Commit 6df3dd9d authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'post-merge-improve-of-ci-permissions' into 'master'

Post-merge improve of CI permissions

Improves code from !6409

See merge request !6432
parents 49405ac7 cf6a35f0
...@@ -11,10 +11,8 @@ class JwtController < ApplicationController ...@@ -11,10 +11,8 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]] service = SERVICES[params[:service]]
return head :not_found unless service return head :not_found unless service
@authentication_result ||= Gitlab::Auth::Result.new
result = service.new(@authentication_result.project, @authentication_result.actor, auth_params). result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
execute(authentication_abilities: @authentication_result.authentication_abilities) execute(authentication_abilities: @authentication_result.authentication_abilities || [])
render json: result, status: result[:http_status] render json: result, status: result[:http_status]
end end
...@@ -22,6 +20,8 @@ class JwtController < ApplicationController ...@@ -22,6 +20,8 @@ class JwtController < ApplicationController
private private
def authenticate_project_or_user def authenticate_project_or_user
@authentication_result = Gitlab::Auth::Result.new
authenticate_with_http_basic do |login, password| authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip) @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
......
...@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return # Allow access return # Allow access
end end
elsif allow_kerberos_spnego_auth? && spnego_provided? elsif allow_kerberos_spnego_auth? && spnego_provided?
user = find_kerberos_user kerberos_user = find_kerberos_user
if user if kerberos_user
@authentication_result = Gitlab::Auth::Result.new( @authentication_result = Gitlab::Auth::Result.new(
user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities) kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
send_final_spnego_response send_final_spnego_response
return # Allow access return # Allow access
......
...@@ -493,8 +493,11 @@ module Ci ...@@ -493,8 +493,11 @@ module Ci
end end
def hide_secrets(trace) def hide_secrets(trace)
trace = Ci::MaskSecret.mask(trace, project.runners_token) if project return unless trace
trace = Ci::MaskSecret.mask(trace, token)
trace = trace.dup
Ci::MaskSecret.mask!(trace, project.runners_token) if project
Ci::MaskSecret.mask!(trace, token)
trace trace
end end
end end
......
...@@ -5,7 +5,7 @@ module Auth ...@@ -5,7 +5,7 @@ module Auth
AUDIENCE = 'container_registry' AUDIENCE = 'container_registry'
def execute(authentication_abilities:) def execute(authentication_abilities:)
@authentication_abilities = authentication_abilities || [] @authentication_abilities = authentication_abilities
return error('not found', 404) unless registry.enabled return error('not found', 404) unless registry.enabled
......
module Ci::MaskSecret module Ci::MaskSecret
class << self class << self
def mask(value, token) def mask!(value, token)
return value unless value.present? && token.present? return value unless value.present? && token.present?
value.gsub(token, 'x' * token.length) value.gsub!(token, 'x' * token.length)
value
end end
end end
end end
...@@ -5,15 +5,23 @@ describe Ci::MaskSecret, lib: true do ...@@ -5,15 +5,23 @@ describe Ci::MaskSecret, lib: true do
describe '#mask' do describe '#mask' do
it 'masks exact number of characters' do it 'masks exact number of characters' do
expect(subject.mask('token', 'oke')).to eq('txxxn') expect(mask('token', 'oke')).to eq('txxxn')
end end
it 'masks multiple occurrences' do it 'masks multiple occurrences' do
expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn') expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
end end
it 'does not mask if not found' do it 'does not mask if not found' do
expect(subject.mask('token', 'not')).to eq('token') expect(mask('token', 'not')).to eq('token')
end
it 'does support null token' do
expect(mask('token', nil)).to eq('token')
end
def mask(value, token)
subject.mask!(value.dup, token)
end end
end end
end end
...@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do ...@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
end end
context 'to private project' do context 'to private project' do
let(:project) { create(:project, :internal) } let(:project) { create(:project) }
it { expect(subject).not_to be_allowed } it { expect(subject).not_to be_allowed }
end end
......
...@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
project.team << [user, :reporter] project.team << [user, :reporter]
end end
shared_examples 'can download code only from own projects' do shared_examples 'can download code only' do
it 'downloads get status 200' do it 'downloads get status 200' do
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
...@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
context 'administrator' do context 'administrator' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
it_behaves_like 'can download code only from own projects' it_behaves_like 'can download code only'
it 'downloads from other project get status 403' do it 'downloads from other project get status 403' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
...@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
context 'regular user' do context 'regular user' do
let(:user) { create(:user) } let(:user) { create(:user) }
it_behaves_like 'can download code only from own projects' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 404' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment