Skip to content

G
gitlab-ce
Commit a33ec9fe authored by Serena Fang's avatar Serena Fang
Browse files
Options

Allow group bot to http authenticate 

Update bot in resource method

Add specs for resource access token auth

Add auth specs

Return early if bot not in project or group

Changelog: fixed
parent d5ba9ec7
Hide whitespace changes
Inline Side-by-side
Showing with 68 additions and 19 deletions
lib/gitlab/auth.rb
View file @ a33ec9fe
......@@ -190,6 +190,7 @@ module Gitlab
end
end
# rubocop: disable CodeReuse/ActiveRecord
def personal_access_token_check(password, project)
return unless password.present?
......@@ -199,12 +200,20 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes)
return if project && token.user.project_bot? && !project.bots.include?(token.user)
if project && token.user.project_bot? && !project.bots.include?(token.user)
return unless project.group
group_ids = project.group.self_and_ancestors.pluck(:id)
user_groups = token.user.groups.pluck(:id)
return if (group_ids & user_groups).empty?
end
if can_user_login_with_non_expired_password?(token.user) || token.user.project_bot?
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end
end
# rubocop: enable CodeReuse/ActiveRecord
def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, [:api])
......
spec/lib/gitlab/auth_spec.rb
View file @ a33ec9fe
......@@ -360,32 +360,23 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
end
end
context 'when using a project access token' do
let_it_be(:project_bot_user) { create(:user, :project_bot) }
let_it_be(:project_access_token) { create(:personal_access_token, user: project_bot_user) }
context 'with valid project access token' do
before do
project.add_maintainer(project_bot_user)
end
context 'when using a resource access token' do
shared_examples 'with a valid access token' do
it 'successfully authenticates the project bot' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities))
end
it 'successfully authenticates the project bot with a nil project' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: nil, ip: 'ip'))
expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: nil, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities))
end
end
context 'with invalid project access token' do
context 'when project bot is not a project member' do
it 'fails for a non-project member' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
shared_examples 'with an invalid access token' do
it 'fails for a non-member' do
expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
context 'when project bot user is blocked' do
......@@ -394,11 +385,60 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
end
it 'fails for a blocked project bot' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
end
end
context 'when using a personal namespace project access token' do
let_it_be(:project_bot_user) { create(:user, :project_bot) }
let_it_be(:access_token) { create(:personal_access_token, user: project_bot_user) }
context 'when the token belongs to the project' do
before do
project.add_maintainer(project_bot_user)
end
it_behaves_like 'with a valid access token'
end
it_behaves_like 'with an invalid access token'
end
context 'when using a group namespace project access token' do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, group: group) }
let_it_be(:project_bot_user) { create(:user, :project_bot) }
let_it_be(:access_token) { create(:personal_access_token, user: project_bot_user) }
context 'when the token belongs to the project' do
before do
project.add_maintainer(project_bot_user)
end
it_behaves_like 'with a valid access token'
end
it_behaves_like 'with an invalid access token'
end
context 'when using a group access token' do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, group: group) }
let_it_be(:project_bot_user) { create(:user, name: 'Group token bot', email: "group_#{group.id}_bot@example.com", username: "group_#{group.id}_bot", user_type: 'project_bot'.to_sym) }
let_it_be(:access_token) { create(:personal_access_token, user: project_bot_user) }
context 'when the token belongs to the group' do
before do
group.add_maintainer(project_bot_user)
end
it_behaves_like 'with a valid access token'
end
it_behaves_like 'with an invalid access token'
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7