From 8bf2ee1e02316237e12e47c8c95f3b234e6803b9 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sat, 22 Aug 2020 22:09:14 +0100 Subject: [PATCH] Skip SSPI authentication attempts for /api/internal (#12556) (#12559) Backport #12556 SSPI fails badly on authentication attempts to /api/internal which it can never succesfully authenticate. Fix #11260 Signed-off-by: Andrew Thornton Co-authored-by: Lauris BH --- modules/auth/sso/oauth2.go | 2 +- modules/auth/sso/sso.go | 5 +++++ modules/auth/sso/sspi_windows.go | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/auth/sso/oauth2.go b/modules/auth/sso/oauth2.go index 6860c12e3..3f530f036 100644 --- a/modules/auth/sso/oauth2.go +++ b/modules/auth/sso/oauth2.go @@ -121,7 +121,7 @@ func (o *OAuth2) VerifyAuthData(ctx *macaron.Context, sess session.Store) *model return nil } - if !isAPIPath(ctx) && !isAttachmentDownload(ctx) { + if isInternalPath(ctx) || !isAPIPath(ctx) && !isAttachmentDownload(ctx) { return nil } diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go index cf8148d89..c2e36f3f5 100644 --- a/modules/auth/sso/sso.go +++ b/modules/auth/sso/sso.go @@ -100,6 +100,11 @@ func isAPIPath(ctx *macaron.Context) bool { return strings.HasPrefix(ctx.Req.URL.Path, "/api/") } +// isInternalPath returns true if the specified URL is an internal API path +func isInternalPath(ctx *macaron.Context) bool { + return strings.HasPrefix(ctx.Req.URL.Path, "/api/internal/") +} + // isAttachmentDownload check if request is a file download (GET) with URL to an attachment func isAttachmentDownload(ctx *macaron.Context) bool { return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET" diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go index 2bced4be2..00f15d97b 100644 --- a/modules/auth/sso/sspi_windows.go +++ b/modules/auth/sso/sspi_windows.go @@ -148,6 +148,8 @@ func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) { } else if ctx.Req.FormValue("auth_with_sspi") == "1" { shouldAuth = true } + } else if isInternalPath(ctx) { + shouldAuth = false } else if isAPIPath(ctx) || isAttachmentDownload(ctx) { shouldAuth = true }