11f87700
Commit
11f87700
authored
Sep 15, 2016
by
Kamil Trzcinski
Add access specs
parent
6b381f3f
Showing
5 changed files
with
168 additions
and
45 deletions
+168
-45
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+1
-1
lib/api/internal.rb
lib/api/internal.rb
+12
-2
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+8
-12
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+69
-7
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+78
-23
app/controllers/jwt_controller.rb
...
@@ -25,7 +25,7 @@ class JwtController < ApplicationController
...
@@ -25,7 +25,7 @@ class JwtController < ApplicationController
authenticate_with_http_basic
do
|
login
,
password
|
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
render_403
unless
@authentication_result
.
succe
ss
?
render_403
unless
@authentication_result
.
succe
eded
?
end
end
end
end
...
...
lib/api/internal.rb
...
@@ -51,9 +51,9 @@ module API
...
@@ -51,9 +51,9 @@ module API
access
=
access
=
if
wiki?
if
wiki?
Gitlab
::
GitAccessWiki
.
new
(
actor
,
project
,
protocol
)
Gitlab
::
GitAccessWiki
.
new
(
actor
,
project
,
protocol
,
capabilities:
ssh_capabilities
)
else
else
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
protocol
)
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
protocol
,
capabilities:
ssh_capabilities
)
end
end
access_status
=
access
.
check
(
params
[
:action
],
params
[
:changes
])
access_status
=
access
.
check
(
params
[
:action
],
params
[
:changes
])
...
@@ -130,6 +130,16 @@ module API
...
@@ -130,6 +130,16 @@ module API
{
success:
true
,
recovery_codes:
codes
}
{
success:
true
,
recovery_codes:
codes
}
end
end
private
def
ssh_capabilities
[
:read_project
,
:download_code
,
:push_code
]
end
end
end
end
end
end
end
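Review bot: `ssh_capabilities` hands every SSH actor the same three capabilities including `:push_code`, whether `actor` is a user or a deploy key, so the only thing standing between a deploy key and a push is what `GitAccess#check` does with the `capabilities:` it now receives — that class is not in this diff, so confirm it still denies deploy-key pushes on its own (the new `'deploy key permissions'` example in git_access_spec appears intended to pin that). A one-line comment above the method would keep a later reader from treating this list as the authorization decision: `# Upper bound for SSH actors; per-actor denial (deploy keys, membership) is still decided by GitAccess#check`. The helper also allocates a fresh array on every call; the usual Ruby form would be a frozen constant such as `SSH_CAPABILITIES = [:read_project, :download_code, :push_code].freeze`, though that is style only.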
lib/gitlab/auth.rb
module
Gitlab
module
Gitlab
module
Auth
module
Auth
class
Result
Result
=
Struct
.
new
(
:user
,
:project
,
:type
,
:capabilities
)
do
attr_reader
:user
,
:project
,
:type
,
:capabilities
def
succeeded?
user
.
present?
||
[
:ci
].
include?
(
type
)
def
initialize?
(
user
=
nil
,
project
=
nil
,
type
=
nil
,
capabilities
=
nil
)
@user
,
@project
,
@type
,
@capabilities
=
user
,
project
,
type
,
capabilities
end
def
success?
user
.
present?
||
[
:ci
,
:missing_personal_token
].
include?
(
type
)
end
end
end
end
...
@@ -23,7 +17,7 @@ module Gitlab
...
@@ -23,7 +17,7 @@ module Gitlab
personal_access_token_check
(
login
,
password
)
||
personal_access_token_check
(
login
,
password
)
||
Result
.
new
Result
.
new
rate_limit!
(
ip
,
success:
result
.
succe
ss
?
,
login:
login
)
rate_limit!
(
ip
,
success:
result
.
succe
eded
?
,
login:
login
)
result
result
end
end
...
@@ -94,7 +88,7 @@ module Gitlab
...
@@ -94,7 +88,7 @@ module Gitlab
:gitlab_or_ldap
:gitlab_or_ldap
end
end
Result
.
new
(
user
,
type
,
nil
,
full_capabilities
)
Result
.
new
(
user
,
nil
,
type
,
full_capabilities
)
end
end
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
...
@@ -111,7 +105,9 @@ module Gitlab
...
@@ -111,7 +105,9 @@ module Gitlab
if
login
&&
password
if
login
&&
password
user
=
User
.
find_by_personal_access_token
(
password
)
user
=
User
.
find_by_personal_access_token
(
password
)
validation
=
User
.
by_login
(
login
)
validation
=
User
.
by_login
(
login
)
Result
.
new
(
user
,
nil
,
:personal_token
,
full_capabilities
)
if
user
==
validation
if
user
&&
user
==
validation
Result
.
new
(
user
,
nil
,
:personal_token
,
full_capabilities
)
end
end
end
end
end
...
...
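Review bot: `Result` is built positionally from four nil-defaulted fields, and this same commit has to repair a call where `type` and `project` were swapped (`Result.new(user, type, nil, full_capabilities)` becomes `Result.new(user, nil, type, full_capabilities)`); with a bare `Struct.new` nothing catches the next swap, and a `:ci` landing in the `project` slot would silently change what `succeeded?` returns. Since the file's Ruby level is unknown here, the cheapest guard is a comment on the struct, e.g. `# Positional: (user, project, type, capabilities). A user-less result only succeeds for type :ci.`, plus a `Result.new` spec for the swapped order. The diffstat (+8/-12) suggests the `class Result` version with `success?` is the removed side; if so, `succeeded?` drops `:missing_personal_token` from the user-less types that count as success, and `JwtController` now renders 403 for such a result instead of letting it through, so confirm nothing outside this diff still produces that type expecting it to pass. The `if user && user == validation` guard is a good fix — previously a bad token and an unknown login both yielded `nil` and compared equal.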
spec/lib/gitlab/auth_spec.rb
...
@@ -4,15 +4,51 @@ describe Gitlab::Auth, lib: true do
...
@@ -4,15 +4,51 @@ describe Gitlab::Auth, lib: true do
let
(
:gl_auth
)
{
described_class
}
let
(
:gl_auth
)
{
described_class
}
describe
'find_for_git_client'
do
describe
'find_for_git_client'
do
it
'recognizes CI'
do
context
'build token'
do
token
=
'123'
subject
{
gl_auth
.
find_for_git_client
(
'gitlab-ci-token'
,
build
.
token
,
project:
project
,
ip:
'ip'
)
}
context
'for running build'
do
let!
(
:build
)
{
create
(
:ci_build
,
:running
)
}
let
(
:project
)
{
build
.
project
}
before
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
'gitlab-ci-token'
)
end
it
'recognises user-less build'
do
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
build
.
project
,
:ci
,
build_capabilities
))
end
it
'recognises user token'
do
build
.
update
(
user:
create
(
:user
))
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
build_capabilities
))
end
end
context
'for non-running build'
do
let!
(
:build
)
{
create
(
:ci_build
,
:pending
)
}
let
(
:project
)
{
build
.
project
}
before
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
'gitlab-ci-token'
)
end
it
'denies authentication'
do
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
)
end
end
end
it
'recognizes other ci services'
do
project
=
create
(
:empty_project
)
project
=
create
(
:empty_project
)
project
.
update_attributes
(
runners_token:
token
)
project
.
create_drone_ci_service
(
active:
true
)
project
.
drone_ci_service
.
update
(
token:
'token'
)
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'
gitlab
-ci-token'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'
drone
-ci-token'
)
expect
(
gl_auth
.
find_for_git_client
(
'
gitlab-ci-token'
,
token
,
project:
project
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
:ci
))
expect
(
gl_auth
.
find_for_git_client
(
'
drone-ci-token'
,
'token'
,
project:
project
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
project
,
:ci
,
build_capabilities
))
end
end
it
'recognizes master passwords'
do
it
'recognizes master passwords'
do
...
@@ -20,7 +56,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -20,7 +56,7 @@ describe Gitlab::Auth, lib: true do
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
'password'
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
:gitlab_or_ldap
))
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
'password'
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_capabilities
))
end
end
it
'recognizes OAuth tokens'
do
it
'recognizes OAuth tokens'
do
...
@@ -30,7 +66,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -30,7 +66,7 @@ describe Gitlab::Auth, lib: true do
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
:oauth
))
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_capabilities
))
end
end
it
'returns double nil for invalid credentials'
do
it
'returns double nil for invalid credentials'
do
...
@@ -92,4 +128,30 @@ describe Gitlab::Auth, lib: true do
...
@@ -92,4 +128,30 @@ describe Gitlab::Auth, lib: true do
end
end
end
end
end
end
private
def
build_capabilities
[
:read_project
,
:build_download_code
,
:build_read_container_image
,
:build_create_container_image
]
end
def
read_capabilities
[
:read_project
,
:download_code
,
:read_container_image
]
end
def
full_capabilities
read_capabilities
+
[
:push_code
,
:update_container_image
]
end
end
end
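Review bot: The new `'build token'` contexts only ever present the correct secret — `'for running build'` passes `build.token` and `'for non-running build'` passes the right token to a pending build — so nothing pins that a wrong token for a running build is denied rather than falling through to the `:ci`/`:build` result. Add a context under `'for running build'` with its own `rate_limit!` expectation (`success: false`) and `expect(gl_auth.find_for_git_client('gitlab-ci-token', 'wrong', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new)`. Note also that `'recognizes other ci services'` now asserts a third-party Drone service token receives the full `build_capabilities`, including `:build_create_container_image`; if that grant is intended it deserves a comment in the example saying so, since the hand-typed capability lists at the bottom are what will catch an accidental widening. Putting `expect(gl_auth).to receive(:rate_limit!)` in a `before` works, but an `allow` there and the assertion in the `it` would make each example's expectation readable on its own.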
spec/lib/gitlab/git_access_spec.rb
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
GitAccess
,
lib:
true
do
describe
Gitlab
::
GitAccess
,
lib:
true
do
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'web'
)
}
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'web'
,
capabilities:
capabilities
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:actor
)
{
user
}
let
(
:actor
)
{
user
}
let
(
:capabilities
)
do
[
:read_project
,
:download_code
,
:push_code
]
end
describe
'#check with single protocols allowed'
do
describe
'#check with single protocols allowed'
do
def
disable_protocol
(
protocol
)
def
disable_protocol
(
protocol
)
...
@@ -111,6 +118,36 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -111,6 +118,36 @@ describe Gitlab::GitAccess, lib: true do
end
end
end
end
end
end
describe
'build capabilities permissions'
do
let
(
:capabilities
)
{
build_capabilities
}
describe
'reporter user'
do
before
{
project
.
team
<<
[
user
,
:reporter
]
}
context
'pull code'
do
it
{
expect
(
subject
).
to
be_allowed
}
end
end
describe
'admin user'
do
let
(
:user
)
{
create
(
:admin
)
}
context
'when member of the project'
do
before
{
project
.
team
<<
[
user
,
:reporter
]
}
context
'pull code'
do
it
{
expect
(
subject
).
to
be_allowed
}
end
end
context
'when is not member of the project'
do
context
'pull code'
do
it
{
expect
(
subject
).
not_to
be_allowed
}
end
end
end
end
end
end
describe
'push_access_check'
do
describe
'push_access_check'
do
...
@@ -281,40 +318,58 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -281,40 +318,58 @@ describe Gitlab::GitAccess, lib: true do
admin:
{
push_protected_branch:
false
,
push_all:
false
,
merge_into_protected_branch:
false
}))
admin:
{
push_protected_branch:
false
,
push_all:
false
,
merge_into_protected_branch:
false
}))
end
end
end
end
end
end
describe
'deploy key permissions'
do
shared_examples
'can not push code'
do
let
(
:key
)
{
create
(
:deploy_key
)
}
subject
{
access
.
check
(
'git-receive-pack'
,
'_any'
)
}
let
(
:actor
)
{
key
}
context
'
push code
'
do
context
'
when project is authorized
'
do
subject
{
access
.
check
(
'git-receive-pack'
,
'_any'
)
}
before
{
key
.
projects
<<
project
}
context
'when project is authorized'
do
it
{
expect
(
subject
).
not_to
be_allowed
}
before
{
key
.
projects
<<
project
}
end
context
'when unauthorized'
do
context
'to public project'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
it
{
expect
(
subject
).
not_to
be_allowed
}
it
{
expect
(
subject
).
not_to
be_allowed
}
end
end
context
'when unauthorized'
do
context
'to internal project'
do
context
'to public project'
do
let
(
:project
)
{
create
(
:project
,
:internal
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
it
{
expect
(
subject
).
not_to
be_allowed
}
end
context
'to internal project'
do
let
(
:project
)
{
create
(
:project
,
:internal
)
}
it
{
expect
(
subject
).
not_to
be_allowed
}
it
{
expect
(
subject
).
not_to
be_allowed
}
end
end
context
'to private project'
do
context
'to private project'
do
let
(
:project
)
{
create
(
:project
,
:internal
)
}
let
(
:project
)
{
create
(
:project
,
:internal
)
}
it
{
expect
(
subject
).
not_to
be_allowed
}
it
{
expect
(
subject
).
not_to
be_allowed
}
end
end
end
end
end
end
end
describe
'build capabilities permissions'
do
let
(
:capabilities
)
{
build_capabilities
}
it_behaves_like
'cannot push code'
end
describe
'deploy key permissions'
do
let
(
:key
)
{
create
(
:deploy_key
)
}
let
(
:actor
)
{
key
}
it_behaves_like
'cannot push code'
end
private
def
build_capabilities
[
:read_project
,
:build_download_code
]
end
end
end
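Review bot: `it_behaves_like 'cannot push code'`, used by both the `'build capabilities permissions'` and `'deploy key permissions'` describes, does not match the group declared as `shared_examples 'can not push code'`, so RSpec will fail to find the shared examples; rename one side, e.g. `shared_examples 'cannot push code' do`. The shared group's `'when project is authorized'` example also runs `before { key.projects << project }`, but `key` is only defined by `let(:key)` inside the deploy-key describe — in the build-capabilities describe `actor` is `user` and `key` is undefined, so that example would raise NameError there; the authorization setup should move into each including describe (membership for the user case, `key.projects << project` for the deploy key). Finally, the `'to private project'` context still builds `create(:project, :internal)` (carried over from the old code), so the private case is never exercised; it should be `create(:project, :private)` assuming the factory has that trait alongside `:public` and `:internal`.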