Commit 17c6bec7 authored by Kamil Trzcinski's avatar Kamil Trzcinski

WIP

parent acfbeced
...@@ -22,6 +22,7 @@ v 8.9.0 (unreleased) ...@@ -22,6 +22,7 @@ v 8.9.0 (unreleased)
- Remove 'main language' feature - Remove 'main language' feature
- Pipelines can be canceled only when there are running builds - Pipelines can be canceled only when there are running builds
- Use downcased path to container repository as this is expected path by Docker - Use downcased path to container repository as this is expected path by Docker
- Allow to use CI token to fetch LFS objects
- Projects pending deletion will render a 404 page - Projects pending deletion will render a 404 page
- Measure queue duration between gitlab-workhorse and Rails - Measure queue duration between gitlab-workhorse and Rails
- Make authentication service for Container Registry to be compatible with < Docker 1.11 - Make authentication service for Container Registry to be compatible with < Docker 1.11
......
...@@ -33,7 +33,7 @@ module Grack ...@@ -33,7 +33,7 @@ module Grack
auth! auth!
lfs_response = Gitlab::Lfs::Router.new(project, @user, @request).try_call lfs_response = Gitlab::Lfs::Router.new(project, @user, @ci, @request).try_call
return lfs_response unless lfs_response.nil? return lfs_response unless lfs_response.nil?
if project && authorized_request? if project && authorized_request?
......
...@@ -2,10 +2,11 @@ module Gitlab ...@@ -2,10 +2,11 @@ module Gitlab
module Lfs module Lfs
class Response class Response
def initialize(project, user, request) def initialize(project, user, ci, request)
@origin_project = project @origin_project = project
@project = storage_project(project) @project = storage_project(project)
@user = user @user = user
@ci = ci
@env = request.env @env = request.env
@request = request @request = request
end end
...@@ -189,7 +190,7 @@ module Gitlab ...@@ -189,7 +190,7 @@ module Gitlab
return render_not_enabled unless Gitlab.config.lfs.enabled return render_not_enabled unless Gitlab.config.lfs.enabled
unless @project.public? unless @project.public?
return render_unauthorized unless @user return render_unauthorized unless @user || @ci
return render_forbidden unless user_can_fetch? return render_forbidden unless user_can_fetch?
end end
...@@ -210,7 +211,7 @@ module Gitlab ...@@ -210,7 +211,7 @@ module Gitlab
def user_can_fetch? def user_can_fetch?
# Check user access against the project they used to initiate the pull # Check user access against the project they used to initiate the pull
@user.can?(:download_code, @origin_project) @ci || @user.can?(:download_code, @origin_project)
end end
def user_can_push? def user_can_push?
......
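Review bot: In `user_can_fetch?` the new `@ci ||` short-circuits the `:download_code` check against `@origin_project`, so for a CI request the whole authorization decision rests on a bare truthy flag passed into the constructor. Nothing visible in this file ties that flag to the project being fetched, and `@project` is derived through `storage_project`, so it may differ from `@origin_project`. Whether the caller sets the flag only after validating the token for this exact project should be confirmed. Passing the CI-authenticated project and comparing it here would make that invariant checkable; at minimum add a comment such as `# @ci is true only when the CI token was validated for @origin_project`. The body of `user_can_push?` lies outside the hunk; if it still calls `@user.can?`, check it for a nil `@user` now that CI requests reach this class without a user.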
module Gitlab module Gitlab
module Lfs module Lfs
class Router class Router
def initialize(project, user, request) def initialize(project, user, ci, request)
@project = project @project = project
@user = user @user = user
@ci = ci
@env = request.env @env = request.env
@request = request @request = request
end end
...@@ -80,7 +81,7 @@ module Gitlab ...@@ -80,7 +81,7 @@ module Gitlab
def lfs def lfs
return unless @project return unless @project
Gitlab::Lfs::Response.new(@project, @user, @request) Gitlab::Lfs::Response.new(@project, @user, @ci, @request)
end end
def sanitize_tmp_filename(name) def sanitize_tmp_filename(name)
......
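Review bot: `ci` is introduced as an undocumented positional boolean between `user` and `request` in `initialize`, and the call in `lfs` repeats it as `Response.new(@project, @user, @ci, @request)`, where a swapped argument is easy to miss. Since this flag later relaxes an access check, a keyword argument would read more safely and match the spec helper, which already uses `ci: false`: `def initialize(project, user, request, ci: false)`. Either way, document the parameter next to the assignment, e.g. `# true when the request authenticated with a CI token instead of a user`.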
...@@ -17,12 +17,15 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -17,12 +17,15 @@ describe Gitlab::Lfs::Router, lib: true do
} }
end end
let(:lfs_router_auth) { new_lfs_router(project, user) } let(:lfs_router_auth) { new_lfs_router(project, user: user) }
let(:lfs_router_noauth) { new_lfs_router(project, nil) } let(:lfs_router_ci_auth) { new_lfs_router(project, ci: true) }
let(:lfs_router_public_auth) { new_lfs_router(public_project, user) } let(:lfs_router_noauth) { new_lfs_router(project) }
let(:lfs_router_public_noauth) { new_lfs_router(public_project, nil) } let(:lfs_router_public_auth) { new_lfs_router(public_project, user: user) }
let(:lfs_router_forked_noauth) { new_lfs_router(forked_project, nil) } let(:lfs_router_public_ci_auth) { new_lfs_router(public_project, ci: true) }
let(:lfs_router_forked_auth) { new_lfs_router(forked_project, user_two) } let(:lfs_router_public_noauth) { new_lfs_router(public_project) }
let(:lfs_router_forked_noauth) { new_lfs_router(forked_project) }
let(:lfs_router_forked_auth) { new_lfs_router(forked_project, user: user_two) }
let(:lfs_router_forked_ci_auth) { new_lfs_router(forked_project, ci: true) }
let(:sample_oid) { "b68143e6463773b1b6c6fd009a76c32aeec041faff32ba2ed42fd7f708a17f80" } let(:sample_oid) { "b68143e6463773b1b6c6fd009a76c32aeec041faff32ba2ed42fd7f708a17f80" }
let(:sample_size) { 499013 } let(:sample_size) { 499013 }
...@@ -104,6 +107,17 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -104,6 +107,17 @@ describe Gitlab::Lfs::Router, lib: true do
expect(lfs_router_auth.try_call[1]['X-Sendfile']).to eq(lfs_object.file.path) expect(lfs_router_auth.try_call[1]['X-Sendfile']).to eq(lfs_object.file.path)
end end
end end
context 'when CI is authorized' do
it "responds with status 200" do
expect(lfs_router_ci_auth.try_call.first).to eq(200)
end
it "responds with the file location" do
expect(lfs_router_ci_auth.try_call[1]['Content-Type']).to eq("application/octet-stream")
expect(lfs_router_ci_auth.try_call[1]['X-Sendfile']).to eq(lfs_object.file.path)
end
end
end end
context 'without required headers' do context 'without required headers' do
...@@ -525,7 +539,7 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -525,7 +539,7 @@ describe Gitlab::Lfs::Router, lib: true do
end end
describe 'when user is unauthenticated' do describe 'when user is unauthenticated' do
let(:lfs_router_noauth) { new_lfs_router(project, nil) } let(:lfs_router_noauth) { new_lfs_router(project) }
context 'and request is sent by gitlab-workhorse to authorize the request' do context 'and request is sent by gitlab-workhorse to authorize the request' do
before do before do
...@@ -584,7 +598,7 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -584,7 +598,7 @@ describe Gitlab::Lfs::Router, lib: true do
end end
describe 'when user is unauthenticated' do describe 'when user is unauthenticated' do
let(:lfs_router_noauth) { new_lfs_router(project, nil) } let(:lfs_router_noauth) { new_lfs_router(project) }
context 'and request is sent by gitlab-workhorse to authorize the request' do context 'and request is sent by gitlab-workhorse to authorize the request' do
before do before do
...@@ -716,7 +730,7 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -716,7 +730,7 @@ describe Gitlab::Lfs::Router, lib: true do
describe 'and second project not related to fork or a source project' do describe 'and second project not related to fork or a source project' do
let(:second_project) { create(:project) } let(:second_project) { create(:project) }
let(:lfs_router_second_project) { new_lfs_router(second_project, user) } let(:lfs_router_second_project) { new_lfs_router(second_project, user: user) }
before do before do
public_project.lfs_objects << lfs_object public_project.lfs_objects << lfs_object
...@@ -745,8 +759,8 @@ describe Gitlab::Lfs::Router, lib: true do ...@@ -745,8 +759,8 @@ describe Gitlab::Lfs::Router, lib: true do
ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password) ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
end end
def new_lfs_router(project, user) def new_lfs_router(project, user: nil, ci: false)
Gitlab::Lfs::Router.new(project, user, request) Gitlab::Lfs::Router.new(project, user, ci, request)
end end
def header_for_upload_authorize(project) def header_for_upload_authorize(project)
......
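Review bot: The new `when CI is authorized` context asserts only the successful download path for `lfs_router_ci_auth`; the visible hunks add no case showing that a CI-authenticated request is refused where it should be. The changelog entry describes fetch access only, so the upload and authorize paths need a negative test. `lfs_router_public_ci_auth` and `lfs_router_forked_ci_auth` are defined but not used in any hunk shown here, so their coverage cannot be confirmed from this view. I would add a context beside the existing unauthenticated upload cases that builds the router with `ci: true` and expects the same rejection those cases assert.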