ORGANIC-467. Restored authorize() capability.

Author: thomasyip

api/api.go

@@ -77,10 +77,10 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 			r.Use(api.loadJWSSignatureHeader)
 			r.Use(api.loadInstanceConfig)
 		}
-		r.With(api.auth.authenticate).Mount("/github", NewGitHubGateway())
-		r.With(api.auth.authenticate).Mount("/gitlab", NewGitLabGateway())
-		r.With(api.auth.authenticate).Mount("/bitbucket", NewBitBucketGateway())
-		r.With(api.auth.authenticate).Get("/settings", api.Settings)
+		r.With(api.auth.accessControl).Mount("/github", NewGitHubGateway())
+		r.With(api.auth.accessControl).Mount("/gitlab", NewGitLabGateway())
+		r.With(api.auth.accessControl).Mount("/bitbucket", NewBitBucketGateway())
+		r.With(api.auth.accessControl).Get("/settings", api.Settings)
 	})
 
 	if globalConfig.MultiInstanceMode {

api/auth.go

@@ -2,7 +2,6 @@ package api
 
 import (
 	"context"
-	"errors"
 	"net/http"
 
 	"github.com/netlify/git-gateway/conf"
@@ -15,7 +14,17 @@ type Auth struct {
 	version string
 }
 
-// authenicate checks incoming requests for tokens presented using the Authorization header
+// check both authentication and authorization
+func (a *Auth) accessControl(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+	_, err := a.authenticate(w, r)
+	if err != nil {
+		return nil, err
+	}
+
+    return a.authorize(w, r)
+}
+
+// authenticate checks incoming requests for tokens presented using the Authorization header
 func (a *Auth) authenticate(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	logrus.Info("Getting auth token")
 	token, err := a.extractBearerToken(w, r)
@@ -33,13 +42,9 @@ func (a *Auth) authorize(w http.ResponseWriter, r *http.Request) (context.Contex
 	claims := getClaims(ctx)
 	config := getConfig(ctx)
 
-	logrus.Infof("authenticate context: %v+", ctx)
+	logrus.Infof("authenticate url: %v+", r.URL)
 	if claims == nil {
-		return nil, errors.New("Access to endpoint not allowed: no claims found in Bearer token")
-	}
-
-	if !allowedRegexp.MatchString(r.URL.Path) {
-		return nil, errors.New("Access to endpoint not allowed: this part of GitHub's API has been restricted")
+		return nil, unauthorizedError("Access to endpoint not allowed: no claims found in Bearer token")
 	}
 
 	if len(config.Roles) == 0 {
@@ -59,7 +64,7 @@ func (a *Auth) authorize(w http.ResponseWriter, r *http.Request) (context.Contex
 		}
 	}
 
-	return nil, errors.New("Access to endpoint not allowed: your role doesn't allow access")
+	return nil, unauthorizedError("Access to endpoint not allowed: your role doesn't allow access")
 }
 
 func NewAuthWithVersion(ctx context.Context, globalConfig *conf.GlobalConfiguration, version string) *Auth {

api/bitbucket.go

@@ -117,6 +117,11 @@ func (bb *BitBucketGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !bitbucketAllowedRegexp.MatchString(r.URL.Path) {
+		handleError(unauthorizedError("Access to endpoint not allowed: this part of BitBucket's API has been restricted"), w, r)
+		return
+	}
+
 	endpoint := config.BitBucket.Endpoint
 	apiURL := singleJoiningSlash(endpoint, "/repositories/"+config.BitBucket.Repo)
 	target, err := url.Parse(apiURL)

api/github.go

@@ -59,6 +59,11 @@ func (gh *GitHubGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !allowedRegexp.MatchString(r.URL.Path) {
+		handleError(unauthorizedError("Access to endpoint not allowed: this part of GitHub's API has been restricted"), w, r)
+		return
+	}
+
 	endpoint := config.GitHub.Endpoint
 	apiURL := singleJoiningSlash(endpoint, "/repos/"+config.GitHub.Repo)
 	target, err := url.Parse(apiURL)

api/gitlab.go

@@ -78,6 +78,11 @@ func (gl *GitLabGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !gitlabAllowedRegexp.MatchString(r.URL.Path) {
+		handleError(unauthorizedError("Access to endpoint not allowed: this part of GitLab's API has been restricted"), w, r)
+		return
+	}
+
 	endpoint := config.GitLab.Endpoint
 	// repos in the form of userName/repoName must be encoded as
 	// userName%2FrepoName