Merge branch 'ci-lfs-fetch' into 'master'

Allow to fetch LFS from CI ## What does this MR do? This adds support for fetching LFS object from CI jobs (mostly it's made for supporting GitLab CI). ## What is left? - [x] Write tests covering a new authorization mechanism cc @grzesiek @marin See merge request !4465

Merge branch 'ci-lfs-fetch' into 'master'
Allow to fetch LFS from CI ## What does this MR do? This adds support for fetching LFS object from CI jobs (mostly it's made for supporting GitLab CI). ## What is left? - [x] Write tests covering a new authorization mechanism cc @grzesiek @marin See merge request !4465
6d0f9bbc · Rémy Coutable · Robert Speicher · 95621c01 · 6d0f9bbc · 6d0f9bbc
Commit 6d0f9bbc authored Jun 21, 2016 by Rémy Coutable Committed by Robert Speicher Jun 21, 2016
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -76,6 +76,7 @@ v 8.9.0 (unreleased)
  - Pipelines can be canceled only when there are running builds
  - Allow authentication using personal access tokens
  - Use downcased path to container repository as this is expected path by Docker
+  - Allow to use CI token to fetch LFS objects
  - Custom notification settings
  - Projects pending deletion will render a 404 page
  - Measure queue duration between gitlab-workhorse and Rails

--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -31,7 +31,7 @@ module Grack

      auth!

-      lfs_response = Gitlab::Lfs::Router.new(project, @user, @request).try_call
+      lfs_response = Gitlab::Lfs::Router.new(project, @user, @ci, @request).try_call
      return lfs_response unless lfs_response.nil?

      if @user.nil? && !@ci

--- a/lib/gitlab/lfs/response.rb
+++ b/lib/gitlab/lfs/response.rb
@@ -2,10 +2,11 @@ module Gitlab
  module Lfs
    class Response

-      def initialize(project, user, request)
+      def initialize(project, user, ci, request)
        @origin_project = project
        @project = storage_project(project)
        @user = user
+        @ci = ci
        @env = request.env
        @request = request
      end
@@ -189,7 +190,7 @@ module Gitlab
        return render_not_enabled unless Gitlab.config.lfs.enabled

        unless @project.public?
-          return render_unauthorized unless @user
+          return render_unauthorized unless @user || @ci
          return render_forbidden unless user_can_fetch?
        end

@@ -210,7 +211,7 @@ module Gitlab

      def user_can_fetch?
        # Check user access against the project they used to initiate the pull
-        @user.can?(:download_code, @origin_project)
+        @ci || @user.can?(:download_code, @origin_project)
      end

      def user_can_push?

--- a/lib/gitlab/lfs/router.rb
+++ b/lib/gitlab/lfs/router.rb
 module Gitlab
  module Lfs
    class Router
-      def initialize(project, user, request)
+      attr_reader :project, :user, :ci, :request
+
+      def initialize(project, user, ci, request)
        @project = project
        @user = user
+        @ci = ci
        @env = request.env
        @request = request
      end
@@ -80,7 +83,7 @@ module Gitlab
      def lfs
        return unless @project

-        Gitlab::Lfs::Response.new(@project, @user, @request)
+        Gitlab::Lfs::Response.new(@project, @user, @ci, @request)
      end

      def sanitize_tmp_filename(name)

--- a/spec/lib/gitlab/lfs/lfs_router_spec.rb
+++ b/spec/lib/gitlab/lfs/lfs_router_spec.rb