 deletions
diff --git a/acceptance_test.go b/acceptance_test.go
index 6a49de8a..0ba5d18f 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -17,7 +17,6 @@ import (
"github.com/namsral/flag"
"github.com/stretchr/testify/require"
- "gotest.tools/assert"
)
var pagesBinary = flag.String("gitlab-pages-binary", "./gitlab-pages", "Path to the gitlab-pages binary")
@@ -251,7 +250,7 @@ func TestCustom404(t *testing.T) {
require.NoError(t, err)
defer rsp.Body.Close()
- assert.Equal(t, http.StatusNotFound, rsp.StatusCode)
+ require.Equal(t, http.StatusNotFound, rsp.StatusCode)
page, err := ioutil.ReadAll(rsp.Body)
require.NoError(t, err)
diff --git a/app.go b/app.go
index c1af29c2..4ead5003 100644
--- a/app.go
+++ b/app.go
@@ -250,7 +250,7 @@ func (a *theApp) accessControlMiddleware(handler http.Handler) http.Handler {
// Only for projects that have access control enabled
if domain.IsAccessControlEnabled(r) {
// accessControlMiddleware
- if a.Auth.CheckAuthentication(w, r, domain.GetProjectID(r)) {
+ if a.Auth.CheckAuthentication(w, r, domain) {
return
}
}
diff --git a/go.mod b/go.mod
index 049b9c57..43f78bc4 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
github.com/stretchr/testify v1.5.1
github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce
github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
- gitlab.com/gitlab-org/labkit v0.0.0-20200520155818-96e583c57891
+ gitlab.com/gitlab-org/labkit v0.0.0-20200526151107-6dcf1319fcd0
gitlab.com/lupine/go-mimedb v0.0.0-20180307000149-e8af1d659877
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f
diff --git a/go.sum b/go.sum
index 550d6a7d..ceb73a62 100644
--- a/go.sum
+++ b/go.sum
@@ -327,9 +327,8 @@ github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmv
github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-gitlab.com/gitlab-org/labkit v0.0.0-20200520155818-96e583c57891 h1:WiCGS5C0B0h+/dh5O7kUJoEZt34O/tbsis9QghNB3gE=
-gitlab.com/gitlab-org/labkit v0.0.0-20200520155818-96e583c57891/go.mod h1:SNfxkfUwVNECgtmluVayv0GWFgEjjBs5AzgsowPQuo0=
+gitlab.com/gitlab-org/labkit v0.0.0-20200526151107-6dcf1319fcd0 h1:+TiSK1umKrr6PCYCR8rJmUMk39hNynOgjZIbJmYXHm0=
+gitlab.com/gitlab-org/labkit v0.0.0-20200526151107-6dcf1319fcd0/go.mod h1:SNfxkfUwVNECgtmluVayv0GWFgEjjBs5AzgsowPQuo0=
gitlab.com/lupine/go-mimedb v0.0.0-20180307000149-e8af1d659877 h1:k5N2m0IPaMuwWmFTO9fyTK4IEnSm35GC/p1S7VRgUyM=
gitlab.com/lupine/go-mimedb v0.0.0-20180307000149-e8af1d659877/go.mod h1:Es0wDVbtgNqhpEXMb+yct6JKnGMrNsUSh9oio0bqqdU=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 453edff2..c12207ca 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -18,6 +18,7 @@ import (
log "github.com/sirupsen/logrus"
"gitlab.com/gitlab-org/labkit/errortracking"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
"gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
"gitlab.com/gitlab-org/gitlab-pages/internal/httptransport"
"gitlab.com/gitlab-org/gitlab-pages/internal/request"
@@ -511,7 +512,7 @@ func (a *Auth) RequireAuth(w http.ResponseWriter, r *http.Request) bool {
}
// CheckAuthentication checks if user is authenticated and has access to the project
-func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, projectID uint64) bool {
+func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, domain *domain.Domain) bool {
logRequest(r).Debug("Authenticate request")
if a == nil {
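Review bot: The new parameter `domain *domain.Domain` shadows the `domain` package imported in the first hunk of this file for the whole function body, so nothing else from that package can be referenced inside CheckAuthentication; a name such as `d *domain.Domain` avoids that. The doc comment above the signature still describes only the project check and should state the new fallback, for example `// When access is denied, the parent namespace domain's 404 page is served if that domain has no access control.` The function body continues past this hunk.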
@@ -522,7 +523,26 @@ func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, proje
return true
}
- return a.checkAuthentication(w, r, projectID)
+ if a.checkAuthentication(w, r, domain.GetProjectID(r)) {
+ // if auth fails, try to resolve parent namespace domain
+ r.URL.Path = "/"
+ parent, err := domain.Resolver.Resolve(r)
+ if err != nil {
+ httperrors.Serve404(w)
+ return true
+ }
+
+ // for namespace domains that have no access control enabled
+ if parent.LookupPath.IsNamespaceProject && !parent.LookupPath.HasAccessControl {
+ parent.ServeNotFoundHTTP(w, r)
+ return true
+ }
+
+ httperrors.Serve404(w)
+ return true
+ }
+
+ return false
}
// CheckResponseForInvalidToken checks response for invalid token and destroys session if it was invalid
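Review bot: The added branch at `if a.checkAuthentication(w, r, domain.GetProjectID(r))` treats every `true` result as "access denied", but before this commit that value was returned directly as CheckAuthentication's own result, so it may also cover cases where a response has already been started (checkAuthentication's body is outside this diff, so this is inferred). If so, the added `httperrors.Serve404(w)` and `parent.ServeNotFoundHTTP(w, r)` calls would write a second response on top of it, and a result that separates "denied" from "already handled" would keep the fallback scoped to actual denial. `r.URL.Path = "/"` also rewrites the caller's request in place, so anything that reads the path afterwards sees `/` instead of the requested URL; resolving on a copy, `pr := r.Clone(r.Context()); pr.URL.Path = "/"` followed by `domain.Resolver.Resolve(pr)`, avoids that. `domain.Resolver`, `parent` and `parent.LookupPath` are dereferenced without a nil check, which is worth guarding if any of them can be nil when `err` is nil. CheckAuthentication starts in the previous hunk.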