author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-05-21 13:13:30 +0100 |
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-05-22 18:12:22 +0100 |
commit | 61bea3317982d426cba067a247f1c337bd08d8a9 (patch) | |
tree | d7d3cab402c97d58abf6a176c1228fc7387cf5fd | |
parent | 592b8d716f77944e61a7b532028ccf27c8401755 (diff) | |
Adds Group#discovery_token to permit anonymous discoveryce-jej/group-saml-metadata-endpoint
-rw-r--r-- | app/models/group.rb | 11 | ||||
-rw-r--r-- | db/migrate/20180520211048_add_discovery_token_to_namespaces.rb | 9 | ||||
-rw-r--r-- | db/schema.rb | 3 | ||||
-rw-r--r-- | spec/models/group_spec.rb | 33 |
4 files changed, 55 insertions, 1 deletions
diff --git a/app/models/group.rb b/app/models/group.rb
index 8fb77a7869d..127668bfbe1 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -334,6 +334,17 @@ class Group < Namespace
 ensure_runners_token!
 end
+ # Helps avoid revealing that a group exists on a given path
+ # The token conveys that the anonymous user is allowed to know of the group
+ def discovery_token
+ super.presence || begin
+ self.discovery_token = Devise.friendly_token(8)
+
+ save if Gitlab::Database.read_write?
+ super
+ end
+ end
+
 private
 def update_two_factor_requirement
diff --git a/db/migrate/20180520211048_add_discovery_token_to_namespaces.rb b/db/migrate/20180520211048_add_discovery_token_to_namespaces.rb
new file mode 100644
index 00000000000..416833ac6de
--- /dev/null
+++ b/db/migrate/20180520211048_add_discovery_token_to_namespaces.rb
@@ -0,0 +1,9 @@
+class AddDiscoveryTokenToNamespaces < ActiveRecord::Migration
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ def change
+ add_column :namespaces, :discovery_token, :string
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index ed29d202f91..c8079cff773 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20180512061621) do
+ActiveRecord::Schema.define(version: 20180520211048) do
 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
@@ -1289,6 +1289,7 @@ ActiveRecord::Schema.define(version: 20180512061621) do
 t.integer "two_factor_grace_period", default: 48, null: false
 t.integer "cached_markdown_version"
 t.string "runners_token"
+ t.string "discovery_token"
 end
 add_index "namespaces", ["created_at"], name: "index_namespaces_on_created_at", using: :btree
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index f83b52e8975..e2003b699ca 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
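Review bot: `Devise.friendly_token(8)` in the new `Group#discovery_token` makes the secret only 8 characters long, which is thin for a value whose whole purpose is to stop an anonymous caller from confirming that a group exists at a path — an online guess against it is only as hard as whatever rate limiting sits in front of the endpoint that accepts it. The column is an unconstrained string, so the library default length costs nothing here: `self.discovery_token = Devise.friendly_token`. The `save if Gitlab::Database.read_write?` line returns false rather than raising when the group fails validation, in which case the freshly generated token is handed out but never persisted and the next read generates a different one; regenerating on a read-only database is deliberate per the spec, but a silently failing save on a writable one deserves either a check of the return value or a comment stating that the drift is acceptable. Wherever the token is compared on the consuming side (outside this diff), it should go through `ActiveSupport::SecurityUtils.secure_compare` rather than `==`.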
@@ -699,4 +699,37 @@ describe Group do
 let(:uploader_class) { AttachmentUploader }
 end
 end
+
+ describe '#discovery_token' do
+ it 'returns existing tokens' do
+ group = create(:group, discovery_token: 'existing')
+
+ expect(group.discovery_token).to eq 'existing'
+ end
+
+ context 'when missing on read' do
+ it 'generates a token' do
+ expect(group.discovery_token.length).to eq 8
+ end
+
+ it 'saves the generated token' do
+ expect { group.discovery_token }.to change { group.reload.read_attribute(:discovery_token) }
+ end
+
+ context 'in read only mode' do
+ before do
+ allow(Gitlab::Database).to receive(:read_only?).and_return(true)
+ allow(group).to receive(:create_or_update).and_raise(ActiveRecord::ReadOnlyRecord)
+ end
+
+ it "doesn't raise an error as that could expose group existance" do
+ expect { group.discovery_token }.not_to raise_error
+ end
+
+ it 'returns a random value to prevent access' do
+ expect(group.discovery_token).not_to be_blank
+ end
+ end
+ end
+ end
 end
|
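Review bot: The 'in read only mode' context stubs `Gitlab::Database.read_only?`, but the guard in `Group#discovery_token` calls `Gitlab::Database.read_write?`; unless `read_write?` is implemented as the negation of `read_only?`, the stub never reaches the branch under test and the examples pass only because `create_or_update` is stubbed to raise `ActiveRecord::ReadOnlyRecord`, so stubbing the method the model actually calls, `allow(Gitlab::Database).to receive(:read_write?).and_return(false)`, would tie the spec to the code it exercises. `group` is used throughout 'when missing on read' without a visible `let`, so it presumably comes from a `let(:group)` defined earlier in the file, outside this hunk. 'generates a token' asserts `length` is exactly 8, which pins the current `friendly_token(8)` size rather than the property that matters; checking `not_to be_blank` and that two groups receive different tokens would survive a longer token. The description string "existance" should read "existence".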