Merge branch...

Merge branch '292041-geo-personal-snippets-with-private-or-internal-visibility-level-are-not-replicated' into 'master' Fix: Geo should be able to replicate Personal snippets See merge request gitlab-org/gitlab!49583

Merge branch...
Merge branch '292041-geo-personal-snippets-with-private-or-internal-visibility-level-are-not-replicated' into 'master' Fix: Geo should be able to replicate Personal snippets See merge request gitlab-org/gitlab!49583
280a3103 · Michael Kozono · 13522720 · 74112de9 · 280a3103 · 280a3103
Commit 280a3103 authored Dec 10, 2020 by Michael Kozono
3 changed files
--- a/ee/app/controllers/ee/repositories/git_http_controller.rb
+++ b/ee/app/controllers/ee/repositories/git_http_controller.rb
@@ -47,7 +47,7 @@ module EE
      end

      def geo?
-        authentication_result.geo?(project)
+        authentication_result.geo?
      end

      override :access_actor

--- a/ee/lib/ee/gitlab/auth/result.rb
+++ b/ee/lib/ee/gitlab/auth/result.rb
@@ -8,13 +8,11 @@ module EE

        override :success?
        def success?
-          type == :geo || super
+          geo? || super
        end

-        def geo?(for_project)
-          type == :geo &&
-            project &&
-            project == for_project
+        def geo?
+          type == :geo
        end
      end
    end

--- a/ee/spec/requests/repositories/git_http_controller_spec.rb
+++ b/ee/spec/requests/repositories/git_http_controller_spec.rb
@@ -15,6 +15,33 @@ RSpec.describe Repositories::GitHttpController, type: :request do
    project.add_developer(user)
  end

+  describe 'POST #git_upload_pack' do
+    context 'geo pulls a personal snippet' do
+      let_it_be(:snippet) { create(:personal_snippet, :repository, author: user) }
+      let_it_be(:path) { "snippets/#{snippet.id}.git" }
+
+      before do
+        allow(::Gitlab::Geo::JwtRequestDecoder).to receive(:geo_auth_attempt?).and_return(true)
+      end
+
+      it 'allows access' do
+        allow_any_instance_of(::Gitlab::Geo::JwtRequestDecoder).to receive(:decode).and_return({ scope: "snippets/#{snippet.id}" })
+
+        clone_get(path, **env)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      it 'does not allow access if scope is wrong' do
+        allow_any_instance_of(::Gitlab::Geo::JwtRequestDecoder).to receive(:decode).and_return({ scope: "wron-scope" })
+
+        clone_get(path, **env)
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
+  end
+
  describe 'GET #info_refs' do
    context 'smartcard session required' do
      subject { clone_get(path, **env) }