Commit 2eb4d004 authored by Rémy Coutable's avatar Rémy Coutable Committed by Ruben Davila

Merge branch 'post-merge-improve-of-ci-permissions' into 'master'

Post-merge improve of CI permissions

Improves code from !6409

See merge request !6432
parent 16ebf6c2
......@@ -11,10 +11,8 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]]
return head :not_found unless service
@authentication_result ||= Gitlab::Auth::Result.new
result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
execute(authentication_abilities: @authentication_result.authentication_abilities)
execute(authentication_abilities: @authentication_result.authentication_abilities || [])
render json: result, status: result[:http_status]
end
......@@ -22,6 +20,8 @@ class JwtController < ApplicationController
private
def authenticate_project_or_user
@authentication_result = Gitlab::Auth::Result.new
authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
......
......@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return # Allow access
end
elsif allow_kerberos_spnego_auth? && spnego_provided?
user = find_kerberos_user
kerberos_user = find_kerberos_user
if user
if kerberos_user
@authentication_result = Gitlab::Auth::Result.new(
user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
send_final_spnego_response
return # Allow access
......
......@@ -493,8 +493,11 @@ module Ci
end
def hide_secrets(trace)
trace = Ci::MaskSecret.mask(trace, project.runners_token) if project
trace = Ci::MaskSecret.mask(trace, token)
return unless trace
trace = trace.dup
Ci::MaskSecret.mask!(trace, project.runners_token) if project
Ci::MaskSecret.mask!(trace, token)
trace
end
end
......
......@@ -5,7 +5,7 @@ module Auth
AUDIENCE = 'container_registry'
def execute(authentication_abilities:)
@authentication_abilities = authentication_abilities || []
@authentication_abilities = authentication_abilities
return error('not found', 404) unless registry.enabled
......
module Ci::MaskSecret
class << self
def mask(value, token)
def mask!(value, token)
return value unless value.present? && token.present?
value.gsub(token, 'x' * token.length)
value.gsub!(token, 'x' * token.length)
value
end
end
end
......@@ -5,15 +5,23 @@ describe Ci::MaskSecret, lib: true do
describe '#mask' do
it 'masks exact number of characters' do
expect(subject.mask('token', 'oke')).to eq('txxxn')
expect(mask('token', 'oke')).to eq('txxxn')
end
it 'masks multiple occurrences' do
expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
end
it 'does not mask if not found' do
expect(subject.mask('token', 'not')).to eq('token')
expect(mask('token', 'not')).to eq('token')
end
it 'does support null token' do
expect(mask('token', nil)).to eq('token')
end
def mask(value, token)
subject.mask!(value.dup, token)
end
end
end
......@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
end
context 'to private project' do
let(:project) { create(:project, :internal) }
let(:project) { create(:project) }
it { expect(subject).not_to be_allowed }
end
......
......@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
project.team << [user, :reporter]
end
shared_examples 'can download code only from own projects' do
shared_examples 'can download code only' do
it 'downloads get status 200' do
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
context 'administrator' do
let(:user) { create(:admin) }
it_behaves_like 'can download code only from own projects'
it_behaves_like 'can download code only'
it 'downloads from other project get status 403' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
context 'regular user' do
let(:user) { create(:user) }
it_behaves_like 'can download code only from own projects'
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment