Commit 0672c5a9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Post-merge improve of CI permissions

parent f30005f0
...@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return # Allow access return # Allow access
end end
elsif allow_kerberos_spnego_auth? && spnego_provided? elsif allow_kerberos_spnego_auth? && spnego_provided?
user = find_kerberos_user kerberos_user = find_kerberos_user
if user if kerberos_user
@authentication_result = Gitlab::Auth::Result.new( @authentication_result = Gitlab::Auth::Result.new(
user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities) kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
send_final_spnego_response send_final_spnego_response
return # Allow access return # Allow access
......
...@@ -493,8 +493,11 @@ module Ci ...@@ -493,8 +493,11 @@ module Ci
end end
def hide_secrets(trace) def hide_secrets(trace)
trace = Ci::MaskSecret.mask(trace, project.runners_token) if project return unless trace
trace = Ci::MaskSecret.mask(trace, token)
trace = trace.dup
Ci::MaskSecret.mask!(trace, project.runners_token) if project
Ci::MaskSecret.mask!(trace, token)
trace trace
end end
end end
......
module Ci::MaskSecret module Ci::MaskSecret
class << self class << self
def mask(value, token) def mask!(value, token)
return value unless value.present? && token.present? return unless value.present? && token.present?
value.gsub(token, 'x' * token.length) value.gsub!(token, 'x' * token.length)
end end
end end
end end
...@@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do ...@@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do
describe '#mask' do describe '#mask' do
it 'masks exact number of characters' do it 'masks exact number of characters' do
expect(subject.mask('token', 'oke')).to eq('txxxn') expect(mask('token', 'oke')).to eq('txxxn')
end end
it 'masks multiple occurrences' do it 'masks multiple occurrences' do
expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn') expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
end end
it 'does not mask if not found' do it 'does not mask if not found' do
expect(subject.mask('token', 'not')).to eq('token') expect(mask('token', 'not')).to eq('token')
end
def mask(value, token)
value = value.dup
subject.mask!(value, token)
value
end end
end end
end end
...@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do ...@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
end end
context 'to private project' do context 'to private project' do
let(:project) { create(:project, :internal) } let(:project) { create(:project) }
it { expect(subject).not_to be_allowed } it { expect(subject).not_to be_allowed }
end end
......
...@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
project.team << [user, :reporter] project.team << [user, :reporter]
end end
shared_examples 'can download code only from own projects' do shared_examples 'can download code only' do
it 'downloads get status 200' do it 'downloads get status 200' do
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
...@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
context 'administrator' do context 'administrator' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
it_behaves_like 'can download code only from own projects' it_behaves_like 'can download code only'
it 'downloads from other project get status 403' do it 'downloads from other project get status 403' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
...@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do ...@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
context 'regular user' do context 'regular user' do
let(:user) { create(:user) } let(:user) { create(:user) }
it_behaves_like 'can download code only from own projects' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 404' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment