diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-08-18 08:52:04 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-08-18 08:52:04 +0000 |
| commit | 7e2d89989a48ecd55d3f118d7bf8c3a00e1038cb (patch) | |
| tree | 11f24f04e0f11b451c84a224e0d1f07cfed25928 /spec/requests/api | |
| parent | a12a8608e6160bef7f2edca1e20192b69a83ff54 (diff) | |
| download | gitlab-ce-7e2d89989a48ecd55d3f118d7bf8c3a00e1038cb.tar.gz | |
Add latest changes from gitlab-org/gitlab@13-2-stable-ee
Diffstat (limited to 'spec/requests/api')
| -rw-r--r-- | spec/requests/api/maven_packages_spec.rb | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb index 189d6a4c1a4..b9351308545 100644 --- a/spec/requests/api/maven_packages_spec.rb +++ b/spec/requests/api/maven_packages_spec.rb @@ -193,6 +193,24 @@ RSpec.describe API::MavenPackages do it_behaves_like 'downloads with a job token' it_behaves_like 'downloads with a deploy token' + + it 'does not allow download by a unauthorized deploy token with same id as a user with access' do + unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true) + + another_user = create(:user) + project.add_developer(another_user) + + # We force the id of the deploy token and the user to be the same + unauthorized_deploy_token.update!(id: another_user.id) + + download_file( + package_file.file_name, + {}, + Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token + ) + + expect(response).to have_gitlab_http_status(:forbidden) + end end context 'project name is different from a package name' do @@ -451,6 +469,20 @@ RSpec.describe API::MavenPackages do expect(response).to have_gitlab_http_status(:ok) end + it 'rejects requests by a unauthorized deploy token with same id as a user with access' do + unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true) + + another_user = create(:user) + project.add_developer(another_user) + + # We force the id of the deploy token and the user to be the same + unauthorized_deploy_token.update!(id: another_user.id) + + authorize_upload({}, headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token)) + + expect(response).to have_gitlab_http_status(:forbidden) + end + def authorize_upload(params = {}, request_headers = headers) put api("/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/maven-metadata.xml/authorize"), params: params, headers: request_headers end @@ -538,6 +570,20 @@ RSpec.describe API::MavenPackages do expect(response).to have_gitlab_http_status(:ok) end + it 'rejects uploads by a unauthorized deploy token with same id as a user with access' do + unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true) + + another_user = create(:user) + project.add_developer(another_user) + + # We force the id of the deploy token and the user to be the same + unauthorized_deploy_token.update!(id: another_user.id) + + upload_file(params, headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token)) + + expect(response).to have_gitlab_http_status(:forbidden) + end + context 'version is not correct' do let(:version) { '$%123' } |