Refactor git http controllers to rely on auth results differently

Auth results can return an ambiguous actor, either user or deploy token. Refactor to explicitly get user or deploy token rather than accessing the actor directly.

Refactor git http controllers to rely on auth results differently
Auth results can return an ambiguous actor, either user or deploy token. Refactor to explicitly get user or deploy token rather than accessing the actor directly.
e6cc4e90 · Drew Blessing · c3033257 · e6cc4e90 · e6cc4e90 · e6cc4e90
Commit e6cc4e90 authored Nov 22, 2021 by Drew Blessing
4 changed files
--- a/app/controllers/repositories/git_http_client_controller.rb
+++ b/app/controllers/repositories/git_http_client_controller.rb
@@ -8,12 +8,9 @@ module Repositories

    attr_reader :authentication_result, :redirected_path

-    delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
+    delegate :authentication_abilities, to: :authentication_result, allow_nil: true
    delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result

-    alias_method :user, :actor
-    alias_method :authenticated_user, :actor
-
    # Git clients will not know what authenticity token to send along
    skip_around_action :set_session_storage
    skip_before_action :verify_authenticity_token
@@ -22,8 +19,16 @@ module Repositories

    feature_category :source_code_management

+    def authenticated_user
+      authentication_result&.user || authentication_result&.deploy_token
+    end
+
    private

+    def user
+      authenticated_user
+    end
+
    def download_request?
      raise NotImplementedError
    end

--- a/ee/app/controllers/ee/repositories/git_http_controller.rb
+++ b/ee/app/controllers/ee/repositories/git_http_controller.rb
@@ -30,6 +30,7 @@ module EE

      private

+      override :user
      def user
        super || geo_push_user&.user
      end

--- a/spec/controllers/repositories/git_http_controller_spec.rb
+++ b/spec/controllers/repositories/git_http_controller_spec.rb
@@ -90,6 +90,14 @@ RSpec.describe Repositories::GitHttpController do
        end
      end
    end
+
+    context 'when the user is a deploy token' do
+      it_behaves_like Repositories::GitHttpController do
+        let(:container) { project }
+        let(:user) { create(:deploy_token, :project, projects: [project]) }
+        let(:access_checker_class) { Gitlab::GitAccess }
+      end
+    end
  end

  context 'when repository container is a project wiki' do

--- a/spec/support/shared_examples/controllers/repositories/git_http_controller_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/repositories/git_http_controller_shared_examples.rb
@@ -50,7 +50,8 @@ RSpec.shared_examples Repositories::GitHttpController do

    context 'with authorized user' do
      before do
-        request.headers.merge! auth_env(user.username, user.password, nil)
+        password = user.try(:password) || user.try(:token)
+        request.headers.merge! auth_env(user.username, password, nil)
      end

      it 'returns 200' do
@@ -71,9 +72,10 @@ RSpec.shared_examples Repositories::GitHttpController do
        it 'adds user info to the logs' do
          get :info_refs, params: params

-          expect(log_data).to include('username' => user.username,
-                                      'user_id' => user.id,
-                                      'meta.user' => user.username)
+          user_log_data = { 'username' => user.username, 'user_id' => user.id }
+          user_log_data['meta.user'] = user.username if user.is_a?(User)
+
+          expect(log_data).to include(user_log_data)
        end
      end
    end