Fix existing authorization specs

9d1ccd2a · Kamil Trzcinski · 50076ab9 · 9d1ccd2a · 9d1ccd2a · 9d1ccd2a
Commit 9d1ccd2a authored Sep 15, 2016 by Kamil Trzcinski
11 changed files
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -11,10 +11,10 @@ class JwtController < ApplicationController
    service = SERVICES[params[:service]]
    return head :not_found unless service
-    @@authentication_result ||= Gitlab::Auth.Result.new
+    @authentication_result ||= Gitlab::Auth::Result.new
    result = service.new(@authentication_result.project, @authentication_result.user, auth_params).
-      execute(capabilities: @authentication_result.capabilities || [])
+      execute(capabilities: @authentication_result.capabilities)
    render json: result, status: result[:http_status]
  end
@@ -23,7 +23,7 @@ class JwtController < ApplicationController
  def authenticate_project_or_user
    authenticate_with_http_basic do |login, password|
-      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, ip: request.ip)
+      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
      render_403 unless @authentication_result.succeeded?
    end

--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
      @capabilities = auth_result.capabilities || []
-      if ci? || user
+      if auth_result.succeeded?
        return # Allow access
      end
    elsif allow_kerberos_spnego_auth? && spnego_provided?

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -43,6 +43,7 @@ module Ci
        new_build.status = 'pending'
        new_build.runner_id = nil
        new_build.trigger_request_id = nil
+        new_build.token = nil
        new_build.save
      end

--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -4,8 +4,8 @@ module Auth
    AUDIENCE = 'container_registry'
-    def execute(capabilities: capabilities)
+    def execute(capabilities:)
-      @capabilities = capabilities
+      @capabilities = capabilities || []
      return error('not found', 404) unless registry.enabled
@@ -76,7 +76,7 @@ module Auth
      case requested_action
      when 'pull'
-        build_can_pull?(requested_project) || user_can_pull?(requested_project)
+        requested_project.public? || build_can_pull?(requested_project) || user_can_pull?(requested_project)
      when 'push'
        build_can_push?(requested_project) || user_can_push?(requested_project)
      else
@@ -88,8 +88,6 @@ module Auth
      Gitlab.config.registry
    end
-    private
    def build_can_pull?(requested_project)
      # Build can:
      # 1. pull from it's own project (for ex. a build)

--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,6 +35,14 @@ module API
            Project.find_with_namespace(project_path)
          end
        end
+        def ssh_capabilities
+          [
+            :read_project,
+            :download_code,
+            :push_code
+          ]
+        end
      end
      post "/allowed" do
@@ -130,16 +138,6 @@ module API
        { success: true, recovery_codes: codes }
      end
-      private
-      def ssh_capabilities
-        [
-          :read_project,
-          :download_code,
-          :push_code
-        ]
-      end
    end
  end
 end
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -115,7 +115,7 @@ module Gitlab
        return unless login == 'gitlab-ci-token'
        return unless password
-        build = Ci::Build.running.find_by_token(password)
+        build = ::Ci::Build.running.find_by_token(password)
        return unless build
        if build.user

--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -7,7 +7,7 @@ module Gitlab
    attr_reader :actor, :project, :protocol, :user_access, :capabilities
-    def initialize(actor, project, protocol, capabilities: capabilities)
+    def initialize(actor, project, protocol, capabilities:)
      @actor    = actor
      @project  = project
      @protocol = protocol

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
    context 'ssh disabled' do
      before do
        disable_protocol('ssh')
-        @acc = Gitlab::GitAccess.new(actor, project, 'ssh')
+        @acc = Gitlab::GitAccess.new(actor, project, 'ssh', capabilities: capabilities)
      end
      it 'blocks ssh git push' do
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
    context 'http disabled' do
      before do
        disable_protocol('http')
-        @acc = Gitlab::GitAccess.new(actor, project, 'http')
+        @acc = Gitlab::GitAccess.new(actor, project, 'http', capabilities: capabilities)
      end
      it 'blocks http push' do
@@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do
                                                            admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
      end
    end
  end
  shared_examples 'can not push code' do
@@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do
  describe 'build capabilities permissions' do
    let(:capabilities) { build_capabilities }
-    it_behaves_like 'cannot push code'
+    it_behaves_like 'can not push code'
  end
  describe 'deploy key permissions' do
    let(:key) { create(:deploy_key) }
    let(:actor) { key }
-    it_behaves_like 'cannot push code'
+    it_behaves_like 'can not push code'
  end
  private
@@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do
      :build_download_code
    ]
  end
+  def full_capabilities
+    [
+      :read_project,
+      :download_code,
+      :push_code
+    ]
+  end
 end
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do
      end
      context "when a gitlab ci token is provided" do
-        let(:token) { 123 }
+        let(:build) { create(:ci_build, :running) }
-        let(:project) { FactoryGirl.create :empty_project }
+        let(:project) { build.project }
        before do
-          project.update_attributes(runners_token: token)
          project.project_feature.update_attributes(builds_access_level: ProjectFeature::ENABLED)
        end
        it "downloads get status 200" do
-          clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
+          clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
          expect(response).to have_http_status(200)
          expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
        end
        it "uploads get status 401 (no project existence information leak)" do
-          push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
+          push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
          expect(response).to have_http_status(401)
        end

--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -22,11 +22,13 @@ describe JwtController do
  context 'when using authorized request' do
    context 'using CI token' do
-      let(:project) { create(:empty_project, runners_token: 'token') }
+      let(:build) { create(:ci_build, :running) }
-      let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } }
+      let(:project) { build.project }
+      let(:headers) { { authorization: credentials('gitlab-ci-token', build.token) } }
      context 'project with enabled CI' do
        subject! { get '/jwt/auth', parameters, headers }
        it { expect(service_class).to have_received(:new).with(project, nil, parameters) }
      end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
  let(:current_params) { {} }
  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
  let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+  let(:capabilities) do
+    [
+      :read_container_image,
+      :create_container_image
+    ]
+  end
-  subject { described_class.new(current_project, current_user, current_params).execute }
+  subject { described_class.new(current_project, current_user, current_params).execute(capabilities: capabilities) }
  before do
    allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
@@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
         'actions' => actions,
       }]
    end
+    let(:capabilities) do
+      [
+        :build_read_container_image,
+        :build_create_container_image
+      ]
+    end
    it_behaves_like 'a valid token'
    it { expect(payload).to include('access' => access) }