Skip to content

Commit 5f0f6a4

Browse files
thomasyipthomasyip
committed
ORGANIC-467. Restored authorize() capability.
1 parent e70ec30 commit 5f0f6a4

File tree

5 files changed

+33
-13
lines changed

5 files changed

+33
-13
lines changed

api/api.go

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -77,10 +77,10 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
7777
r.Use(api.loadJWSSignatureHeader)
7878
r.Use(api.loadInstanceConfig)
7979
}
80-
r.With(api.auth.authenticate).Mount("/github", NewGitHubGateway())
81-
r.With(api.auth.authenticate).Mount("/gitlab", NewGitLabGateway())
82-
r.With(api.auth.authenticate).Mount("/bitbucket", NewBitBucketGateway())
83-
r.With(api.auth.authenticate).Get("/settings", api.Settings)
80+
r.With(api.auth.accessControl).Mount("/github", NewGitHubGateway())
81+
r.With(api.auth.accessControl).Mount("/gitlab", NewGitLabGateway())
82+
r.With(api.auth.accessControl).Mount("/bitbucket", NewBitBucketGateway())
83+
r.With(api.auth.accessControl).Get("/settings", api.Settings)
8484
})
8585

8686
if globalConfig.MultiInstanceMode {

api/auth.go

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,6 @@ package api
22

33
import (
44
"context"
5-
"errors"
65
"net/http"
76

87
"github.com/netlify/git-gateway/conf"
@@ -15,7 +14,17 @@ type Auth struct {
1514
version string
1615
}
1716

18-
// authenicate checks incoming requests for tokens presented using the Authorization header
17+
// check both authentication and authorization
18+
func (a *Auth) accessControl(w http.ResponseWriter, r *http.Request) (context.Context, error) {
19+
_, err := a.authenticate(w, r)
20+
if err != nil {
21+
return nil, err
22+
}
23+
24+
return a.authorize(w, r)
25+
}
26+
27+
// authenticate checks incoming requests for tokens presented using the Authorization header
1928
func (a *Auth) authenticate(w http.ResponseWriter, r *http.Request) (context.Context, error) {
2029
logrus.Info("Getting auth token")
2130
token, err := a.extractBearerToken(w, r)
@@ -33,13 +42,9 @@ func (a *Auth) authorize(w http.ResponseWriter, r *http.Request) (context.Contex
3342
claims := getClaims(ctx)
3443
config := getConfig(ctx)
3544

36-
logrus.Infof("authenticate context: %v+", ctx)
45+
logrus.Infof("authenticate url: %v+", r.URL)
3746
if claims == nil {
38-
return nil, errors.New("Access to endpoint not allowed: no claims found in Bearer token")
39-
}
40-
41-
if !allowedRegexp.MatchString(r.URL.Path) {
42-
return nil, errors.New("Access to endpoint not allowed: this part of GitHub's API has been restricted")
47+
return nil, unauthorizedError("Access to endpoint not allowed: no claims found in Bearer token")
4348
}
4449

4550
if len(config.Roles) == 0 {
@@ -59,7 +64,7 @@ func (a *Auth) authorize(w http.ResponseWriter, r *http.Request) (context.Contex
5964
}
6065
}
6166

62-
return nil, errors.New("Access to endpoint not allowed: your role doesn't allow access")
67+
return nil, unauthorizedError("Access to endpoint not allowed: your role doesn't allow access")
6368
}
6469

6570
func NewAuthWithVersion(ctx context.Context, globalConfig *conf.GlobalConfiguration, version string) *Auth {

api/bitbucket.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -117,6 +117,11 @@ func (bb *BitBucketGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
117117
return
118118
}
119119

120+
if !bitbucketAllowedRegexp.MatchString(r.URL.Path) {
121+
handleError(unauthorizedError("Access to endpoint not allowed: this part of BitBucket's API has been restricted"), w, r)
122+
return
123+
}
124+
120125
endpoint := config.BitBucket.Endpoint
121126
apiURL := singleJoiningSlash(endpoint, "/repositories/"+config.BitBucket.Repo)
122127
target, err := url.Parse(apiURL)

api/github.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,11 @@ func (gh *GitHubGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
5959
return
6060
}
6161

62+
if !allowedRegexp.MatchString(r.URL.Path) {
63+
handleError(unauthorizedError("Access to endpoint not allowed: this part of GitHub's API has been restricted"), w, r)
64+
return
65+
}
66+
6267
endpoint := config.GitHub.Endpoint
6368
apiURL := singleJoiningSlash(endpoint, "/repos/"+config.GitHub.Repo)
6469
target, err := url.Parse(apiURL)

api/gitlab.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,11 @@ func (gl *GitLabGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
7878
return
7979
}
8080

81+
if !gitlabAllowedRegexp.MatchString(r.URL.Path) {
82+
handleError(unauthorizedError("Access to endpoint not allowed: this part of GitLab's API has been restricted"), w, r)
83+
return
84+
}
85+
8186
endpoint := config.GitLab.Endpoint
8287
// repos in the form of userName/repoName must be encoded as
8388
// userName%2FrepoName

0 commit comments

Comments
 (0)