Commit 2e6c1720 authored by Rémy Coutable's avatar Rémy Coutable

Allow Repositories API GET endpoints to be requested anonymously

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 40a6a077
---
title: Allow Repositories API GET endpoints to be requested anonymously
merge_request:
author:
...@@ -2,7 +2,8 @@ ...@@ -2,7 +2,8 @@
## List repository tree ## List repository tree
Get a list of repository files and directories in a project. Get a list of repository files and directories in a project. This endpoint can
be accessed without authentication if the repository is publicly accessible.
``` ```
GET /projects/:id/repository/tree GET /projects/:id/repository/tree
...@@ -71,7 +72,8 @@ Parameters: ...@@ -71,7 +72,8 @@ Parameters:
## Raw file content ## Raw file content
Get the raw file contents for a file by commit SHA and path. Get the raw file contents for a file by commit SHA and path. This endpoint can
be accessed without authentication if the repository is publicly accessible.
``` ```
GET /projects/:id/repository/blobs/:sha GET /projects/:id/repository/blobs/:sha
...@@ -85,7 +87,8 @@ Parameters: ...@@ -85,7 +87,8 @@ Parameters:
## Raw blob content ## Raw blob content
Get the raw file contents for a blob by blob SHA. Get the raw file contents for a blob by blob SHA. This endpoint can be accessed
without authentication if the repository is publicly accessible.
``` ```
GET /projects/:id/repository/raw_blobs/:sha GET /projects/:id/repository/raw_blobs/:sha
...@@ -98,7 +101,8 @@ Parameters: ...@@ -98,7 +101,8 @@ Parameters:
## Get file archive ## Get file archive
Get an archive of the repository Get an archive of the repository. This endpoint can be accessed without
authentication if the repository is publicly accessible.
``` ```
GET /projects/:id/repository/archive GET /projects/:id/repository/archive
...@@ -111,6 +115,9 @@ Parameters: ...@@ -111,6 +115,9 @@ Parameters:
## Compare branches, tags or commits ## Compare branches, tags or commits
This endpoint can be accessed without authentication if the repository is
publicly accessible.
``` ```
GET /projects/:id/repository/compare GET /projects/:id/repository/compare
``` ```
...@@ -163,7 +170,8 @@ Response: ...@@ -163,7 +170,8 @@ Response:
## Contributors ## Contributors
Get repository contributors list Get repository contributors list. This endpoint can be accessed without
authentication if the repository is publicly accessible.
``` ```
GET /projects/:id/repository/contributors GET /projects/:id/repository/contributors
......
...@@ -2,7 +2,6 @@ require 'mime/types' ...@@ -2,7 +2,6 @@ require 'mime/types'
module API module API
class Repositories < Grape::API class Repositories < Grape::API
before { authenticate! }
before { authorize! :download_code, user_project } before { authorize! :download_code, user_project }
params do params do
...@@ -79,8 +78,6 @@ module API ...@@ -79,8 +78,6 @@ module API
optional :format, type: String, desc: 'The archive format' optional :format, type: String, desc: 'The archive format'
end end
get ':id/repository/archive', requirements: { format: Gitlab::Regex.archive_formats_regex } do get ':id/repository/archive', requirements: { format: Gitlab::Regex.archive_formats_regex } do
authorize! :download_code, user_project
begin begin
send_git_archive user_project.repository, ref: params[:sha], format: params[:format] send_git_archive user_project.repository, ref: params[:sha], format: params[:format]
rescue rescue
...@@ -96,7 +93,6 @@ module API ...@@ -96,7 +93,6 @@ module API
requires :to, type: String, desc: 'The commit, branch name, or tag name to stop comparison' requires :to, type: String, desc: 'The commit, branch name, or tag name to stop comparison'
end end
get ':id/repository/compare' do get ':id/repository/compare' do
authorize! :download_code, user_project
compare = Gitlab::Git::Compare.new(user_project.repository.raw_repository, params[:from], params[:to]) compare = Gitlab::Git::Compare.new(user_project.repository.raw_repository, params[:from], params[:to])
present compare, with: Entities::Compare present compare, with: Entities::Compare
end end
...@@ -105,8 +101,6 @@ module API ...@@ -105,8 +101,6 @@ module API
success Entities::Contributor success Entities::Contributor
end end
get ':id/repository/contributors' do get ':id/repository/contributors' do
authorize! :download_code, user_project
begin begin
present user_project.repository.contributors, present user_project.repository.contributors,
with: Entities::Contributor with: Entities::Contributor
......
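Review bot: With `before { authenticate! }` gone, every route in this class is reachable without a token and `before { authorize! :download_code, user_project }` is now the only gate, so that intent deserves a comment on the surviving `before` line, e.g. `# Intentionally no authenticate!: read-only endpoints are public for publicly accessible repositories; authorize! :download_code is the sole guard.`, so that a route added to this class later does not silently inherit anonymous reachability. The class header and any other routes are outside the hunk, so I cannot confirm from here that every route in the class is a read-only GET. The per-route `authorize! :download_code, user_project` removals in the archive, compare and contributors hunks are redundant with the class-level `before` and look fine. It would be worth confirming that `user_project` yields a 404 rather than a 401 for an anonymous request against a private project, since the spec changes in this commit (401 → 404) rely on that.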
...@@ -16,15 +16,32 @@ describe API::Repositories, api: true do ...@@ -16,15 +16,32 @@ describe API::Repositories, api: true do
context "authorized user" do context "authorized user" do
before { project.team << [user2, :reporter] } before { project.team << [user2, :reporter] }
it "returns project commits" do shared_examples_for 'repository tree' do
get api("/projects/#{project.id}/repository/tree", user) it 'returns the repository tree' do
get api("/projects/#{project.id}/repository/tree", current_user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
first_commit = json_response.first
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.first['name']).to eq('bar') expect(first_commit['name']).to eq('bar')
expect(json_response.first['type']).to eq('tree') expect(first_commit['type']).to eq('tree')
expect(json_response.first['mode']).to eq('040000') expect(first_commit['mode']).to eq('040000')
end
end
context 'when unauthenticated' do
it_behaves_like 'repository tree' do
let(:project) { create(:project, :public) }
let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository tree' do
let(:current_user) { user }
end
end end
it 'returns a 404 for unknown ref' do it 'returns a 404 for unknown ref' do
...@@ -39,7 +56,8 @@ describe API::Repositories, api: true do ...@@ -39,7 +56,8 @@ describe API::Repositories, api: true do
context "unauthorized user" do context "unauthorized user" do
it "does not return project commits" do it "does not return project commits" do
get api("/projects/#{project.id}/repository/tree") get api("/projects/#{project.id}/repository/tree")
expect(response).to have_http_status(401)
expect(response).to have_http_status(404)
end end
end end
end end
...@@ -72,17 +90,40 @@ describe API::Repositories, api: true do ...@@ -72,17 +90,40 @@ describe API::Repositories, api: true do
context "unauthorized user" do context "unauthorized user" do
it "does not return project commits" do it "does not return project commits" do
get api("/projects/#{project.id}/repository/tree?recursive=1") get api("/projects/#{project.id}/repository/tree?recursive=1")
expect(response).to have_http_status(401)
expect(response).to have_http_status(404)
end end
end end
end end
describe "GET /projects/:id/repository/blobs/:sha" do describe "GET /projects/:id/repository/blobs/:sha & /projects/:id/repository/commits/:sha" do
it "gets the raw file contents" do shared_examples_for 'repository blob' do
get api("/projects/#{project.id}/repository/blobs/master?filepath=README.md", user) it 'returns the repository blob for /repository/blobs/master' do
get api("/projects/#{project.id}/repository/blobs/master?filepath=README.md", current_user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
end end
it 'returns the repository blob for /repository/commits/master' do
get api("/projects/#{project.id}/repository/commits/master/blob?filepath=README.md", current_user)
expect(response).to have_http_status(200)
end
end
context 'when unauthenticated' do
it_behaves_like 'repository blob' do
let(:project) { create(:project, :public) }
let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository blob' do
let(:current_user) { user }
end
end
it "returns 404 for invalid branch_name" do it "returns 404 for invalid branch_name" do
get api("/projects/#{project.id}/repository/blobs/invalid_branch_name?filepath=README.md", user) get api("/projects/#{project.id}/repository/blobs/invalid_branch_name?filepath=README.md", user)
expect(response).to have_http_status(404) expect(response).to have_http_status(404)
...@@ -99,17 +140,26 @@ describe API::Repositories, api: true do ...@@ -99,17 +140,26 @@ describe API::Repositories, api: true do
end end
end end
describe "GET /projects/:id/repository/commits/:sha/blob" do describe "GET /projects/:id/repository/raw_blobs/:sha" do
it "gets the raw file contents" do shared_examples_for 'repository raw blob' do
get api("/projects/#{project.id}/repository/commits/master/blob?filepath=README.md", user) it 'returns the repository raw blob' do
get api("/projects/#{project.id}/repository/raw_blobs/#{sample_blob.oid}", current_user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
end end
end end
describe "GET /projects/:id/repository/raw_blobs/:sha" do context 'when unauthenticated' do
it "gets the raw file contents" do it_behaves_like 'repository raw blob' do
get api("/projects/#{project.id}/repository/raw_blobs/#{sample_blob.oid}", user) let(:project) { create(:project, :public) }
expect(response).to have_http_status(200) let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository raw blob' do
let(:current_user) { user }
end
end end
it 'returns a 404 for unknown blob' do it 'returns a 404 for unknown blob' do
...@@ -122,32 +172,56 @@ describe API::Repositories, api: true do ...@@ -122,32 +172,56 @@ describe API::Repositories, api: true do
end end
describe "GET /projects/:id/repository/archive(.:format)?:sha" do describe "GET /projects/:id/repository/archive(.:format)?:sha" do
it "gets the archive" do shared_examples_for 'repository archive' do
get api("/projects/#{project.id}/repository/archive", user) it 'returns the repository archive' do
repo_name = project.repository.name.gsub("\.git", "") get api("/projects/#{project.id}/repository/archive", current_user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
repo_name = project.repository.name.gsub("\.git", "")
type, params = workhorse_send_data type, params = workhorse_send_data
expect(type).to eq('git-archive') expect(type).to eq('git-archive')
expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.tar.gz/) expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.tar.gz/)
end end
it "gets the archive.zip" do it 'returns the repository archive archive.zip' do
get api("/projects/#{project.id}/repository/archive.zip", user) get api("/projects/#{project.id}/repository/archive.zip", user)
repo_name = project.repository.name.gsub("\.git", "")
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
repo_name = project.repository.name.gsub("\.git", "")
type, params = workhorse_send_data type, params = workhorse_send_data
expect(type).to eq('git-archive') expect(type).to eq('git-archive')
expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.zip/) expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.zip/)
end end
it "gets the archive.tar.bz2" do it 'returns the repository archive archive.tar.bz2' do
get api("/projects/#{project.id}/repository/archive.tar.bz2", user) get api("/projects/#{project.id}/repository/archive.tar.bz2", user)
repo_name = project.repository.name.gsub("\.git", "")
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
repo_name = project.repository.name.gsub("\.git", "")
type, params = workhorse_send_data type, params = workhorse_send_data
expect(type).to eq('git-archive') expect(type).to eq('git-archive')
expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.tar.bz2/) expect(params['ArchivePath']).to match(/#{repo_name}\-[^\.]+\.tar.bz2/)
end end
end
context 'when unauthenticated' do
it_behaves_like 'repository archive' do
let(:project) { create(:project, :public) }
let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository archive' do
let(:current_user) { user }
end
end
it "returns 404 for invalid sha" do it "returns 404 for invalid sha" do
get api("/projects/#{project.id}/repository/archive/?sha=xxx", user) get api("/projects/#{project.id}/repository/archive/?sha=xxx", user)
...@@ -156,22 +230,26 @@ describe API::Repositories, api: true do ...@@ -156,22 +230,26 @@ describe API::Repositories, api: true do
end end
describe 'GET /projects/:id/repository/compare' do describe 'GET /projects/:id/repository/compare' do
shared_examples_for 'repository compare' do
it "compares branches" do it "compares branches" do
get api("/projects/#{project.id}/repository/compare", user), from: 'master', to: 'feature' get api("/projects/#{project.id}/repository/compare", current_user), from: 'master', to: 'feature'
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['commits']).to be_present expect(json_response['commits']).to be_present
expect(json_response['diffs']).to be_present expect(json_response['diffs']).to be_present
end end
it "compares tags" do it "compares tags" do
get api("/projects/#{project.id}/repository/compare", user), from: 'v1.0.0', to: 'v1.1.0' get api("/projects/#{project.id}/repository/compare", current_user), from: 'v1.0.0', to: 'v1.1.0'
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['commits']).to be_present expect(json_response['commits']).to be_present
expect(json_response['diffs']).to be_present expect(json_response['diffs']).to be_present
end end
it "compares commits" do it "compares commits" do
get api("/projects/#{project.id}/repository/compare", user), from: sample_commit.id, to: sample_commit.parent_id get api("/projects/#{project.id}/repository/compare", current_user), from: sample_commit.id, to: sample_commit.parent_id
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['commits']).to be_empty expect(json_response['commits']).to be_empty
expect(json_response['diffs']).to be_empty expect(json_response['diffs']).to be_empty
...@@ -179,14 +257,16 @@ describe API::Repositories, api: true do ...@@ -179,14 +257,16 @@ describe API::Repositories, api: true do
end end
it "compares commits in reverse order" do it "compares commits in reverse order" do
get api("/projects/#{project.id}/repository/compare", user), from: sample_commit.parent_id, to: sample_commit.id get api("/projects/#{project.id}/repository/compare", current_user), from: sample_commit.parent_id, to: sample_commit.id
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['commits']).to be_present expect(json_response['commits']).to be_present
expect(json_response['diffs']).to be_present expect(json_response['diffs']).to be_present
end end
it "compares same refs" do it "compares same refs" do
get api("/projects/#{project.id}/repository/compare", user), from: 'master', to: 'master' get api("/projects/#{project.id}/repository/compare", current_user), from: 'master', to: 'master'
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['commits']).to be_empty expect(json_response['commits']).to be_empty
expect(json_response['diffs']).to be_empty expect(json_response['diffs']).to be_empty
...@@ -194,17 +274,49 @@ describe API::Repositories, api: true do ...@@ -194,17 +274,49 @@ describe API::Repositories, api: true do
end end
end end
context 'when unauthenticated' do
it_behaves_like 'repository compare' do
let(:project) { create(:project, :public) }
let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository compare' do
let(:current_user) { user }
end
end
end
describe 'GET /projects/:id/repository/contributors' do describe 'GET /projects/:id/repository/contributors' do
shared_examples_for 'repository contributors' do
it 'returns valid data' do it 'returns valid data' do
get api("/projects/#{project.id}/repository/contributors", user) get api("/projects/#{project.id}/repository/contributors", user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response).to be_an Array expect(json_response).to be_an Array
contributor = json_response.first
expect(contributor['email']).to eq('tiagonbotelho@hotmail.com') first_contributor = json_response.first
expect(contributor['name']).to eq('tiagonbotelho')
expect(contributor['commits']).to eq(1) expect(first_contributor['email']).to eq('tiagonbotelho@hotmail.com')
expect(contributor['additions']).to eq(0) expect(first_contributor['name']).to eq('tiagonbotelho')
expect(contributor['deletions']).to eq(0) expect(first_contributor['commits']).to eq(1)
expect(first_contributor['additions']).to eq(0)
expect(first_contributor['deletions']).to eq(0)
end
end
context 'when unauthenticated' do
it_behaves_like 'repository contributors' do
let(:project) { create(:project, :public) }
let(:current_user) { nil }
end
end
context 'when authenticated' do
it_behaves_like 'repository contributors' do
let(:current_user) { user }
end
end end
end end
end end
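Review bot: The new shared example for contributors still sends `get api("/projects/#{project.id}/repository/contributors", user)` instead of `current_user`, so the `when unauthenticated` context that sets `let(:current_user) { nil }` runs the request authenticated and never exercises anonymous access. The same slip is in the archive hunk's `archive.zip` and `archive.tar.bz2` examples, which also still pass `user`. Change the three calls to pass `current_user`, e.g. `get api("/projects/#{project.id}/repository/contributors", current_user)`, so the unauthenticated contexts test what their names claim; as written, a regression that re-requires authentication on these endpoints would not be caught.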