Commit 7f8682d9 authored by Nick Thomas's avatar Nick Thomas

Fix conflicts in git / wiki access

parent 3275a767
module Gitlab
class GitAccessWiki < GitAccess
ERROR_MESSAGES = {
<<<<<<< HEAD
geo: "You can't push code to a secondary GitLab Geo node.",
=======
>>>>>>> master
write_to_wiki: "You are not allowed to write to this project's wiki."
}.freeze
......@@ -17,17 +14,14 @@ module Gitlab
end
def check_single_change_access(change)
<<<<<<< HEAD
if Gitlab::Geo.enabled? && Gitlab::Geo.secondary?
raise UnauthorizedError, ERROR_MESSAGES[:geo]
end
=======
>>>>>>> master
unless user_access.can_do_action?(:create_wiki)
raise UnauthorizedError, ERROR_MESSAGES[:write_to_wiki]
end
if Gitlab::Geo.enabled? && Gitlab::Geo.secondary?
raise UnauthorizedError, ERROR_MESSAGES[:geo]
end
true
end
end
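Review bot: The Geo secondary guard in `check_single_change_access` is printed both above and below the `create_wiki` check, and with the `+`/`-` column lost this page does not show which copy the resolution keeps, so it is worth confirming that the merged method has exactly one guard. The hunk header (17 old lines, 14 new) is consistent with only the lower copy surviving, which would mean a user without `create_wiki` on a secondary now gets the `write_to_wiki` message rather than the `geo` one. If that order is intended, a comment above the guard would record it, for example `# Geo secondaries are read-only: reject wiki pushes even from users who may write to the wiki`. A spec for a user lacking `create_wiki` on a secondary node would pin which error wins; none is visible in the `GitAccessWiki` spec hunk shown further down.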
......
......@@ -8,10 +8,7 @@ describe Gitlab::GitAccess, lib: true do
let(:user) { create(:user) }
let(:actor) { user }
let(:protocol) { 'ssh' }
<<<<<<< HEAD
=======
>>>>>>> master
let(:authentication_abilities) do
[
:read_project,
......@@ -172,7 +169,6 @@ describe Gitlab::GitAccess, lib: true do
before do
allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false)
end
<<<<<<< HEAD
context 'when calling git-upload-pack' do
it { expect { pull_access_check }.to raise_unauthorized('Pulling over HTTP is not allowed.') }
......@@ -199,34 +195,6 @@ describe Gitlab::GitAccess, lib: true do
end
end
=======
context 'when calling git-upload-pack' do
it { expect { pull_access_check }.to raise_unauthorized('Pulling over HTTP is not allowed.') }
end
context 'when calling git-receive-pack' do
it { expect { push_access_check }.not_to raise_error }
end
end
context 'when the git-receive-pack command is disabled in config' do
before do
allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
end
context 'when calling git-receive-pack' do
it { expect { push_access_check }.to raise_unauthorized('Pushing over HTTP is not allowed.') }
end
context 'when calling git-upload-pack' do
it { expect { pull_access_check }.not_to raise_error }
end
end
end
end
>>>>>>> master
describe '#check_download_access!' do
describe 'master permissions' do
before { project.team << [user, :master] }
......
......@@ -31,13 +31,9 @@ describe Gitlab::GitAccessWiki, lib: true do
allow(Gitlab::Geo).to receive(:license_allows?) { true }
end
<<<<<<< HEAD
it { expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "You can't push code to a secondary GitLab Geo node.") }
=======
it 'does not give access to upload wiki code' do
expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "You can't push code to a secondary GitLab Geo node.")
end
>>>>>>> master
end
end
end
......
......@@ -14,7 +14,6 @@ describe 'Git HTTP requests', lib: true do
end
end
end
<<<<<<< HEAD
context "when only username is provided" do
it "responds to downloads with status 401 Unauthorized" do
......@@ -69,22 +68,6 @@ describe 'Git HTTP requests', lib: true do
context "when authentication fails" do
it "responds to uploads with status 401 Unauthorized" do
upload(path, user: user.username, password: "wrong-password") do |response|
=======
context "when only username is provided" do
it "responds to downloads with status 401 Unauthorized" do
download(path, user: user.username) do |response|
expect(response).to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
end
end
end
context "when username and password are provided" do
context "when authentication fails" do
it "responds to downloads with status 401 Unauthorized" do
download(path, user: user.username, password: "wrong-password") do |response|
>>>>>>> master
expect(response).to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
end
......@@ -92,13 +75,8 @@ describe 'Git HTTP requests', lib: true do
end
context "when authentication succeeds" do
<<<<<<< HEAD
it "does not respond to uploads with status 401 Unauthorized" do
upload(path, user: user.username, password: user.password) do |response|
=======
it "does not respond to downloads with status 401 Unauthorized" do
download(path, user: user.username, password: user.password) do |response|
>>>>>>> master
expect(response).not_to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to be_nil
end
......@@ -107,7 +85,6 @@ describe 'Git HTTP requests', lib: true do
end
end
<<<<<<< HEAD
shared_examples_for 'pulls are allowed' do
it do
download(path, env) do |response|
......@@ -140,19 +117,10 @@ describe 'Git HTTP requests', lib: true do
download_or_upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:not_found)
end
=======
shared_examples 'pushes require Basic HTTP Authentication' do
context "when no credentials are provided" do
it "responds to uploads with status 401 Unauthorized (no project existence information leak)" do
upload(path) do |response|
expect(response).to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
>>>>>>> master
end
end
end
<<<<<<< HEAD
context "when requesting the Wiki" do
let(:wiki) { ProjectWiki.new(project) }
let(:path) { "/#{wiki.repository.path_with_namespace}.git" }
......@@ -174,18 +142,8 @@ describe 'Git HTTP requests', lib: true do
expect(json_body['RepoPath']).to include(wiki.repository.path_with_namespace)
end
end
=======
context "when only username is provided" do
it "responds to uploads with status 401 Unauthorized" do
upload(path, user: user.username) do |response|
expect(response).to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
>>>>>>> master
end
end
end
<<<<<<< HEAD
context 'when authenticated' do
let(:env) { { user: user.username, password: user.password } }
......@@ -211,19 +169,10 @@ describe 'Git HTTP requests', lib: true do
expect(response.body).to eq(git_access_wiki_error(:write_to_wiki))
end
end
=======
context "when username and password are provided" do
context "when authentication fails" do
it "responds to uploads with status 401 Unauthorized" do
upload(path, user: user.username, password: "wrong-password") do |response|
expect(response).to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
>>>>>>> master
end
end
end
<<<<<<< HEAD
context "when the project is private" do
let(:project) { create(:project, :repository, :private, :wiki_enabled) }
......@@ -267,234 +216,6 @@ describe 'Git HTTP requests', lib: true do
expect(response.body).to eq(git_access_error(:project_not_found))
end
end
=======
context "when authentication succeeds" do
it "does not respond to uploads with status 401 Unauthorized" do
upload(path, user: user.username, password: user.password) do |response|
expect(response).not_to have_http_status(:unauthorized)
expect(response.header['WWW-Authenticate']).to be_nil
>>>>>>> master
end
end
end
end
end
shared_examples_for 'pulls are allowed' do
it do
download(path, env) do |response|
expect(response).to have_http_status(:ok)
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
end
end
end
<<<<<<< HEAD
context "when the project is public" do
let(:project) { create(:project, :repository, :public) }
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when not authenticated' do
let(:env) { {} }
it_behaves_like 'pulls are allowed'
end
context "when authenticated" do
let(:env) { { user: user.username, password: user.password } }
context 'as a developer on the team' do
before do
project.team << [user, :developer]
=======
shared_examples_for 'pushes are allowed' do
it do
upload(path, env) do |response|
expect(response).to have_http_status(:ok)
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
end
end
end
describe "User with no identities" do
let(:user) { create(:user) }
context "when the project doesn't exist" do
let(:path) { 'doesnt/exist.git' }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when authenticated' do
it 'rejects downloads and uploads with 404 Not Found' do
download_or_upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:not_found)
end
end
end
end
context "when requesting the Wiki" do
let(:wiki) { ProjectWiki.new(project) }
let(:path) { "/#{wiki.repository.path_with_namespace}.git" }
context "when the project is public" do
let(:project) { create(:project, :repository, :public, :wiki_enabled) }
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when unauthenticated' do
let(:env) { {} }
it_behaves_like 'pulls are allowed'
it "responds to pulls with the wiki's repo" do
download(path) do |response|
json_body = ActiveSupport::JSON.decode(response.body)
expect(json_body['RepoPath']).to include(wiki.repository.path_with_namespace)
end
end
end
context 'when authenticated' do
let(:env) { { user: user.username, password: user.password } }
context 'and as a developer on the team' do
before do
project.team << [user, :developer]
end
context 'but the repo is disabled' do
let(:project) { create(:project, :repository, :public, :repository_disabled, :wiki_enabled) }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
>>>>>>> master
end
<<<<<<< HEAD
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
context 'but git-receive-pack over HTTP is disabled in config' do
before do
allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
end
it 'rejects pushes with 403 Forbidden' do
upload(path, env) do |response|
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq(git_access_error(:receive_pack_disabled_over_http))
end
end
end
context 'but git-upload-pack over HTTP is disabled in config' do
it "rejects pushes with 403 Forbidden" do
allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false)
download(path, env) do |response|
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq(git_access_error(:upload_pack_disabled_over_http))
end
end
end
end
context 'and not a member of the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload(path, env) do |response|
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq(change_access_error(:push_code))
end
=======
context 'and not on the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload(path, env) do |response|
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq(git_access_wiki_error(:write_to_wiki))
end
end
end
end
end
context "when the project is private" do
let(:project) { create(:project, :repository, :private, :wiki_enabled) }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when authenticated' do
context 'and as a developer on the team' do
before do
project.team << [user, :developer]
>>>>>>> master
end
context 'but the repo is disabled' do
let(:project) { create(:project, :repository, :private, :repository_disabled, :wiki_enabled) }
<<<<<<< HEAD
context 'when the repo is public' do
context 'but the repo is disabled' do
let(:project) { create(:project, :public, :repository, :repository_disabled) }
let(:path) { "#{project.path_with_namespace}.git" }
let(:env) { {} }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
end
context 'but the repo is enabled' do
let(:project) { create(:project, :public, :repository, :repository_enabled) }
let(:path) { "#{project.path_with_namespace}.git" }
let(:env) { {} }
it_behaves_like 'pulls are allowed'
end
context 'but only project members are allowed' do
let(:project) { create(:project, :public, :repository, :repository_private) }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
=======
it 'allows clones' do
download(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:ok)
end
end
it 'pushes are allowed' do
upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:ok)
end
end
end
end
context 'and not on the team' do
it 'rejects clones with 404 Not Found' do
download(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:not_found)
expect(response.body).to eq(git_access_error(:project_not_found))
end
end
it 'rejects pushes with 404 Not Found' do
upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:not_found)
expect(response.body).to eq(git_access_error(:project_not_found))
end
end
>>>>>>> master
end
end
end
......@@ -752,11 +473,7 @@ describe 'Git HTTP requests', lib: true do
end
context "when the user doesn't have access to the project" do
<<<<<<< HEAD
it "pulls get status 404" do
=======
it "pulls get status 404 Not Found" do
>>>>>>> master
download(path, user: user.username, password: user.password) do |response|
expect(response).to have_http_status(:not_found)
end
......@@ -866,39 +583,6 @@ describe 'Git HTTP requests', lib: true do
end
end
end
<<<<<<< HEAD
end
context "when the project path doesn't end in .git" do
let(:project) { create(:project, :repository, :public, path: 'project.git-project') }
context "GET info/refs" do
let(:path) { "/#{project.path_with_namespace}/info/refs" }
context "when no params are added" do
before { get path }
it "redirects to the .git suffix version" do
expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs")
end
end
context "when the upload-pack service is requested" do
let(:params) { { service: 'git-upload-pack' } }
before { get path, params }
it "redirects to the .git suffix version" do
expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs?service=#{params[:service]}")
end
end
context "when the receive-pack service is requested" do
let(:params) { { service: 'git-receive-pack' } }
before { get path, params }
it "redirects to the .git suffix version" do
expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs?service=#{params[:service]}")
=======
context "when Kerberos token is provided" do
let(:env) { { spnego_request_token: 'opaque_request_token' } }
......@@ -990,31 +674,10 @@ describe 'Git HTTP requests', lib: true do
expect(response.headers['WWW-Authenticate'].split("\n")).to include("Negotiate #{::Base64.strict_encode64('opaque_response_token')}")
end
end
>>>>>>> master
end
end
<<<<<<< HEAD
context "when the params are anything else" do
let(:params) { { service: 'git-implode-pack' } }
before { get path, params }
it "redirects to the sign-in page" do
expect(response).to redirect_to(new_user_session_path)
end
end
end
context "POST git-upload-pack" do
it "fails to find a route" do
expect { clone_post(project.path_with_namespace) }.to raise_error(ActionController::RoutingError)
end
end
context "POST git-receive-pack" do
it "failes to find a route" do
expect { push_post(project.path_with_namespace) }.to raise_error(ActionController::RoutingError)
=======
context "when repository is above size limit" do
let(:env) { { user: user.username, password: user.password } }
......@@ -1046,29 +709,10 @@ describe 'Git HTTP requests', lib: true do
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq(msg)
end
>>>>>>> master
end
end
end
<<<<<<< HEAD
context "retrieving an info/refs file" do
let(:project) { create(:project, :repository, :public) }
context "when the file exists" do
before do
# Provide a dummy file in its place
allow_any_instance_of(Repository).to receive(:blob_at).and_call_original
allow_any_instance_of(Repository).to receive(:blob_at).with('b83d6e391c22777fca1ed3012fce84f633d7fed0', 'info/refs') do
Gitlab::Git::Blob.find(project.repository, 'master', 'bar/branch-test.txt')
end
get "/#{project.path_with_namespace}/blob/master/info/refs"
end
it "returns the file" do
expect(response).to have_http_status(:ok)
=======
context "when the project path doesn't end in .git" do
let(:project) { create(:project, :repository, :public, path: 'project.git-project') }
......@@ -1120,12 +764,10 @@ describe 'Git HTTP requests', lib: true do
context "POST git-receive-pack" do
it "failes to find a route" do
expect { push_post(project.path_with_namespace) }.to raise_error(ActionController::RoutingError)
>>>>>>> master
end
end
end
<<<<<<< HEAD
=======
context "retrieving an info/refs file" do
let(:project) { create(:project, :repository, :public) }
......@@ -1145,7 +787,6 @@ describe 'Git HTTP requests', lib: true do
end
end
>>>>>>> master
context "when the file does not exist" do
before { get "/#{project.path_with_namespace}/blob/master/info/refs" }
......@@ -1203,3 +844,4 @@ describe 'Git HTTP requests', lib: true do
end
end
end