Merge branch '54826-use-read_repository-scope-on-read-only-files-endpoints' into 'master'

Resolve "Use read_repository scope on read-only files endpoints" Closes #54826 See merge request gitlab-org/gitlab-ce!23534

Merge branch '54826-use-read_repository-scope-on-read-only-files-endpoints' into 'master'
Resolve "Use read_repository scope on read-only files endpoints" Closes #54826 See merge request gitlab-org/gitlab-ce!23534
1c9b1001 · Grzegorz Bizon · 5ea6b08e · 9f4a3111 · 1c9b1001 · 1c9b1001
Commit 1c9b1001 authored Dec 05, 2018 by Grzegorz Bizon
4 changed files
--- a/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
+++ b/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
+---
+title: Use read_repository scope on read-only files API
+merge_request: 23534
+author:
+type: fixed
--- a/doc/api/repository_files.md
+++ b/doc/api/repository_files.md
@@ -4,6 +4,16 @@

 **Create, read, update and delete repository files using this API**

+The different scopes available using [personal access tokens](../user/profile/personal_access_tokens.md) are depicted
+in the following table.
+
+| Scope | Description |
+| ----- | ----------- |
+| `read_repository` | Allows read-access to the repository files. |
+| `api` | Allows read-write access to the repository files. |
+
+> `read_repository` scope was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23534) in GitLab 11.6.
+
 ## Get file from repository

 Allows you to receive information about file in repository like name, size,

--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,6 +2,8 @@

 module API
  class Files < Grape::API
+    include APIGuard
+
    FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)

    # Prevents returning plain/text responses for files with .txt extension
@@ -79,6 +81,8 @@ module API
      requires :id, type: String, desc: 'The project ID'
    end
    resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do
+      allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }
+
      desc 'Get raw file metadata from repository'
      params do
        requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'

--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -121,6 +121,13 @@ describe API::Files do
      end
    end

+    context 'when PATs are used' do
+      it_behaves_like 'repository files' do
+        let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+        let(:current_user) { { personal_access_token: token } }
+      end
+    end
+
    context 'when authenticated', 'as a developer' do
      it_behaves_like 'repository files' do
        let(:current_user) { user }
@@ -217,6 +224,13 @@ describe API::Files do
      end
    end

+    context 'when PATs are used' do
+      it_behaves_like 'repository files' do
+        let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+        let(:current_user) { { personal_access_token: token } }
+      end
+    end
+
    context 'when unauthenticated', 'and project is private' do
      it_behaves_like '404 response' do
        let(:request) { get api(route(file_path)), params }
@@ -317,6 +331,21 @@ describe API::Files do
        let(:request) { get api(route(file_path), guest), params }
      end
    end
+
+    context 'when PATs are used' do
+      it 'returns file by commit sha' do
+        token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+        # This file is deleted on HEAD
+        file_path = "files%2Fjs%2Fcommit%2Ejs%2Ecoffee"
+        params[:ref] = "6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9"
+        expect(Gitlab::Workhorse).to receive(:send_git_blob)
+
+        get api(route(file_path) + "/raw", personal_access_token: token), params
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
  end

  describe "POST /projects/:id/repository/files/:file_path" do
@@ -362,6 +391,24 @@ describe API::Files do
      expect(response).to have_gitlab_http_status(400)
    end

+    context 'with PATs' do
+      it 'returns 403 with `read_repository` scope' do
+        token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+        post api(route(file_path), personal_access_token: token), params
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+
+      it 'returns 201 with `api` scope' do
+        token = create(:personal_access_token, scopes: ['api'], user: user)
+
+        post api(route(file_path), personal_access_token: token), params
+
+        expect(response).to have_gitlab_http_status(201)
+      end
+    end
+
    context "when specifying an author" do
      it "creates a new file with the specified author" do
        params.merge!(author_email: author_email, author_name: author_name)