9d1ccd2a
Commit
9d1ccd2a
authored
Sep 15, 2016
by
Kamil Trzcinski
Fix existing authorization specs
parent
50076ab9
Changes
11
Showing
11 changed files
with
51 additions
and
34 deletions
+51
-34
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+3
-3
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+1
-1
app/models/ci/build.rb
app/models/ci/build.rb
+1
-0
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+3
-5
lib/api/internal.rb
lib/api/internal.rb
+8
-10
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+1
-1
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+1
-1
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+12
-5
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+4
-5
spec/requests/jwt_controller_spec.rb
spec/requests/jwt_controller_spec.rb
+4
-2
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+13
-1
app/controllers/jwt_controller.rb
...
@@ -11,10 +11,10 @@ class JwtController < ApplicationController
...
@@ -11,10 +11,10 @@ class JwtController < ApplicationController
service
=
SERVICES
[
params
[
:service
]]
service
=
SERVICES
[
params
[
:service
]]
return
head
:not_found
unless
service
return
head
:not_found
unless
service
@
@authentication_result
||=
Gitlab
::
Auth
.
Result
.
new
@
authentication_result
||=
Gitlab
::
Auth
::
Result
.
new
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
user
,
auth_params
).
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
user
,
auth_params
).
execute
(
capabilities:
@authentication_result
.
capabilities
||
[]
)
execute
(
capabilities:
@authentication_result
.
capabilities
)
render
json:
result
,
status:
result
[
:http_status
]
render
json:
result
,
status:
result
[
:http_status
]
end
end
...
@@ -23,7 +23,7 @@ class JwtController < ApplicationController
...
@@ -23,7 +23,7 @@ class JwtController < ApplicationController
def
authenticate_project_or_user
def
authenticate_project_or_user
authenticate_with_http_basic
do
|
login
,
password
|
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
render_403
unless
@authentication_result
.
succeeded?
render_403
unless
@authentication_result
.
succeeded?
end
end
...
...
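Review bot: Dropping the `|| []` from the `execute(capabilities: …)` call leaves this controller passing nil capabilities for any request that falls through to the bare `Gitlab::Auth::Result.new` default, so correctness now rests on every entry in `SERVICES` tolerating nil; only the container registry service's `capabilities || []` is visible in this commit. A comment on the `@authentication_result ||=` line would make that contract explicit: `# Anonymous request: empty Result, so capabilities is nil and each service must treat nil as "no capabilities"`. The `project: nil` argument added to `find_for_git_client` is reasonable for an endpoint without project context, but it deserves a note too, since the CI-token branch in `Gitlab::Auth` appears to resolve the project from the build alone. The enclosing action starts before this hunk.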
app/controllers/projects/git_http_client_controller.rb
...
@@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@capabilities
=
auth_result
.
capabilities
||
[]
@capabilities
=
auth_result
.
capabilities
||
[]
if
ci?
||
user
if
auth_result
.
succeeded?
return
# Allow access
return
# Allow access
end
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
...
...
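Review bot: The access decision at `if auth_result.succeeded?` now rests entirely on `Result#succeeded?`, which is defined outside this file, so a later loosening of that predicate would widen HTTP access here with no local signal. Suggest recording the intent next to the existing `# Allow access` comment, e.g. `# Allow access: Result#succeeded? — confirm it requires a resolved actor, not merely parsed credentials`. `@capabilities = auth_result.capabilities || []` keeps nil-normalisation at the call site, whereas the registry service in this commit normalises inside `execute`; doing it in one place would stop the two from drifting. The enclosing method starts and ends outside the hunk.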
app/models/ci/build.rb
...
@@ -43,6 +43,7 @@ module Ci
...
@@ -43,6 +43,7 @@ module Ci
new_build
.
status
=
'pending'
new_build
.
status
=
'pending'
new_build
.
runner_id
=
nil
new_build
.
runner_id
=
nil
new_build
.
trigger_request_id
=
nil
new_build
.
trigger_request_id
=
nil
new_build
.
token
=
nil
new_build
.
save
new_build
.
save
end
end
...
...
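Review bot: `new_build.token = nil` is the one line here with a security rationale and it carries no comment: clearing the token keeps the original build's credential from authenticating as the retried build, but that only holds if a fresh token is generated before `new_build.save` persists the copy. Suggest `# Never carry the token over: it stays bound to the original build; a new one is generated on save — confirm the generating callback` above the line. The enclosing method starts before this hunk.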
app/services/auth/container_registry_authentication_service.rb
...
@@ -4,8 +4,8 @@ module Auth
...
@@ -4,8 +4,8 @@ module Auth
AUDIENCE
=
'container_registry'
AUDIENCE
=
'container_registry'
def
execute
(
capabilities:
capabilities
)
def
execute
(
capabilities
:)
@capabilities
=
capabilities
@capabilities
=
capabilities
||
[]
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
...
@@ -76,7 +76,7 @@ module Auth
...
@@ -76,7 +76,7 @@ module Auth
case
requested_action
case
requested_action
when
'pull'
when
'pull'
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
requested_project
.
public?
||
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
when
'push'
when
'push'
build_can_push?
(
requested_project
)
||
user_can_push?
(
requested_project
)
build_can_push?
(
requested_project
)
||
user_can_push?
(
requested_project
)
else
else
...
@@ -88,8 +88,6 @@ module Auth
...
@@ -88,8 +88,6 @@ module Auth
Gitlab
.
config
.
registry
Gitlab
.
config
.
registry
end
end
private
def
build_can_pull?
(
requested_project
)
def
build_can_pull?
(
requested_project
)
# Build can:
# Build can:
# 1. pull from it's own project (for ex. a build)
# 1. pull from it's own project (for ex. a build)
...
...
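Review bot: In the `when 'pull'` branch, `requested_project.public?` short-circuits ahead of `build_can_pull?` and `user_can_pull?`, so a caller whose capabilities normalise to `[]` through the new `capabilities || []` still receives a pull scope on public projects; if that is the intended policy, state it on the line: `# Public projects are pullable by anyone, regardless of the caller's capabilities`. The `@@ -88` hunk also deletes the `private` marker above `build_can_pull?`, which makes these predicates part of the service's public interface unless another `private` precedes them outside the hunk. The signature change to `def execute(capabilities:)` is fine; a YARD `@param capabilities [Array<Symbol>, nil]` would document the nil tolerance it now has.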
lib/api/internal.rb
...
@@ -35,6 +35,14 @@ module API
...
@@ -35,6 +35,14 @@ module API
Project
.
find_with_namespace
(
project_path
)
Project
.
find_with_namespace
(
project_path
)
end
end
end
end
def
ssh_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
end
post
"/allowed"
do
post
"/allowed"
do
...
@@ -130,16 +138,6 @@ module API
...
@@ -130,16 +138,6 @@ module API
{
success:
true
,
recovery_codes:
codes
}
{
success:
true
,
recovery_codes:
codes
}
end
end
private
def
ssh_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
end
end
end
end
end
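Review bot: `ssh_capabilities` is moved up to sit before `post "/allowed"` unchanged, and it still hands every SSH caller a fresh array that includes `:push_code`; since this list becomes the actor's capabilities downstream, a comment on why push is granted unconditionally here would stop someone later "tightening" it in the wrong layer: `# Full capability set for SSH actors; per-branch/per-protocol push checks are expected to happen in Gitlab::GitAccess, not here — confirm`. As a point of style, a frozen constant (`SSH_CAPABILITIES = %i[read_project download_code push_code].freeze`) avoids allocating on each call, though the helper can stay if callers expect a method.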
lib/gitlab/auth.rb
...
@@ -115,7 +115,7 @@ module Gitlab
...
@@ -115,7 +115,7 @@ module Gitlab
return
unless
login
==
'gitlab-ci-token'
return
unless
login
==
'gitlab-ci-token'
return
unless
password
return
unless
password
build
=
Ci
::
Build
.
running
.
find_by_token
(
password
)
build
=
::
Ci
::
Build
.
running
.
find_by_token
(
password
)
return
unless
build
return
unless
build
if
build
.
user
if
build
.
user
...
...
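Review bot: The CI-token branch resolves the build from `::Ci::Build.running.find_by_token(password)` alone; the `project:` keyword that this commit's callers now pass to `find_for_git_client` is not consulted in the visible lines, so whether the build is bound to the project being accessed is decided elsewhere or not at all. If that binding is enforced in `GitAccess` or the services, a comment here naming that layer would help: `# Project binding for CI tokens is not checked here — confirm the calling layer compares build.project with project`. The enclosing method starts and ends outside the hunk.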
lib/gitlab/git_access.rb
...
@@ -7,7 +7,7 @@ module Gitlab
...
@@ -7,7 +7,7 @@ module Gitlab
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:capabilities
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:capabilities
def
initialize
(
actor
,
project
,
protocol
,
capabilities:
capabilities
)
def
initialize
(
actor
,
project
,
protocol
,
capabilities
:)
@actor
=
actor
@actor
=
actor
@project
=
project
@project
=
project
@protocol
=
protocol
@protocol
=
protocol
...
...
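Review bot: Making `capabilities:` a required keyword is the right call, but the `@capabilities = …` assignment is outside the hunk, so it is not visible whether a nil value is normalised here the way `Auth::ContainerRegistryAuthenticationService#execute` now does with `capabilities || []`; `Projects::GitHttpClientController` normalises before calling, which suggests `GitAccess` does not. A YARD line on `initialize` would pin the contract: `# @param capabilities [Array<Symbol>] must not be nil; callers normalise`. The constructor body continues past the hunk.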
spec/lib/gitlab/git_access_spec.rb
...
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
context
'ssh disabled'
do
context
'ssh disabled'
do
before
do
before
do
disable_protocol
(
'ssh'
)
disable_protocol
(
'ssh'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
,
capabilities:
capabilities
)
end
end
it
'blocks ssh git push'
do
it
'blocks ssh git push'
do
...
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
context
'http disabled'
do
context
'http disabled'
do
before
do
before
do
disable_protocol
(
'http'
)
disable_protocol
(
'http'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
,
capabilities:
capabilities
)
end
end
it
'blocks http push'
do
it
'blocks http push'
do
...
@@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do
admin:
{
push_protected_branch:
false
,
push_all:
false
,
merge_into_protected_branch:
false
}))
admin:
{
push_protected_branch:
false
,
push_all:
false
,
merge_into_protected_branch:
false
}))
end
end
end
end
end
end
shared_examples
'can not push code'
do
shared_examples
'can not push code'
do
...
@@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do
describe
'build capabilities permissions'
do
describe
'build capabilities permissions'
do
let
(
:capabilities
)
{
build_capabilities
}
let
(
:capabilities
)
{
build_capabilities
}
it_behaves_like
'cannot push code'
it_behaves_like
'can
not push code'
end
end
describe
'deploy key permissions'
do
describe
'deploy key permissions'
do
let
(
:key
)
{
create
(
:deploy_key
)
}
let
(
:key
)
{
create
(
:deploy_key
)
}
let
(
:actor
)
{
key
}
let
(
:actor
)
{
key
}
it_behaves_like
'cannot push code'
it_behaves_like
'can
not push code'
end
end
private
private
...
@@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do
:build_download_code
:build_download_code
]
]
end
end
def
full_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
end
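Review bot: The new `full_capabilities` helper repeats the exact list returned by `ssh_capabilities` in `lib/api/internal.rb`, so if the production list changes the spec keeps passing against a stale copy. A comment tying them together, `# Mirrors ssh_capabilities in lib/api/internal.rb; keep in sync`, or better an example asserting the two are equal, would catch that drift. The `'can not push code'` rename on both `it_behaves_like` lines matches the renamed shared example; no issue there.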
spec/requests/git_http_spec.rb
...
@@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do
...
@@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do
end
end
context
"when a gitlab ci token is provided"
do
context
"when a gitlab ci token is provided"
do
let
(
:
token
)
{
123
}
let
(
:
build
)
{
create
(
:ci_build
,
:running
)
}
let
(
:project
)
{
FactoryGirl
.
create
:empty_
project
}
let
(
:project
)
{
build
.
project
}
before
do
before
do
project
.
update_attributes
(
runners_token:
token
)
project
.
project_feature
.
update_attributes
(
builds_access_level:
ProjectFeature
::
ENABLED
)
project
.
project_feature
.
update_attributes
(
builds_access_level:
ProjectFeature
::
ENABLED
)
end
end
it
"downloads get status 200"
do
it
"downloads get status 200"
do
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
token
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
.
content_type
.
to_s
).
to
eq
(
Gitlab
::
Workhorse
::
INTERNAL_API_CONTENT_TYPE
)
expect
(
response
.
content_type
.
to_s
).
to
eq
(
Gitlab
::
Workhorse
::
INTERNAL_API_CONTENT_TYPE
)
end
end
it
"uploads get status 401 (no project existence information leak)"
do
it
"uploads get status 401 (no project existence information leak)"
do
push_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
token
push_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_http_status
(
401
)
expect
(
response
).
to
have_http_status
(
401
)
end
end
...
...
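Review bot: Switching the credential to `build.token` with `create(:ci_build, :running)` exercises only the path `Gitlab::Auth` accepts, since the lookup in this commit is scoped to `Ci::Build.running`; nothing pins that a token belonging to a build outside that scope is rejected, which is the boundary that makes the new authentication source security-relevant. Add a sibling context with a build that is not running and expect `have_http_status(401)` on `clone_get`. The `'uploads get status 401 (no project existence information leak)'` example still holds with the new token.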
spec/requests/jwt_controller_spec.rb
...
@@ -22,11 +22,13 @@ describe JwtController do
...
@@ -22,11 +22,13 @@ describe JwtController do
context
'when using authorized request'
do
context
'when using authorized request'
do
context
'using CI token'
do
context
'using CI token'
do
let
(
:project
)
{
create
(
:empty_project
,
runners_token:
'token'
)
}
let
(
:build
)
{
create
(
:ci_build
,
:running
)
}
let
(
:headers
)
{
{
authorization:
credentials
(
'gitlab-ci-token'
,
project
.
runners_token
)
}
}
let
(
:project
)
{
build
.
project
}
let
(
:headers
)
{
{
authorization:
credentials
(
'gitlab-ci-token'
,
build
.
token
)
}
}
context
'project with enabled CI'
do
context
'project with enabled CI'
do
subject!
{
get
'/jwt/auth'
,
parameters
,
headers
}
subject!
{
get
'/jwt/auth'
,
parameters
,
headers
}
it
{
expect
(
service_class
).
to
have_received
(
:new
).
with
(
project
,
nil
,
parameters
)
}
it
{
expect
(
service_class
).
to
have_received
(
:new
).
with
(
project
,
nil
,
parameters
)
}
end
end
...
...
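Review bot: The expectation `have_received(:new).with(project, nil, parameters)` still covers only the constructor; with `project` now derived from `build.project`, the behaviour this commit changes is the capability set forwarded to `execute`, and nothing in this section asserts it. If `service_class` is stubbed to return a double (set up outside this hunk), add an example asserting `execute` was received with `capabilities:` equal to the build capability list, rather than nil. That would also catch a regression to the old `|| []` path silently granting an empty set.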
spec/services/auth/container_registry_authentication_service_spec.rb
...
@@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
let
(
:current_params
)
{
{}
}
let
(
:current_params
)
{
{}
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:capabilities
)
do
[
:read_container_image
,
:create_container_image
]
end
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
}
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
(
capabilities:
capabilities
)
}
before
do
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
enabled:
true
,
issuer:
'rspec'
,
key:
nil
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
enabled:
true
,
issuer:
'rspec'
,
key:
nil
)
...
@@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
'actions'
=>
actions
,
'actions'
=>
actions
,
}]
}]
end
end
let
(
:capabilities
)
do
[
:build_read_container_image
,
:build_create_container_image
]
end
it_behaves_like
'a valid token'
it_behaves_like
'a valid token'
it
{
expect
(
payload
).
to
include
(
'access'
=>
access
)
}
it
{
expect
(
payload
).
to
include
(
'access'
=>
access
)
}
...
...
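Review bot: Both new `let(:capabilities)` blocks supply a non-nil array, so the `capabilities || []` default that `execute(capabilities:)` gains in this commit is never exercised; an example calling `execute(capabilities: nil)` and expecting no access would pin that path. The build context's `:build_read_container_image` and `:build_create_container_image` symbols must match what the service's predicates look for, which is not visible here; a comment on that `let` naming the consuming predicate would help. The enclosing `describe` block extends beyond the hunk.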