Add all sort of checks on maven package api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Add all sort of checks on maven package api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
ca9d5265 · Dmitriy Zaporozhets · ab8a23ed · ca9d5265 · ca9d5265
Commit ca9d5265 authored Aug 07, 2018 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 8 deletions

ee/lib/api/maven_packages.rb ee/lib/api/maven_packages.rb +24 -6

ee/spec/requests/api/maven_packages_spec.rb ee/spec/requests/api/maven_packages_spec.rb +19 -2

No files found.
--- a/ee/lib/api/maven_packages.rb
+++ b/ee/lib/api/maven_packages.rb
@@ -11,9 +11,29 @@ module API
    content_type :sha1, 'text/plain'
    content_type :binary, 'application/octet-stream'

-    before { authenticate_non_get! }
+    before do
+      require_packages_enabled!
+      authenticate_non_get!
+      authorize_packages_feature!
+    end

    helpers do
+      def require_packages_enabled!
+        not_found! unless Gitlab.config.packages.enabled
+      end
+
+      def authorize_packages_feature!
+        forbidden! unless user_project.feature_available?(:packages)
+      end
+
+      def authorize_can_read!
+        authorize!(:read_package, user_project)
+      end
+
+      def authorize_can_admin!
+        authorize!(:admin_package, user_project)
+      end
+
      def extract_format(file_name)
        name, _, format = file_name.rpartition('.')

@@ -37,7 +57,7 @@ module API
        requires :file_name, type: String, desc: 'Package file name'
      end
      get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
-        unauthorized! unless can?(current_user, :read_package, user_project)
+        authorize_can_read!

        file_name, format = extract_format(params[:file_name])

@@ -64,8 +84,7 @@ module API
        requires :file_name, type: String, desc: 'Package file name'
      end
      put ':id/packages/maven/*path/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
-        not_allowed! unless Gitlab.config.packages.enabled
-        unauthorized! unless can?(current_user, :admin_package, user_project)
+        authorize_can_admin!

        require_gitlab_workhorse!
        Gitlab::Workhorse.verify_api_request!(headers)
@@ -90,8 +109,7 @@ module API
        optional 'file.sha256', type: String, desc: %q(sha256 checksum of the file (generated by Workhorse))
      end
      put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
-        not_allowed! unless Gitlab.config.packages.enabled
-        unauthorized! unless can?(current_user, :admin_package, user_project)
+        authorize_can_admin!

        require_gitlab_workhorse!


--- a/ee/spec/requests/api/maven_packages_spec.rb
+++ b/ee/spec/requests/api/maven_packages_spec.rb
@@ -11,6 +11,7 @@ describe API::MavenPackages do

  before do
    project.add_developer(user)
+    stub_licensed_features(packages: true)
  end

  describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do
@@ -52,7 +53,7 @@ describe API::MavenPackages do

        download_file_with_token(package_file_xml.file_name)

-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_gitlab_http_status(403)
      end

      it 'denies download when no private token' do
@@ -62,6 +63,14 @@ describe API::MavenPackages do
      end
    end

+    it 'rejects request if feature is not in the license' do
+      stub_licensed_features(packages: false)
+
+      download_file(package_file_xml.file_name)
+
+      expect(response).to have_gitlab_http_status(403)
+    end
+
    def download_file(file_name, params = {}, request_headers = headers)
      get api("/projects/#{project.id}/packages/maven/" \
              "#{maven_metadatum.path}/#{file_name}"), params, request_headers
@@ -94,7 +103,7 @@ describe API::MavenPackages do

      authorize_upload_with_token

-      expect(response).to have_gitlab_http_status(401)
+      expect(response).to have_gitlab_http_status(403)
    end

    it 'rejects requests that did not go through gitlab-workhorse' do
@@ -134,6 +143,14 @@ describe API::MavenPackages do
      expect(response).to have_gitlab_http_status(401)
    end

+    it 'rejects request if feature is not in the license' do
+      stub_licensed_features(packages: false)
+
+      upload_file_with_token
+
+      expect(response).to have_gitlab_http_status(403)
+    end
+
    context 'when params from workhorse are correct' do
      let(:package) { project.packages.reload.last }
      let(:package_file) { package.package_files.reload.last }