diff options
author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-15 13:49:11 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-15 13:49:11 +0200 |
commit | 9d1ccd2ad3af37139649100476b568d219343a57 (patch) | |
tree | 4475c8f777e25a3a7708ed7012f190b844fdaa7c | |
parent | 50076ab974348e74514bb4f19169351f08e11636 (diff) | |
download | gitlab-ce-9d1ccd2ad3af37139649100476b568d219343a57.tar.gz |
Fix existing authorization specs
-rw-r--r-- | app/controllers/jwt_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/projects/git_http_client_controller.rb | 2 | ||||
-rw-r--r-- | app/models/ci/build.rb | 1 | ||||
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 8 | ||||
-rw-r--r-- | lib/api/internal.rb | 18 | ||||
-rw-r--r-- | lib/gitlab/auth.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 17 | ||||
-rw-r--r-- | spec/requests/git_http_spec.rb | 9 | ||||
-rw-r--r-- | spec/requests/jwt_controller_spec.rb | 6 | ||||
-rw-r--r-- | spec/services/auth/container_registry_authentication_service_spec.rb | 14 |
11 files changed, 51 insertions, 34 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index ed5d28e0d2c..0870a2a8f50 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -11,10 +11,10 @@ class JwtController < ApplicationController service = SERVICES[params[:service]] return head :not_found unless service - @@authentication_result ||= Gitlab::Auth.Result.new + @authentication_result ||= Gitlab::Auth::Result.new result = service.new(@authentication_result.project, @authentication_result.user, auth_params). - execute(capabilities: @authentication_result.capabilities || []) + execute(capabilities: @authentication_result.capabilities) render json: result, status: result[:http_status] end @@ -23,7 +23,7 @@ class JwtController < ApplicationController def authenticate_project_or_user authenticate_with_http_basic do |login, password| - @authentication_result = Gitlab::Auth.find_for_git_client(login, password, ip: request.ip) + @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip) render_403 unless @authentication_result.succeeded? end diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb index 6870102c296..aabb5b0fe01 100644 --- a/app/controllers/projects/git_http_client_controller.rb +++ b/app/controllers/projects/git_http_client_controller.rb @@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController @capabilities = auth_result.capabilities || [] - if ci? || user + if auth_result.succeeded? return # Allow access end elsif allow_kerberos_spnego_auth? && spnego_provided? diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb index 29788b8285d..0b017c98916 100644 --- a/app/models/ci/build.rb +++ b/app/models/ci/build.rb @@ -43,6 +43,7 @@ module Ci new_build.status = 'pending' new_build.runner_id = nil new_build.trigger_request_id = nil + new_build.token = nil new_build.save end diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index ba0b60abfe4..df1c9b2851c 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -4,8 +4,8 @@ module Auth AUDIENCE = 'container_registry' - def execute(capabilities: capabilities) - @capabilities = capabilities + def execute(capabilities:) + @capabilities = capabilities || [] return error('not found', 404) unless registry.enabled @@ -76,7 +76,7 @@ module Auth case requested_action when 'pull' - build_can_pull?(requested_project) || user_can_pull?(requested_project) + requested_project.public? || build_can_pull?(requested_project) || user_can_pull?(requested_project) when 'push' build_can_push?(requested_project) || user_can_push?(requested_project) else @@ -88,8 +88,6 @@ module Auth Gitlab.config.registry end - private - def build_can_pull?(requested_project) # Build can: # 1. pull from it's own project (for ex. a build) diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 2ec94570506..2610fd329d6 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -35,6 +35,14 @@ module API Project.find_with_namespace(project_path) end end + + def ssh_capabilities + [ + :read_project, + :download_code, + :push_code + ] + end end post "/allowed" do @@ -130,16 +138,6 @@ module API { success: true, recovery_codes: codes } end - - private - - def ssh_capabilities - [ - :read_project, - :download_code, - :push_code - ] - end end end end diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 7af9bb9a326..666cf1b3e26 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -115,7 +115,7 @@ module Gitlab return unless login == 'gitlab-ci-token' return unless password - build = Ci::Build.running.find_by_token(password) + build = ::Ci::Build.running.find_by_token(password) return unless build if build.user diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 63b707db814..21286e77dc6 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -7,7 +7,7 @@ module Gitlab attr_reader :actor, :project, :protocol, :user_access, :capabilities - def initialize(actor, project, protocol, capabilities: capabilities) + def initialize(actor, project, protocol, capabilities:) @actor = actor @project = project @protocol = protocol diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb index 77dce676cdb..d418b0be0ed 100644 --- a/spec/lib/gitlab/git_access_spec.rb +++ b/spec/lib/gitlab/git_access_spec.rb @@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do context 'ssh disabled' do before do disable_protocol('ssh') - @acc = Gitlab::GitAccess.new(actor, project, 'ssh') + @acc = Gitlab::GitAccess.new(actor, project, 'ssh', capabilities: capabilities) end it 'blocks ssh git push' do @@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do context 'http disabled' do before do disable_protocol('http') - @acc = Gitlab::GitAccess.new(actor, project, 'http') + @acc = Gitlab::GitAccess.new(actor, project, 'http', capabilities: capabilities) end it 'blocks http push' do @@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false })) end end - end shared_examples 'can not push code' do @@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do describe 'build capabilities permissions' do let(:capabilities) { build_capabilities } - it_behaves_like 'cannot push code' + it_behaves_like 'can not push code' end describe 'deploy key permissions' do let(:key) { create(:deploy_key) } let(:actor) { key } - it_behaves_like 'cannot push code' + it_behaves_like 'can not push code' end private @@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do :build_download_code ] end + + def full_capabilities + [ + :read_project, + :download_code, + :push_code + ] + end end diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb index b7001fede40..5977ee04524 100644 --- a/spec/requests/git_http_spec.rb +++ b/spec/requests/git_http_spec.rb @@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do end context "when a gitlab ci token is provided" do - let(:token) { 123 } - let(:project) { FactoryGirl.create :empty_project } + let(:build) { create(:ci_build, :running) } + let(:project) { build.project } before do - project.update_attributes(runners_token: token) project.project_feature.update_attributes(builds_access_level: ProjectFeature::ENABLED) end it "downloads get status 200" do - clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token + clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token expect(response).to have_http_status(200) expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE) end it "uploads get status 401 (no project existence information leak)" do - push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token + push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token expect(response).to have_http_status(401) end diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb index fc42b534dca..93b9cfaf33d 100644 --- a/spec/requests/jwt_controller_spec.rb +++ b/spec/requests/jwt_controller_spec.rb @@ -22,11 +22,13 @@ describe JwtController do context 'when using authorized request' do context 'using CI token' do - let(:project) { create(:empty_project, runners_token: 'token') } - let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } } + let(:build) { create(:ci_build, :running) } + let(:project) { build.project } + let(:headers) { { authorization: credentials('gitlab-ci-token', build.token) } } context 'project with enabled CI' do subject! { get '/jwt/auth', parameters, headers } + it { expect(service_class).to have_received(:new).with(project, nil, parameters) } end diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index 7cc71f706ce..c82deb7d423 100644 --- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb @@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do let(:current_params) { {} } let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) } let(:payload) { JWT.decode(subject[:token], rsa_key).first } + let(:capabilities) do + [ + :read_container_image, + :create_container_image + ] + end - subject { described_class.new(current_project, current_user, current_params).execute } + subject { described_class.new(current_project, current_user, current_params).execute(capabilities: capabilities) } before do allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil) @@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do 'actions' => actions, }] end + let(:capabilities) do + [ + :build_read_container_image, + :build_create_container_image + ] + end it_behaves_like 'a valid token' it { expect(payload).to include('access' => access) } |