diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index faa5967d64eaa62d2ea83e9796ebeca4b0d64696..83409c7e0966edf0d466b308780b6dac7ff8f49b 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -33,7 +33,7 @@ def authenticate_project_or_user
@authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_only_authentication_abilities)
authenticate_with_http_basic do |login, password|
- @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
+ @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, request: request)
if @authentication_result.failed?
log_authentication_failed(login, @authentication_result)
diff --git a/app/controllers/repositories/git_http_client_controller.rb b/app/controllers/repositories/git_http_client_controller.rb
index 71d8ad829f6d090406a5c4c14357dd1ece089c71..e8da6ee986ab0632b6ba32f097ce699ee0ea7354 100644
--- a/app/controllers/repositories/git_http_client_controller.rb
+++ b/app/controllers/repositories/git_http_client_controller.rb
@@ -129,7 +129,7 @@ def repo_type
def handle_basic_authentication(login, password)
@authentication_result = Gitlab::Auth.find_for_git_client(
- login, password, project: project, ip: request.ip)
+ login, password, project: project, request: request)
@authentication_result.success?
end
diff --git a/ee/spec/lib/gitlab/auth_spec.rb b/ee/spec/lib/gitlab/auth_spec.rb
index f856780fd38dbf3d181a985e81321d0e374497d9..f181413597dbbce3a6cdc7915fe3edbd298d3677 100644
--- a/ee/spec/lib/gitlab/auth_spec.rb
+++ b/ee/spec/lib/gitlab/auth_spec.rb
@@ -9,6 +9,8 @@
let(:gl_auth) { described_class }
describe '.find_for_git_client' do
+ let(:request) { instance_double(ActionDispatch::Request, ip: 'ip') }
+
context 'when using personal access token as password' do
shared_examples 'successfully authenticates' do
it 'successfully authenticates' do
@@ -17,7 +19,7 @@
personal_access_token.user.username,
personal_access_token.token,
project: project,
- ip: 'ip'
+ request: request
)
).to have_attributes(
actor: personal_access_token.user,
@@ -35,7 +37,7 @@
personal_access_token.user.username,
personal_access_token.token,
project: project,
- ip: 'ip'
+ request: request
)
).to have_attributes(auth_failure)
end
@@ -106,7 +108,7 @@
end
context 'when using build token as password' do
- subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') }
+ subject { gl_auth.find_for_git_client(username, build.token, project: project, request: request) }
let(:username) { 'gitlab-ci-token' }
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index fc1f7a1583cb6bc8d24f0ad4187b67757e6ddafd..6bfcae037b8ae39ed79bf54faf4dd760b4701704 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -60,10 +60,10 @@ def omniauth_enabled?
Gitlab.config.omniauth.enabled
end
- def find_for_git_client(login, password, project:, ip:)
- raise "Must provide an IP for rate limiting" if ip.nil?
+ def find_for_git_client(login, password, project:, request:)
+ raise "Must provide an IP for rate limiting" if request.ip.nil?
- rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
+ rate_limiter = Gitlab::Auth::IpRateLimiter.new(request.ip)
raise IpBlocked if !skip_rate_limit?(login: login) && rate_limiter.banned?
@@ -80,7 +80,7 @@ def find_for_git_client(login, password, project:, ip:)
user_with_password_for_git(login, password) ||
Gitlab::Auth::Result::EMPTY
- rate_limit!(rate_limiter, success: result.success?, login: login)
+ rate_limit!(rate_limiter, success: result.success?, login: login, request: request)
look_to_limit_user(result.actor)
return result if result.success? || authenticate_using_internal_or_ldap_password?
@@ -142,7 +142,7 @@ def find_with_user_password(login, password, increment_failed_attempts: false)
private
- def rate_limit!(rate_limiter, success:, login:)
+ def rate_limit!(rate_limiter, success:, login:, request:)
return if skip_rate_limit?(login: login)
if success
@@ -155,8 +155,18 @@ def rate_limit!(rate_limiter, success:, login:)
# request from this IP if needed.
# This returns true when the failures are over the threshold and the IP
# is banned.
- Gitlab::AppLogger.info "IP #{rate_limiter.ip} failed to login " \
- "as #{login} but has been temporarily banned from Git auth"
+
+ message = "Rack_Attack: Git auth failures has exceeded the threshold." \
+ "IP has been temporarily banned from Git auth."
+
+ Gitlab::AuthLogger.error(
+ message: message,
+ env: :blocklist,
+ remote_ip: request.ip,
+ request_method: request.request_method,
+ path: request.fullpath,
+ login: login
+ )
end
end
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index d2336ec4bb262003a0007df4d86a2315b4fd692e..5a0612be88ede49b4b8c9b840c0ab2045c5a287d 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -141,7 +141,7 @@ def authentication_result(request, project)
return empty_result unless has_basic_credentials?(request)
login, password = user_name_and_password(request)
- auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
+ auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, request: request)
return empty_result unless auth_result.success?
return empty_result unless auth_result.can?(:access_git)
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index f5b9555916c7edf3d398050857865f56a57af5f3..020089b38800dea7d2d2d124c8bdb0b03ed1c431 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -8,6 +8,8 @@
let(:auth_failure) { { actor: nil, project: nil, type: nil, authentication_abilities: nil } }
let(:gl_auth) { described_class }
+ let(:request) { instance_double(ActionDispatch::Request, ip: 'ip') }
+
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
expect(subject::API_SCOPES).to match_array %i[api read_user read_api create_runner k8s_proxy]
@@ -202,7 +204,7 @@
end
context 'when IP is already banned' do
- subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, ip: 'ip') }
+ subject { gl_auth.find_for_git_client('username-does-not-matter', 'password-does-not-matter', project: nil, request: request) }
before do
expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
@@ -223,7 +225,7 @@
expect(rate_limiter).not_to receive(:reset!)
end
- gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: 'ip')
+ gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request)
end
it 'skips rate limiting for failed auth' do
@@ -231,7 +233,7 @@
expect(rate_limiter).not_to receive(:register_fail!)
end
- gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, ip: 'ip')
+ gl_auth.find_for_git_client('gitlab-ci-token', 'wrong_token', project: build.project, request: request)
end
end
@@ -243,7 +245,7 @@
expect(rate_limiter).to receive(:reset!)
end
- gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)
end
it 'rate limits a user by unique IPs' do
@@ -252,7 +254,7 @@
end
expect(Gitlab::Auth::UniqueIpsLimiter).to receive(:limit_user!).twice.and_call_original
- gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)
end
it 'registers failure for failed auth' do
@@ -260,13 +262,36 @@
expect(rate_limiter).to receive(:register_fail!)
end
- gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request)
+ end
+
+ context 'when failure goes over threshold' do
+ let(:request) { instance_double(ActionDispatch::Request, fullpath: '/some/project.git/info/refs', request_method: 'GET', ip: 'ip') }
+
+ before do
+ expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
+ expect(rate_limiter).to receive(:register_fail!).and_return(true)
+ end
+ end
+
+ it 'logs a message' do
+ expect(Gitlab::AuthLogger).to receive(:error).with(
+ message: include('IP has been temporarily banned from Git auth'),
+ env: :blocklist,
+ remote_ip: request.ip,
+ request_method: request.request_method,
+ path: request.fullpath,
+ login: user.username
+ )
+
+ gl_auth.find_for_git_client(user.username, 'wrong_password', project: nil, request: request)
+ end
end
end
end
context 'build token' do
- subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') }
+ subject { gl_auth.find_for_git_client(username, build.token, project: project, request: request) }
let(:username) { 'gitlab-ci-token' }
@@ -344,20 +369,20 @@
project.create_drone_ci_integration(active: true)
project.drone_ci_integration.update!(token: 'token', drone_url: generate(:url))
- expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
+ expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, request: request)).to have_attributes(actor: nil, project: project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
end
it 'recognizes master passwords' do
user = create(:user)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
include_examples 'user login operation with unique ip limit' do
let(:user) { create(:user) }
def operation
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -366,14 +391,14 @@ def operation
user = create(:user)
token = Gitlab::LfsToken.new(user).token
- expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities)
+ expect(gl_auth.find_for_git_client(user.username, token, project: nil, request: request)).to have_attributes(actor: user, project: nil, type: :lfs_token, authentication_abilities: described_class.read_write_project_authentication_abilities)
end
it 'recognizes deploy key lfs tokens' do
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
end
it 'does not try password auth before oauth' do
@@ -382,7 +407,7 @@ def operation
expect(gl_auth).not_to receive(:find_with_user_password)
- gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client(user.username, token, project: nil, request: request)
end
it 'grants deploy key write permissions' do
@@ -390,14 +415,14 @@ def operation
create(:deploy_keys_project, :write_access, deploy_key: key, project: project)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_write_authentication_abilities)
end
it 'does not grant deploy key write permissions' do
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, request: request)).to have_attributes(actor: key, project: nil, type: :lfs_deploy_token, authentication_abilities: described_class.read_only_authentication_abilities)
end
end
@@ -409,7 +434,7 @@ def operation
it 'fails' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api')
- expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -436,7 +461,7 @@ def operation
it 'authenticates with correct abilities' do
access_token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: scopes)
- expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :oauth, authentication_abilities: abilities)
end
end
@@ -447,7 +472,7 @@ def operation
expect(gl_auth).not_to receive(:find_with_user_password)
- gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, ip: 'ip')
+ gl_auth.find_for_git_client("oauth2", access_token.token, project: nil, request: request)
end
context 'blocked user' do
@@ -513,7 +538,7 @@ def operation
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
- expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', impersonation_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -536,7 +561,7 @@ def operation
end
it 'fails if user is blocked' do
- expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -544,19 +569,19 @@ def operation
context 'when using a resource access token' do
shared_examples 'with a valid access token' do
it 'successfully authenticates the project bot' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities)
end
it 'successfully authenticates the project bot with a nil project' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, request: request))
.to have_attributes(actor: project_bot_user, project: nil, type: :personal_access_token, authentication_abilities: described_class.full_authentication_abilities)
end
end
shared_examples 'with an invalid access token' do
it 'fails for a non-member' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
@@ -566,7 +591,7 @@ def operation
end
it 'fails for a blocked project bot' do
- expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -637,7 +662,7 @@ def operation
it 'updates last_used_at column if token is valid' do
personal_access_token = create(:personal_access_token, scopes: ['write_repository'])
- expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip') }.to change { personal_access_token.reload.last_used_at }
+ expect { gl_auth.find_for_git_client('', personal_access_token.token, project: nil, request: request) }.to change { personal_access_token.reload.last_used_at }
end
end
@@ -649,7 +674,7 @@ def operation
username: 'normal_user'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -665,14 +690,14 @@ def operation
it 'fails if grace period expired' do
stub_application_setting(two_factor_grace_period: 0)
- expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+ expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) }
.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
it 'goes through if grace period is not expired yet' do
stub_application_setting(two_factor_grace_period: 72)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -683,7 +708,7 @@ def operation
end
it 'fails' do
- expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+ expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request) }
.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
end
@@ -694,7 +719,7 @@ def operation
username: 'normal_user'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
@@ -704,7 +729,7 @@ def operation
username: 'oauth2'
)
- expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, request: request))
.to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
end
end
@@ -712,34 +737,34 @@ def operation
it 'returns double nil for invalid credentials' do
login = 'foo'
- expect(gl_auth.find_for_git_client(login, 'bar', project: nil, ip: 'ip')).to have_attributes(auth_failure)
+ expect(gl_auth.find_for_git_client(login, 'bar', project: nil, request: request)).to have_attributes(auth_failure)
end
it 'throws an error suggesting user create a PAT when internal auth is disabled' do
allow_any_instance_of(ApplicationSetting).to receive(:password_authentication_enabled_for_git?) { false }
- expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, ip: 'ip') }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
+ expect { gl_auth.find_for_git_client('foo', 'bar', project: nil, request: request) }.to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
end
context 'while using deploy tokens' do
shared_examples 'registry token scope' do
it 'fails when login is not valid' do
- expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails when token is not valid' do
- expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is nil' do
- expect(gl_auth.find_for_git_client(login, nil, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, nil, project: nil, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is not related to project' do
- expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, 'abcdef', project: nil, request: request))
.to have_attributes(auth_failure)
end
@@ -747,7 +772,7 @@ def operation
deploy_token.revoke!
expect(deploy_token.revoked?).to be_truthy
- expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -759,7 +784,7 @@ def operation
end
it 'fails when login and token are valid' do
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: nil, request: request))
.to have_attributes(auth_failure)
end
end
@@ -768,7 +793,7 @@ def operation
let(:project) { create(:project, :repository_disabled) }
it 'fails when login and token are valid' do
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -782,14 +807,14 @@ def operation
it 'succeeds for the token' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(username, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'succeeds for the user' do
auth_success = { actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities }
- expect(gl_auth.find_for_git_client(username, user.password, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(username, user.password, project: project, request: request))
.to have_attributes(auth_success)
end
end
@@ -801,12 +826,12 @@ def operation
let(:auth_success) { { actor: read_repository, project: project, type: :deploy_token, authentication_abilities: [:download_code] } }
it 'succeeds for the right token' do
- expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'fails for the wrong token' do
- expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: project, request: request))
.not_to have_attributes(auth_success)
end
end
@@ -819,12 +844,12 @@ def operation
let(:auth_success) { { actor: read_repository, project: other_project, type: :deploy_token, authentication_abilities: [:download_code] } }
it 'succeeds for the right token' do
- expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_repository.token, project: other_project, request: request))
.to have_attributes(auth_success)
end
it 'fails for the wrong token' do
- expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', read_registry.token, project: other_project, request: request))
.not_to have_attributes(auth_success)
end
end
@@ -837,7 +862,7 @@ def operation
it 'succeeds when login and token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -845,34 +870,34 @@ def operation
deploy_token = create(:deploy_token, username: 'deployer', read_registry: false, projects: [project])
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:download_code] }
- expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deployer', deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
it 'does not attempt to rate limit unique IPs for a deploy token' do
expect(Gitlab::Auth::UniqueIpsLimiter).not_to receive(:limit_user!)
- gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')
+ gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request)
end
it 'fails when login is not valid' do
- expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails when token is not valid' do
- expect(gl_auth.find_for_git_client(login, '123123', project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, '123123', project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is nil' do
- expect(gl_auth.find_for_git_client(login, nil, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, nil, project: project, request: request))
.to have_attributes(auth_failure)
end
it 'fails if token is not related to project' do
another_deploy_token = create(:deploy_token)
- expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
@@ -880,7 +905,7 @@ def operation
deploy_token.revoke!
expect(deploy_token.revoked?).to be_truthy
- expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, request: request))
.to have_attributes(auth_failure)
end
end
@@ -890,7 +915,7 @@ def operation
let(:deploy_token) { create(:deploy_token, :group, read_repository: true, groups: [project_with_group.group]) }
let(:login) { deploy_token.username }
- subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, ip: 'ip') }
+ subject { gl_auth.find_for_git_client(login, deploy_token.token, project: project_with_group, request: request) }
it 'succeeds when login and a group deploy token are valid' do
auth_success = { actor: deploy_token, project: project_with_group, type: :deploy_token, authentication_abilities: [:download_code, :read_container_image] }
@@ -901,7 +926,7 @@ def operation
it 'fails if token is not related to group' do
another_deploy_token = create(:deploy_token, :group, read_repository: true)
- expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(another_deploy_token.username, another_deploy_token.token, project: project_with_group, request: request))
.to have_attributes(auth_failure)
end
end
@@ -918,7 +943,7 @@ def operation
it 'succeeds when login and a project token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:read_container_image] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -940,7 +965,7 @@ def operation
it 'succeeds when login and a project token are valid' do
auth_success = { actor: deploy_token, project: project, type: :deploy_token, authentication_abilities: [:create_container_image] }
- expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+ expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, request: request))
.to have_attributes(auth_success)
end
@@ -953,7 +978,7 @@ def operation
end
describe '#build_access_token_check' do
- subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, ip: '1.2.3.4') }
+ subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: build.project, request: request) }
let_it_be(:user) { create(:user) }
@@ -1143,7 +1168,7 @@ def operation
private
def expect_results_with_abilities(personal_access_token, abilities, success = true)
- expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip'))
+ expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, request: request))
.to have_attributes(actor: personal_access_token&.user, project: nil, type: personal_access_token.nil? ? nil : :personal_access_token, authentication_abilities: abilities)
end
end