fix: allow bot account to clone through http (#219551)

a72c4b7a · Philippe Vienne · Imre Farkas · 3027ba6f · a72c4b7a · a72c4b7a
Commit a72c4b7a authored Sep 16, 2020 by Philippe Vienne Committed by Imre Farkas Sep 16, 2020
3 changed files
--- a/changelogs/unreleased/fix-219551_project_token_http.yml
+++ b/changelogs/unreleased/fix-219551_project_token_http.yml
+---
+title: allow project bot account to clone through http
+merge_request: 40635
+author: Philippe Vienne @PhilippeVienne
+type: fixed
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -50,7 +50,7 @@ module Gitlab
          build_access_token_check(login, password) ||
          lfs_token_check(login, password, project) ||
          oauth_access_token_check(login, password) ||
-          personal_access_token_check(password) ||
+          personal_access_token_check(password, project) ||
          deploy_token_check(login, password, project) ||
          user_with_password_for_git(login, password) ||
          Gitlab::Auth::Result.new
@@ -189,12 +189,18 @@ module Gitlab
        end
      end

-      def personal_access_token_check(password)
+      def personal_access_token_check(password, project)
        return unless password.present?

        token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)

-        if token && valid_scoped_token?(token, all_available_scopes) && token.user.can?(:log_in)
+        return unless token
+
+        return if project && token.user.project_bot? && !project.bots.include?(token.user)
+
+        return unless valid_scoped_token?(token, all_available_scopes)
+
+        if token.user.project_bot? || token.user.can?(:log_in)
          Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
        end
      end

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -358,6 +358,29 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
          .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
        end
      end
+
+      context 'when using a project access token' do
+        let_it_be(:project_bot_user) { create(:user, :project_bot) }
+        let_it_be(:project_access_token) { create(:personal_access_token, user: project_bot_user) }
+
+        context 'with valid project access token' do
+          before_all do
+            project.add_maintainer(project_bot_user)
+          end
+
+          it 'succeeds' do
+            expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
+              .to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities))
+          end
+        end
+
+        context 'with invalid project access token' do
+          it 'fails' do
+            expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
+              .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+          end
+        end
+      end
    end

    context 'while using regular user and password' do