From bee780e8fdf56fa24b54326e9c27f0b1ab7446f7 Mon Sep 17 00:00:00 2001
From: Timothy Andrew <mail@timothyandrew.net>
Date: Thu, 13 Apr 2017 11:34:16 +0000
Subject: [PATCH] Allow OAuth clients to push code

- We currently support fetching code with username = 'oauth2' and
  password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
  error.
- There's no reason this shouldn't be enabled, especially since we allow the
  OAuth client to create deploy keys with push access:

  https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
---
 changelogs/unreleased/30305-oauth-token-push-code.yml | 4 ++++
 lib/gitlab/auth.rb                                    | 2 +-
 spec/lib/gitlab/auth_spec.rb                          | 2 +-
 spec/requests/git_http_spec.rb                        | 4 ++--
 4 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/30305-oauth-token-push-code.yml

diff --git a/changelogs/unreleased/30305-oauth-token-push-code.yml b/changelogs/unreleased/30305-oauth-token-push-code.yml
new file mode 100644
index 00000000000..aadfb5ca419
--- /dev/null
+++ b/changelogs/unreleased/30305-oauth-token-push-code.yml
@@ -0,0 +1,4 @@
+---
+title: Allow OAuth clients to push code
+merge_request: 10677
+author:
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index eee5601b0ed..ea918b23a63 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -108,7 +108,7 @@ module Gitlab
           token = Doorkeeper::AccessToken.by_token(password)
           if valid_oauth_token?(token)
             user = User.find_by(id: token.resource_owner_id)
-            Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
+            Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
           end
         end
       end
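Review bot: The switch to `full_authentication_abilities` on the new line grants an `api`-scoped OAuth token every ability in that set, while the commit message only justifies push; the set is defined outside this hunk, and if it also covers abilities unrelated to git code (container-image creation, for instance — confirm), consider granting push narrowly, e.g. `read_authentication_abilities + [:push_code]`, or at least record the intent with a comment such as `# api-scoped OAuth tokens get the same abilities as a password login (read and push)`. Separately, `User.find_by(id: token.resource_owner_id)` returns nil when the resource owner no longer exists, so the Result built on the new line can now carry full abilities with no user; a `return unless user` before it is cheap unless callers are known to reject a nil user already. The enclosing method starts and ends outside the hunk.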
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 03c4879ed6f..d4a43192d03 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -118,7 +118,7 @@ describe Gitlab::Auth, lib: true do
 
       it 'succeeds for OAuth tokens with the `api` scope' do
         expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2')
-        expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))
+        expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities))
       end
 
       it 'fails for OAuth tokens with other scopes' do
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 006d6a6af1c..02a618388be 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -270,10 +270,10 @@ describe 'Git HTTP requests', lib: true do
                   expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
                 end
 
-                it "uploads get status 401 (no project existence information leak)" do
+                it "uploads get status 200" do
                   push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
 
-                  expect(response).to have_http_status(401)
+                  expect(response).to have_http_status(200)
                 end
               end
 
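Review bot: The renamed example at the changed lines keeps only the success path, so the concern the old 401 example encoded — a caller without push rights must not learn whether the project exists — is no longer asserted anywhere in this hunk. Keep a companion example in which the token's owner lacks push access to the project (or the token has a non-`api` scope) and assert the response matches whatever status a non-existent project returns, e.g. `it "uploads get the same status as a missing project for a token without push access"`. If `push_get` issues only the info/refs request (it is defined outside the hunk), a matching `push_post` with the same credentials would also exercise the actual `git-receive-pack` upload rather than just the advertisement. The surrounding describe/context blocks start and end outside the hunk.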
-- 
2.30.9