Commit b0fac091 authored by Bob Van Landuyt's avatar Bob Van Landuyt 🥚

Authenticate the internal API using a header

Instead of mixing the shared secret into the query string or body,
it can also be supplied in a dedicated request header.
parent 8a59c9fd
......@@ -6,6 +6,7 @@ module API
include Helpers::Pagination
SUDO_HEADER = "HTTP_SUDO".freeze
GITLAB_SHARED_SECRET_HEADER = "Gitlab-Shared-Secret".freeze
SUDO_PARAM = :sudo
API_USER_ENV = 'gitlab.api.user'.freeze
......@@ -212,10 +213,12 @@ module API
end
def authenticate_by_gitlab_shell_token!
input = params['secret_token'].try(:chomp)
unless Devise.secure_compare(secret_token, input)
unauthorized!
end
input = params['secret_token']
input ||= Base64.decode64(headers[GITLAB_SHARED_SECRET_HEADER]) if headers.key?(GITLAB_SHARED_SECRET_HEADER)
input&.chomp!
unauthorized! unless Devise.secure_compare(secret_token, input)
end
def authenticated_with_full_private_access!
......
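Review bot: On the second added line of `authenticate_by_gitlab_shell_token!` the `||=` fallback only fires when `params['secret_token']` is nil, so a request that sends an empty `secret_token` parameter (e.g. `?secret_token=`) alongside a valid `Gitlab-Shared-Secret` header keeps the empty string and is rejected with 401. Reading the parameter as `input = params['secret_token'].presence` (ActiveSupport's `presence`, in line with the `try` the removed line relied on) lets blank values fall through to the header, and the final `Devise.secure_compare` line needs no change since a nil `input` is already the rejected no-credentials case the spec covers. Because the parameter path is kept, the secret can presumably still land in request logs via the query string; a why-comment on the method would make the intent explicit, e.g. `# Prefer the Gitlab-Shared-Secret header; the secret_token param is kept for callers that still send it.` Worth noting in the same comment that `Base64.decode64` silently drops characters outside the alphabet rather than raising, which is acceptable only because the result is fed straight into a constant-time compare — `strict_decode64` would instead raise on a malformed header.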
......@@ -26,6 +26,21 @@ describe API::Internal do
expect(json_response['redis']).to be(false)
end
context 'authenticating' do
it 'authenticates using a header' do
get api("/internal/check"),
headers: { API::Helpers::GITLAB_SHARED_SECRET_HEADER => Base64.encode64(secret_token) }
expect(response).to have_gitlab_http_status(200)
end
it 'returns 401 when no credentials provided' do
get(api("/internal/check"))
expect(response).to have_gitlab_http_status(401)
end
end
end
describe 'GET /internal/broadcast_message' do
......
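Review bot: The new `authenticating` context only exercises a correct header and an absent one; there is no example proving that a header carrying the wrong secret is rejected, which is the check that actually guards the new code path. Adding a third example that sends `Base64.encode64('not-the-secret')` in `API::Helpers::GITLAB_SHARED_SECRET_HEADER` and expects 401 pins that behaviour. Note also that `Base64.encode64` appends a trailing newline, which a real HTTP client could not place in a header value, so the positive example arguably exercises the `chomp!`/lenient-decode path rather than the wire format; `Base64.strict_encode64(secret_token)` would match what a client presumably sends while still decoding identically on the server side.
```ruby
# … unchanged: 'authenticates using a header' example …
it 'returns 401 when the header carries a wrong secret' do
  get api("/internal/check"),
      headers: { API::Helpers::GITLAB_SHARED_SECRET_HEADER => Base64.encode64('not-the-secret') }
  expect(response).to have_gitlab_http_status(401)
end
# … unchanged: 'returns 401 when no credentials provided' example …
```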