| Age | Commit message | Author |
|---|---|---|
| 2022-05-02 | Add nolintlint linter configuration | feistel |
| | Require an explanation for nolint rules and warn about unused rules | |
| 2022-04-08 | chore: move check outside of fetching token function | Jaime Martinez |
| 2022-04-08 | fix: handle context canceled gracefully for auth and artifacts | Jaime Martinez |
| | Changelog: changed | |
| 2022-04-06 | Add comment details for nonce size | Vishal Tak |
| 2022-04-06 | Update nonce to make it of standard size | Vishal Tak |
| | Changelog: changed | |
| 2022-04-05 | Merge branch 'refactor/specialized-require' into 'master' | Jaime Martinez |
| | test: replace require.Equal with specialized assertions See merge request gitlab-org/gitlab-pages!685 | |
| 2022-03-24 | fix: validate that session was issued on the same host | Vladimir Shushlin |
| | Currently, sessions are valid across all domains. And our auth tokens are also valid for all pages projects the user has access to. This means that a cookie from one website can be reused on another. Attackers can steal cookies in many different ways. The easiest way would be to set up a validated custom domain, then proxy all requests to the pages server, but log the cookies. Once you have a cookie for the attacker's domain, you can reuse it on any other pages domain the target user has access to. This commit saves the current domain in the session and validates it when reading the session. Changelog: security | |
| 2022-03-15 | feat: allow auth http.Client timeout to be configurable | Osman İlge Ünaldı |
| | Changelog: added | |
| 2022-03-11 | Add correlation_id to all exception captures | Kassio Borges |
| 2022-02-24 | test: replace require.Equal with specialized assertions | feistel |
| 2022-02-18 | refactor: use testhelpers.Close() | yigithankardas |
| 2022-02-04 | Merge branch 'test/move-mocks' into 'master' | Vladimir Shushlin |
| | test: move mocks to their own package See merge request gitlab-org/gitlab-pages!671 | |
| 2022-01-31 | fix: ensure logging status codes field names are consistent | Stan Hu |
| | LabKit logs all HTTP responses with a `status` field of an integer. We ensure that all errors now use this convention and store the full status text as `status_text`. This is needed to ensure Elasticsearch doesn't drop logs due to mapping conflicts. Changelog: fixed | |
| 2022-01-26 | test: move mocks to their own package | feistel |
| 2022-01-24 | lint: fix gci issues | feistel |
| 2021-12-08 | Merge branch 'remove-unused-ctx' into 'master' | Jaime Martinez |
| | refactor: enable unparam in .gitlabci.yml See merge request gitlab-org/gitlab-pages!631 | |
| 2021-12-07 | refactor: enable unparam in .golangci.yml | Vladimir Shushlin |
| | and fix offences | |
| 2021-12-07 | chore: upgrade to labkit 1.11.0 | Jaime Martinez |
| | And report stack trace with error tracking to Sentry. Changelog: other | |
| 2021-11-22 | chore(auth): add unit tests for domainAllowed | Markus Legner |
| 2021-11-22 | fix(auth): check suffix correctly in domainAllowed | Markus Legner |
| | Changelog: fixed | |
| 2021-11-19 | Merge branch 'joernchen-master-patch-26405' into 'master' | Jaime Martinez |
| | Escape user supplied code before inserting as a POST parameter See merge request gitlab-org/gitlab-pages!620 | |
| 2021-11-19 | Escape user supplied code before inserting as a POST parameter | Joern Schneeweisz |
| 2021-11-17 | test: stop calling mockController.Finish directly | feistel |
| | This is handled by mockgen 1.5.0+ | |
| 2021-10-26 | refactor: rename imported domain packages | Vladimir Shushlin |
| 2021-10-25 | refactor: remove domain from request | Jaime Martinez |
| 2021-10-01 | Merge branch 'fix/source-mock' into 'master' | Alessio Caiazza |
| | test: update source mock to use mockgen Closes #277 See merge request gitlab-org/gitlab-pages!525 | |
| 2021-10-01 | test: simplify assertion | feistel |
| | replace require.Equal with require.False/True | |
| 2021-09-29 | docs: update middlewares method doc for signature change | Jaime Martinez |
| 2021-09-28 | refactor: move acl to auth package and update function signature | feistel |
| 2021-09-16 | refactor: move middlewares to corresponding packages | feistel |
| 2021-09-09 | test: update source mock to use mockgen | feistel |
| 2021-09-09 | refactor: move away from ioutil (deprecated) | feistel |
| 2021-09-02 | refactor: replace magic numbers with http status codes | feistel |
| 2021-08-19 | test: fix response body not being closed | feistel |
| | nolint is added when the body is nil or if the body can't be closed | |
| 2021-08-10 | Merge branch 'fix/no-ctx' into 'master' | Jaime Martinez |
| | fix: propagate context to sub requests See merge request gitlab-org/gitlab-pages!538 | |
| 2021-08-09 | feat: capture errors when trying to fetch the access token | feistel |
| 2021-08-09 | refactor: improve checkAuthentication logic, check error first and log status code during an unexpected response | feistel |
| 2021-08-08 | fix: propagate context to sub requests | feistel |
| 2021-08-05 | fix: close response body and fix memory leak | feistel |
| 2021-08-04 | build: bump jwt library to v4.0.0 | feistel |
| 2021-08-04 | build: replace jwt-go with maintained fork | feistel |
| | Changelog: other | |
| 2021-07-22 | Use internal-gitlab-server in auth-related tasks | feistel |
| | Update the auth package to use the internal server when fetching access token or checking for authentication. Changelog: changed | |
| 2021-07-07 | Add correlation_id to outbound requests | Jaime Martinez |
| 2021-07-07 | Improve logging and correlation ID | Jaime Martinez |
| 2021-04-22 | Follow error strings convention | feistel |
| 2021-02-24 | fix: use correlationID middleware | Ercan Ucan |
| | As discussed within https://gitlab.com/gitlab-org/gitlab-pages/-/issues/510 this MR adds the usage of labkit's correlationID middleware. It uses a similar approach to the implementation in gitlab-workhorse. Fixes https://gitlab.com/gitlab-org/gitlab-pages/-/issues/510 :tools: with :heart: at Siemens Changelog: fixed | |
| 2021-02-15 | fix(auth): make authentication scope for Pages configurable | Ercan Ucan |
| | This MR makes the required authentication permission scope for Pages configurable. By default, Pages will use the `api` scope to authenticate with the Pages Application registered on GitLab. With this MR, the scope is configurable and can be set to `read_api` by providing the `auth-scope` variable in the arguments or in the `gitlab-pages.conf` /label ~security Changelog: added | |
| 2021-02-03 | Simplify meteredRoundTripper init | Jaime Martinez |
| | Use file.html explicitly in test | |
| 2021-01-11 | Refactor 'Error's not used as errors to strings | Kevin |
| | Change variables of error type to string constants when these variables are solely used for the message contained in the errors. | |
| 2020-12-17 | Encrypt and sign OAuth code | Jaime Martinez |
| | Add AES GCM encryption/decryption to auth Add signing key to Auth Abstract key generation and Auth init to their own funcs. Cleanup and DRY unit tests. Use same code parameter in auth redirect Cleanup auth and add tests for enc/dec oauth code Add acceptance test for fix Apply suggestion from review Add missing test and apply feedback Fix unit test Simplify acceptance test | |