Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
0672c5a9
Commit
0672c5a9
authored
Sep 20, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Post-merge improve of CI permissions
parent
f30005f0
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
24 additions
and
15 deletions
+24
-15
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+3
-3
app/models/ci/build.rb
app/models/ci/build.rb
+5
-2
lib/ci/mask_secret.rb
lib/ci/mask_secret.rb
+3
-3
spec/lib/ci/mask_secret_spec.rb
spec/lib/ci/mask_secret_spec.rb
+9
-3
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+1
-1
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+3
-3
No files found.
app/controllers/projects/git_http_client_controller.rb
View file @
0672c5a9
...
@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return
# Allow access
return
# Allow access
end
end
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
elsif
allow_kerberos_spnego_auth?
&&
spnego_provided?
user
=
find_kerberos_user
kerberos_
user
=
find_kerberos_user
if
user
if
kerberos_
user
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:kerberos
,
Gitlab
::
Auth
.
full_authentication_abilities
)
kerberos_
user
,
nil
,
:kerberos
,
Gitlab
::
Auth
.
full_authentication_abilities
)
send_final_spnego_response
send_final_spnego_response
return
# Allow access
return
# Allow access
...
...
app/models/ci/build.rb
View file @
0672c5a9
...
@@ -493,8 +493,11 @@ module Ci
...
@@ -493,8 +493,11 @@ module Ci
end
end
def
hide_secrets
(
trace
)
def
hide_secrets
(
trace
)
trace
=
Ci
::
MaskSecret
.
mask
(
trace
,
project
.
runners_token
)
if
project
return
unless
trace
trace
=
Ci
::
MaskSecret
.
mask
(
trace
,
token
)
trace
=
trace
.
dup
Ci
::
MaskSecret
.
mask!
(
trace
,
project
.
runners_token
)
if
project
Ci
::
MaskSecret
.
mask!
(
trace
,
token
)
trace
trace
end
end
end
end
...
...
lib/ci/mask_secret.rb
View file @
0672c5a9
module
Ci::MaskSecret
module
Ci::MaskSecret
class
<<
self
class
<<
self
def
mask
(
value
,
token
)
def
mask
!
(
value
,
token
)
return
value
unless
value
.
present?
&&
token
.
present?
return
unless
value
.
present?
&&
token
.
present?
value
.
gsub
(
token
,
'x'
*
token
.
length
)
value
.
gsub
!
(
token
,
'x'
*
token
.
length
)
end
end
end
end
end
end
spec/lib/ci/mask_secret_spec.rb
View file @
0672c5a9
...
@@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do
...
@@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do
describe
'#mask'
do
describe
'#mask'
do
it
'masks exact number of characters'
do
it
'masks exact number of characters'
do
expect
(
subject
.
mask
(
'token'
,
'oke'
)).
to
eq
(
'txxxn'
)
expect
(
mask
(
'token'
,
'oke'
)).
to
eq
(
'txxxn'
)
end
end
it
'masks multiple occurrences'
do
it
'masks multiple occurrences'
do
expect
(
subject
.
mask
(
'token token token'
,
'oke'
)).
to
eq
(
'txxxn txxxn txxxn'
)
expect
(
mask
(
'token token token'
,
'oke'
)).
to
eq
(
'txxxn txxxn txxxn'
)
end
end
it
'does not mask if not found'
do
it
'does not mask if not found'
do
expect
(
subject
.
mask
(
'token'
,
'not'
)).
to
eq
(
'token'
)
expect
(
mask
(
'token'
,
'not'
)).
to
eq
(
'token'
)
end
def
mask
(
value
,
token
)
value
=
value
.
dup
subject
.
mask!
(
value
,
token
)
value
end
end
end
end
end
end
spec/lib/gitlab/git_access_spec.rb
View file @
0672c5a9
...
@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
end
end
context
'to private project'
do
context
'to private project'
do
let
(
:project
)
{
create
(
:project
,
:internal
)
}
let
(
:project
)
{
create
(
:project
)
}
it
{
expect
(
subject
).
not_to
be_allowed
}
it
{
expect
(
subject
).
not_to
be_allowed
}
end
end
...
...
spec/requests/git_http_spec.rb
View file @
0672c5a9
...
@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
...
@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
project
.
team
<<
[
user
,
:reporter
]
project
.
team
<<
[
user
,
:reporter
]
end
end
shared_examples
'can download code only
from own projects
'
do
shared_examples
'can download code only'
do
it
'downloads get status 200'
do
it
'downloads get status 200'
do
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
clone_get
"
#{
project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
...
@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
...
@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
context
'administrator'
do
context
'administrator'
do
let
(
:user
)
{
create
(
:admin
)
}
let
(
:user
)
{
create
(
:admin
)
}
it_behaves_like
'can download code only
from own projects
'
it_behaves_like
'can download code only'
it
'downloads from other project get status 403'
do
it
'downloads from other project get status 403'
do
clone_get
"
#{
other_project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
clone_get
"
#{
other_project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
...
@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
...
@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
context
'regular user'
do
context
'regular user'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
it_behaves_like
'can download code only
from own projects
'
it_behaves_like
'can download code only'
it
'downloads from other project get status 404'
do
it
'downloads from other project get status 404'
do
clone_get
"
#{
other_project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
clone_get
"
#{
other_project
.
path_with_namespace
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment