Merge branch '3271-disable-geo-primary-node-keys' into 'security-9-5-ee'

Disable geo primary node keys (9.5) See merge request gitlab/gitlab-ee!536

Merge branch '3271-disable-geo-primary-node-keys' into 'security-9-5-ee'
Disable geo primary node keys (9.5) See merge request gitlab/gitlab-ee!536
2c4011f0 · Stan Hu · Stan Hu · bfc2fcea · 2c4011f0 · 2c4011f0
Commit 2c4011f0 authored Aug 29, 2017 by Stan Hu Committed by Stan Hu Nov 01, 2017
Showing with 25 additions and 5 deletions

app/models/geo_node_key.rb app/models/geo_node_key.rb +12 -0

lib/gitlab/git_access.rb lib/gitlab/git_access.rb +1 -1

spec/lib/gitlab/git_access_spec.rb spec/lib/gitlab/git_access_spec.rb +12 -4

No files found.
--- a/app/models/geo_node_key.rb
+++ b/app/models/geo_node_key.rb
@@ -12,4 +12,16 @@ class GeoNodeKey < Key
  def destroyed_when_orphaned?
    true
  end
+
+  # Geo secondary nodes use these keys to get read access to all projects.
+  # If the secondary is promoted to a primary, its key is no longer valid.
+  #
+  # This is necessary because keys are placed in the `~git/.ssh` directory;
+  # repository mirroring and other actions that shell out to SSH make use of
+  # the same directory. A Geo secondary does not perform any of these actions,
+  # but if it is made a primary and the keys are not removed, every user on the
+  # GitLab instance will be able to access every project using this key.
+  def active?
+    geo_node&.secondary?
+  end
 end
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -269,7 +269,7 @@ module Gitlab
      if deploy_key?
        deploy_key.has_access_to?(project)
      elsif geo_node_key?
-        true
+        geo_node_key.active?
      elsif user
        user.can?(:read_project, project)
      elsif ci?

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -352,13 +352,21 @@ describe Gitlab::GitAccess do
    end

    describe 'geo node key permissions' do
-      let(:key) { build(:geo_node_key) }
+      let(:key) { build(:geo_node_key, geo_node: geo_node) }
      let(:actor) { key }

-      context 'pull code' do
-        subject { access.send(:check_download_access!) }
+      context 'assigned to primary geo node' do
+        let(:geo_node) { build(:geo_node, primary: true) }

-        it { expect { subject }.not_to raise_error }
+        it { expect { pull_access_check }.to raise_not_found }
+        it { expect { push_access_check }.to raise_not_found }
+      end
+
+      context 'assigned to secondary geo node' do
+        let(:geo_node) { build(:geo_node, primary: false) }
+
+        it { expect { pull_access_check }.not_to raise_error }
+        it { expect { push_access_check }.to raise_unauthorized(described_class::ERROR_MESSAGES[:upload]) }
      end
    end