Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token.

5 files changed, 44 insertions, 27 deletions

diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index cd00a15be3b..6ce680e3c26 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -26,17 +26,19 @@ describe Gitlab::Auth, lib: true do
     it 'recognizes user lfs tokens' do
       user = create(:user)
       ip = 'ip'
+      token = Gitlab::LfsToken.new(user).set_token
 
       expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
-      expect(gl_auth.find_for_git_client(user.username, user.lfs_token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, :lfs_token))
+      expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, :lfs_token))
     end
 
     it 'recognizes deploy key lfs tokens' do
       key = create(:deploy_key)
       ip = 'ip'
+      token = Gitlab::LfsToken.new(key).set_token
 
-      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'lfs-deploy-key')
-      expect(gl_auth.find_for_git_client('lfs-deploy-key', key.lfs_token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, :lfs_deploy_token))
+      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs-deploy-key-#{key.id}")
+      expect(gl_auth.find_for_git_client("lfs-deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, :lfs_deploy_token))
     end
 
     it 'recognizes OAuth tokens' do
diff --git a/spec/lib/gitlab/lfs_token_spec.rb b/spec/lib/gitlab/lfs_token_spec.rb
new file mode 100644
index 00000000000..76b348637c7
--- /dev/null
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe Gitlab::LfsToken, lib: true do
+  describe '#set_token and #get_value' do
+    shared_examples 'an LFS token generator' do
+      it 'returns a randomly generated token' do
+        token = handler.set_token
+
+        expect(token).not_to be_nil
+        expect(token).to be_a String
+        expect(token.length).to eq 50
+      end
+
+      it 'returns the correct token based on the key' do
+        token = handler.set_token
+
+        expect(handler.get_value).to eq(token)
+      end
+    end
+
+    context 'when the actor is a user' do
+      let(:actor) { create(:user) }
+      let(:handler) { described_class.new(actor) }
+
+      it_behaves_like 'an LFS token generator'
+    end
+
+    context 'when the actor is a deploy key' do
+      let(:actor) { create(:deploy_key) }
+      let(:handler) { described_class.new(actor) }
+
+      it_behaves_like 'an LFS token generator'
+    end
+  end
+end
diff --git a/spec/models/concerns/token_authenticatable_spec.rb b/spec/models/concerns/token_authenticatable_spec.rb
index 82076600f3b..eb64f3d0c83 100644
--- a/spec/models/concerns/token_authenticatable_spec.rb
+++ b/spec/models/concerns/token_authenticatable_spec.rb
@@ -18,26 +18,6 @@ describe User, 'TokenAuthenticatable' do
     subject { create(:user).send(token_field) }
     it { is_expected.to be_a String }
   end
-
-  describe 'lfs token' do
-    let(:token_field) { :lfs_token }
-    it_behaves_like 'TokenAuthenticatable'
-
-    describe 'ensure it' do
-      subject { create(:user).send(token_field) }
-      it { is_expected.to be_a String }
-    end
-  end
-end
-
-describe DeployKey, 'TokenAuthenticatable' do
-  let(:token_field) { :lfs_token }
-  it_behaves_like 'TokenAuthenticatable'
-
-  describe 'ensures authentication token' do
-    subject { create(:deploy_key).send(token_field) }
-    it { is_expected.to be_a String }
-  end
 end
 
 describe ApplicationSetting, 'TokenAuthenticatable' do
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 95fc5f790e8..59df5af770b 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -108,7 +108,7 @@ describe API::API, api: true  do
         expect(response).to have_http_status(200)
 
         expect(json_response['name']).to eq(user.name)
-        expect(json_response['lfs_token']).to eq(user.lfs_token)
+        expect(json_response['lfs_token']).to eq(Gitlab::LfsToken.new(user).get_value)
       end
     end
 
@@ -120,8 +120,8 @@ describe API::API, api: true  do
 
         expect(response).to have_http_status(200)
 
-        expect(json_response['username']).to eq('lfs-deploy-key')
-        expect(json_response['lfs_token']).to eq(key.lfs_token)
+        expect(json_response['username']).to eq("lfs-deploy-key-#{key.id}")
+        expect(json_response['lfs_token']).to eq(Gitlab::LfsToken.new(key).get_value)
       end
     end
   end
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 58f8515c0e2..d15e72b2570 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -917,7 +917,7 @@ describe 'Git LFS API and storage' do
   end
 
   def authorize_deploy_key
-    ActionController::HttpAuthentication::Basic.encode_credentials('lfs-deploy-key', key.lfs_token)
+    ActionController::HttpAuthentication::Basic.encode_credentials("lfs-deploy-key-#{key.id}", Gitlab::LfsToken.new(key).set_token)
   end
 
   def fork_project(project, user, object = nil)