Do not create web tokens for api keys

This fixes a privilege-escalation path involving API keys.
This commit is contained in:
René Pfeuffer
2020-10-23 14:42:56 +02:00
parent ab5043eb93
commit 1ca18cd44c
4 changed files with 119 additions and 83 deletions


@@ -46,6 +46,8 @@ import static com.google.common.base.Preconditions.checkArgument;
@Extension
public class ApiKeyRealm extends AuthenticatingRealm {
public static final String API_TOKEN_REALM_NAME = "ApiTokenRealm";
private static final Logger LOG = LoggerFactory.getLogger(ApiKeyRealm.class);
private final ApiKeyService apiKeyService;
@@ -55,7 +57,7 @@ public class ApiKeyRealm extends AuthenticatingRealm {
@Inject
public ApiKeyRealm(ApiKeyService apiKeyService, DAORealmHelperFactory helperFactory, RepositoryRoleManager repositoryRoleManager) {
this.apiKeyService = apiKeyService;
this.helper = helperFactory.create("ApiTokenRealm");
this.helper = helperFactory.create(API_TOKEN_REALM_NAME);
this.repositoryRoleManager = repositoryRoleManager;
setAuthenticationTokenClass(BearerToken.class);
setCredentialsMatcher(new AllowAllCredentialsMatcher());
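Review bot: The constructor registers `AllowAllCredentialsMatcher`, so Shiro performs no credential comparison for this realm, yet nothing in the hunk records where the bearer token is actually verified; the newly public `API_TOKEN_REALM_NAME` constant likewise has no Javadoc saying what it identifies. I would add above the matcher line `// AllowAllCredentialsMatcher: Shiro does no credential check here; the bearer token must be fully validated (presumably via apiKeyService) before AuthenticationInfo is returned` and on the constant `/** Realm name registered with DAORealmHelperFactory for API-key authentication. */`. Whether that validation happens in doGetAuthenticationInfo cannot be confirmed from this hunk, and the class body continues outside it. The first hunk (@@ -46,6 +46,8) renders five lines where eight are expected, so some lines of it appear to have been dropped from the page.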