Merge branch 'constant-gitlab-ci-token-username' into 'master'

Extract literal string into constant (gitlab-ci-token) See merge request gitlab-org/gitlab!37899

Merge branch 'constant-gitlab-ci-token-username' into 'master'
Extract literal string into constant (gitlab-ci-token) See merge request gitlab-org/gitlab!37899
6b120d08 · Fabio Pitino · e10b129e · 842f683f · 6b120d08 · 6b120d08
Commit 6b120d08 authored Jul 30, 2020 by Fabio Pitino
6 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -524,8 +524,6 @@ module Ci
      end
    end

-    CI_REGISTRY_USER = 'gitlab-ci-token'
-
    def persisted_variables
      Gitlab::Ci::Variables::Collection.new.tap do |variables|
        break variables unless persisted?
@@ -537,7 +535,7 @@ module Ci
          .append(key: 'CI_JOB_TOKEN', value: token.to_s, public: false, masked: true)
          .append(key: 'CI_BUILD_ID', value: id.to_s)
          .append(key: 'CI_BUILD_TOKEN', value: token.to_s, public: false, masked: true)
-          .append(key: 'CI_REGISTRY_USER', value: CI_REGISTRY_USER)
+          .append(key: 'CI_REGISTRY_USER', value: ::Gitlab::Auth::CI_REGISTRY_USER)
          .append(key: 'CI_REGISTRY_PASSWORD', value: token.to_s, public: false, masked: true)
          .append(key: 'CI_REPOSITORY_URL', value: repo_url.to_s, public: false)
          .concat(deploy_token_variables)
@@ -596,7 +594,7 @@ module Ci
    def repo_url
      return unless token

-      auth = "gitlab-ci-token:#{token}@"
+      auth = "#{::Gitlab::Auth::CI_JOB_USER}:#{token}@"
      project.http_url_to_repo.sub(%r{^https?://}) do |prefix|
        prefix + auth
      end

--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -26,6 +26,9 @@ module Gitlab
    # Default scopes for OAuth applications that don't define their own
    DEFAULT_SCOPES = [:api].freeze

+    CI_JOB_USER = 'gitlab-ci-token'
+    CI_REGISTRY_USER = 'gitlab-ci-token'
+
    class << self
      prepend_if_ee('EE::Gitlab::Auth') # rubocop: disable Cop/InjectEnterpriseEditionModule

@@ -126,7 +129,7 @@ module Gitlab
      # rubocop:enable Gitlab/RailsLogger

      def skip_rate_limit?(login:)
-        ::Ci::Build::CI_REGISTRY_USER == login
+        CI_REGISTRY_USER == login
      end

      def look_to_limit_user(actor)
@@ -254,7 +257,7 @@ module Gitlab
      end

      def build_access_token_check(login, password)
-        return unless login == 'gitlab-ci-token'
+        return unless login == CI_JOB_USER
        return unless password

        build = find_build_by_token(password)

--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -82,7 +82,7 @@ module Gitlab

        login, password = user_name_and_password(current_request)
        return unless login.present? && password.present?
-        return unless ::Ci::Build::CI_REGISTRY_USER == login
+        return unless ::Gitlab::Auth::CI_REGISTRY_USER == login

        job = ::Ci::Build.find_by_token(password)
        raise UnauthorizedError unless job

--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -554,7 +554,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
    end

    context 'with CI username' do
-      let(:username) { ::Ci::Build::CI_REGISTRY_USER }
+      let(:username) { ::Gitlab::Auth::CI_REGISTRY_USER }
      let(:user) { create(:user) }
      let(:build) { create(:ci_build, user: user) }

@@ -727,7 +727,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do

    context 'when the job token is provided via basic auth' do
      let(:route_authentication_setting) { { job_token_allowed: :basic_auth } }
-      let(:username) { Ci::Build::CI_REGISTRY_USER }
+      let(:username) { ::Gitlab::Auth::CI_REGISTRY_USER }
      let(:token) { job.token }

      before do

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -149,7 +149,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
    end

    context 'build token' do
-      subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') }
+      subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') }
+
+      let(:username) { 'gitlab-ci-token' }

      context 'for running build' do
        let!(:build) { create(:ci_build, :running) }
@@ -170,6 +172,14 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do

          expect(subject).to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
        end
+
+        context 'username is not gitlab-ci-token' do
+          let(:username) { 'another_username' }
+
+          it 'fails to authenticate' do
+            expect(subject).to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+          end
+        end
      end

      (Ci::HasStatus::AVAILABLE_STATUSES - ['running']).each do |build_status|

--- a/spec/support/helpers/http_basic_auth_helpers.rb
+++ b/spec/support/helpers/http_basic_auth_helpers.rb
@@ -8,7 +8,7 @@ module HttpBasicAuthHelpers
  end

  def job_basic_auth_header(job)
-    basic_auth_header(Ci::Build::CI_REGISTRY_USER, job.token)
+    basic_auth_header(::Gitlab::Auth::CI_REGISTRY_USER, job.token)
  end

  def client_basic_auth_header(client)