Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
c4f56a88
Commit
c4f56a88
authored
Apr 05, 2018
by
Mayra Cabrera
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Increase test suite around deploy tokens behavior
Also, fixes broken specs
parent
a475411f
Changes
17
Hide whitespace changes
Inline
Side-by-side
Showing
17 changed files
with
144 additions
and
220 deletions
+144
-220
app/helpers/deploy_tokens_helper.rb
app/helpers/deploy_tokens_helper.rb
+5
-0
app/models/deploy_token.rb
app/models/deploy_token.rb
+1
-5
app/models/project_deploy_token.rb
app/models/project_deploy_token.rb
+0
-6
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+1
-1
app/views/projects/deploy_tokens/_form.html.haml
app/views/projects/deploy_tokens/_form.html.haml
+6
-5
doc/user/project/deploy_tokens/index.md
doc/user/project/deploy_tokens/index.md
+9
-5
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+3
-5
spec/controllers/projects/deploy_tokens_controller_spec.rb
spec/controllers/projects/deploy_tokens_controller_spec.rb
+0
-61
spec/controllers/projects/settings/repository_controller_spec.rb
...ntrollers/projects/settings/repository_controller_spec.rb
+1
-39
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+47
-43
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+46
-3
spec/lib/gitlab/import_export/all_models.yml
spec/lib/gitlab/import_export/all_models.yml
+4
-0
spec/models/deploy_token_spec.rb
spec/models/deploy_token_spec.rb
+20
-1
spec/policies/deploy_token_policy_spec.rb
spec/policies/deploy_token_policy_spec.rb
+1
-1
spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb
...senters/projects/settings/deploy_tokens_presenter_spec.rb
+0
-16
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+0
-1
spec/services/deploy_tokens/create_service_spec.rb
spec/services/deploy_tokens/create_service_spec.rb
+0
-28
No files found.
app/helpers/deploy_tokens_helper.rb
View file @
c4f56a88
...
@@ -4,4 +4,9 @@ module DeployTokensHelper
...
@@ -4,4 +4,9 @@ module DeployTokensHelper
deploy_token
.
errors
.
present?
||
deploy_token
.
errors
.
present?
||
Rails
.
env
.
test?
Rails
.
env
.
test?
end
end
def
container_registry_enabled?
Gitlab
.
config
.
registry
.
enabled
&&
can?
(
current_user
,
:read_container_image
,
@project
)
end
end
end
app/models/deploy_token.rb
View file @
c4f56a88
...
@@ -17,10 +17,6 @@ class DeployToken < ActiveRecord::Base
...
@@ -17,10 +17,6 @@ class DeployToken < ActiveRecord::Base
scope
:read_repository
,
->
{
where
(
read_repository:
true
)
}
scope
:read_repository
,
->
{
where
(
read_repository:
true
)
}
scope
:read_registry
,
->
{
where
(
read_registry:
true
)
}
scope
:read_registry
,
->
{
where
(
read_registry:
true
)
}
def
self
.
redis_shared_state_key
(
user_id
)
"gitlab:deploy_token:user_
#{
user_id
}
"
end
def
revoke!
def
revoke!
update!
(
revoked:
true
)
update!
(
revoked:
true
)
end
end
...
@@ -38,7 +34,7 @@ class DeployToken < ActiveRecord::Base
...
@@ -38,7 +34,7 @@ class DeployToken < ActiveRecord::Base
end
end
def
has_access_to?
(
requested_project
)
def
has_access_to?
(
requested_project
)
self
.
projects
.
firs
t
==
requested_project
projec
t
==
requested_project
end
end
def
project
def
project
...
...
app/models/project_deploy_token.rb
View file @
c4f56a88
...
@@ -5,10 +5,4 @@ class ProjectDeployToken < ActiveRecord::Base
...
@@ -5,10 +5,4 @@ class ProjectDeployToken < ActiveRecord::Base
validates
:deploy_token
,
presence:
true
validates
:deploy_token
,
presence:
true
validates
:project
,
presence:
true
validates
:project
,
presence:
true
validates
:deploy_token_id
,
uniqueness:
{
scope:
[
:project_id
]
}
validates
:deploy_token_id
,
uniqueness:
{
scope:
[
:project_id
]
}
accepts_nested_attributes_for
:deploy_token
def
redis_shared_state_key
(
user_id
)
"gitlab:deploy_token:
#{
project_id
}
:
#{
user_id
}
"
end
end
end
app/services/auth/container_registry_authentication_service.rb
View file @
c4f56a88
...
@@ -143,7 +143,7 @@ module Auth
...
@@ -143,7 +143,7 @@ module Auth
def
user_can_pull?
(
requested_project
)
def
user_can_pull?
(
requested_project
)
has_authentication_ability?
(
:read_container_image
)
&&
has_authentication_ability?
(
:read_container_image
)
&&
can
_user?
(
:read_container_image
,
requested_project
)
can
?
(
current_user
,
:read_container_image
,
requested_project
)
end
end
def
deploy_token_can_pull?
(
requested_project
)
def
deploy_token_can_pull?
(
requested_project
)
...
...
app/views/projects/deploy_tokens/_form.html.haml
View file @
c4f56a88
...
@@ -18,11 +18,12 @@
...
@@ -18,11 +18,12 @@
=
f
.
check_box
:read_repository
=
f
.
check_box
:read_repository
=
label_tag
(
"deploy_token_read_repository"
),
'read_repository'
=
label_tag
(
"deploy_token_read_repository"
),
'read_repository'
%span
=
s_
(
'DeployTokens|Allows read-only access to the repository'
)
%span
=
s_
(
'DeployTokens|Allows read-only access to the repository'
)
%fieldset
-
if
container_registry_enabled?
=
f
.
check_box
:read_registry
%fieldset
=
label_tag
(
"deploy_token_read_registry"
),
'read_registry'
=
f
.
check_box
:read_registry
%span
=
s_
(
'DeployTokens|Allows read-only access to the registry images'
)
=
label_tag
(
"deploy_token_read_registry"
),
'read_registry'
%span
=
s_
(
'DeployTokens|Allows read-only access to the registry images'
)
.prepend-top-default
.prepend-top-default
=
f
.
submit
s_
(
'DeployTokens|Create deploy token'
),
class:
'btn btn-success'
=
f
.
submit
s_
(
'DeployTokens|Create deploy token'
),
class:
'btn btn-success'
doc/user/project/deploy_tokens/index.md
View file @
c4f56a88
...
@@ -46,26 +46,30 @@ the following table.
...
@@ -46,26 +46,30 @@ the following table.
To download a repository using a Deploy Token, you just need to:
To download a repository using a Deploy Token, you just need to:
1.
Create a Deploy Token with
`read_repository`
as a scope.
1.
Create a Deploy Token with
`read_repository`
as a scope.
2.
`git clone`
the project using the Deploy Token:
2.
Take note of your
`username`
and
`token`
3.
`git clone`
the project using the Deploy Token:
```
bash
```
bash
git clone http://
oauth2
:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git
git clone http://
<username>
:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git
```
```
Just replace
`<
deploy_token>`
with your real token.
Just replace
`<
username>`
and
`<deploy_token>`
with the proper values
### Read container registry images
### Read container registry images
To read the container registry images, you'll need to:
To read the container registry images, you'll need to:
1.
Create a Deploy Token with
`read_registry`
as a scope.
1.
Create a Deploy Token with
`read_registry`
as a scope.
2.
Log in to GitLab’s Container Registry using the deploy token:
2.
Take note of your
`username`
and
`token`
3.
Log in to GitLab’s Container Registry using the deploy token:
```
```
docker login registry.example.com -u <username> -p <deploy_token>
docker login registry.example.com -u <username> -p <deploy_token>
```
```
Just replace
`<username>`
and
`<deploy_token>`
with the proper values.
Just replace
`<username>`
and
`<deploy_token>`
with the proper values. Then you can simply
pull images from your Container Registry.
[
ce-17894
]:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17894
[
ce-17894
]:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17894
[
ce-11845
]:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11845
[
ce-11845
]:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11845
...
...
lib/gitlab/auth.rb
View file @
c4f56a88
...
@@ -173,19 +173,17 @@ module Gitlab
...
@@ -173,19 +173,17 @@ module Gitlab
end
.
uniq
end
.
uniq
end
end
# Project is always sent when using read_scope,
# but is not sent when using read_registry scope
# (since jwt is not context aware of the project)
def
deploy_token_check
(
login
,
password
)
def
deploy_token_check
(
login
,
password
)
return
unless
password
.
present?
return
unless
password
.
present?
token
=
token
=
DeployToken
.
active
.
find_by
(
token:
password
)
DeployToken
.
active
.
find_by
(
token:
password
)
return
unless
token
return
unless
token
&&
login
return
unless
login
!=
"gitlab+deploy-token-
#{
token
.
id
}
"
return
if
login
!=
token
.
username
scopes
=
abilities_for_scopes
(
token
.
scopes
)
scopes
=
abilities_for_scopes
(
token
.
scopes
)
if
valid_scoped_token?
(
token
,
available_scopes
)
if
valid_scoped_token?
(
token
,
available_scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
scopes
)
end
end
...
...
spec/controllers/projects/deploy_tokens_controller_spec.rb
deleted
100644 → 0
View file @
a475411f
require
'spec_helper'
describe
Projects
::
DeployTokensController
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
let!
(
:member
)
{
project
.
add_master
(
user
)
}
before
do
sign_in
(
user
)
end
describe
'POST #create'
do
let
(
:deploy_token_params
)
{
attributes_for
(
:deploy_token
)
}
subject
do
post
:create
,
namespace_id:
project
.
namespace
,
project_id:
project
,
deploy_token:
deploy_token_params
end
context
'with valid params'
do
it
'should create a new DeployToken'
do
expect
{
subject
}.
to
change
(
DeployToken
,
:count
).
by
(
1
)
end
it
'should include a flash notice'
do
subject
expect
(
flash
[
:notice
]).
to
eq
(
'Your new project deploy token has been created.'
)
end
it
'should redirect to project settings repository'
do
subject
expect
(
response
).
to
redirect_to
project_settings_repository_path
(
project
)
end
end
context
'with invalid params'
do
let
(
:deploy_token_params
)
{
attributes_for
(
:deploy_token
,
scopes:
[])
}
it
'should not create a new DeployToken'
do
expect
{
subject
}.
not_to
change
(
DeployToken
,
:count
)
end
it
'should redirect to project settings repository'
do
subject
expect
(
response
).
to
redirect_to
project_settings_repository_path
(
project
)
end
end
context
'when user does not have enough permissions'
do
let!
(
:member
)
{
project
.
add_developer
(
user
)
}
it
'responds with status 404'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
end
end
spec/controllers/projects/settings/repository_controller_spec.rb
View file @
c4f56a88
require
'spec_helper'
require
'spec_helper'
describe
Projects
::
Settings
::
RepositoryController
,
:clean_gitlab_redis_shared_state
do
describe
Projects
::
Settings
::
RepositoryController
do
let
(
:project
)
{
create
(
:project_empty_repo
,
:public
)
}
let
(
:project
)
{
create
(
:project_empty_repo
,
:public
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
...
@@ -16,43 +16,5 @@ describe Projects::Settings::RepositoryController, :clean_gitlab_redis_shared_st
...
@@ -16,43 +16,5 @@ describe Projects::Settings::RepositoryController, :clean_gitlab_redis_shared_st
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
render_template
(
:show
)
expect
(
response
).
to
render_template
(
:show
)
end
end
context
'with no deploy token attributes present'
do
it
'should build an empty instance of DeployToken'
do
get
:show
,
namespace_id:
project
.
namespace
,
project_id:
project
deploy_token
=
assigns
(
:deploy_token
)
expect
(
deploy_token
).
to
be_an_instance_of
(
DeployToken
)
expect
(
deploy_token
.
name
).
to
be_nil
expect
(
deploy_token
.
expires_at
).
to
be_nil
expect
(
deploy_token
.
scopes
).
to
eq
([])
end
end
context
'with deploy token attributes present'
do
let
(
:deploy_token_key
)
{
"gitlab:deploy_token:
#{
project
.
id
}
:
#{
user
.
id
}
:attributes"
}
let
(
:deploy_token_attributes
)
do
{
name:
'test-token'
,
expires_at:
Date
.
today
+
1
.
month
}
end
before
do
Gitlab
::
Redis
::
SharedState
.
with
do
|
redis
|
redis
.
set
(
deploy_token_key
,
deploy_token_attributes
.
to_json
)
end
get
:show
,
namespace_id:
project
.
namespace
,
project_id:
project
end
it
'should build an instance of DeployToken'
do
deploy_token
=
assigns
(
:deploy_token
)
expect
(
deploy_token
).
to
be_an_instance_of
(
DeployToken
)
expect
(
deploy_token
.
name
).
to
eq
(
deploy_token_attributes
[
:name
])
expect
(
deploy_token
.
expires_at
.
to_date
).
to
eq
(
deploy_token_attributes
[
:expires_at
].
to_date
)
end
end
end
end
end
end
spec/lib/gitlab/auth_spec.rb
View file @
c4f56a88
...
@@ -195,7 +195,7 @@ describe Gitlab::Auth do
...
@@ -195,7 +195,7 @@ describe Gitlab::Auth do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_registry'
])
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_registry'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[
:
read_project
,
:build_download_code
,
:
build_read_container_image
]))
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[
:build_read_container_image
]))
end
end
end
end
...
@@ -262,25 +262,38 @@ describe Gitlab::Auth do
...
@@ -262,25 +262,38 @@ describe Gitlab::Auth do
context
'when the deploy token has read_repository as scope'
do
context
'when the deploy token has read_repository as scope'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
read_registry:
false
,
projects:
[
project
])
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
read_registry:
false
,
projects:
[
project
])
}
let
(
:login
)
{
deploy_token
.
username
}
it
'succeeds when project is present, token is valid and has read_repository as scope'
do
it
'succeeds when login and token are valid'
do
abilities
=
%i(download_code)
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
[
:download_code
])
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
abilities
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_success
)
.
to
eq
(
auth_success
)
end
end
it
'fails when login is not valid'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
'random_login'
)
expect
(
gl_auth
.
find_for_git_client
(
'random_login'
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails when token is not valid'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
login
,
'123123'
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token is nil'
do
it
'fails if token is nil'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
nil
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
nil
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
it
'fails if token is not related to project'
do
it
'fails if token is not related to project'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
another_deploy_token
=
create
(
:deploy_token
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
'abcdef'
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
login
,
another_deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
...
@@ -296,30 +309,42 @@ describe Gitlab::Auth do
...
@@ -296,30 +309,42 @@ describe Gitlab::Auth do
context
'when the deploy token has read_registry as a scope'
do
context
'when the deploy token has read_registry as a scope'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
read_repository:
false
,
projects:
[
project
])
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
read_repository:
false
,
projects:
[
project
])
}
let
(
:login
)
{
deploy_token
.
username
}
context
'when registry enabled'
do
context
'when registry enabled'
do
before
do
before
do
stub_container_registry_config
(
enabled:
true
)
stub_container_registry_config
(
enabled:
true
)
end
end
it
'succeeds if deploy token does have read_registry as scope'
do
it
'succeeds when login and token are valid'
do
abilities
=
%i(read_project build_download_code build_read_container_image)
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
[
:build_read_container_image
])
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
abilities
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
nil
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
deploy_token
.
token
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_success
)
.
to
eq
(
auth_success
)
end
end
it
'fails when login is not valid'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
'random_login'
)
expect
(
gl_auth
.
find_for_git_client
(
'random_login'
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails when token is not valid'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
login
,
'123123'
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token is nil'
do
it
'fails if token is nil'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
nil
,
project:
nil
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
nil
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
it
'fails if token is not related to project'
do
it
'fails if token is not related to project'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
'abcdef'
,
project:
nil
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
'abcdef'
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
...
@@ -338,30 +363,9 @@ describe Gitlab::Auth do
...
@@ -338,30 +363,9 @@ describe Gitlab::Auth do
stub_container_registry_config
(
enabled:
false
)
stub_container_registry_config
(
enabled:
false
)
end
end
it
'fails if deploy token have read_registry as scope'
do
it
'fails when login and token are valid'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
login
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
nil
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
login
,
deploy_token
.
token
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token is nil'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
nil
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token is not related to project'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
'abcdef'
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token has been revoked'
do
deploy_token
.
revoke!
expect
(
deploy_token
.
revoked?
).
to
be_truthy
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
'deploy-token'
)
expect
(
gl_auth
.
find_for_git_client
(
'deploy-token'
,
deploy_token
.
token
,
project:
nil
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
end
end
...
...
spec/lib/gitlab/git_access_spec.rb
View file @
c4f56a88
...
@@ -147,21 +147,29 @@ describe Gitlab::GitAccess do
...
@@ -147,21 +147,29 @@ describe Gitlab::GitAccess do
end
end
context
'when actor is DeployToken'
do
context
'when actor is DeployToken'
do
let
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
project:
project
)
}
let
(
:actor
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
let
(
:actor
)
{
project_deploy_token
.
deploy_token
}
context
'when DeployToken is active and belongs to project'
do
context
'when DeployToken is active and belongs to project'
do
it
'allows pull access'
do
it
'allows pull access'
do
expect
{
pull_access_check
}.
not_to
raise_error
expect
{
pull_access_check
}.
not_to
raise_error
end
end
it
'blocks the push'
do
expect
{
push_access_check
}.
to
raise_unauthorized
(
described_class
::
ERROR_MESSAGES
[
:upload
])
end
end
end
context
'when DeployToken does not belong to project'
do
context
'when DeployToken does not belong to project'
do
let
(
:actor
)
{
create
(
:deploy_token
)
}
let
(
:another_project
)
{
create
(
:project
)
}
let
(
:actor
)
{
create
(
:deploy_token
,
projects:
[
another_project
])
}
it
'blocks pull access'
do
it
'blocks pull access'
do
expect
{
pull_access_check
}.
to
raise_not_found
expect
{
pull_access_check
}.
to
raise_not_found
end
end
it
'blocks the push'
do
expect
{
push_access_check
}.
to
raise_not_found
end
end
end
end
end
end
end
...
@@ -613,6 +621,41 @@ describe Gitlab::GitAccess do
...
@@ -613,6 +621,41 @@ describe Gitlab::GitAccess do
end
end
end
end
describe
'deploy token permissions'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
)
}
let
(
:actor
)
{
deploy_token
}
context
'pull code'
do
context
'when project is authorized'
do
before
do
deploy_token
.
projects
<<
project
end
it
{
expect
{
pull_access_check
}.
not_to
raise_error
}
end
context
'when unauthorized'
do
context
'from public project'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
it
{
expect
{
pull_access_check
}.
not_to
raise_error
}
end
context
'from internal project'
do
let
(
:project
)
{
create
(
:project
,
:internal
,
:repository
)
}
it
{
expect
{
pull_access_check
}.
to
raise_not_found
}
end
context
'from private project'
do
let
(
:project
)
{
create
(
:project
,
:private
,
:repository
)
}
it
{
expect
{
pull_access_check
}.
to
raise_not_found
}
end
end
end
end
describe
'build authentication_abilities permissions'
do
describe
'build authentication_abilities permissions'
do
let
(
:authentication_abilities
)
{
build_authentication_abilities
}
let
(
:authentication_abilities
)
{
build_authentication_abilities
}
...
...
spec/lib/gitlab/import_export/all_models.yml
View file @
c4f56a88
...
@@ -145,6 +145,9 @@ pipeline_schedule:
...
@@ -145,6 +145,9 @@ pipeline_schedule:
-
pipelines
-
pipelines
pipeline_schedule_variables
:
pipeline_schedule_variables
:
-
pipeline_schedule
-
pipeline_schedule
deploy_tokens
:
-
project_deploy_tokens
-
projects
deploy_keys
:
deploy_keys
:
-
user
-
user
-
deploy_keys_projects
-
deploy_keys_projects
...
@@ -281,6 +284,7 @@ project:
...
@@ -281,6 +284,7 @@ project:
-
project_badges
-
project_badges
-
source_of_merge_requests
-
source_of_merge_requests
-
internal_ids
-
internal_ids
-
project_deploy_tokens
-
deploy_tokens
-
deploy_tokens
award_emoji
:
award_emoji
:
-
awardable
-
awardable
...
...
spec/models/deploy_token_spec.rb
View file @
c4f56a88
...
@@ -70,8 +70,27 @@ describe DeployToken do
...
@@ -70,8 +70,27 @@ describe DeployToken do
end
end
describe
'#username'
do
describe
'#username'
do
it
'returns
Ghost
username'
do
it
'returns
a harcoded
username'
do
expect
(
deploy_token
.
username
).
to
eq
(
"gitlab+deploy-token-
#{
deploy_token
.
id
}
"
)
expect
(
deploy_token
.
username
).
to
eq
(
"gitlab+deploy-token-
#{
deploy_token
.
id
}
"
)
end
end
end
end
describe
'#has_access_to?'
do
let
(
:project
)
{
create
(
:project
)
}
subject
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
context
'when the deploy token has access to the project'
do
it
'should return true'
do
expect
(
deploy_token
.
has_access_to?
(
project
)).
to
be_truthy
end
end
context
'when the deploy token does not have access to the project'
do
it
'should return false'
do
another_project
=
create
(
:project
)
expect
(
deploy_token
.
has_access_to?
(
another_project
)).
to
be_falsy
end
end
end
end
end
spec/policies/deploy_token_policy_spec.rb
View file @
c4f56a88
...
@@ -3,7 +3,7 @@ require 'spec_helper'
...
@@ -3,7 +3,7 @@ require 'spec_helper'
describe
DeployTokenPolicy
do
describe
DeployTokenPolicy
do
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
project
:
project
)
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
project
s:
[
project
]
)
}
subject
{
described_class
.
new
(
current_user
,
deploy_token
)
}
subject
{
described_class
.
new
(
current_user
,
deploy_token
)
}
...
...
spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb
View file @
c4f56a88
...
@@ -13,20 +13,4 @@ describe Projects::Settings::DeployTokensPresenter do
...
@@ -13,20 +13,4 @@ describe Projects::Settings::DeployTokensPresenter do
expect
(
presenter
.
length
).
to
eq
(
3
)
expect
(
presenter
.
length
).
to
eq
(
3
)
end
end
end
end
describe
'#temporal_token'
do
context
'when a deploy token has been created recently'
do
it
'returns the token of the deploy'
do
deploy_token
=
::
DeployTokens
::
CreateService
.
new
(
project
,
user
,
attributes_for
(
:deploy_token
)).
execute
expect
(
presenter
.
temporal_token
).
to
eq
(
deploy_token
.
token
)
end
end
context
'when a deploy token has not been created recently'
do
it
'does returns nil'
do
expect
(
presenter
.
temporal_token
).
to
be_nil
end
end
end
end
end
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
c4f56a88
...
@@ -558,7 +558,6 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -558,7 +558,6 @@ describe Auth::ContainerRegistryAuthenticationService do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
context
'when pulling and pushing'
do
context
'when pulling and pushing'
do
let
(
:current_user
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
let
(
:current_params
)
do
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
full_path
}
:pull,push"
}
{
scope:
"repository:
#{
project
.
full_path
}
:pull,push"
}
end
end
...
...
spec/services/deploy_tokens/create_service_spec.rb
View file @
c4f56a88
...
@@ -20,20 +20,6 @@ describe DeployTokens::CreateService, :clean_gitlab_redis_shared_state do
...
@@ -20,20 +20,6 @@ describe DeployTokens::CreateService, :clean_gitlab_redis_shared_state do
it
'returns a DeployToken'
do
it
'returns a DeployToken'
do
expect
(
subject
).
to
be_an_instance_of
DeployToken
expect
(
subject
).
to
be_an_instance_of
DeployToken
end
end
it
'should store the token on redis'
do
redis_key
=
DeployToken
.
redis_shared_state_key
(
user
.
id
)
subject
expect
(
Gitlab
::
Redis
::
SharedState
.
with
{
|
redis
|
redis
.
get
(
redis_key
)
}).
not_to
be_nil
end
it
'should not store deploy token attributes on redis'
do
redis_key
=
DeployToken
.
redis_shared_state_key
(
user
.
id
)
+
":attributes"
subject
expect
(
Gitlab
::
Redis
::
SharedState
.
with
{
|
redis
|
redis
.
get
(
redis_key
)
}).
to
be_nil
end
end
end
context
'when the deploy token is invalid'
do
context
'when the deploy token is invalid'
do
...
@@ -46,20 +32,6 @@ describe DeployTokens::CreateService, :clean_gitlab_redis_shared_state do
...
@@ -46,20 +32,6 @@ describe DeployTokens::CreateService, :clean_gitlab_redis_shared_state do
it
'should not create a new ProjectDeployToken'
do
it
'should not create a new ProjectDeployToken'
do
expect
{
subject
}.
not_to
change
{
ProjectDeployToken
.
count
}
expect
{
subject
}.
not_to
change
{
ProjectDeployToken
.
count
}
end
end
it
'should not store the token on redis'
do
redis_key
=
DeployToken
.
redis_shared_state_key
(
user
.
id
)
subject
expect
(
Gitlab
::
Redis
::
SharedState
.
with
{
|
redis
|
redis
.
get
(
redis_key
)
}).
to
be_nil
end
it
'should store deploy token attributes on redis'
do
redis_key
=
DeployToken
.
redis_shared_state_key
(
user
.
id
)
+
":attributes"
subject
expect
(
Gitlab
::
Redis
::
SharedState
.
with
{
|
redis
|
redis
.
get
(
redis_key
)
}).
not_to
be_nil
end
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment