authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:46:20 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:46:20 +0000
commitd7437af3f31f388bf59b23a06c9bff5c8c5fd157 (patch)
tree992bc5e9b85094644aebfd45a4c0955a27fcfba4
parentf981f6691d5395e04ee2858593135c448c10757d (diff)
downloadgitlab-ce-d7437af3f31f388bf59b23a06c9bff5c8c5fd157.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
-rw-r--r--doc/user/admin_area/settings/external_authorization.md3
-rw-r--r--doc/user/packages/package_registry/index.md1
-rw-r--r--doc/user/project/deploy_keys/index.md2
-rw-r--r--doc/user/project/deploy_tokens/index.md2
-rw-r--r--lib/gitlab/api_authentication/token_resolver.rb2
-rw-r--r--lib/gitlab/auth/auth_finders.rb1
-rw-r--r--lib/gitlab/git_access.rb4
-rw-r--r--spec/lib/gitlab/api_authentication/token_resolver_spec.rb12
-rw-r--r--spec/lib/gitlab/auth/auth_finders_spec.rb9
-rw-r--r--spec/lib/gitlab/git_access_spec.rb28
10 files changed, 62 insertions, 2 deletions
diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md
index a34ceac0d95..09ac477b062 100644
--- a/doc/user/admin_area/settings/external_authorization.md
+++ b/doc/user/admin_area/settings/external_authorization.md
@@ -43,6 +43,9 @@ using Omnibus, learn to install a custom CA in the
Alternatively, learn where to install custom certificates by using
`openssl version -d`.
+When external authorization is enabled, [deploy tokens](../../project/deploy_tokens/index.md)
+ and [deploy keys](../../project/deploy_keys/index.md) can't be used for Git operations.
+
## Configuration
The external authorization service can be enabled by an administrator:
diff --git a/doc/user/packages/package_registry/index.md b/doc/user/packages/package_registry/index.md
index 8e160cbb195..1aeb98fd48a 100644
--- a/doc/user/packages/package_registry/index.md
+++ b/doc/user/packages/package_registry/index.md
@@ -62,6 +62,7 @@ For most package types, the following credential types are valid:
NOTE:
If you have not activated the "Packages" feature for your project at **Settings > General > Project features**, you will receive a 403 Forbidden response.
+Accessing package registry via deploy token is not available when external authorization is enabled.
## Use GitLab CI/CD to build packages
diff --git a/doc/user/project/deploy_keys/index.md b/doc/user/project/deploy_keys/index.md
index 58f7d3198b2..56bb899c233 100644
--- a/doc/user/project/deploy_keys/index.md
+++ b/doc/user/project/deploy_keys/index.md
@@ -18,6 +18,8 @@ Depending on your needs, you might want to use a [deploy token](../deploy_tokens
| Validity | Valid as long as it's registered and enabled. | Can be given an expiration date. |
| Registry access | Cannot access a package registry. | Can read from and write to a package registry. |
+Deploy keys can't be used for Git operations if [external authorization](../../admin_area/settings/external_authorization.md) is enabled.
+
## Scope
A deploy key has a defined scope when it is created:
diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md
index aab72d4859e..3dd6f14ea70 100644
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -41,6 +41,8 @@ You can create deploy tokens at either the project or group level:
By default, a deploy token does not expire. You can optionally set an expiry date when you create
it. Expiry occurs at midnight UTC on that date.
+Deploy tokens can't be used for Git operations and Package Registry operations if [external authorization](../../admin_area/settings/external_authorization.md) is enabled.
+
## Scope
A deploy token's scope determines the actions it can perform.
diff --git a/lib/gitlab/api_authentication/token_resolver.rb b/lib/gitlab/api_authentication/token_resolver.rb
index dd9039e37f6..afada055928 100644
--- a/lib/gitlab/api_authentication/token_resolver.rb
+++ b/lib/gitlab/api_authentication/token_resolver.rb
@@ -165,6 +165,8 @@ module Gitlab
end
def with_deploy_token(raw, &block)
+ raise ::Gitlab::Auth::UnauthorizedError if Gitlab::ExternalAuthorization.enabled?
+
token = ::DeployToken.active.find_by_token(raw.password)
return unless token
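Review bot: The added guard fails closed by raising `::Gitlab::Auth::UnauthorizedError` before the credential is even looked up, whereas the same condition in `deploy_token_from_request` (`lib/gitlab/auth/auth_finders.rb`) silently returns nil and lets other finders run. If the caller of `with_deploy_token` tries token types in sequence, a basic-auth request carrying a non-deploy credential may now be rejected here instead of falling through to the next resolver; that caller is outside the hunk, so this is worth confirming. Whichever outcome is intended, the line needs a why-comment, e.g. `# Deploy tokens are never vetted by the external authorization service, so refuse them outright while it is enabled.` `with_deploy_token`'s body continues past the hunk.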
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index c994f179b66..16bee187c87 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -147,6 +147,7 @@ module Gitlab
# deploy tokens are accepted with deploy token headers and basic auth headers
def deploy_token_from_request
return unless route_authentication_setting[:deploy_token_allowed]
+ return if Gitlab::ExternalAuthorization.enabled?
token = current_request.env[DEPLOY_TOKEN_HEADER].presence || parsed_oauth_token
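Review bot: The added `return if Gitlab::ExternalAuthorization.enabled?` drops a presented deploy token silently, so the request proceeds as if no deploy credential were sent rather than being rejected, which is the opposite outcome from `with_deploy_token` in `lib/gitlab/api_authentication/token_resolver.rb`, where the same condition raises `UnauthorizedError`. Letting the remaining finders run is plausibly deliberate here, since `parsed_oauth_token` suggests the same header can carry other token types, but the divergence should be stated so neither site is later "fixed" to match the other: `# Deploy tokens bypass the external authorization service; ignore them entirely while it is enabled and let the other finders run.` The method's body continues outside the hunk.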
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 9a3f5fb844b..da2a81983ec 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -367,7 +367,7 @@ module Gitlab
end
def deploy_key?
- actor.is_a?(DeployKey)
+ actor.is_a?(DeployKey) && !Gitlab::ExternalAuthorization.enabled?
end
def deploy_token
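Review bot: Folding the external-authorization policy into the type predicate makes `deploy_key?` answer false for an actor that is in fact a `DeployKey`, so any caller that uses the predicate to decide how to treat the actor (not just whether to allow it) now falls through to whatever branch handles an unrecognised actor; the spec relies on that yielding "not found", but nothing at this site says so. A dedicated guard early in the access check that rejects deploy keys while the service is enabled would make the intent explicit and keep the predicate honest; failing that, add `# Deploy keys are never vetted by the external authorization service, so treat them as an unknown actor while it is enabled.` above the condition. The code between this predicate and the eventual error is outside the hunk.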
@@ -375,7 +375,7 @@ module Gitlab
end
def deploy_token?
- actor.is_a?(DeployToken)
+ actor.is_a?(DeployToken) && !Gitlab::ExternalAuthorization.enabled?
end
def ci?
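Review bot: `deploy_token?` now returns false while the `deploy_token` accessor just above this hunk (body not visible) presumably still returns the actor when it is a `DeployToken`; any caller that reads `deploy_token` directly without first asking `deploy_token?` would keep the pre-patch behaviour, so that accessor and its callers deserve a check. The condition also needs the same why-comment as `deploy_key?`: `# Deploy tokens bypass the external authorization service, so do not recognise them while it is enabled.`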
diff --git a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
index bbc6bf0d481..9f86b95651a 100644
--- a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
+++ b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
@@ -114,6 +114,18 @@ RSpec.describe Gitlab::APIAuthentication::TokenResolver do
it_behaves_like 'an unauthorized request'
end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ context 'with a valid deploy token' do
+ let(:raw) { username_and_password(token.username, token.token) }
+
+ it_behaves_like 'an unauthorized request'
+ end
+ end
end
context 'with :personal_access_token' do
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 05eca4cf70f..9283c31a207 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -389,6 +389,15 @@ RSpec.describe Gitlab::Auth::AuthFinders do
it { is_expected.to be_nil }
end
end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ set_header(described_class::DEPLOY_TOKEN_HEADER, deploy_token.token)
+ end
+
+ it { is_expected.to be_nil }
+ end
end
describe '#find_user_from_access_token' do
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 7e3a1bf61bc..10a099af4f0 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::GitAccess, :aggregate_failures do
include TermsHelper
include AdminModeHelper
+ include ExternalAuthorizationServiceHelpers
let(:user) { create(:user) }
let(:actor) { user }
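Review bot: `ExternalAuthorizationServiceHelpers` is included here, but none of the new contexts visible in this file call a helper from it; they enable the service directly with `stub_application_setting(external_authorization_service_enabled: true)`. If a helper from that module is used in a part of the spec outside these hunks, fine; otherwise the include is dead and should be dropped, or the new contexts should use the module's helper for consistency with the other specs that rely on it.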
@@ -111,6 +112,19 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do
end
end
end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ it 'blocks push and pull with "not found"' do
+ aggregate_failures do
+ expect { push_access_check }.to raise_not_found
+ expect { pull_access_check }.to raise_not_found
+ end
+ end
+ end
end
context 'when actor is a User' do
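Review bot: The explicit `aggregate_failures do … end` wrapper inside the new `it 'blocks push and pull with "not found"'` example is redundant, because the top-level `RSpec.describe Gitlab::GitAccess, :aggregate_failures` already applies that metadata to every example in the file. The two `expect` lines can sit directly in the example body, matching the sibling contexts that use one expectation per line without a wrapper.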
@@ -176,6 +190,20 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do
expect { push_access_check }.to raise_not_found
end
end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ it 'blocks pull access' do
+ expect { pull_access_check }.to raise_not_found
+ end
+
+ it 'blocks the push' do
+ expect { push_access_check }.to raise_not_found
+ end
+ end
end
end