author | Ercan Ucan <ercan.ucan@siemens.com> | 2021-02-15 03:28:29 +0300 |
committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-02-15 03:28:29 +0300 |
commit | b41995a13969b2926ad265bcc769f473e48166cb (patch) | |
tree | 2d70d9c1c201a6e9a4bf73cbe06b9b9d792cd825 /internal/auth/auth.go | |
parent | 2eefcef73409cf7510d7ecacce76b299a8340a4c (diff) |
fix(auth): make authentication scope for Pages configurable
This MR makes the authentication permission scope required by
Pages configurable.
By default, Pages will use `api` scope to authenticate with
Pages Application registered on GitLab.
With this MR, the scope is configurable and can be set to `read_api`
by providing the `auth-scope` variable in the arguments or in
the `gitlab-pages.conf`
/label ~security
Changelog: added
Diffstat (limited to 'internal/auth/auth.go')
-rw-r--r-- | internal/auth/auth.go | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index cbbc720e..2fdcbeb3 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -32,7 +32,7 @@ import (
 const (
 	apiURLUserTemplate = "%s/api/v4/user"
 	apiURLProjectTemplate = "%s/api/v4/projects/%d/pages_access"
-	authorizeURLTemplate = "%s/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=%s"
+	authorizeURLTemplate = "%s/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=%s&scope=%s"
 	tokenURLTemplate = "%s/oauth/token"
 	tokenContentTemplate = "client_id=%s&client_secret=%s&code=%s&grant_type=authorization_code&redirect_uri=%s"
 	callbackPath = "/auth"
@@ -59,6 +59,7 @@ type Auth struct {
 	redirectURI string
 	gitLabServer string
 	authSecret string
+	authScope string
 	jwtSigningKey []byte
 	jwtExpiry time.Duration
 	apiClient *http.Client
@@ -266,7 +267,7 @@ func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWrit
 		return true
 	}
 
-	url := fmt.Sprintf(authorizeURLTemplate, a.gitLabServer, a.clientID, a.redirectURI, state)
+	url := fmt.Sprintf(authorizeURLTemplate, a.gitLabServer, a.clientID, a.redirectURI, state, a.authScope)
 
 	logRequest(r).WithFields(log.Fields{
 		"gitlab_server": a.gitLabServer,
@@ -645,8 +646,7 @@ func generateKeys(secret string, count int) ([][]byte, error) {
 }
 
 // New when authentication supported this will be used to create authentication handler
-func New(pagesDomain string, storeSecret string, clientID string, clientSecret string,
-	redirectURI string, gitLabServer string) (*Auth, error) {
+func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, gitLabServer, authScope string) (*Auth, error) {
 	// generate 3 keys, 2 for the cookie store and 1 for JWT signing
 	keys, err := generateKeys(storeSecret, 3)
 	if err != nil {
@@ -665,6 +665,7 @@ func New(pagesDomain string, storeSecret string, clientID string, clientSecret s
 		},
 		store: sessions.NewCookieStore(keys[0], keys[1]),
 		authSecret: storeSecret,
+		authScope: authScope,
 		jwtSigningKey: keys[2],
 		jwtExpiry: time.Minute,
 		now: time.Now,
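Review bot: In the handleProxyingAuth hunk (`@@ -266,7 +267,7 @@`), `a.authScope` is interpolated into the authorize URL by `fmt.Sprintf` with no escaping, so a scope value containing `&`, `+` or a space (OAuth scope lists are space-separated) would silently corrupt the query string instead of failing loudly. The value comes from operator configuration rather than from a request, so the exposure is limited, but `New` (the `@@ -645,8 +646,7 @@` hunk) also accepts any string without checking that it is non-empty or one of the scopes the description names, and an empty value yields a trailing `&scope=`, which the authorization server may not treat the same as an omitted parameter. I would escape at the point of use, `url := fmt.Sprintf(authorizeURLTemplate, a.gitLabServer, a.clientID, a.redirectURI, state, url.QueryEscape(a.authScope))` (assuming `net/url` is imported; the local is named `url`, which shadows the package from that line on, so renaming it to `authorizeURL` would avoid confusion), and have `New` return an error for an empty authScope rather than relying on the config layer to supply the default. Both handleProxyingAuth and New start and end outside their hunks.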