Commit e0768a9b authored by Bob Van Landuyt's avatar Bob Van Landuyt

Allow triggered builds git access

Allow builds that have been triggered by a user before terms were
enforced access to git. That way the builds can complete as usual.
parent d801dd17
module Gitlab
class BuildAccess < UserAccess
attr_accessor :user, :project
# This bypasses the `can?(:access_git)`-check we normally do in `UserAccess`
# for CI. That way if a user was able to trigger a pipeline, then the
# build is allowed to clone the project.
def can_access_git?
true
end
end
end
...@@ -105,7 +105,9 @@ module Gitlab ...@@ -105,7 +105,9 @@ module Gitlab
end end
def check_active_user! def check_active_user!
if user && !user_access.allowed? return unless user
unless user_access.allowed?
message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
raise UnauthorizedError, message raise UnauthorizedError, message
end end
...@@ -338,6 +340,8 @@ module Gitlab ...@@ -338,6 +340,8 @@ module Gitlab
def user_access def user_access
@user_access ||= if ci? @user_access ||= if ci?
CiAccess.new CiAccess.new
elsif user && request_from_ci_build?
BuildAccess.new(user, project: project)
else else
UserAccess.new(user, project: project) UserAccess.new(user, project: project)
end end
......
require 'spec_helper'
describe Gitlab::BuildAccess do
let(:user) { create(:user) }
let(:project) { create(:project) }
describe '#can_do_action' do
subject { described_class.new(user, project: project).can_do_action?(:download_code) }
context 'when the user can do an action on the project but cannot access git' do
before do
user.block!
project.add_developer(user)
end
it { is_expected.to be(true) }
end
context 'when the user cannot do an action on the project' do
it { is_expected.to be(false) }
end
end
end
...@@ -1114,6 +1114,22 @@ describe Gitlab::GitAccess do ...@@ -1114,6 +1114,22 @@ describe Gitlab::GitAccess do
it_behaves_like 'access after accepting terms' it_behaves_like 'access after accepting terms'
end end
describe 'when a ci build clones the project' do
let(:protocol) { 'http' }
let(:authentication_abilities) { [:build_download_code] }
let(:auth_result_type) { :build }
before do
project.add_developer(user)
end
it "doesn't block http pull" do
aggregate_failures do
expect { pull_access_check }.not_to raise_error
end
end
end
end end
private private
......
require "spec_helper" require "spec_helper"
describe 'Git HTTP requests' do describe 'Git HTTP requests' do
include TermsHelper
include GitHttpHelpers include GitHttpHelpers
include WorkhorseHelpers include WorkhorseHelpers
include UserActivitiesHelpers include UserActivitiesHelpers
...@@ -824,4 +825,56 @@ describe 'Git HTTP requests' do ...@@ -824,4 +825,56 @@ describe 'Git HTTP requests' do
end end
end end
end end
context 'when terms are enforced' do
let(:project) { create(:project, :repository) }
let(:user) { create(:user) }
let(:path) { "#{project.full_path}.git" }
let(:env) { { user: user.username, password: user.password } }
before do
project.add_master(user)
enforce_terms
end
it 'blocks git access when the user did not accept terms', :aggregate_failures do
clone_get(path, env) do |response|
expect(response).to have_gitlab_http_status(:forbidden)
end
download(path, env) do |response|
expect(response).to have_gitlab_http_status(:forbidden)
end
upload(path, env) do |response|
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'when the user accepted the terms' do
before do
accept_terms(user)
end
it 'allows clones' do
clone_get(path, env) do |response|
expect(response).to have_gitlab_http_status(:ok)
end
end
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'from CI' do
let(:build) { create(:ci_build, :running) }
let(:env) { { user: 'gitlab-ci-token', password: build.token } }
before do
build.update!(user: user, project: project)
end
it_behaves_like 'pulls are allowed'
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment