Update authn/authz for Go module proxy

- Allow CI job tokens - Return 401 when project is not public and request is not authenticated - Add assertions to spec to verify authn/authz

Update authn/authz for Go module proxy
- Allow CI job tokens - Return 401 when project is not public and request is not authenticated - Add assertions to spec to verify authn/authz
30232ef8 · Ethan Reesor · f96bd4bb · 30232ef8 · 30232ef8
Commit 30232ef8 authored Mar 31, 2020 by Ethan Reesor
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 210 additions and 165 deletions

ee/lib/api/go_proxy.rb ee/lib/api/go_proxy.rb +16 -0

ee/spec/requests/api/go_proxy_spec.rb ee/spec/requests/api/go_proxy_spec.rb +194 -165

No files found.
--- a/ee/lib/api/go_proxy.rb
+++ b/ee/lib/api/go_proxy.rb
@@ -32,12 +32,28 @@ module API

        ver
      end
+
+      # override :find_project!
+      def find_project!(id)
+        project = find_project(id)
+
+        ability = job_token_authentication? ? :build_read_project : :read_project
+
+        if can?(current_user, ability, project)
+          project
+        elsif current_user.nil?
+          unauthorized!
+        else
+          not_found!('Project')
+        end
+      end
    end

    params do
      requires :id, type: String, desc: 'The ID of a project'
      requires :module_name, type: String, desc: 'Module name'
    end
+    route_setting :authentication, job_token_allowed: true
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      before do
        authorize_read_package!

--- a/ee/spec/requests/api/go_proxy_spec.rb
+++ b/ee/spec/requests/api/go_proxy_spec.rb