Commit 2bdf08e7 authored by Ash McKenzie's avatar Ash McKenzie

Merge remote-tracking branch 'origin/master' into ash.mckenzie/srp-refactor

parents a686b9a0 e3fead94
v8.0.0
- SSH certificate support (!207)
v7.2.0 v7.2.0
- Update gitaly-proto to 0.109.0 (!216) - Update gitaly-proto to 0.109.0 (!216)
......
...@@ -5,19 +5,19 @@ unless ENV['SSH_CONNECTION'] ...@@ -5,19 +5,19 @@ unless ENV['SSH_CONNECTION']
exit exit
end end
key_str = /key-[0-9]+/.match(ARGV.join).to_s
original_cmd = ENV.delete('SSH_ORIGINAL_COMMAND') original_cmd = ENV.delete('SSH_ORIGINAL_COMMAND')
require_relative '../lib/gitlab_init' require_relative '../lib/gitlab_init'
# #
# #
# GitLab shell, invoked from ~/.ssh/authorized_keys # GitLab shell, invoked from ~/.ssh/authorized_keys or from an
# AuthorizedPrincipalsCommand in the key-less SSH CERT mode.
# #
# #
require File.join(ROOT_PATH, 'lib', 'gitlab_shell') require File.join(ROOT_PATH, 'lib', 'gitlab_shell')
if GitlabShell.new(key_str).exec(original_cmd) if GitlabShell.new(ARGV.join).exec(original_cmd)
exit 0 exit 0
else else
exit 1 exit 1
......
#!/usr/bin/env ruby
#
# GitLab shell authorized principals helper. Emits the same sort of
# command="..." line as gitlab-shell-authorized-principals-check, with
# the right options.
#
# Ex.
# bin/gitlab-shell-authorized-keys-check <key-id> <principal1> [<principal2>...]
#
# Returns one line per principal passed in, e.g.:
# command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL}
# [command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL2}]
#
# Expects to be called by the SSH daemon, via configuration like:
# AuthorizedPrincipalsCommandUser root
# AuthorizedPrincipalsCommand /bin/gitlab-shell-authorized-principals-check git %i sshUsers
abort "# Wrong number of arguments. #{ARGV.size}. Usage:
# gitlab-shell-authorized-principals-check <key-id> <principal1> [<principal2>...]" unless ARGV.size >= 2
key_id = ARGV[0]
abort '# No key_id provided' if key_id.nil? || key_id == ''
principals = ARGV[1..-1]
principals.each { |principal|
abort '# An invalid principal was provided' if principal.nil? || principal == ''
}
require_relative '../lib/gitlab_init'
require_relative '../lib/gitlab_net'
require_relative '../lib/gitlab_keys'
principals.each { |principal|
puts GitlabKeys.principal_line("username-#{key_id}", principal.dup)
}
...@@ -3,8 +3,8 @@ require_relative '../gitlab_logger' ...@@ -3,8 +3,8 @@ require_relative '../gitlab_logger'
module Action module Action
class API2FARecovery < Base class API2FARecovery < Base
def initialize(key) def initialize(actor)
@key = key @actor = actor
end end
def execute(_, _) def execute(_, _)
...@@ -13,7 +13,7 @@ module Action ...@@ -13,7 +13,7 @@ module Action
private private
attr_reader :key attr_reader :actor
def continue?(question) def continue?(question)
puts "#{question} (yes/no)" puts "#{question} (yes/no)"
...@@ -34,10 +34,10 @@ module Action ...@@ -34,10 +34,10 @@ module Action
return return
end end
resp = api.two_factor_recovery_codes(key.key_id) resp = api.two_factor_recovery_codes(self)
if resp['success'] if resp['success']
codes = resp['recovery_codes'].join("\n") codes = resp['recovery_codes'].join("\n")
$logger.info('API 2FA recovery success', user: key.log_username) $logger.info('API 2FA recovery success', user: actor.log_username)
puts "Your two-factor authentication recovery codes are:\n\n" \ puts "Your two-factor authentication recovery codes are:\n\n" \
"#{codes}\n\n" \ "#{codes}\n\n" \
"During sign in, use one of the codes above when prompted for\n" \ "During sign in, use one of the codes above when prompted for\n" \
...@@ -45,7 +45,7 @@ module Action ...@@ -45,7 +45,7 @@ module Action
"a new device so you do not lose access to your account again." "a new device so you do not lose access to your account again."
true true
else else
$logger.info('API 2FA recovery error', user: key.log_username) $logger.info('API 2FA recovery error', user: actor.log_username)
puts "An error occurred while trying to generate new recovery codes.\n" \ puts "An error occurred while trying to generate new recovery codes.\n" \
"#{resp['message']}" "#{resp['message']}"
end end
......
...@@ -3,15 +3,15 @@ require_relative '../gitlab_logger' ...@@ -3,15 +3,15 @@ require_relative '../gitlab_logger'
module Action module Action
class GitLFSAuthenticate < Base class GitLFSAuthenticate < Base
def initialize(key, repo_name) def initialize(actor, repo_name)
@key = key @actor = actor
@repo_name = repo_name @repo_name = repo_name
end end
def execute(_, _) def execute(_, _)
GitlabMetrics.measure('lfs-authenticate') do GitlabMetrics.measure('lfs-authenticate') do
$logger.info('Processing LFS authentication', user: key.log_username) $logger.info('Processing LFS authentication', user: actor.log_username)
lfs_access = api.lfs_authenticate(key.key_id, repo_name) lfs_access = api.lfs_authenticate(self, repo_name)
return unless lfs_access return unless lfs_access
puts lfs_access.authentication_payload puts lfs_access.authentication_payload
...@@ -21,6 +21,6 @@ module Action ...@@ -21,6 +21,6 @@ module Action
private private
attr_reader :key, :repo_name attr_reader :actor, :repo_name
end end
end end
require_relative 'actor/base' require_relative 'actor/base'
require_relative 'actor/key' require_relative 'actor/key'
require_relative 'actor/user' require_relative 'actor/user'
require_relative 'actor/username'
module Actor module Actor
class UnsupportedActorError < StandardError; end class UnsupportedActorError < StandardError; end
...@@ -11,6 +12,8 @@ module Actor ...@@ -11,6 +12,8 @@ module Actor
Key.from(str, audit_usernames: audit_usernames) Key.from(str, audit_usernames: audit_usernames)
when User.id_regex when User.id_regex
User.from(str, audit_usernames: audit_usernames) User.from(str, audit_usernames: audit_usernames)
when Username.id_regex
Username.from(str, audit_usernames: audit_usernames)
else else
raise UnsupportedActorError raise UnsupportedActorError
end end
......
...@@ -31,6 +31,10 @@ module Actor ...@@ -31,6 +31,10 @@ module Actor
"#{self.class.identifier_prefix}-#{id}" "#{self.class.identifier_prefix}-#{id}"
end end
def identifier_key
self.class.identifier_key
end
def log_username def log_username
audit_usernames? ? username : "#{klass_name.downcase} with identifier #{identifier}" audit_usernames? ? username : "#{klass_name.downcase} with identifier #{identifier}"
end end
......
...@@ -21,7 +21,7 @@ module Actor ...@@ -21,7 +21,7 @@ module Actor
def username def username
@username ||= begin @username ||= begin
user = GitlabNet.new.discover(key_id) user = GitlabNet.new.discover(self)
user ? "@#{user['username']}" : ANONYMOUS_USER user ? "@#{user['username']}" : ANONYMOUS_USER
end end
end end
......
require_relative 'base'
module Actor
class Username < Base
alias username identifier
def self.identifier_prefix
'username'.freeze
end
def self.identifier_key
'username'.freeze
end
def self.id_regex
/\Ausername\-\d+\Z/
end
end
end
...@@ -9,12 +9,20 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength ...@@ -9,12 +9,20 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
attr_accessor :auth_file, :key attr_accessor :auth_file, :key
def self.command(key_id) def self.command(whatever)
"#{ROOT_PATH}/bin/gitlab-shell #{whatever}"
end
def self.command_key(key_id)
unless /\A[a-z0-9-]+\z/ =~ key_id unless /\A[a-z0-9-]+\z/ =~ key_id
raise KeyError, "Invalid key_id: #{key_id.inspect}" raise KeyError, "Invalid key_id: #{key_id.inspect}"
end end
"#{ROOT_PATH}/bin/gitlab-shell #{key_id}" command(key_id)
end
def self.whatever_line(command, trailer)
"command=\"#{command}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{trailer}"
end end
def self.key_line(key_id, public_key) def self.key_line(key_id, public_key)
...@@ -24,7 +32,17 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength ...@@ -24,7 +32,17 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
raise KeyError, "Invalid public_key: #{public_key.inspect}" raise KeyError, "Invalid public_key: #{public_key.inspect}"
end end
"command=\"#{command(key_id)}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{public_key}" whatever_line(command_key(key_id), public_key)
end
def self.principal_line(username_key_id, principal)
principal.chomp!
if principal.include?("\n")
raise KeyError, "Invalid principal: #{principal.inspect}"
end
whatever_line(command_key(username_key_id), principal)
end end
def initialize def initialize
...@@ -119,7 +137,7 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength ...@@ -119,7 +137,7 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
$logger.info('Removing key', key_id: @key_id) $logger.info('Removing key', key_id: @key_id)
open_auth_file('r+') do |f| open_auth_file('r+') do |f|
while line = f.gets # rubocop:disable Style/AssignmentInCondition while line = f.gets # rubocop:disable Style/AssignmentInCondition
next unless line.start_with?("command=\"#{self.class.command(@key_id)}\"") next unless line.start_with?("command=\"#{self.class.command_key(@key_id)}\"")
f.seek(-line.length, IO::SEEK_CUR) f.seek(-line.length, IO::SEEK_CUR)
# Overwrite the line with #'s. Because the 'line' variable contains # Overwrite the line with #'s. Because the 'line' variable contains
# a terminating '\n', we write line.length - 1 '#' characters. # a terminating '\n', we write line.length - 1 '#' characters.
......
...@@ -26,22 +26,24 @@ class GitlabNet ...@@ -26,22 +26,24 @@ class GitlabNet
env: env env: env
} }
params[actor.class.identifier_key.to_sym] = actor.id params[actor.identifier_key.to_sym] = actor.id
resp = post("#{internal_api_endpoint}/allowed", params) resp = post("#{internal_api_endpoint}/allowed", params)
determine_action(actor, resp) determine_action(actor, resp)
end end
def discover(key_id) def discover(actor)
resp = get("#{internal_api_endpoint}/discover?key_id=#{key_id}") resp = get("#{internal_api_endpoint}/discover?#{actor.identifier_key}=#{actor.id}")
JSON.parse(resp.body) JSON.parse(resp.body)
rescue JSON::ParserError, ApiUnreachableError rescue JSON::ParserError, ApiUnreachableError
nil nil
end end
def lfs_authenticate(key_id, repo) def lfs_authenticate(actor, repo)
params = { project: sanitize_path(repo), key_id: key_id } params = { project: sanitize_path(repo) }
params[actor.identifier_key.to_sym] = actor.id
resp = post("#{internal_api_endpoint}/lfs_authenticate", params) resp = post("#{internal_api_endpoint}/lfs_authenticate", params)
GitlabLfsAuthentication.build_from_json(resp.body) if resp.code == HTTP_SUCCESS GitlabLfsAuthentication.build_from_json(resp.body) if resp.code == HTTP_SUCCESS
...@@ -75,8 +77,9 @@ class GitlabNet ...@@ -75,8 +77,9 @@ class GitlabNet
nil nil
end end
def two_factor_recovery_codes(key_id) def two_factor_recovery_codes(actor)
resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", key_id: key_id) params = { actor.identifier_key.to_sym => actor.id }
resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", params)
JSON.parse(resp.body) if resp.code == HTTP_SUCCESS JSON.parse(resp.body) if resp.code == HTTP_SUCCESS
rescue rescue
{} {}
......
...@@ -3,7 +3,7 @@ require 'pathname' ...@@ -3,7 +3,7 @@ require 'pathname'
require_relative 'gitlab_net' require_relative 'gitlab_net'
require_relative 'gitlab_metrics' require_relative 'gitlab_metrics'
require_relative 'actor/key' require_relative 'actor'
class GitlabShell class GitlabShell
API_2FA_RECOVERY_CODES_COMMAND = '2fa_recovery_codes'.freeze API_2FA_RECOVERY_CODES_COMMAND = '2fa_recovery_codes'.freeze
...@@ -18,9 +18,9 @@ class GitlabShell ...@@ -18,9 +18,9 @@ class GitlabShell
Struct.new('ParsedCommand', :command, :git_access_command, :repo_name, :args) Struct.new('ParsedCommand', :command, :git_access_command, :repo_name, :args)
def initialize(key_str) def initialize(who)
@key_str = key_str
@config = GitlabConfig.new @config = GitlabConfig.new
@actor = Actor.new_from(who, audit_usernames: @config.audit_usernames)
end end
# The origin_cmd variable contains UNTRUSTED input. If the user ran # The origin_cmd variable contains UNTRUSTED input. If the user ran
...@@ -28,22 +28,22 @@ class GitlabShell ...@@ -28,22 +28,22 @@ class GitlabShell
# 'evil command'. # 'evil command'.
def exec(origin_cmd) def exec(origin_cmd)
if !origin_cmd || origin_cmd.empty? if !origin_cmd || origin_cmd.empty?
puts "Welcome to GitLab, #{key.username}!" puts "Welcome to GitLab, #{actor.username}!"
return true return true
end end
parsed_command = parse_cmd(origin_cmd) parsed_command = parse_cmd(origin_cmd)
action = determine_action(parsed_command) action = determine_action(parsed_command) # FIXME: watch out
action.execute(parsed_command.command, parsed_command.args) action.execute(parsed_command.command, parsed_command.args)
rescue GitlabNet::ApiUnreachableError rescue GitlabNet::ApiUnreachableError
$stderr.puts "GitLab: Failed to authorize your Git request: internal API unreachable" $stderr.puts "GitLab: Failed to authorize your Git request: internal API unreachable"
false false
rescue AccessDeniedError, UnknownError => ex rescue AccessDeniedError, UnknownError => ex
$logger.warn('Access denied', command: origin_cmd, user: key.log_username) $logger.warn('Access denied', command: origin_cmd, user: actor.log_username)
$stderr.puts "GitLab: #{ex.message}" $stderr.puts "GitLab: #{ex.message}"
false false
rescue DisallowedCommandError rescue DisallowedCommandError
$logger.warn('Denied disallowed command', command: origin_cmd, user: key.log_username) $logger.warn('Denied disallowed command', command: origin_cmd, user: actor.log_username)
$stderr.puts 'GitLab: Disallowed command' $stderr.puts 'GitLab: Disallowed command'
false false
rescue InvalidRepositoryPathError rescue InvalidRepositoryPathError
...@@ -53,11 +53,7 @@ class GitlabShell ...@@ -53,11 +53,7 @@ class GitlabShell
private private
attr_reader :config, :key_str attr_reader :config, :actor
def key
@key ||= Actor::Key.from(key_str, audit_usernames: config.audit_usernames)
end
def parse_cmd(cmd) def parse_cmd(cmd)
args = Shellwords.shellwords(cmd) args = Shellwords.shellwords(cmd)
...@@ -99,7 +95,7 @@ class GitlabShell ...@@ -99,7 +95,7 @@ class GitlabShell
end end
def determine_action(parsed_command) def determine_action(parsed_command)
return Action::API2FARecovery.new(key) if parsed_command.command == API_2FA_RECOVERY_CODES_COMMAND return Action::API2FARecovery.new(actor) if parsed_command.command == API_2FA_RECOVERY_CODES_COMMAND
GitlabMetrics.measure('verify-access') do GitlabMetrics.measure('verify-access') do
# GitlatNet#check_access will raise exception in the event of a problem # GitlatNet#check_access will raise exception in the event of a problem
...@@ -107,13 +103,13 @@ class GitlabShell ...@@ -107,13 +103,13 @@ class GitlabShell
parsed_command.git_access_command, parsed_command.git_access_command,
nil, nil,
parsed_command.repo_name, parsed_command.repo_name,
key, actor,
'_any' '_any'
) )
case parsed_command.command case parsed_command.command
when GIT_LFS_AUTHENTICATE_COMMAND when GIT_LFS_AUTHENTICATE_COMMAND
Action::GitLFSAuthenticate.new(key, parsed_command.repo_name) Action::GitLFSAuthenticate.new(actor, parsed_command.repo_name)
else else
initial_action initial_action
end end
......
...@@ -3,18 +3,18 @@ require_relative '../../lib/action/api_2fa_recovery' ...@@ -3,18 +3,18 @@ require_relative '../../lib/action/api_2fa_recovery'
describe Action::API2FARecovery do describe Action::API2FARecovery do
let(:key_id) { '1' } let(:key_id) { '1' }
let(:key) { Actor::Key.new(key_id) } let(:actor) { Actor::Key.new(key_id) }
let(:username) { 'testuser' } let(:username) { 'testuser' }
let(:discover_payload) { { 'username' => username } } let(:discover_payload) { { 'username' => username } }
let(:api) { double(GitlabNet) } let(:api) { double(GitlabNet) }
before do before do
allow(GitlabNet).to receive(:new).and_return(api) allow(GitlabNet).to receive(:new).and_return(api)
allow(api).to receive(:discover).with(key_id).and_return(discover_payload) allow(api).to receive(:discover).with(actor).and_return(discover_payload)
end end
subject do subject do
described_class.new(key) described_class.new(actor)
end end
describe '#execute' do describe '#execute' do
...@@ -46,7 +46,7 @@ describe Action::API2FARecovery do ...@@ -46,7 +46,7 @@ describe Action::API2FARecovery do
before do before do
expect(subject).to receive(:continue?).and_return(true) expect(subject).to receive(:continue?).and_return(true)
expect(api).to receive(:two_factor_recovery_codes).with(key_id).and_return(response) expect(api).to receive(:two_factor_recovery_codes).with(subject).and_return(response)
end end
context 'with a unsuccessful response' do context 'with a unsuccessful response' do
......
...@@ -4,24 +4,24 @@ require_relative '../../lib/action/git_lfs_authenticate' ...@@ -4,24 +4,24 @@ require_relative '../../lib/action/git_lfs_authenticate'
describe Action::GitLFSAuthenticate do describe Action::GitLFSAuthenticate do
let(:key_id) { '1' } let(:key_id) { '1' }
let(:repo_name) { 'gitlab-ci.git' } let(:repo_name) { 'gitlab-ci.git' }
let(:key) { Actor::Key.new(key_id) } let(:actor) { Actor::Key.new(key_id) }
let(:username) { 'testuser' } let(:username) { 'testuser' }
let(:discover_payload) { { 'username' => username } } let(:discover_payload) { { 'username' => username } }
let(:api) { double(GitlabNet) } let(:api) { double(GitlabNet) }
before do before do
allow(GitlabNet).to receive(:new).and_return(api) allow(GitlabNet).to receive(:new).and_return(api)
allow(api).to receive(:discover).with(key_id).and_return(discover_payload) allow(api).to receive(:discover).with(actor).and_return(discover_payload)
end end
subject do subject do
described_class.new(key, repo_name) described_class.new(actor, repo_name)
end end
describe '#execute' do describe '#execute' do
context 'when response from API is not a success' do context 'when response from API is not a success' do
before do before do
expect(api).to receive(:lfs_authenticate).with(key_id, repo_name).and_return(nil) expect(api).to receive(:lfs_authenticate).with(subject, repo_name).and_return(nil)
end end
it 'returns nil' do it 'returns nil' do
...@@ -36,7 +36,7 @@ describe Action::GitLFSAuthenticate do ...@@ -36,7 +36,7 @@ describe Action::GitLFSAuthenticate do
let(:gitlab_lfs_authentication) { GitlabLfsAuthentication.new(username, lfs_token, repository_http_path) } let(:gitlab_lfs_authentication) { GitlabLfsAuthentication.new(username, lfs_token, repository_http_path) }
before do before do
expect(api).to receive(:lfs_authenticate).with(key_id, repo_name).and_return(gitlab_lfs_authentication) expect(api).to receive(:lfs_authenticate).with(subject, repo_name).and_return(gitlab_lfs_authentication)
end end
it 'puts payload to stdout' do it 'puts payload to stdout' do
......
...@@ -11,7 +11,7 @@ describe Actor::Key do ...@@ -11,7 +11,7 @@ describe Actor::Key do
before do before do
allow(GitlabNet).to receive(:new).and_return(api) allow(GitlabNet).to receive(:new).and_return(api)
allow(api).to receive(:discover).with(key_id).and_return(discover_payload) allow(api).to receive(:discover).with(subject).and_return(discover_payload)
end end
describe '.from' do describe '.from' do
......
...@@ -8,13 +8,25 @@ describe GitlabKeys do ...@@ -8,13 +8,25 @@ describe GitlabKeys do
end end
describe '.command' do describe '.command' do
it 'the internal "command" utility function' do
command = "#{ROOT_PATH}/bin/gitlab-shell does-not-validate"
expect(described_class.command('does-not-validate')).to eq(command)
end
it 'does not raise a KeyError on invalid input' do
command = "#{ROOT_PATH}/bin/gitlab-shell foo\nbar\nbaz\n"
expect(described_class.command("foo\nbar\nbaz\n")).to eq(command)
end
end
describe '.command_key' do
it 'returns the "command" part of the key line' do it 'returns the "command" part of the key line' do
command = "#{ROOT_PATH}/bin/gitlab-shell key-123" command = "#{ROOT_PATH}/bin/gitlab-shell key-123"
expect(described_class.command('key-123')).to eq(command) expect(described_class.command_key('key-123')).to eq(command)
end end
it 'raises KeyError on invalid input' do it 'raises KeyError on invalid input' do
expect do described_class.command("\nssh-rsa AAA") end.to raise_error(described_class::KeyError) expect { described_class.command_key("\nssh-rsa AAA") }.to raise_error(described_class::KeyError)
end end
end end
...@@ -30,7 +42,23 @@ describe GitlabKeys do ...@@ -30,7 +42,23 @@ describe GitlabKeys do
end end
it 'raises KeyError on invalid input' do it 'raises KeyError on invalid input' do
expect do described_class.key_line('key-741', "ssh-rsa AAA\nssh-rsa AAA") end.to raise_error(described_class::KeyError) expect { described_class.key_line('key-741', "ssh-rsa AAA\nssh-rsa AAA") }.to raise_error(described_class::KeyError)
end
end
describe '.principal_line' do
let(:line) { %(command="#{ROOT_PATH}/bin/gitlab-shell username-someuser",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty sshUsers) }
it 'returns the key line' do
expect(described_class.principal_line('username-someuser', 'sshUsers')).to eq(line)
end
it 'silently removes a trailing newline' do
expect(described_class.principal_line('username-someuser', "sshUsers\n")).to eq(line)
end
it 'raises KeyError on invalid input' do
expect { described_class.principal_line('username-someuser', "sshUsers\nloginUsers") }.to raise_error(described_class::KeyError)
end end
end end
......
...@@ -8,11 +8,9 @@ describe GitlabNet, vcr: true do ...@@ -8,11 +8,9 @@ describe GitlabNet, vcr: true do
let(:internal_api_endpoint) { 'http://localhost:3000/api/v4/internal' } let(:internal_api_endpoint) { 'http://localhost:3000/api/v4/internal' }
let(:project) { 'gitlab-org/gitlab-test.git' } let(:project) { 'gitlab-org/gitlab-test.git' }
let(:key_id1) { '1' } let(:actor1) { Actor.new_from('key-1') }
let(:key1_str) { "key-#{key_id1}" } let(:bad_actor1) { Actor.new_from('key-777') }
let(:key1) { Actor::Key.new(key1_str) } let(:actor2) { Actor.new_from('user-1') }
let(:user1) { Actor::User.new('user-1') }
let(:secret) { "0a3938d9d95d807e94d937af3a4fbbea\n" } let(:secret) { "0a3938d9d95d807e94d937af3a4fbbea\n" }
...@@ -46,7 +44,7 @@ describe GitlabNet, vcr: true do ...@@ -46,7 +44,7 @@ describe GitlabNet, vcr: true do
describe '#discover' do describe '#discover' do
it 'should return user has based on key id' do it 'should return user has based on key id' do
VCR.use_cassette("discover-ok") do VCR.use_cassette("discover-ok") do
user = gitlab_net.discover(key_id1) user = gitlab_net.discover(actor1)
expect(user['name']).to eql 'Administrator' expect(user['name']).to eql 'Administrator'
expect(user['username']).to eql 'root' expect(user['username']).to eql 'root'
end end
...@@ -55,14 +53,14 @@ describe GitlabNet, vcr: true do ...@@ -55,14 +53,14 @@ describe GitlabNet, vcr: true do
it 'adds the secret_token to request' do it 'adds the secret_token to request' do
VCR.use_cassette("discover-ok") do VCR.use_cassette("discover-ok") do
allow_any_instance_of(Net::HTTP::Get).to receive(:set_form_data).with(hash_including(secret_token: secret)) allow_any_instance_of(Net::HTTP::Get).to receive(:set_form_data).with(hash_including(secret_token: secret))
gitlab_net.discover(key_id1) gitlab_net.discover(actor1)
end end
end end
it "raises an exception if the connection fails" do it "raises an exception if the connection fails" do
VCR.use_cassette("discover-ok") do VCR.use_cassette("discover-ok") do
allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError) allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError)
expect(gitlab_net.discover(key_id1)).to be_nil expect(gitlab_net.discover(actor1)).to be_nil
end end
end end
end end
...@@ -71,7 +69,7 @@ describe GitlabNet, vcr: true do ...@@ -71,7 +69,7 @@ describe GitlabNet, vcr: true do
context 'lfs authentication succeeded' do context 'lfs authentication succeeded' do
it 'should return the correct data' do it 'should return the correct data' do
VCR.use_cassette('lfs-authenticate-ok') do VCR.use_cassette('lfs-authenticate-ok') do
lfs_access = gitlab_net.lfs_authenticate(key_id1, project) lfs_access = gitlab_net.lfs_authenticate(actor1, project)
expect(lfs_access.username).to eql 'root' expect(lfs_access.username).to eql 'root'
expect(lfs_access.lfs_token).to eql 'Hyzhyde_wLUeyUQsR3tHGTG8eNocVQm4ssioTEsBSdb6KwCSzQ' expect(lfs_access.lfs_token).to eql 'Hyzhyde_wLUeyUQsR3tHGTG8eNocVQm4ssioTEsBSdb6KwCSzQ'
expect(lfs_access.repository_http_path).to eql URI.join(internal_api_endpoint.sub('api/v4', ''), project).to_s expect(lfs_access.repository_http_path).to eql URI.join(internal_api_endpoint.sub('api/v4', ''), project).to_s
...@@ -161,7 +159,7 @@ describe GitlabNet, vcr: true do ...@@ -161,7 +159,7 @@ describe GitlabNet, vcr: true do
let(:gl_repository) { "project-1" } let(:gl_repository) { "project-1" }
let(:changes) { "123456 789012 refs/heads/test\n654321 210987 refs/tags/tag" } let(:changes) { "123456 789012 refs/heads/test\n654321 210987 refs/tags/tag" }
let(:params) do let(:params) do
{ gl_repository: gl_repository, identifier: key1.identifier, changes: changes } { gl_repository: gl_repository, identifier: actor1.identifier, changes: changes }
end end
let(:merge_request_urls) do let(:merge_request_urls) do
[{ [{
...@@ -171,7 +169,7 @@ describe GitlabNet, vcr: true do ...@@ -171,7 +169,7 @@ describe GitlabNet, vcr: true do
}] }]
end end
subject { gitlab_net.post_receive(gl_repository, key1, changes) } subject { gitlab_net.post_receive(gl_repository, actor1, changes) }
it 'sends the correct parameters' do it 'sends the correct parameters' do
allow_any_instance_of(Net::HTTP::Post).to receive(:set_form_data).with(hash_including(params)) allow_any_instance_of(Net::HTTP::Post).to receive(:set_form_data).with(hash_including(params))
...@@ -230,7 +228,7 @@ describe GitlabNet, vcr: true do ...@@ -230,7 +228,7 @@ describe GitlabNet, vcr: true do
describe '#two_factor_recovery_codes' do describe '#two_factor_recovery_codes' do
it 'returns two factor recovery codes' do it 'returns two factor recovery codes' do
VCR.use_cassette('two-factor-recovery-codes') do VCR.use_cassette('two-factor-recovery-codes') do
result = gitlab_net.two_factor_recovery_codes(key1_str) result = gitlab_net.two_factor_recovery_codes(actor1)
expect(result['success']).to be_truthy expect(result['success']).to be_truthy
expect(result['recovery_codes']).to eq(['f67c514de60c4953','41278385fc00c1e0']) expect(result['recovery_codes']).to eq(['f67c514de60c4953','41278385fc00c1e0'])
end end
...@@ -238,7 +236,7 @@ describe GitlabNet, vcr: true do ...@@ -238,7 +236,7 @@ describe GitlabNet, vcr: true do
it 'returns false when recovery codes cannot be generated' do it 'returns false when recovery codes cannot be generated' do
VCR.use_cassette('two-factor-recovery-codes-fail') do VCR.use_cassette('two-factor-recovery-codes-fail') do
result = gitlab_net.two_factor_recovery_codes('key-777') result = gitlab_net.two_factor_recovery_codes(bad_actor1)
expect(result['success']).to be_falsey expect(result['success']).to be_falsey
expect(result['message']).to eq('Could not find the given key') expect(result['message']).to eq('Could not find the given key')
end end
...@@ -272,7 +270,7 @@ describe GitlabNet, vcr: true do ...@@ -272,7 +270,7 @@ describe GitlabNet, vcr: true do
it 'raises an UnknownError exception' do it 'raises an UnknownError exception' do
VCR.use_cassette('failed-push') do VCR.use_cassette('failed-push') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
end.to raise_error(UnknownError, 'API is not accessible: An internal server error occurred') end.to raise_error(UnknownError, 'API is not accessible: An internal server error occurred')
end end
end end
...@@ -282,7 +280,7 @@ describe GitlabNet, vcr: true do ...@@ -282,7 +280,7 @@ describe GitlabNet, vcr: true do
it 'raises an UnknownError exception' do it 'raises an UnknownError exception' do
VCR.use_cassette('failed-push-unparsable') do VCR.use_cassette('failed-push-unparsable') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
end.to raise_error(UnknownError, 'API is not accessible') end.to raise_error(UnknownError, 'API is not accessible')
end end
end end
...@@ -292,7 +290,7 @@ describe GitlabNet, vcr: true do ...@@ -292,7 +290,7 @@ describe GitlabNet, vcr: true do
context 'ssh key with access nil, to project' do context 'ssh key with access nil, to project' do
it 'should allow push access for host' do it 'should allow push access for host' do
VCR.use_cassette('allowed-push') do VCR.use_cassette('allowed-push') do
action = gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') action = gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
expect(action).to be_instance_of(Action::Gitaly) expect(action).to be_instance_of(Action::Gitaly)
end end
end end
...@@ -300,13 +298,13 @@ describe GitlabNet, vcr: true do ...@@ -300,13 +298,13 @@ describe GitlabNet, vcr: true do
it 'adds the secret_token to the request' do it 'adds the secret_token to the request' do
VCR.use_cassette('allowed-pull') do VCR.use_cassette('allowed-pull') do
allow_any_instance_of(Net::HTTP::Post).to receive(:set_form_data).with(hash_including(secret_token: secret)) allow_any_instance_of(Net::HTTP::Post).to receive(:set_form_data).with(hash_including(secret_token: secret))
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
end end
end end
it 'should allow pull access for host' do it 'should allow pull access for host' do
VCR.use_cassette("allowed-pull") do VCR.use_cassette("allowed-pull") do
action = gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'ssh') action = gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'ssh')
expect(action).to be_instance_of(Action::Gitaly) expect(action).to be_instance_of(Action::Gitaly)
end end
end end
...@@ -316,13 +314,13 @@ describe GitlabNet, vcr: true do ...@@ -316,13 +314,13 @@ describe GitlabNet, vcr: true do
it 'should deny pull access for host' do it 'should deny pull access for host' do
VCR.use_cassette('ssh-pull-disabled-old') do VCR.use_cassette('ssh-pull-disabled-old') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
VCR.use_cassette('ssh-pull-disabled') do VCR.use_cassette('ssh-pull-disabled') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
end end
...@@ -330,13 +328,13 @@ describe GitlabNet, vcr: true do ...@@ -330,13 +328,13 @@ describe GitlabNet, vcr: true do
it 'should deny push access for host' do it 'should deny push access for host' do
VCR.use_cassette('ssh-push-disabled-old') do VCR.use_cassette('ssh-push-disabled-old') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
VCR.use_cassette('ssh-push-disabled') do VCR.use_cassette('ssh-push-disabled') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
end end
...@@ -346,13 +344,13 @@ describe GitlabNet, vcr: true do ...@@ -346,13 +344,13 @@ describe GitlabNet, vcr: true do
it 'should deny pull access for host' do it 'should deny pull access for host' do
VCR.use_cassette('http-pull-disabled-old') do VCR.use_cassette('http-pull-disabled-old') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.') end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.')
end end
VCR.use_cassette('http-pull-disabled') do VCR.use_cassette('http-pull-disabled') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.') end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.')
end end
end end
...@@ -360,13 +358,13 @@ describe GitlabNet, vcr: true do ...@@ -360,13 +358,13 @@ describe GitlabNet, vcr: true do
it 'should deny push access for host' do it 'should deny push access for host' do
VCR.use_cassette('http-push-disabled-old') do VCR.use_cassette('http-push-disabled-old') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.') end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.')
end end
VCR.use_cassette('http-push-disabled') do VCR.use_cassette('http-push-disabled') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, key1, changes, 'http') gitlab_net.check_access('git-receive-pack', nil, project, actor1, changes, 'http')
end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.') end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.')
end end
end end
...@@ -376,13 +374,13 @@ describe GitlabNet, vcr: true do ...@@ -376,13 +374,13 @@ describe GitlabNet, vcr: true do
it 'should deny pull access for host' do it 'should deny pull access for host' do
VCR.use_cassette('ssh-pull-project-denied-old') do VCR.use_cassette('ssh-pull-project-denied-old') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
VCR.use_cassette('ssh-pull-project-denied') do VCR.use_cassette('ssh-pull-project-denied') do
expect do expect do
gitlab_net.check_access('git-receive-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-receive-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
end end
...@@ -390,13 +388,13 @@ describe GitlabNet, vcr: true do ...@@ -390,13 +388,13 @@ describe GitlabNet, vcr: true do
it 'should deny push access for host' do it 'should deny push access for host' do
VCR.use_cassette('ssh-push-project-denied-old') do VCR.use_cassette('ssh-push-project-denied-old') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-upload-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
VCR.use_cassette('ssh-push-project-denied') do VCR.use_cassette('ssh-push-project-denied') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-upload-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
end end
...@@ -404,13 +402,13 @@ describe GitlabNet, vcr: true do ...@@ -404,13 +402,13 @@ describe GitlabNet, vcr: true do
it 'should deny push access for host (with user)' do it 'should deny push access for host (with user)' do
VCR.use_cassette('ssh-push-project-denied-with-user-old') do VCR.use_cassette('ssh-push-project-denied-with-user-old') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-upload-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
VCR.use_cassette('ssh-push-project-denied-with-user') do VCR.use_cassette('ssh-push-project-denied-with-user') do
expect do expect do
gitlab_net.check_access('git-upload-pack', nil, project, user1, changes, 'ssh') gitlab_net.check_access('git-upload-pack', nil, project, actor2, changes, 'ssh')
end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
end end
end end
...@@ -419,7 +417,7 @@ describe GitlabNet, vcr: true do ...@@ -419,7 +417,7 @@ describe GitlabNet, vcr: true do
it "raises an exception if the connection fails" do it "raises an exception if the connection fails" do
allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError) allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError)
expect { expect {
gitlab_net.check_access('git-upload-pack', nil, project, key1, changes, 'ssh') gitlab_net.check_access('git-upload-pack', nil, project, actor1, changes, 'ssh')
}.to raise_error(GitlabNet::ApiUnreachableError) }.to raise_error(GitlabNet::ApiUnreachableError)
end end
end end
......
...@@ -10,44 +10,44 @@ describe GitlabShell do ...@@ -10,44 +10,44 @@ describe GitlabShell do
after { FileUtils.rm_rf(tmp_repos_path) } after { FileUtils.rm_rf(tmp_repos_path) }
subject { described_class.new(key_id) } subject { described_class.new(who) }
let(:key_id) { '1' } let(:who) { 'key-1' }
let(:key) { Actor::Key.new(key_id) } let(:audit_usernames) { true }
let(:actor) { Actor.new_from(who, audit_usernames: audit_usernames) }
let(:tmp_repos_path) { File.join(ROOT_PATH, 'tmp', 'repositories') } let(:tmp_repos_path) { File.join(ROOT_PATH, 'tmp', 'repositories') }
let(:repo_name) { 'gitlab-ci.git' } let(:repo_name) { 'gitlab-ci.git' }
let(:repo_path) { File.join(tmp_repos_path, repo_name) } let(:repo_path) { File.join(tmp_repos_path, repo_name) }
let(:gl_repository) { 'project-1' } let(:gl_repository) { 'project-1' }
let(:gl_username) { 'testuser' } let(:gl_username) { 'testuser' }
let(:audit_usernames) { true }
let(:api) { double(GitlabNet) } let(:api) { double(GitlabNet) }
let(:config) { double(GitlabConfig) } let(:config) { double(GitlabConfig) }
let(:gitaly_action) { Action::Gitaly.new( let(:gitaly_action) { Action::Gitaly.new(
key_id, actor,
gl_repository, gl_repository,
gl_username, gl_username,
repo_path, repo_path,
{ 'repository' => { 'relative_path' => repo_name, 'storage_name' => 'default' } , 'address' => 'unix:gitaly.socket' }) { 'repository' => { 'relative_path' => repo_name, 'storage_name' => 'default' } , 'address' => 'unix:gitaly.socket' })
} }
let(:api_2fa_recovery_action) { Action::API2FARecovery.new(key_id) } let(:api_2fa_recovery_action) { Action::API2FARecovery.new(actor) }
let(:git_lfs_authenticate_action) { Action::GitLFSAuthenticate.new(key_id, repo_name) } let(:git_lfs_authenticate_action) { Action::GitLFSAuthenticate.new(actor, repo_name) }
before do before do
allow(GitlabConfig).to receive(:new).and_return(config) allow(GitlabConfig).to receive(:new).and_return(config)
allow(config).to receive(:audit_usernames).and_return(audit_usernames) allow(config).to receive(:audit_usernames).and_return(audit_usernames)
allow(Actor::Key).to receive(:from).with(key_id, audit_usernames: audit_usernames).and_return(key) allow(Actor).to receive(:new_from).with(who, audit_usernames: audit_usernames).and_return(actor)
allow(GitlabNet).to receive(:new).and_return(api) allow(GitlabNet).to receive(:new).and_return(api)
allow(api).to receive(:discover).with(key_id).and_return('username' => gl_username) allow(api).to receive(:discover).with(actor).and_return('username' => gl_username)
end end
describe '#exec' do describe '#exec' do
context "when we don't have a valid user" do context "when we don't have a valid user" do
before do before do
allow(api).to receive(:discover).with(key_id).and_return(nil) allow(api).to receive(:discover).with(actor).and_return(nil)
end end
it 'prints Welcome.. and returns true' do it 'prints Welcome.. and returns true' do
...@@ -114,7 +114,7 @@ describe GitlabShell do ...@@ -114,7 +114,7 @@ describe GitlabShell do
let(:git_access) { '2fa_recovery_codes' } let(:git_access) { '2fa_recovery_codes' }
before do before do
expect(Action::API2FARecovery).to receive(:new).with(key).and_return(api_2fa_recovery_action) expect(Action::API2FARecovery).to receive(:new).with(actor).and_return(api_2fa_recovery_action)
end end
it 'returns true' do it 'returns true' do
...@@ -125,7 +125,7 @@ describe GitlabShell do ...@@ -125,7 +125,7 @@ describe GitlabShell do
context 'when access to the repo is denied' do context 'when access to the repo is denied' do
before do before do
expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, key, '_any').and_raise(AccessDeniedError, 'Sorry, access denied') expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, actor, '_any').and_raise(AccessDeniedError, 'Sorry, access denied')
end end
it 'prints a message to stderr and returns false' do it 'prints a message to stderr and returns false' do
...@@ -136,7 +136,7 @@ describe GitlabShell do ...@@ -136,7 +136,7 @@ describe GitlabShell do
context 'when the API is unavailable' do context 'when the API is unavailable' do
before do before do
expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, key, '_any').and_raise(GitlabNet::ApiUnreachableError) expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, actor, '_any').and_raise(GitlabNet::ApiUnreachableError)
end end
it 'prints a message to stderr and returns false' do it 'prints a message to stderr and returns false' do
...@@ -147,7 +147,7 @@ describe GitlabShell do ...@@ -147,7 +147,7 @@ describe GitlabShell do
context 'when access has been verified OK' do context 'when access has been verified OK' do
before do before do
expect(api).to receive(:check_access).with(git_access, nil, repo_name, key, '_any').and_return(gitaly_action) expect(api).to receive(:check_access).with(git_access, nil, repo_name, actor, '_any').and_return(gitaly_action)
end end
context 'when origin_cmd is git-upload-pack' do context 'when origin_cmd is git-upload-pack' do
...@@ -180,7 +180,7 @@ describe GitlabShell do ...@@ -180,7 +180,7 @@ describe GitlabShell do
let(:lfs_access) { double(GitlabLfsAuthentication, authentication_payload: fake_payload)} let(:lfs_access) { double(GitlabLfsAuthentication, authentication_payload: fake_payload)}
before do before do
expect(Action::GitLFSAuthenticate).to receive(:new).with(key, repo_name).and_return(git_lfs_authenticate_action) expect(Action::GitLFSAuthenticate).to receive(:new).with(actor, repo_name).and_return(git_lfs_authenticate_action)
end end
context 'upload' do context 'upload' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment