diff options
author | Jaime Martinez <jmartinez@gitlab.com> | 2020-05-28 11:07:03 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2020-07-06 02:13:51 +0300 |
commit | 4f82a5659cfcec5e7782b80f0d551353cbdcc1dc (patch) | |
tree | 0b9ccdfa09a1cbf932dfd23d26506b3096ccd285 /internal/auth/auth.go | |
parent | fb2c26ff998b809baddeb9618aae52c49200bc8b (diff) |
Get namespace domain if auth fails for a private domain
Add acceptance test and some more domains for testing
Move namespace domain serving logic
Restore go.sum
Remove redundant return
Fix linter
Diffstat (limited to 'internal/auth/auth.go')
-rw-r--r-- | internal/auth/auth.go | 43 |
1 files changed, 12 insertions, 31 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go index c12207ca..768e7f75 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -18,7 +18,6 @@ import ( log "github.com/sirupsen/logrus" "gitlab.com/gitlab-org/labkit/errortracking" - "gitlab.com/gitlab-org/gitlab-pages/internal/domain" "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors" "gitlab.com/gitlab-org/gitlab-pages/internal/httptransport" "gitlab.com/gitlab-org/gitlab-pages/internal/request" @@ -437,10 +436,10 @@ func (a *Auth) IsAuthSupported() bool { return a != nil } -func (a *Auth) checkAuthentication(w http.ResponseWriter, r *http.Request, projectID uint64) bool { +func (a *Auth) checkAuthentication(w http.ResponseWriter, r *http.Request, projectID uint64) (contentServed, authFailed bool) { session := a.checkSessionIsValid(w, r) if session == nil { - return true + return true, false } // Access token exists, authorize request @@ -457,14 +456,14 @@ func (a *Auth) checkAuthentication(w http.ResponseWriter, r *http.Request, proje errortracking.Capture(err, errortracking.WithRequest(req)) httperrors.Serve500(w) - return true + return true, false } req.Header.Add("Authorization", "Bearer "+session.Values["access_token"].(string)) resp, err := a.apiClient.Do(req) if err == nil && checkResponseForInvalidToken(resp, session, w, r) { - return true + return true, false } if err != nil || resp.StatusCode != 200 { @@ -472,17 +471,17 @@ func (a *Auth) checkAuthentication(w http.ResponseWriter, r *http.Request, proje logRequest(r).WithError(err).Error("Failed to retrieve info with token") } - return false + return false, true } - return false + return false, false } // CheckAuthenticationWithoutProject checks if user is authenticated and has a valid token -func (a *Auth) CheckAuthenticationWithoutProject(w http.ResponseWriter, r *http.Request) bool { +func (a *Auth) CheckAuthenticationWithoutProject(w http.ResponseWriter, r *http.Request) (contentServed, authFailed bool) { if a == nil { // No auth supported - return false + return false, false } return a.checkAuthentication(w, r, 0) @@ -512,7 +511,8 @@ func (a *Auth) RequireAuth(w http.ResponseWriter, r *http.Request) bool { } // CheckAuthentication checks if user is authenticated and has access to the project -func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, domain *domain.Domain) bool { +// will return contentServed = false when authFailed = true +func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, projectID uint64) (contentServed, authFailed bool) { logRequest(r).Debug("Authenticate request") if a == nil { @@ -520,29 +520,10 @@ func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, domai errortracking.Capture(errAuthNotConfigured, errortracking.WithRequest(r)) httperrors.Serve500(w) - return true - } - - if a.checkAuthentication(w, r, domain.GetProjectID(r)) { - // if auth fails, try to resolve parent namespace domain - r.URL.Path = "/" - parent, err := domain.Resolver.Resolve(r) - if err != nil { - httperrors.Serve404(w) - return true - } - - // for namespace domains that have no access control enabled - if parent.LookupPath.IsNamespaceProject && !parent.LookupPath.HasAccessControl { - parent.ServeNotFoundHTTP(w, r) - return true - } - - httperrors.Serve404(w) - return true + return true, false } - return false + return a.checkAuthentication(w, r, projectID) } // CheckResponseForInvalidToken checks response for invalid token and destroys session if it was invalid |