Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/banzai/renderer_spec.rb9
-rw-r--r--spec/lib/gitlab/git_access_spec.rb23
-rw-r--r--spec/lib/gitlab/git_access_wiki_spec.rb29
-rw-r--r--spec/lib/gitlab/middleware/read_only_spec.rb142
-rw-r--r--spec/lib/system_check/app/git_user_default_ssh_config_check_spec.rb8
5 files changed, 200 insertions, 11 deletions
diff --git a/spec/lib/banzai/renderer_spec.rb b/spec/lib/banzai/renderer_spec.rb
index da42272bbef..81a04a2d46d 100644
--- a/spec/lib/banzai/renderer_spec.rb
+++ b/spec/lib/banzai/renderer_spec.rb
@@ -31,7 +31,14 @@ describe Banzai::Renderer do
let(:object) { fake_object(fresh: false) }
it 'caches and returns the result' do
- expect(object).to receive(:refresh_markdown_cache!).with(do_update: true)
+ expect(object).to receive(:refresh_markdown_cache!)
+
+ is_expected.to eq('field_html')
+ end
+
+ it "skips database caching on a GitLab read-only instance" do
+ allow(Gitlab::Database).to receive(:read_only?).and_return(true)
+ expect(object).to receive(:refresh_markdown_cache!)
is_expected.to eq('field_html')
end
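Review bot: The added example `skips database caching on a GitLab read-only instance` makes the same assertion as the example above it, `expect(object).to receive(:refresh_markdown_cache!)`, so it still passes if the `read_only?` stub has no effect at all. Nothing in it checks that the write is actually skipped. Either assert on the persistence call that must not happen, or, if the skip is decided inside `refresh_markdown_cache!` (not visible here), retitle the example and add a comment such as `# the read-only branch is exercised in the model spec; here we only check the renderer still delegates`. The enclosing `describe` starts and ends outside this hunk.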
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 458627ee4de..c54327bd2e4 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -598,6 +598,19 @@ describe Gitlab::GitAccess do
admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
end
end
+
+ context "when in a read-only GitLab instance" do
+ before do
+ create(:protected_branch, name: 'feature', project: project)
+ allow(Gitlab::Database).to receive(:read_only?) { true }
+ end
+
+ # Only check admin; if an admin can't do it, other roles can't either
+ matrix = permissions_matrix[:admin].dup
+ matrix.each { |key, _| matrix[key] = false }
+
+ run_permission_checks(admin: matrix)
+ end
end
describe 'build authentication abilities' do
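Review bot: The read-only context ending at `run_permission_checks(admin: matrix)` appears to pin only that every admin push is denied, not the reason for the denial; the helper's body is outside the hunk, so this is inferred from how it is called. A push rejected for some unrelated reason would satisfy the same matrix. One explicit example in this context would tie the denial to read-only mode, for instance `expect { push_access_check }.to raise_unauthorized("You can't push code to a read-only GitLab instance.")`. That uses the helper from the next hunk and the message asserted in the wiki spec of this commit, on the assumption that `Gitlab::GitAccess` raises the same text.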
@@ -632,6 +645,16 @@ describe Gitlab::GitAccess do
end
end
+ context 'when the repository is read only' do
+ let(:project) { create(:project, :repository, :read_only) }
+
+ it 'denies push access' do
+ project.add_master(user)
+
+ expect { push_access_check }.to raise_unauthorized('The repository is temporarily read-only. Please try again later.')
+ end
+ end
+
describe 'deploy key permissions' do
let(:key) { create(:deploy_key, user: user, can_push: can_push) }
let(:actor) { key }
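Review bot: The `when the repository is read only` context covers only the push side, so an implementation that rejected every access to a `:read_only` project would pass it. No example visible in this hunk pins that fetching from such a repository still works. A companion example in the same context, e.g. `it 'allows pull access'`, asserting that the download check does not raise, would document that the flag blocks writes only. The surrounding `describe` starts outside the hunk, so such an example may already exist elsewhere in the file.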
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
index 0376b4ee783..1056074264a 100644
--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -4,6 +4,7 @@ describe Gitlab::GitAccessWiki do
let(:access) { described_class.new(user, project, 'web', authentication_abilities: authentication_abilities, redirected_path: redirected_path) }
let(:project) { create(:project, :repository) }
let(:user) { create(:user) }
+ let(:changes) { ['6f6d7e7ed 570e7b2ab refs/heads/master'] }
let(:redirected_path) { nil }
let(:authentication_abilities) do
[
@@ -13,19 +14,27 @@ describe Gitlab::GitAccessWiki do
]
end
- describe 'push_allowed?' do
- before do
- create(:protected_branch, name: 'master', project: project)
- project.team << [user, :developer]
- end
+ describe '#push_access_check' do
+ context 'when user can :create_wiki' do
+ before do
+ create(:protected_branch, name: 'master', project: project)
+ project.team << [user, :developer]
+ end
- subject { access.check('git-receive-pack', changes) }
+ subject { access.check('git-receive-pack', changes) }
- it { expect { subject }.not_to raise_error }
- end
+ it { expect { subject }.not_to raise_error }
+
+ context 'when in a read-only GitLab instance' do
+ before do
+ allow(Gitlab::Database).to receive(:read_only?) { true }
+ end
- def changes
- ['6f6d7e7ed 570e7b2ab refs/heads/master']
+ it 'does not give access to upload wiki code' do
+ expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "You can't push code to a read-only GitLab instance.")
+ end
+ end
+ end
end
describe '#access_check_download!' do
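Review bot: The new `context 'when user can :create_wiki'` has no sibling for a user who lacks that ability, so `#push_access_check` pins only the allowed path and the read-only denial. A regression that let any authenticated user push to the wiki would not be caught here. Consider adding a `context 'when user cannot :create_wiki'` that omits `project.team << [user, :developer]` and expects `expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError)`. That needs `subject { access.check('git-receive-pack', changes) }` moved up to the `describe` level so both contexts share it.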
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
new file mode 100644
index 00000000000..742a792a1af
--- /dev/null
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -0,0 +1,142 @@
+require 'spec_helper'
+
+describe Gitlab::Middleware::ReadOnly do
+ include Rack::Test::Methods
+
+ RSpec::Matchers.define :be_a_redirect do
+ match do |response|
+ response.status == 301
+ end
+ end
+
+ RSpec::Matchers.define :disallow_request do
+ match do |middleware|
+ flash = middleware.send(:rack_flash)
+ flash['alert'] && flash['alert'].include?('You cannot do writing operations')
+ end
+ end
+
+ RSpec::Matchers.define :disallow_request_in_json do
+ match do |response|
+ json_response = JSON.parse(response.body)
+ response.body.include?('You cannot do writing operations') && json_response.key?('message')
+ end
+ end
+
+ let(:rack_stack) do
+ rack = Rack::Builder.new do
+ use ActionDispatch::Session::CacheStore
+ use ActionDispatch::Flash
+ use ActionDispatch::ParamsParser
+ end
+
+ rack.run(subject)
+ rack.to_app
+ end
+
+ subject { described_class.new(fake_app) }
+
+ let(:request) { Rack::MockRequest.new(rack_stack) }
+
+ context 'normal requests to a read-only Gitlab instance' do
+ let(:fake_app) { lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['OK']] } }
+
+ before do
+ allow(Gitlab::Database).to receive(:read_only?) { true }
+ end
+
+ it 'expects PATCH requests to be disallowed' do
+ response = request.patch('/test_request')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
+ it 'expects PUT requests to be disallowed' do
+ response = request.put('/test_request')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
+ it 'expects POST requests to be disallowed' do
+ response = request.post('/test_request')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
+ it 'expects a internal POST request to be allowed after a disallowed request' do
+ response = request.post('/test_request')
+
+ expect(response).to be_a_redirect
+
+ response = request.post("/api/#{API::API.version}/internal")
+
+ expect(response).not_to be_a_redirect
+ end
+
+ it 'expects DELETE requests to be disallowed' do
+ response = request.delete('/test_request')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
+ context 'whitelisted requests' do
+ it 'expects DELETE request to logout to be allowed' do
+ response = request.delete('/users/sign_out')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
+
+ it 'expects a POST internal request to be allowed' do
+ response = request.post("/api/#{API::API.version}/internal")
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
+
+ it 'expects a POST LFS request to batch URL to be allowed' do
+ response = request.post('/root/rouge.git/info/lfs/objects/batch')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
+ end
+ end
+
+ context 'json requests to a read-only GitLab instance' do
+ let(:fake_app) { lambda { |env| [200, { 'Content-Type' => 'application/json' }, ['OK']] } }
+ let(:content_json) { { 'CONTENT_TYPE' => 'application/json' } }
+
+ before do
+ allow(Gitlab::Database).to receive(:read_only?) { true }
+ end
+
+ it 'expects PATCH requests to be disallowed' do
+ response = request.patch('/test_request', content_json)
+
+ expect(response).to disallow_request_in_json
+ end
+
+ it 'expects PUT requests to be disallowed' do
+ response = request.put('/test_request', content_json)
+
+ expect(response).to disallow_request_in_json
+ end
+
+ it 'expects POST requests to be disallowed' do
+ response = request.post('/test_request', content_json)
+
+ expect(response).to disallow_request_in_json
+ end
+
+ it 'expects DELETE requests to be disallowed' do
+ response = request.delete('/test_request', content_json)
+
+ expect(response).to disallow_request_in_json
+ end
+ end
+end
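Review bot: Every context in this new spec stubs `Gitlab::Database.read_only?` to true and, apart from the three allowlisted routes, sends only write verbs, so the suite pins the blocking side alone. A middleware that also rejected GET requests, or kept blocking writes on a writable instance, would pass. The examples below add both pass-through cases. Separately, `disallow_request_in_json` never checks `response.status`, and `JSON.parse` raises on the fake app's `OK` body, so a request that slips through errors out instead of failing the matcher cleanly. The allowlist examples also have no negative case, such as a path that only resembles `/info/lfs/objects/batch`, which is worth adding once the intended matching rule is confirmed against the middleware (not visible here).

```ruby
  context 'normal requests to a read-only Gitlab instance' do
    # … unchanged: fake_app, read_only? stub, PATCH/PUT/POST/DELETE and whitelisted examples …

    it 'expects GET requests to be allowed' do
      response = request.get('/test_request')

      expect(response).not_to be_a_redirect
      expect(subject).not_to disallow_request
    end
  end

  context 'requests to a writable GitLab instance' do
    let(:fake_app) { lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['OK']] } }

    before do
      allow(Gitlab::Database).to receive(:read_only?) { false }
    end

    it 'expects POST requests to be allowed' do
      response = request.post('/test_request')

      expect(response).not_to be_a_redirect
      expect(subject).not_to disallow_request
    end
  end
```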
diff --git a/spec/lib/system_check/app/git_user_default_ssh_config_check_spec.rb b/spec/lib/system_check/app/git_user_default_ssh_config_check_spec.rb
index a0fb86345f3..b4b83b70d1c 100644
--- a/spec/lib/system_check/app/git_user_default_ssh_config_check_spec.rb
+++ b/spec/lib/system_check/app/git_user_default_ssh_config_check_spec.rb
@@ -39,6 +39,14 @@ describe SystemCheck::App::GitUserDefaultSSHConfigCheck do
it { is_expected.to eq(expected_result) }
end
+
+ it 'skips GitLab read-only instances' do
+ stub_user
+ stub_home_dir
+ allow(Gitlab::Database).to receive(:read_only?).and_return(true)
+
+ is_expected.to be_truthy
+ end
end
describe '#check?' do