go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-07-03 01:07:02 +02:00
Code Issues Releases Activity

Panic with GitLab project repository auth (#1113)

Browse Source 
* panic with GitLab project repository auth

* /api/v4/projects/:id can return nil permissions

Signed-off-by: Piers Harding <piers@ompka.net>

* Add GitLab test for group no access

Signed-off-by: Piers Harding <piers@ompka.net>
This commit is contained in:
Piers Harding
2021-03-26 04:48:20 +13:00
committed by GitHub
parent 5788bebfee
commit 73d9f3809e
2 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
providers/gitlab.go
View File

@ -329,9 +329,14 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
if perms == nil { if perms == nil {
// use group project access as fallback // use group project access as fallback
perms = projectInfo.Permissions.GroupAccess perms = projectInfo.Permissions.GroupAccess
// group project access is not set for this user then we give up
if perms == nil {
logger.Errorf("Warning: user %q has no project level access to %s", s.Email, project.Name)
continue
}
} }
if perms.AccessLevel >= project.AccessLevel { if perms != nil && perms.AccessLevel >= project.AccessLevel {
s.Groups = append(s.Groups, fmt.Sprintf("project:%s", project.Name)) s.Groups = append(s.Groups, fmt.Sprintf("project:%s", project.Name))
} else { } else {
logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name) logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)

24
providers/gitlab_test.go
View File

@ -41,6 +41,7 @@ func testGitLabBackend() *httptest.Server {
"groups": ["foo", "bar"] "groups": ["foo", "bar"]
} }
` `
projectInfo := ` projectInfo := `
{ {
"name": "MyProject", "name": "MyProject",
@ -56,6 +57,18 @@ func testGitLabBackend() *httptest.Server {
} }
` `
noAccessProjectInfo := `
{
"name": "NoAccessProject",
"archived": false,
"path_with_namespace": "no_access_group/no_access_project",
"permissions": {
"project_access": null,
"group_access": null,
}
}
`
personalProjectInfo := ` personalProjectInfo := `
{ {
"name": "MyPersonalProject", "name": "MyPersonalProject",
@ -105,6 +118,13 @@ func testGitLabBackend() *httptest.Server {
} else { } else {
w.WriteHeader(401) w.WriteHeader(401)
} }
case "/api/v4/projects/no_access_group/no_access_project":
if r.Header["Authorization"][0] == authHeader {
w.WriteHeader(200)
w.Write([]byte(noAccessProjectInfo))
} else {
w.WriteHeader(401)
}
case "/api/v4/projects/my_group/my_archived_project": case "/api/v4/projects/my_group/my_archived_project":
if r.Header["Authorization"][0] == authHeader { if r.Header["Authorization"][0] == authHeader {
w.WriteHeader(200) w.WriteHeader(200)
@ -219,6 +239,10 @@ var _ = Describe("Gitlab Provider Tests", func() {
expectedValue: nil, expectedValue: nil,
projects: []string{"my_group/my_project=40"}, projects: []string{"my_group/my_project=40"},
}), }),
Entry("project membership invalid on group project, no access at all", entitiesTableInput{
expectedValue: nil,
projects: []string{"no_access_group/no_access_project=30"},
}),
Entry("project membership valid on personnal project", entitiesTableInput{ Entry("project membership valid on personnal project", entitiesTableInput{
expectedValue: []string{"project:my_profile/my_personal_project"}, expectedValue: []string{"project:my_profile/my_personal_project"},
projects: []string{"my_profile/my_personal_project"}, projects: []string{"my_profile/my_personal_project"},