Commit 0672c5a9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Post-merge improve of CI permissions

parent f30005f0
......@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return # Allow access
end
elsif allow_kerberos_spnego_auth? && spnego_provided?
user = find_kerberos_user
kerberos_user = find_kerberos_user
if user
if kerberos_user
@authentication_result = Gitlab::Auth::Result.new(
user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
send_final_spnego_response
return # Allow access
......
......@@ -493,8 +493,11 @@ module Ci
end
def hide_secrets(trace)
trace = Ci::MaskSecret.mask(trace, project.runners_token) if project
trace = Ci::MaskSecret.mask(trace, token)
return unless trace
trace = trace.dup
Ci::MaskSecret.mask!(trace, project.runners_token) if project
Ci::MaskSecret.mask!(trace, token)
trace
end
end
......
module Ci::MaskSecret
class << self
def mask(value, token)
return value unless value.present? && token.present?
def mask!(value, token)
return unless value.present? && token.present?
value.gsub(token, 'x' * token.length)
value.gsub!(token, 'x' * token.length)
end
end
end
......@@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do
describe '#mask' do
it 'masks exact number of characters' do
expect(subject.mask('token', 'oke')).to eq('txxxn')
expect(mask('token', 'oke')).to eq('txxxn')
end
it 'masks multiple occurrences' do
expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
end
it 'does not mask if not found' do
expect(subject.mask('token', 'not')).to eq('token')
expect(mask('token', 'not')).to eq('token')
end
def mask(value, token)
value = value.dup
subject.mask!(value, token)
value
end
end
end
......@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
end
context 'to private project' do
let(:project) { create(:project, :internal) }
let(:project) { create(:project) }
it { expect(subject).not_to be_allowed }
end
......
......@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
project.team << [user, :reporter]
end
shared_examples 'can download code only from own projects' do
shared_examples 'can download code only' do
it 'downloads get status 200' do
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
context 'administrator' do
let(:user) { create(:admin) }
it_behaves_like 'can download code only from own projects'
it_behaves_like 'can download code only'
it 'downloads from other project get status 403' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
context 'regular user' do
let(:user) { create(:user) }
it_behaves_like 'can download code only from own projects'
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment