Remove unused Grack::Auth code paths

78fdc2f1 · Jacob Vosmaer · 3020dce2 · 78fdc2f1 · 3020dce2 · 3020dce2
Commit 78fdc2f1 authored Jul 01, 2016 by Jacob Vosmaer
3 changed files
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -41,10 +41,7 @@ module Grack
      lfs_response = Gitlab::Lfs::Router.new(project, @user, @ci, @request).try_call
      return lfs_response unless lfs_response.nil?
-      if project && authorized_request?
+      if @user.nil? && !@ci
-        # Tell gitlab-workhorse the request is OK, and what the GL_ID is
-        render_grack_auth_ok
-      elsif @user.nil? && !@ci
        unauthorized
      else
        render_not_found
@@ -119,11 +116,6 @@ module Grack
        @user = authenticate_user(login, password)
      end
-      if @user
-        Gitlab::ShellEnv.set_env(@user)
-        @env['REMOTE_USER'] = @auth.username
-      end
    end
    def ci_request?(login, password)
@@ -252,24 +244,6 @@ module Grack
      end
    end
-    def render_grack_auth_ok
-      repo_path =
-        if @request.path_info =~ /^([\w\.\/-]+)\.wiki\.git/
-          ProjectWiki.new(project).repository.path_to_repo
-        else
-          project.repository.path_to_repo
-        end
-      [
-        200,
-        { "Content-Type" => "application/json" },
-        [JSON.dump({
-          'GL_ID' => Gitlab::ShellEnv.gl_id(@user),
-          'RepoPath' => repo_path,
-        })]
-      ]
-    end
    def render_not_found
      [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
    end

--- a/lib/gitlab/backend/shell_env.rb
+++ b/lib/gitlab/backend/shell_env.rb
-module Gitlab
-  # This module provide 2 methods
-  # to set specific ENV variables for GitLab Shell
-  module ShellEnv
-    extend self
-    def set_env(user)
-      # Set GL_ID env variable
-      if user
-        ENV['GL_ID'] = gl_id(user)
-      end
-    end
-    def reset_env
-      # Reset GL_ID env variable
-      ENV['GL_ID'] = nil
-    end
-    def gl_id(user)
-      if user.present?
-        "user-#{user.id}"
-      else
-        # This empty string is used in the render_grack_auth_ok method
-        ""
-      end
-    end
-  end
-end
--- a/spec/lib/gitlab/backend/grack_auth_spec.rb
+++ b/spec/lib/gitlab/backend/grack_auth_spec.rb
-require "spec_helper"
-describe Grack::Auth, lib: true do
-  let(:user)    { create(:user) }
-  let(:project) { create(:project) }
-  let(:app)   { lambda { |env| [200, {}, "Success!"] } }
-  let(:env) do
-    {
-      'rack.input'     => '',
-      'REQUEST_METHOD' => 'GET',
-      'QUERY_STRING'   => 'service=git-upload-pack'
-    }
-  end
-  let(:status) { Grack::AuthSpawner::call(env).first }
-  describe "#call" do
-    context "when the project doesn't exist" do
-      before do
-        env["PATH_INFO"] = "doesnt/exist.git"
-      end
-      context "when no authentication is provided" do
-        it "responds with status 401" do
-          expect(status).to eq(401)
-        end
-      end
-      context "when username and password are provided" do
-        context "when authentication fails" do
-          before do
-            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")
-          end
-          it "responds with status 401" do
-            expect(status).to eq(401)
-          end
-        end
-        context "when authentication succeeds" do
-          before do
-            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
-          end
-          it "responds with status 404" do
-            expect(status).to eq(404)
-          end
-        end
-      end
-    end
-    context "when the Wiki for a project exists" do
-      before do
-        @wiki = ProjectWiki.new(project)
-        env["PATH_INFO"] = "#{@wiki.repository.path_with_namespace}.git/info/refs"
-        project.update_attribute(:visibility_level, Project::PUBLIC)
-      end
-      it "responds with the right project" do
-        response = Grack::AuthSpawner::call(env)
-        json_body = ActiveSupport::JSON.decode(response[2][0])
-        expect(response.first).to eq(200)
-        expect(json_body['RepoPath']).to include(@wiki.repository.path_with_namespace)
-      end
-    end
-    context "when the project exists" do
-      before do
-        env["PATH_INFO"] = project.path_with_namespace + ".git"
-      end
-      context "when the project is public" do
-        before do
-          project.update_attribute(:visibility_level, Project::PUBLIC)
-        end
-        it "responds with status 200" do
-          expect(status).to eq(200)
-        end
-      end
-      context "when the project is private" do
-        before do
-          project.update_attribute(:visibility_level, Project::PRIVATE)
-        end
-        context "when no authentication is provided" do
-          it "responds with status 401" do
-            expect(status).to eq(401)
-          end
-        end
-        context "when Kerberos token is provided" do
-          before do
-            allow_any_instance_of(Grack::Auth).to receive(:allow_kerberos_auth?).and_return(true)
-            env["HTTP_AUTHORIZATION"] = "Negotiate #{::Base64.strict_encode64('opaque_request_token')}"
-          end
-          shared_examples "RFC4559 compliance" do
-            it "complies with RFC4559" do
-              allow_any_instance_of(Grack::Auth::Request).to receive(:spnego_response_token).and_return("opaque_response_token")
-              headers = Grack::AuthSpawner::call(env)[1]
-              expect(headers['WWW-Authenticate'].split("\n")).to include("Negotiate #{::Base64.strict_encode64('opaque_response_token')}")
-            end
-          end
-          context "when authentication fails because of invalid Kerberos token" do
-            before do
-              allow_any_instance_of(Grack::Auth::Request).to receive(:spnego_credentials!).and_return(nil)
-            end
-            it "responds with status 401" do
-              expect(status).to eq(401)
-            end
-          end
-          context "when authentication fails because of unknown Kerberos identity" do
-            before do
-              allow_any_instance_of(Grack::Auth::Request).to receive(:spnego_credentials!).and_return("mylogin@FOO.COM")
-            end
-            it "responds with status 401" do
-              expect(status).to eq(401)
-            end
-          end
-          context "when authentication succeeds" do
-            before do
-              allow_any_instance_of(Grack::Auth::Request).to receive(:spnego_credentials!).and_return("mylogin@FOO.COM")
-              user.identities.build(provider: "kerberos", extern_uid: "mylogin@FOO.COM").save
-            end
-            context "when the user has access to the project" do
-              before do
-                project.team << [user, :master]
-              end
-              context "when the user is blocked" do
-                before do
-                  user.block
-                  project.team << [user, :master]
-                end
-                it "responds with status 404" do
-                  expect(status).to eq(404)
-                end
-              end
-              context "when the user isn't blocked" do
-                it "responds with status 200" do
-                  expect(status).to eq(200)
-                end
-              end
-              include_examples "RFC4559 compliance"
-            end
-            context "when the user doesn't have access to the project" do
-              it "responds with status 404" do
-                expect(status).to eq(404)
-              end
-              include_examples "RFC4559 compliance"
-            end
-          end
-        end
-        context "when username and password are provided" do
-          context "when authentication fails" do
-            before do
-              env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, "nope")
-            end
-            it "responds with status 401" do
-              expect(status).to eq(401)
-            end
-            context "when the user is IP banned" do
-              before do
-                expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
-                allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
-              end
-              it "responds with status 401" do
-                expect(status).to eq(401)
-              end
-            end
-          end
-          context "when authentication succeeds" do
-            before do
-              env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
-            end
-            context "when the user has access to the project" do
-              before do
-                project.team << [user, :master]
-              end
-              context "when the user is blocked" do
-                before do
-                  user.block
-                  project.team << [user, :master]
-                end
-                it "responds with status 404" do
-                  expect(status).to eq(404)
-                end
-              end
-              context "when the user isn't blocked" do
-                before do
-                  expect(Rack::Attack::Allow2Ban).to receive(:reset)
-                end
-                it "responds with status 200" do
-                  expect(status).to eq(200)
-                end
-              end
-              context "when blank password attempts follow a valid login" do
-                let(:options) { Gitlab.config.rack_attack.git_basic_auth }
-                let(:maxretry) { options[:maxretry] - 1 }
-                let(:ip) { '1.2.3.4' }
-                before do
-                  allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)
-                  Rack::Attack::Allow2Ban.reset(ip, options)
-                end
-                after do
-                  Rack::Attack::Allow2Ban.reset(ip, options)
-                end
-                def attempt_login(include_password)
-                  password = include_password ? user.password : ""
-                  env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials(user.username, password)
-                  Grack::AuthSpawner::call(env).first
-                end
-                it "repeated attempts followed by successful attempt" do
-                  maxretry.times.each do
-                    expect(attempt_login(false)).to eq(401)
-                  end
-                  expect(attempt_login(true)).to eq(200)
-                  expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey
-                  maxretry.times.each do
-                    expect(attempt_login(false)).to eq(401)
-                  end
-                end
-              end
-            end
-            context "when the user doesn't have access to the project" do
-              it "responds with status 404" do
-                expect(status).to eq(404)
-              end
-            end
-          end
-        end
-        context "when a gitlab ci token is provided" do
-          let(:token) { "123" }
-          let(:project) { FactoryGirl.create :empty_project }
-          before do
-            project.update_attributes(runners_token: token, builds_enabled: true)
-            env["HTTP_AUTHORIZATION"] = ActionController::HttpAuthentication::Basic.encode_credentials("gitlab-ci-token", token)
-          end
-          it "responds with status 200" do
-            expect(status).to eq(200)
-          end
-        end
-      end
-    end
-  end
-end