Commit f2c46672 authored by Mayra Cabrera's avatar Mayra Cabrera Committed by Grzegorz Bizon

Resolve "Deploy Tokens failed to clone LFS repository"

parent d1f890e9
...@@ -71,7 +71,22 @@ module LfsRequest ...@@ -71,7 +71,22 @@ module LfsRequest
def lfs_download_access? def lfs_download_access?
return false unless project.lfs_enabled? return false unless project.lfs_enabled?
ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code? ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code? || deploy_token_can_download_code?
end
def deploy_token_can_download_code?
deploy_token_present? &&
deploy_token.project == project &&
deploy_token.active? &&
deploy_token.read_repository?
end
def deploy_token_present?
user && user.is_a?(DeployToken)
end
def deploy_token
user
end end
def lfs_upload_access? def lfs_upload_access?
...@@ -86,7 +101,7 @@ module LfsRequest ...@@ -86,7 +101,7 @@ module LfsRequest
end end
def user_can_download_code? def user_can_download_code?
has_authentication_ability?(:download_code) && can?(user, :download_code, project) has_authentication_ability?(:download_code) && can?(user, :download_code, project) && !deploy_token_present?
end end
def build_can_download_code? def build_can_download_code?
......
...@@ -27,7 +27,7 @@ class DeployToken < ActiveRecord::Base ...@@ -27,7 +27,7 @@ class DeployToken < ActiveRecord::Base
end end
def active? def active?
!revoked !revoked && expires_at > Date.today
end end
def scopes def scopes
...@@ -58,6 +58,10 @@ class DeployToken < ActiveRecord::Base ...@@ -58,6 +58,10 @@ class DeployToken < ActiveRecord::Base
write_attribute(:expires_at, value.presence || Forever.date) write_attribute(:expires_at, value.presence || Forever.date)
end end
def admin?
false
end
private private
def ensure_at_least_one_scope def ensure_at_least_one_scope
......
---
title: Allow cloning LFS repositories through DeployTokens
merge_request: 20729
author:
type: other
...@@ -62,11 +62,18 @@ describe DeployToken do ...@@ -62,11 +62,18 @@ describe DeployToken do
end end
end end
context "when it hasn't been revoked" do context "when it hasn't been revoked and is not expired" do
it 'should return true' do it 'should return true' do
expect(deploy_token.active?).to be_truthy expect(deploy_token.active?).to be_truthy
end end
end end
context "when it hasn't been revoked and is expired" do
it 'should return true' do
deploy_token.update_attribute(:expires_at, Date.today - 5.days)
expect(deploy_token.active?).to be_falsy
end
end
end end
describe '#username' do describe '#username' do
......
...@@ -575,6 +575,40 @@ describe 'Git LFS API and storage' do ...@@ -575,6 +575,40 @@ describe 'Git LFS API and storage' do
end end
end end
context 'when using Deploy Tokens' do
let(:project) { create(:project, :repository) }
let(:authorization) { authorize_deploy_token }
let(:update_user_permissions) { nil }
let(:role) { nil }
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
end
context 'when Deploy Token is valid' do
let(:deploy_token) { create(:deploy_token, projects: [project]) }
it_behaves_like 'an authorized requests'
end
context 'when Deploy Token is not valid' do
let(:deploy_token) { create(:deploy_token, projects: [project], read_repository: false) }
it 'responds with access denied' do
expect(response).to have_gitlab_http_status(401)
end
end
context 'when Deploy Token is not related to the project' do
let(:another_project) { create(:project, :repository) }
let(:deploy_token) { create(:deploy_token, projects: [another_project]) }
it 'responds with access forbidden' do
# We render 404, to prevent data leakage about existence of the project
expect(response).to have_gitlab_http_status(404)
end
end
end
context 'when build is authorized as' do context 'when build is authorized as' do
let(:authorization) { authorize_ci_project } let(:authorization) { authorize_ci_project }
...@@ -1381,6 +1415,10 @@ describe 'Git LFS API and storage' do ...@@ -1381,6 +1415,10 @@ describe 'Git LFS API and storage' do
ActionController::HttpAuthentication::Basic.encode_credentials(user.username, Gitlab::LfsToken.new(user).token) ActionController::HttpAuthentication::Basic.encode_credentials(user.username, Gitlab::LfsToken.new(user).token)
end end
def authorize_deploy_token
ActionController::HttpAuthentication::Basic.encode_credentials(deploy_token.username, deploy_token.token)
end
def post_lfs_json(url, body = nil, headers = nil) def post_lfs_json(url, body = nil, headers = nil)
post(url, body.try(:to_json), (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE)) post(url, body.try(:to_json), (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE))
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment