1. 16 Dec, 2016 23 commits
    • Timothy Andrew's avatar
      Implement review comments from @dbalexandre. · 0b01f700
      Timothy Andrew authored
      - Don't define "allowed environment variables" in two places.
      - Dispatch to different arities of `Popen.open` without an if/else block.
      - Use `described_class` instead of explicitly stating the class name within a
      - spec.
      - Remove `git_environment_variables_validator_spec` and keep the validation inline.
      0b01f700
    • Timothy Andrew's avatar
      Add CHANGELOG entry. · f6ad0a94
      Timothy Andrew authored
      f6ad0a94
    • Timothy Andrew's avatar
      Check the exit code while invoking git in the force push check. · 5976007b
      Timothy Andrew authored
      Previously, we were calling out to `popen` without asserting on the returned
      exit-code. Now we raise a `RuntimeError` if the exit code is non-zero.
      5976007b
    • Timothy Andrew's avatar
      Validate environment variables in `Gitlab::Git::RevList` · ca928ada
      Timothy Andrew authored
      The list of environment variables in `Gitlab::Git::RevList` need to be validate
      to make sure that they don't reference any other project on disk.
      
      This commit mixes in `ActiveModel::Validations` into `Gitlab::Git::RevList`, and
      validates that the environment variables are on the level (using a custom
      validator class). If the validations fail, the force push is still executed
      without any environment variables set.
      
      Add specs for the validation using shared examples.
      ca928ada
    • Timothy Andrew's avatar
      Accept environment variables from the `pre-receive` script. · de9c758f
      Timothy Andrew authored
      1. Starting version 2.11, git changed the way the pre-receive flow works.
      
        - Previously, the new potential objects would be added to the main repo. If the
          pre-receive passes, the new objects stay in the repo but are linked up. If
          the pre-receive fails, the new objects stay orphaned in the repo, and are
          cleaned up during the next `git gc`.
      
        - In 2.11, the new potential objects are added to a temporary "alternate object
          directory", that git creates for this purpose. If the pre-receive passes, the
          objects from the alternate object directory are migrated to the main repo. If
          the pre-receive fails the alternate object directory is simply deleted.
      
      2. In our workflow, the pre-recieve script (in `gitlab-shell) calls the
         `/allowed` endpoint, which calls out directly to git to perform
         various checks. These direct calls to git do _not_ have the necessary
         environment variables set which allow access to the "alternate object
         directory" (explained above). Therefore these calls to git are not able to
         access any of the new potential objects to be added during this push.
      
      3. We fix this by accepting the relevant environment variables
         (GIT_ALTERNATE_OBJECT_DIRECTORIES, GIT_OBJECT_DIRECTORY) on the
         `/allowed` endpoint, and then include these environment variables while
         calling out to git.
      
      4. This commit includes (whitelisted) these environment variables while making
         the "force push" check. A `Gitlab::Git::RevList` module is extracted to
         prevent `ForcePush` from being littered with these checks.
      de9c758f
    • Rémy Coutable's avatar
      Merge branch '20492-access-token-scopes-ee' into 'master' · 4c7aaa0f
      Rémy Coutable authored
      EE: Resolve "Add a doorkeeper scope suitable for authentication"
      
      - EE counterpart for gitlab-org/gitlab-ce!5951
      - Related to gitlab-org/gitlab-ce#20492
      
      See merge request !946
      4c7aaa0f
    • Nick Thomas's avatar
      Merge branch 'jej-fix-pages-administration-reconfigure-link' into 'master' · aa2c0d14
      Nick Thomas authored
      Fix reconfigure link on doc/pages/administration.md
      
      The link had an extra `../` in it and wasn't working on https://docs.gitlab.com/ee/pages/administration.html#nginx-configuration
      
      See merge request !967
      aa2c0d14
    • Timothy Andrew's avatar
      EE-specific changes related to gitlab-org/gitlab-ce!5951. · ea032a52
      Timothy Andrew authored
      The CE merge request renamed the `Oauth2::AccessTokenValidationService` and
      converted it from a module to a class. There are two invocations of this
      module/class that are EE-only, which needed to be updated.
      ea032a52
    • Timothy Andrew's avatar
      Make `ChangePersonalAccessTokensDefaultBackToEmptyArray` a "post" migration. · 9be9072d
      Timothy Andrew authored
      If we leave this as a regular migration, we could have the following flow:
      
      1. Application knows nothing about scopes.
      2. First migration runs, all existing personal access tokens have `api` scope
      3. Application still knows nothing about scopes.
      4. Second migration runs, all tokens created after this point have no scope
      5. Application still knows nothing about scopes.
      6. Tokens created at this time _should have the API scope, but instead have no scope_
      7. Application code is reloaded, application knows about scopes
      8. Tokens created after this point only have no scope if the user deliberately
         chooses to have no scopes.
      
      Point #6 is the problem here. To avoid this, we move the second migration to a
      "post" migration, which runs after the application code is deployed/reloaded.
      9be9072d
    • Timothy Andrew's avatar
      Rename the `token_has_scope?` method. · 6a62e6db
      Timothy Andrew authored
      `valid_api_token?` is a better name. Scopes are just (potentially) one facet of
      a "valid" token.
      6a62e6db
    • Timothy Andrew's avatar
      Convert AccessTokenValidationService into a class. · b61a4282
      Timothy Andrew authored
      - Previously, AccessTokenValidationService was a module, and all its  public
      methods accepted a token. It makes sense to convert it to a class which accepts
      a token during initialization.
      
      - Also rename the `sufficient_scope?` method to `include_any_scope?`
      
      - Based on feedback from @rymai
      b61a4282
    • Timothy Andrew's avatar
      View-related (and other minor) changes to !5951 based on @rymai's review. · 63d01af4
      Timothy Andrew authored
      - The `scopes_form` partial can be used in the `admin/applications` view
        as well
      
      - Don't allow partials to access instance variables directly. Instead, pass
        in the instance variables as local variables, and use `local_assigns.fetch`
        to assert that the variables are passed in as expected.
      
      - Change a few instances of `render :partial` to `render`
      
      - Remove an instance of `required: false` in a view, since this is the default
      
      - Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
      63d01af4
    • Timothy Andrew's avatar
      Add a controller spec for personal access tokens. · ef753965
      Timothy Andrew authored
      Split the existing feature spec into both feature and controller specs.
      Feature specs assert on browser DOM, and controller specs assert on database
      state.
      ef753965
    • Timothy Andrew's avatar
      Modify `ApiHelpers` spec to adhere to the Four-Phase test style. · 7ea04156
      Timothy Andrew authored
      - Use whitespace to separate the setup, expectation and teardown phases.
      7ea04156
    • Timothy Andrew's avatar
      Refactor access token validation in `Gitlab::Auth` · 38c0cbcc
      Timothy Andrew authored
      - Based on @dbalexandre's review
      - Extract token validity conditions into two separate methods, for
        personal access tokens and OAuth tokens.
      38c0cbcc
    • Timothy Andrew's avatar
      Move the scopes form/list view into a partial. · 4c1858c1
      Timothy Andrew authored
      - The list of scopes that's displayed while creating a personal access
        token is identical to the list that's displayed while creating an OAuth
        application. Extract these into a partial.
      
      - The list of scopes that's displayed while in the show page for an OAuth token
        in the profile settings and admin settings are identical. Extract these into
        a partial.
      4c1858c1
    • Timothy Andrew's avatar
      Implement minor changes from @dbalexandre's review. · 07f5be6b
      Timothy Andrew authored
      - Mainly whitespace changes.
      
      - Require the migration adding the `scope` column to the
        `personal_access_tokens` table to have downtime, since API calls will
        fail if the new code is in place, but the migration hasn't run.
      
      - Minor refactoring - load `@scopes` in a `before_action`, since we're
        doing it in three different places.
      07f5be6b
    • Timothy Andrew's avatar
      Update CHANGELOG · c400cae3
      Timothy Andrew authored
      c400cae3
    • Timothy Andrew's avatar
      Validate access token scopes in `Gitlab::Auth` · f7c27fd8
      Timothy Andrew authored
      - This module is used for git-over-http, as well as JWT.
      
      - The only valid scope here is `api`, currently.
      f7c27fd8
    • Timothy Andrew's avatar
      Calls to the API are checked for scope. · 184b923f
      Timothy Andrew authored
      - Move the `Oauth2::AccessTokenValidationService` class to
        `AccessTokenValidationService`, since it is now being used for
        personal access token validation as well.
      
      - Each API endpoint declares the scopes it accepts (if any). Currently,
        the top level API module declares the `api` scope, and the `Users` API
        module declares the `read_user` scope (for GET requests).
      
      - Move the `find_user_by_private_token` from the API `Helpers` module to
        the `APIGuard` module, to avoid littering `Helpers` with more
        auth-related methods to support `find_user_by_private_token`
      184b923f
    • Timothy Andrew's avatar
    • Timothy Andrew's avatar
    • Rémy Coutable's avatar
      API: Memoize the current_user so that the sudo can work properly · ca69c725
      Rémy Coutable authored
      The issue was arising when `#current_user` was called a second time
      after a user was impersonated: the `User#is_admin?` check would be
      performed on it and it would fail.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      ca69c725
  2. 15 Dec, 2016 9 commits
  3. 14 Dec, 2016 8 commits