Commit ca9d5265 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Add all sorts of checks on the Maven package API

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent ab8a23ed
...@@ -11,9 +11,29 @@ module API ...@@ -11,9 +11,29 @@ module API
content_type :sha1, 'text/plain' content_type :sha1, 'text/plain'
content_type :binary, 'application/octet-stream' content_type :binary, 'application/octet-stream'
before { authenticate_non_get! } before do
require_packages_enabled!
authenticate_non_get!
authorize_packages_feature!
end
helpers do helpers do
def require_packages_enabled!
not_found! unless Gitlab.config.packages.enabled
end
def authorize_packages_feature!
forbidden! unless user_project.feature_available?(:packages)
end
def authorize_can_read!
authorize!(:read_package, user_project)
end
def authorize_can_admin!
authorize!(:admin_package, user_project)
end
def extract_format(file_name) def extract_format(file_name)
name, _, format = file_name.rpartition('.') name, _, format = file_name.rpartition('.')
...@@ -37,7 +57,7 @@ module API ...@@ -37,7 +57,7 @@ module API
requires :file_name, type: String, desc: 'Package file name' requires :file_name, type: String, desc: 'Package file name'
end end
get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
unauthorized! unless can?(current_user, :read_package, user_project) authorize_can_read!
file_name, format = extract_format(params[:file_name]) file_name, format = extract_format(params[:file_name])
...@@ -64,8 +84,7 @@ module API ...@@ -64,8 +84,7 @@ module API
requires :file_name, type: String, desc: 'Package file name' requires :file_name, type: String, desc: 'Package file name'
end end
put ':id/packages/maven/*path/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do put ':id/packages/maven/*path/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
not_allowed! unless Gitlab.config.packages.enabled authorize_can_admin!
unauthorized! unless can?(current_user, :admin_package, user_project)
require_gitlab_workhorse! require_gitlab_workhorse!
Gitlab::Workhorse.verify_api_request!(headers) Gitlab::Workhorse.verify_api_request!(headers)
...@@ -90,8 +109,7 @@ module API ...@@ -90,8 +109,7 @@ module API
optional 'file.sha256', type: String, desc: %q(sha256 checksum of the file (generated by Workhorse)) optional 'file.sha256', type: String, desc: %q(sha256 checksum of the file (generated by Workhorse))
end end
put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
not_allowed! unless Gitlab.config.packages.enabled authorize_can_admin!
unauthorized! unless can?(current_user, :admin_package, user_project)
require_gitlab_workhorse! require_gitlab_workhorse!
......
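Review bot: The new `authorize_can_read!`/`authorize_can_admin!` helpers answer a failed permission check with the same status whether or not a user was identified — judging from the spec's 401→403 change, `authorize!` responds 403 — yet the `before` block only runs `authenticate_non_get!`, so an anonymous GET that reaches `authorize_can_read!` (a project readable anonymously whose packages are not) now gets 403 instead of the 401 that tells a Maven client to retry with credentials. Consider keeping 401 for the unauthenticated case, e.g. `return if can?(current_user, :read_package, user_project)` followed by `current_user ? forbidden! : unauthorized!`. The status choices in the other helpers also deserve a why-comment, since they are deliberate and differ: `# 404: hide the feature entirely when packages are disabled instance-wide` on `require_packages_enabled!`, and `# 403: the project is visible but its license tier lacks :packages` on `authorize_packages_feature!`. Note that `require_packages_enabled!` now returns 404 where the removed per-route checks returned `not_allowed!` (405); if that is intended, say so in the comment, since clients keying on the old status will see a different error.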
...@@ -11,6 +11,7 @@ describe API::MavenPackages do ...@@ -11,6 +11,7 @@ describe API::MavenPackages do
before do before do
project.add_developer(user) project.add_developer(user)
stub_licensed_features(packages: true)
end end
describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do
...@@ -52,7 +53,7 @@ describe API::MavenPackages do ...@@ -52,7 +53,7 @@ describe API::MavenPackages do
download_file_with_token(package_file_xml.file_name) download_file_with_token(package_file_xml.file_name)
expect(response).to have_gitlab_http_status(401) expect(response).to have_gitlab_http_status(403)
end end
it 'denies download when no private token' do it 'denies download when no private token' do
...@@ -62,6 +63,14 @@ describe API::MavenPackages do ...@@ -62,6 +63,14 @@ describe API::MavenPackages do
end end
end end
it 'rejects request if feature is not in the license' do
stub_licensed_features(packages: false)
download_file(package_file_xml.file_name)
expect(response).to have_gitlab_http_status(403)
end
def download_file(file_name, params = {}, request_headers = headers) def download_file(file_name, params = {}, request_headers = headers)
get api("/projects/#{project.id}/packages/maven/" \ get api("/projects/#{project.id}/packages/maven/" \
"#{maven_metadatum.path}/#{file_name}"), params, request_headers "#{maven_metadatum.path}/#{file_name}"), params, request_headers
...@@ -94,7 +103,7 @@ describe API::MavenPackages do ...@@ -94,7 +103,7 @@ describe API::MavenPackages do
authorize_upload_with_token authorize_upload_with_token
expect(response).to have_gitlab_http_status(401) expect(response).to have_gitlab_http_status(403)
end end
it 'rejects requests that did not go through gitlab-workhorse' do it 'rejects requests that did not go through gitlab-workhorse' do
...@@ -134,6 +143,14 @@ describe API::MavenPackages do ...@@ -134,6 +143,14 @@ describe API::MavenPackages do
expect(response).to have_gitlab_http_status(401) expect(response).to have_gitlab_http_status(401)
end end
it 'rejects request if feature is not in the license' do
stub_licensed_features(packages: false)
upload_file_with_token
expect(response).to have_gitlab_http_status(403)
end
context 'when params from workhorse are correct' do context 'when params from workhorse are correct' do
let(:package) { project.packages.reload.last } let(:package) { project.packages.reload.last }
let(:package_file) { package.package_files.reload.last } let(:package_file) { package.package_files.reload.last }
......
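Review bot: The two new "feature is not in the license" examples assert 403, but after this commit 403 is also the answer for insufficient permissions (see the 401→403 changes above), so a regression that dropped `authorize_packages_feature!` while leaving the permission check in place would still pass them — and the download variant calls `download_file` with no token, making it even less clear which check produced the 403. Tighten them by exercising the authenticated developer path (`download_file_with_token`) so the license check is the only remaining reason to be refused, and/or assert on the response body, e.g. `expect(json_response['message']).to eq('403 Forbidden')` if that is what `forbidden!` emits — please confirm against the helper. The visible hunks also add no example for the `before` block's `require_packages_enabled!` path, which now returns 404 where the removed per-route checks returned 405; a spec stubbing `Gitlab.config.packages.enabled` to false and expecting 404 would pin that new behavior for both the GET and PUT routes.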