Add more tests to the allowed protocols feature

42fb2516 · Patricio Cano · c98f89ea · 42fb2516 · 42fb2516
Commit 42fb2516 authored Jun 22, 2016 by Patricio Cano
Hide whitespace changes
Inline Side-by-side

Showing with 103 additions and 5 deletions

spec/lib/gitlab/git_access_spec.rb spec/lib/gitlab/git_access_spec.rb +37 -0

spec/requests/api/internal_spec.rb spec/requests/api/internal_spec.rb +66 -5

No files found.
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -67,6 +67,43 @@ describe Gitlab::GitAccess, lib: true do
    end
  end

+  describe '#check with single protocols allowed' do
+    def disable_protocol(protocol)
+      settings = ::ApplicationSetting.create_from_defaults
+      settings.update_attribute(:enabled_git_access_protocols, protocol)
+    end
+
+    context 'ssh disabled' do
+      before do
+        disable_protocol('ssh')
+        @acc = Gitlab::GitAccess.new(actor, project, 'ssh')
+      end
+
+      it 'blocks ssh git push' do
+        expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+      end
+
+      it 'blocks ssh git pull' do
+        expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+      end
+    end
+
+    context 'http disabled' do
+      before do
+        disable_protocol('http')
+        @acc = Gitlab::GitAccess.new(actor, project, 'http')
+      end
+
+      it 'blocks http push' do
+        expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+      end
+
+      it 'blocks http git pull' do
+        expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+      end
+    end
+  end
+
  describe 'download_access_check' do
    describe 'master permissions' do
      before { project.team << [user, :master] }

--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -207,26 +207,86 @@ describe API::API, api: true  do
        expect(json_response["status"]).to be_falsey
      end
    end
+
+    context 'ssh access has been disabled' do
+      before do
+        settings = ::ApplicationSetting.create_from_defaults
+        settings.update_attribute(:enabled_git_access_protocols, 'http')
+      end
+
+      it 'rejects the SSH push' do
+        push(key, project)
+
+        expect(response.status).to eq(200)
+        expect(json_response['status']).to be_falsey
+        expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+      end
+
+      it 'rejects the SSH pull' do
+        pull(key, project)
+
+        expect(response.status).to eq(200)
+        expect(json_response['status']).to be_falsey
+        expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+      end
+    end
+
+    context 'http access has been disabled' do
+      before do
+        settings = ::ApplicationSetting.create_from_defaults
+        settings.update_attribute(:enabled_git_access_protocols, 'ssh')
+      end
+
+      it 'rejects the HTTP push' do
+        push(key, project, 'http')
+
+        expect(response.status).to eq(200)
+        expect(json_response['status']).to be_falsey
+        expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+      end
+
+      it 'rejects the HTTP pull' do
+        pull(key, project, 'http')
+
+        expect(response.status).to eq(200)
+        expect(json_response['status']).to be_falsey
+        expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+      end
+    end
+
+    context 'web actions are always allowed' do
+      it 'allows WEB push' do
+        settings = ::ApplicationSetting.create_from_defaults
+        settings.update_attribute(:enabled_git_access_protocols, 'ssh')
+        project.team << [user, :developer]
+        push(key, project, 'web')
+
+        expect(response.status).to eq(200)
+        expect(json_response['status']).to be_truthy
+      end
+    end
  end

-  def pull(key, project)
+  def pull(key, project, protocol = 'ssh')
    post(
      api("/internal/allowed"),
      key_id: key.id,
      project: project.path_with_namespace,
      action: 'git-upload-pack',
-      secret_token: secret_token
+      secret_token: secret_token,
+      protocol: protocol
    )
  end

-  def push(key, project)
+  def push(key, project, protocol = 'ssh')
    post(
      api("/internal/allowed"),
      changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
      key_id: key.id,
      project: project.path_with_namespace,
      action: 'git-receive-pack',
-      secret_token: secret_token
+      secret_token: secret_token,
+      protocol: protocol
    )
  end

@@ -237,7 +297,8 @@ describe API::API, api: true  do
      key_id: key.id,
      project: project.path_with_namespace,
      action: 'git-upload-archive',
-      secret_token: secret_token
+      secret_token: secret_token,
+      protocol: 'ssh'
    )
  end
 end