Commit
9d1ccd2a
authored
Sep 15, 2016
by
Kamil Trzcinski
Fix existing authorization specs
parent
50076ab9
Changes
11
Showing
11 changed files
with
51 additions
and
34 deletions
+51
-34
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+3
-3
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+1
-1
app/models/ci/build.rb
app/models/ci/build.rb
+1
-0
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+3
-5
lib/api/internal.rb
lib/api/internal.rb
+8
-10
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+1
-1
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+1
-1
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+12
-5
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+4
-5
spec/requests/jwt_controller_spec.rb
spec/requests/jwt_controller_spec.rb
+4
-2
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+13
-1
...
...
@@ -11,10 +11,10 @@ class JwtController < ApplicationController
service
=
SERVICES
[
params
[
:service
]]
return
head
:not_found
unless
service
@
@authentication_result
||=
Gitlab
::
Auth
.
Result
.
new
@
authentication_result
||=
Gitlab
::
Auth
::
Result
.
new
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
user
,
auth_params
).
execute
(
capabilities:
@authentication_result
.
capabilities
||
[]
)
execute
(
capabilities:
@authentication_result
.
capabilities
)
render
json:
result
,
status:
result
[
:http_status
]
end
...
...
@@ -23,7 +23,7 @@ class JwtController < ApplicationController
def
authenticate_project_or_user
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
render_403
unless
@authentication_result
.
succeeded?
end
...
...
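Review bot: `@authentication_result ||= Gitlab::Auth::Result.new` in the first hunk silently substitutes an anonymous result whenever `authenticate_project_or_user` did not set one, and nothing says that this is the intended path rather than a missed authentication; a why-comment would help, e.g. `# No credentials supplied: continue as anonymous (nil project/user, no capabilities)`. That wording assumes a no-argument `Result.new` yields nil fields, which is not visible in this commit and should be confirmed against `Gitlab::Auth::Result`. In the second hunk, `project: nil` means the CI-token lookup can no longer be scoped by the request, so resolving the project from the build found by token (as lib/gitlab/auth.rb in this commit does) is the only source of project for this path; worth stating in a comment there. The enclosing action of the first hunk begins outside the hunk.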
app/controllers/projects/git_http_client_controller.rb
...
...
@@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@capabilities
=
auth_result
.
capabilities
||
[]
if
ci?
||
user
if
auth_result
.
succeeded?
return
# Allow access
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
...
...
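Review bot: `return # Allow access` inside `if ci? || user` grants access on `auth_result.succeeded?` alone while `@capabilities` is only stored, not consulted, so a reader cannot tell from this hunk where the capability set is enforced; the rendered view also does not show which of the seven lines actually changed. A comment such as `# Capabilities are enforced per git action by Gitlab::GitAccess (which now requires them)` would make the early return less alarming, assuming that is indeed where they are checked (the `capabilities:` keyword made mandatory in lib/gitlab/git_access.rb in this commit suggests so). The enclosing method starts and ends outside the hunk.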
app/models/ci/build.rb
...
...
@@ -43,6 +43,7 @@ module Ci
new_build
.
status
=
'pending'
new_build
.
runner_id
=
nil
new_build
.
trigger_request_id
=
nil
new_build
.
token
=
nil
new_build
.
save
end
...
...
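Review bot: `new_build.token = nil` is added without a comment, yet it is the security-relevant line of this hunk: lib/gitlab/auth.rb in this commit authenticates a build by `Ci::Build.running.find_by_token`, so a copied build must not share the original's token. Suggested comment: `# The token is a credential (Gitlab::Auth looks builds up by it); never copy it, a fresh one must be issued for the new build`. Whether `save` regenerates a token when it is nil is not visible here; confirm a callback guarantees the new build does not persist with a nil token. The enclosing method begins outside the hunk.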
app/services/auth/container_registry_authentication_service.rb
...
...
@@ -4,8 +4,8 @@ module Auth
AUDIENCE
=
'container_registry'
def
execute
(
capabilities:
capabilities
)
@capabilities
=
capabilities
def
execute
(
capabilities
:)
@capabilities
=
capabilities
||
[]
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
...
...
@@ -76,7 +76,7 @@ module Auth
case
requested_action
when
'pull'
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
requested_project
.
public?
||
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
when
'push'
build_can_push?
(
requested_project
)
||
user_can_push?
(
requested_project
)
else
...
...
@@ -88,8 +88,6 @@ module Auth
Gitlab
.
config
.
registry
end
private
def
build_can_pull?
(
requested_project
)
# Build can:
# 1. pull from it's own project (for ex. a build)
...
...
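Review bot: In the `'pull'` branch of the second hunk, `requested_project.public?` is evaluated first, so for a public project the `build_can_pull?`/`user_can_pull?` checks are skipped entirely and any caller, with or without capabilities, is granted pull; if that equivalence of image visibility and project visibility is intended it should be stated, e.g. `# Images of public projects are pullable by anyone, regardless of credentials or capabilities`. Also note that `.public?` is now called unconditionally on `requested_project`, whereas the previous form only passed it to the predicates; if the lookup (outside this hunk) can yield nil, this line raises and needs a nil guard. The `case` lives in a method that starts and ends outside the hunk. The first hunk's `@capabilities = capabilities || []` correctly absorbs the nil that the controller now passes through.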
lib/api/internal.rb
...
...
@@ -35,6 +35,14 @@ module API
Project
.
find_with_namespace
(
project_path
)
end
end
def
ssh_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
post
"/allowed"
do
...
...
@@ -130,16 +138,6 @@ module API
{
success:
true
,
recovery_codes:
codes
}
end
private
def
ssh_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
end
end
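Review bot: `ssh_capabilities` hands the full set, including `:push_code`, to every SSH caller of this internal API, and nothing at the helper explains why that is safe now that capabilities are mandatory in `Gitlab::GitAccess`; a comment such as `# SSH has no scoped tokens: grant the full set and let GitAccess apply the actor's own permissions` would record the reasoning, assuming per-action authorization does happen there (not visible in this hunk). The same literal array reappears as `full_capabilities` in spec/lib/gitlab/git_access_spec.rb in this commit, so the two can drift apart silently; a single frozen constant on `Gitlab::GitAccess` that both refer to would avoid that. Moving the method out of the `private` section makes it callable from any endpoint in the file, which looks intentional for `post "/allowed"` but is worth a word in the commit or a comment.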
lib/gitlab/auth.rb
...
...
@@ -115,7 +115,7 @@ module Gitlab
return
unless
login
==
'gitlab-ci-token'
return
unless
password
build
=
Ci
::
Build
.
running
.
find_by_token
(
password
)
build
=
::
Ci
::
Build
.
running
.
find_by_token
(
password
)
return
unless
build
if
build
.
user
...
...
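Review bot: `return unless password` still lets an empty string through, because `""` is truthy in Ruby, so `::Ci::Build.running.find_by_token("")` is executed for a `gitlab-ci-token` login with a blank password; `return if password.nil? || password.empty?` closes that gap. Whether any running build can carry an empty token is not visible here, but the lookup keyed on an externally supplied empty value is cheap to avoid. The `::Ci::Build` qualification itself is correct and makes the constant lookup independent of the enclosing `Gitlab` module. The enclosing method begins outside the hunk.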
lib/gitlab/git_access.rb
...
...
@@ -7,7 +7,7 @@ module Gitlab
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:capabilities
def
initialize
(
actor
,
project
,
protocol
,
capabilities:
capabilities
)
def
initialize
(
actor
,
project
,
protocol
,
capabilities
:)
@actor
=
actor
@project
=
project
@protocol
=
protocol
...
...
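Review bot: Making `capabilities:` a required keyword on `initialize` is the right tightening (the previous `capabilities: capabilities` default would have evaluated to nil), but the constructor now has no documentation of what the argument is and what an empty set means for the actor. A YARD line such as `# @param capabilities [Array<Symbol>] actions the actor may perform, e.g. [:read_project, :download_code, :push_code]` would do, with the semantics of `[]` stated once confirmed against the checks further down in this class. The assignment that stores the value is not within the hunk; the body of `initialize` continues outside it.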
spec/lib/gitlab/git_access_spec.rb
...
...
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
context
'ssh disabled'
do
before
do
disable_protocol
(
'ssh'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
,
capabilities:
capabilities
)
end
it
'blocks ssh git push'
do
...
...
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
context
'http disabled'
do
before
do
disable_protocol
(
'http'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
,
capabilities:
capabilities
)
end
it
'blocks http push'
do
...
...
@@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do
admin:
{
push_protected_branch:
false
,
push_all:
false
,
merge_into_protected_branch:
false
}))
end
end
end
shared_examples
'can not push code'
do
...
...
@@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do
describe
'build capabilities permissions'
do
let
(
:capabilities
)
{
build_capabilities
}
it_behaves_like
'cannot push code'
it_behaves_like
'can
not push code'
end
describe
'deploy key permissions'
do
let
(
:key
)
{
create
(
:deploy_key
)
}
let
(
:actor
)
{
key
}
it_behaves_like
'cannot push code'
it_behaves_like
'can
not push code'
end
private
...
...
@@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do
:build_download_code
]
end
def
full_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
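Review bot: `describe 'build capabilities permissions'` only runs the negative shared example `'can not push code'`, so nothing asserts that the build set still permits what it should (the `build_capabilities` helper visibly includes `:build_download_code`); a positive example for download would pin both halves of the split. The `'ssh disabled'` and `'http disabled'` contexts now pass `capabilities: capabilities`, which relies on a `let(:capabilities)` defined outside these hunks; worth checking it is the intended default for those contexts. `full_capabilities` duplicates the list in `ssh_capabilities` of lib/api/internal.rb, so a change to one will not be caught by the other.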
spec/requests/git_http_spec.rb
...
...
@@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do
end
context
"when a gitlab ci token is provided"
do
let
(
:
token
)
{
123
}
let
(
:project
)
{
FactoryGirl
.
create
:empty_
project
}
let
(
:
build
)
{
create
(
:ci_build
,
:running
)
}
let
(
:project
)
{
build
.
project
}
before
do
project
.
update_attributes
(
runners_token:
token
)
project
.
project_feature
.
update_attributes
(
builds_access_level:
ProjectFeature
::
ENABLED
)
end
it
"downloads get status 200"
do
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
token
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
.
content_type
.
to_s
).
to
eq
(
Gitlab
::
Workhorse
::
INTERNAL_API_CONTENT_TYPE
)
end
it
"uploads get status 401 (no project existence information leak)"
do
push_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
token
push_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_http_status
(
401
)
end
...
...
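Review bot: The old credential, `gitlab-ci-token` with the project's `runners_token`, is dropped from the examples but no example asserts that it is now rejected, so the tightening in lib/gitlab/auth.rb (lookup by `Ci::Build.running.find_by_token`) has no regression test. Two examples would cover it: one sending `password: project.runners_token` and one sending the token of a build created without `:running`, both expecting `have_http_status(401)`. spec/requests/jwt_controller_spec.rb in this commit has the same gap for the JWT endpoint.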
spec/requests/jwt_controller_spec.rb
...
...
@@ -22,11 +22,13 @@ describe JwtController do
context
'when using authorized request'
do
context
'using CI token'
do
let
(
:project
)
{
create
(
:empty_project
,
runners_token:
'token'
)
}
let
(
:headers
)
{
{
authorization:
credentials
(
'gitlab-ci-token'
,
project
.
runners_token
)
}
}
let
(
:build
)
{
create
(
:ci_build
,
:running
)
}
let
(
:project
)
{
build
.
project
}
let
(
:headers
)
{
{
authorization:
credentials
(
'gitlab-ci-token'
,
build
.
token
)
}
}
context
'project with enabled CI'
do
subject!
{
get
'/jwt/auth'
,
parameters
,
headers
}
it
{
expect
(
service_class
).
to
have_received
(
:new
).
with
(
project
,
nil
,
parameters
)
}
end
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
...
...
@@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
let
(
:current_params
)
{
{}
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:capabilities
)
do
[
:read_container_image
,
:create_container_image
]
end
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
}
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
(
capabilities:
capabilities
)
}
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
enabled:
true
,
issuer:
'rspec'
,
key:
nil
)
...
...
@@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
'actions'
=>
actions
,
}]
end
let
(
:capabilities
)
do
[
:build_read_container_image
,
:build_create_container_image
]
end
it_behaves_like
'a valid token'
it
{
expect
(
payload
).
to
include
(
'access'
=>
access
)
}
...
...
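Review bot: The new default `let(:capabilities)` grants every example both `:read_container_image` and `:create_container_image`, so no example exercises the `capabilities || []` path or the new `requested_project.public?` short-circuit that this commit adds to the service. Contexts with `let(:capabilities) { [] }` for a pull on a public project (expecting a valid token carrying pull access) and on a private project (expecting no access) would cover the authorization boundary that matters most here. The overriding `let` in the second hunk sits inside a describe whose opening is outside the hunk.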