Commit ca9d5265 authored by Dmitriy Zaporozhets

Add all sort of checks on maven package api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent ab8a23ed
......@@ -11,9 +11,29 @@ module API
content_type :sha1, 'text/plain'
content_type :binary, 'application/octet-stream'
before { authenticate_non_get! }
before do
require_packages_enabled!
authenticate_non_get!
authorize_packages_feature!
end
helpers do
def require_packages_enabled!
not_found! unless Gitlab.config.packages.enabled
end
def authorize_packages_feature!
forbidden! unless user_project.feature_available?(:packages)
end
def authorize_can_read!
authorize!(:read_package, user_project)
end
def authorize_can_admin!
authorize!(:admin_package, user_project)
end
def extract_format(file_name)
name, _, format = file_name.rpartition('.')
......@@ -37,7 +57,7 @@ module API
requires :file_name, type: String, desc: 'Package file name'
end
get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
unauthorized! unless can?(current_user, :read_package, user_project)
authorize_can_read!
file_name, format = extract_format(params[:file_name])
......@@ -64,8 +84,7 @@ module API
requires :file_name, type: String, desc: 'Package file name'
end
put ':id/packages/maven/*path/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
not_allowed! unless Gitlab.config.packages.enabled
unauthorized! unless can?(current_user, :admin_package, user_project)
authorize_can_admin!
require_gitlab_workhorse!
Gitlab::Workhorse.verify_api_request!(headers)
......@@ -90,8 +109,7 @@ module API
optional 'file.sha256', type: String, desc: %q(sha256 checksum of the file (generated by Workhorse))
end
put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
not_allowed! unless Gitlab.config.packages.enabled
unauthorized! unless can?(current_user, :admin_package, user_project)
authorize_can_admin!
require_gitlab_workhorse!
......
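Review bot: The new `before` block and helpers change the status codes these endpoints return, and neither the code nor the commit message records the intent: `require_packages_enabled!` answers `not_found!` where the removed per-endpoint guards answered `not_allowed!`, and `authorize_can_read!`/`authorize_can_admin!` go through `authorize!`, which (judging by the 401→403 edits in the accompanying spec) turns the former `unauthorized!` into a 403. If a request carrying no credentials now receives 403 rather than 401, a Maven client that waits for a challenge before sending its token will not retry, so it is worth confirming that the anonymous path still ends in 401 before this lands. I would document the choices next to the helpers, e.g. `# 404 rather than 405 when packages are disabled instance-wide, so the route looks absent` above `require_packages_enabled!` and `# 403 via authorize!: the caller is identified but lacks :read_package / :admin_package` above `authorize_can_read!`. Note also that `authorize_packages_feature!` resolves `user_project` in the `before` block for every request, ahead of any endpoint-level check; the `helpers` block continues past the shown lines.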
......@@ -11,6 +11,7 @@ describe API::MavenPackages do
before do
project.add_developer(user)
stub_licensed_features(packages: true)
end
describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do
......@@ -52,7 +53,7 @@ describe API::MavenPackages do
download_file_with_token(package_file_xml.file_name)
expect(response).to have_gitlab_http_status(401)
expect(response).to have_gitlab_http_status(403)
end
it 'denies download when no private token' do
......@@ -62,6 +63,14 @@ describe API::MavenPackages do
end
end
it 'rejects request if feature is not in the license' do
stub_licensed_features(packages: false)
download_file(package_file_xml.file_name)
expect(response).to have_gitlab_http_status(403)
end
def download_file(file_name, params = {}, request_headers = headers)
get api("/projects/#{project.id}/packages/maven/" \
"#{maven_metadatum.path}/#{file_name}"), params, request_headers
......@@ -94,7 +103,7 @@ describe API::MavenPackages do
authorize_upload_with_token
expect(response).to have_gitlab_http_status(401)
expect(response).to have_gitlab_http_status(403)
end
it 'rejects requests that did not go through gitlab-workhorse' do
......@@ -134,6 +143,14 @@ describe API::MavenPackages do
expect(response).to have_gitlab_http_status(401)
end
it 'rejects request if feature is not in the license' do
stub_licensed_features(packages: false)
upload_file_with_token
expect(response).to have_gitlab_http_status(403)
end
context 'when params from workhorse are correct' do
let(:package) { project.packages.reload.last }
let(:package_file) { package.package_files.reload.last }
......
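Review bot: The new GET example 'rejects request if feature is not in the license' calls `download_file` without a token, so the 403 it asserts could come from the read-permission check rather than from `stub_licensed_features(packages: false)`, and the example would keep passing even if the license guard were removed; unless the project fixture is public (not visible in this hunk), `download_file_with_token(package_file_xml.file_name)` would make the assertion attributable to the license check alone, matching the upload example which already uses `upload_file_with_token`. The two examples whose expectation moved from 401 to 403 have their names outside the shown lines, so I cannot tell whether they cover the anonymous case; if they do, the spec should keep a 401 expectation for an unauthenticated request so a client that relies on the challenge is not silently broken. The enclosing `describe` blocks start before the shown hunks.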