| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
# Conflicts:
# internal/auth/auth_test.go
|
|
|
|
This commit restricts arbitrary protocol redirection to only https or http URLs and introduces nolint: gocyclo for auth.handleProxyingAuth method.
Changelog: security
|
|
Related to: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/806
Changelog: added
|
|
|
|
Require an explanation for nolint rules and warn about
unused rules
|
|
|
|
Changelog: changed
|
|
Currently, sessions are valid across all domains.
And our auth tokens are also valid for all pages projects
user has access to.
This means that cookie from one website can be reused on the
another.
Attackers can steal cookies in many different ways.
The easiest way would be to setup a validated custom domain,
then proxy all requests to pages server, but log the cookies.
Once you have a cookie for attackers domain, you can reuse it
on any other pages domain the target user has access to.
This commit saves current domain in the session and validates it
when reading the session.
Changelog: security
|
|
Changelog: added
|
|
|
|
LabKit logs all HTTP responses with a `status` field of an integer. We
ensure that all errors now use this convention and store the full
status text as `status_text`.
This is needed to enusre Elasticsearch doesn't drop logs due to
mapping conflicts.
Changelog: fixed
|
|
|
|
refactor: enable unparam in .gitlabci.yml
See merge request gitlab-org/gitlab-pages!631
|
|
and fix offences
|
|
And report stack trace with error tracking to Sentry.
Changelog: other
|
|
Changelog: fixed
|
|
|
|
|
|
fix: propagate context to sub requests
See merge request gitlab-org/gitlab-pages!538
|
|
|
|
status code during an unexpected response
|
|
|
|
|
|
Update the auth package to use the internal server
when fetching access token or checking for authentication.
Changelog: changed
|
|
|
|
|
|
|
|
As discussed within https://gitlab.com/gitlab-org/gitlab-pages/-/issues/510 this
MR adds the usage of labkit's correlationID middleware.
It uses a similar approach to the implemantion in gitlab-workhorse.
Fixes https://gitlab.com/gitlab-org/gitlab-pages/-/issues/510
:tools: with :heart: at Siemens
Changelog: fixed
|
|
This MR makes required authentication permission scope for
Pages configurable.
By default, Pages will use `api` scope to authenticate with
Pages Application registered on GitLab.
With this MR, the scope is configurable and can be set to `read_api`
by providing the `auth-scope` variable in the arguments or in
the `gitlab-pages.conf`
/label ~security
Changelog: added
|
|
Use file.html explicitly in test
|
|
Change variables of error type to strings constants when these variables
are solely used for the message contained in the errors.
|
|
Add AES GCM encryption/decryption to auth
Add signing key to Auth
Abstract key generation and Auth init to their own funcs.
Cleanup and DRY unit tests.
Use same code parameter in auth redirect
Cleanup auth and add tests for enc/dec oauth code
Add acceptance test for fix
Apply suggestion from review
Add missing test and apply feedback
Fix unit test
Simplify acceptance test
|
|
Simplify responsibilities of auth package and reduce
complexity of app.go deciding which content to serve.
|
|
Add acceptance test and some more domains for testing
Move namespace domain serving logic
Restore go.sum
Remove redundant return
Fix linter
|
|
Update labkit
|
|
|
|
- ineffassign
- misspell
- structcheck
- typecheck
- unconvert
- unused
- varcheck
- whitespace
|
|
|
|
As part of https://gitlab.com/gitlab-org/gitlab-pages/-/issues/385
we have introduced the use of a custom `.golangci.yml` file with some
custom rules for linting.
This replaces the need of downloading and using `golint`, `gofmt`
`go vet` and `gocyclo` manually. We take advantage of the custom
`golangci-lint` docker image as stated in the [Automatic lintinb]
(https://docs.gitlab.com/ee/development/go_guide/#automatic-linting)
section of the Go standards and style guidelines.
This iteration enables a subset of linters, with the remaining
of them enabled on a separate MR as described in the issue above.
The main changes introduced by this linter include:
- gosec: potential hardcoded credentials
- goconst: DRY by declaring and using constants
- gosimple: reduce statements complexity and improve return statements
|
|
increasing MaxIdleConnsPerHost
|
|
|
|
|
|
|
|
Separate domain config source
See merge request gitlab-org/gitlab-pages!188
|
|
Remove some duplicate logic on Auth module
Separate handling artifact to own handlers package
Unit test handlers by mocking auth and artifact modules
Add generate-mock step to Makefile
Use additional handler func to simplify TryMakeRequest return type
Always try with token if exists
Do not log RequestURI, log path only
Remove not used logRequest func
|
|
|
