9 files changed, 12 insertions, 73 deletions

diff --git a/go/internal/command/lfsauthenticate/lfsauthenticate_test.go b/go/internal/command/lfsauthenticate/lfsauthenticate_test.go
index 3b5d11c..a6836a8 100644
--- a/go/internal/command/lfsauthenticate/lfsauthenticate_test.go
+++ b/go/internal/command/lfsauthenticate/lfsauthenticate_test.go
@@ -90,7 +90,7 @@ func TestLfsAuthenticateRequests(t *testing.T) {
 			},
 		},
 		{
-			Path: "/api/v4/internal/allowed/secure",
+			Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				b, err := ioutil.ReadAll(r.Body)
 				defer r.Body.Close()
diff --git a/go/internal/command/receivepack/customaction_test.go b/go/internal/command/receivepack/customaction_test.go
index 045dd6c..bd4991d 100644
--- a/go/internal/command/receivepack/customaction_test.go
+++ b/go/internal/command/receivepack/customaction_test.go
@@ -22,7 +22,7 @@ func TestCustomReceivePack(t *testing.T) {
 
 	requests := []testserver.TestRequestHandler{
 		{
-			Path: "/api/v4/internal/allowed/secure",
+			Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				b, err := ioutil.ReadAll(r.Body)
 				require.NoError(t, err)
diff --git a/go/internal/command/shared/accessverifier/accessverifier_test.go b/go/internal/command/shared/accessverifier/accessverifier_test.go
index df9c834..c19ed37 100644
--- a/go/internal/command/shared/accessverifier/accessverifier_test.go
+++ b/go/internal/command/shared/accessverifier/accessverifier_test.go
@@ -24,7 +24,7 @@ var (
 func setup(t *testing.T) (*Command, *bytes.Buffer, *bytes.Buffer, func()) {
 	requests := []testserver.TestRequestHandler{
 		{
-			Path: "/api/v4/internal/allowed/secure",
+			Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				b, err := ioutil.ReadAll(r.Body)
 				require.NoError(t, err)
diff --git a/go/internal/gitlabnet/accessverifier/client.go b/go/internal/gitlabnet/accessverifier/client.go
index f0dea7d..880fff5 100644
--- a/go/internal/gitlabnet/accessverifier/client.go
+++ b/go/internal/gitlabnet/accessverifier/client.go
@@ -8,6 +8,7 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/go/internal/command/commandargs"
 	"gitlab.com/gitlab-org/gitlab-shell/go/internal/config"
 	"gitlab.com/gitlab-org/gitlab-shell/go/internal/gitlabnet"
+	"gitlab.com/gitlab-org/gitlab-shell/go/internal/sshenv"
 )
 
 const (
@@ -26,6 +27,7 @@ type Request struct {
 	Protocol string                  `json:"protocol"`
 	KeyId    string                  `json:"key_id,omitempty"`
 	Username string                  `json:"username,omitempty"`
+	CheckIp  string                  `json:"check_ip,omitempty"`
 }
 
 type Gitaly struct {
@@ -80,7 +82,9 @@ func (c *Client) Verify(args *commandargs.Shell, action commandargs.CommandType,
 		request.KeyId = args.GitlabKeyId
 	}
 
-	response, err := c.client.Post("/allowed/secure", request)
+	request.CheckIp = sshenv.LocalAddr()
+
+	response, err := c.client.Post("/allowed", request)
 	if err != nil {
 		return nil, err
 	}
diff --git a/go/internal/gitlabnet/accessverifier/client_test.go b/go/internal/gitlabnet/accessverifier/client_test.go
index 0f08c0b..f534185 100644
--- a/go/internal/gitlabnet/accessverifier/client_test.go
+++ b/go/internal/gitlabnet/accessverifier/client_test.go
@@ -157,7 +157,7 @@ func setup(t *testing.T) (*Client, func()) {
 
 	requests := []testserver.TestRequestHandler{
 		{
-			Path: "/api/v4/internal/allowed/secure",
+			Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				b, err := ioutil.ReadAll(r.Body)
 				require.NoError(t, err)
diff --git a/go/internal/gitlabnet/client.go b/go/internal/gitlabnet/client.go
index e61b58d..6b253e0 100644
--- a/go/internal/gitlabnet/client.go
+++ b/go/internal/gitlabnet/client.go
@@ -10,7 +10,6 @@ import (
 	"strings"
 
 	"gitlab.com/gitlab-org/gitlab-shell/go/internal/config"
-	"gitlab.com/gitlab-org/gitlab-shell/go/internal/sshenv"
 )
 
 const (
@@ -110,10 +109,6 @@ func (c *GitlabClient) DoRequest(method, path string, data interface{}) (*http.R
 	request.Header.Set(secretHeaderName, encodedSecret)
 
 	request.Header.Add("Content-Type", "application/json")
-	ipAddr := sshenv.LocalAddr()
-	if ipAddr != "" {
-		request.Header.Add("X-Forwarded-For", ipAddr)
-	}
 
 	request.Close = true
 
diff --git a/go/internal/gitlabnet/client_test.go b/go/internal/gitlabnet/client_test.go
index f4ab62f..3bff18a 100644
--- a/go/internal/gitlabnet/client_test.go
+++ b/go/internal/gitlabnet/client_test.go
@@ -51,20 +51,6 @@ func TestClients(t *testing.T) {
 			},
 		},
 		{
-			Path: "/api/v4/internal/with_ip",
-			Handler: func(w http.ResponseWriter, r *http.Request) {
-				header := r.Header.Get("X-Forwarded-For")
-				require.Equal(t, "127.0.0.1", header)
-			},
-		},
-		{
-			Path: "/api/v4/internal/with_empty_ip",
-			Handler: func(w http.ResponseWriter, r *http.Request) {
-				header := r.Header.Get("X-Forwarded-For")
-				require.Equal(t, "", header)
-			},
-		},
-		{
 			Path: "/api/v4/internal/error",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				w.Header().Set("Content-Type", "application/json")
@@ -233,49 +219,3 @@ func testAuthenticationHeader(t *testing.T, client *GitlabClient) {
 		assert.Equal(t, "sssh, it's a secret", string(header))
 	})
 }
-
-func testXForwardedForHeader(t *testing.T, client *GitlabClient) {
-	t.Run("X-Forwarded-For for GET", func(t *testing.T) {
-		cleanup, err := testhelper.Setenv("SSH_CONNECTION", "127.0.0.1 0")
-		require.NoError(t, err)
-		defer cleanup()
-
-		response, err := client.Get("/with_ip")
-
-		require.NoError(t, err)
-		require.NotNil(t, response)
-		response.Body.Close()
-	})
-
-	t.Run("X-Forwarded-For for POST", func(t *testing.T) {
-		data := map[string]string{"key": "value"}
-		cleanup, err := testhelper.Setenv("SSH_CONNECTION", "127.0.0.1 0")
-		require.NoError(t, err)
-		defer cleanup()
-
-		response, err := client.Post("/with_ip", data)
-
-		require.NoError(t, err)
-		require.NotNil(t, response)
-		response.Body.Close()
-	})
-}
-
-func testEmptyForwardedForHeader(t *testing.T, client *GitlabClient) {
-	t.Run("X-Forwarded-For empty for GET", func(t *testing.T) {
-		response, err := client.Get("/with_empty_ip")
-
-		require.NoError(t, err)
-		require.NotNil(t, response)
-		response.Body.Close()
-	})
-
-	t.Run("X-Forwarded-For empty for POST", func(t *testing.T) {
-		data := map[string]string{"key": "value"}
-		response, err := client.Post("/with_empty_ip", data)
-
-		require.NoError(t, err)
-		require.NotNil(t, response)
-		response.Body.Close()
-	})
-}
diff --git a/go/internal/sshenv/sshenv.go b/go/internal/sshenv/sshenv.go
index c16e262..387feb2 100644
--- a/go/internal/sshenv/sshenv.go
+++ b/go/internal/sshenv/sshenv.go
@@ -11,5 +11,5 @@ func LocalAddr() string {
 	if address != "" {
 		return strings.Fields(address)[0]
 	}
-	return address
+	return ""
 }
diff --git a/go/internal/testhelper/requesthandlers/requesthandlers.go b/go/internal/testhelper/requesthandlers/requesthandlers.go
index 89366cf..b168cf7 100644
--- a/go/internal/testhelper/requesthandlers/requesthandlers.go
+++ b/go/internal/testhelper/requesthandlers/requesthandlers.go
@@ -13,7 +13,7 @@ import (
 func BuildDisallowedByApiHandlers(t *testing.T) []testserver.TestRequestHandler {
 	requests := []testserver.TestRequestHandler{
 		{
-			Path: "/api/v4/internal/allowed/secure",
+		  Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				body := map[string]interface{}{
 					"status":  false,
@@ -31,7 +31,7 @@ func BuildDisallowedByApiHandlers(t *testing.T) []testserver.TestRequestHandler
 func BuildAllowedWithGitalyHandlers(t *testing.T, gitalyAddress string) []testserver.TestRequestHandler {
 	requests := []testserver.TestRequestHandler{
 		{
-			Path: "/api/v4/internal/allowed/secure",
+			Path: "/api/v4/internal/allowed",
 			Handler: func(w http.ResponseWriter, r *http.Request) {
 				body := map[string]interface{}{
 					"status": true,