Fix existing authorization specs

app/controllers/jwt_controller.rb

@@ -11,10 +11,10 @@ class JwtController < ApplicationController
     service = SERVICES[params[:service]]
     return head :not_found unless service
 
-    @@authentication_result ||= Gitlab::Auth.Result.new
+    @authentication_result ||= Gitlab::Auth::Result.new
 
     result = service.new(@authentication_result.project, @authentication_result.user, auth_params).
-      execute(capabilities: @authentication_result.capabilities || [])
+      execute(capabilities: @authentication_result.capabilities)
 
     render json: result, status: result[:http_status]
   end
@@ -23,7 +23,7 @@ class JwtController < ApplicationController
 
   def authenticate_project_or_user
     authenticate_with_http_basic do |login, password|
-      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, ip: request.ip)
+      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
 
       render_403 unless @authentication_result.succeeded?
     end

app/controllers/projects/git_http_client_controller.rb

@@ -36,7 +36,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
 
       @capabilities = auth_result.capabilities || []
 
-      if ci? || user
+      if auth_result.succeeded?
         return # Allow access
       end
     elsif allow_kerberos_spnego_auth? && spnego_provided?

app/models/ci/build.rb

@@ -43,6 +43,7 @@ module Ci
         new_build.status = 'pending'
         new_build.runner_id = nil
         new_build.trigger_request_id = nil
+        new_build.token = nil
         new_build.save
       end
 

app/services/auth/container_registry_authentication_service.rb

@@ -4,8 +4,8 @@ module Auth
 
     AUDIENCE = 'container_registry'
 
-    def execute(capabilities: capabilities)
-      @capabilities = capabilities
+    def execute(capabilities:)
+      @capabilities = capabilities || []
 
       return error('not found', 404) unless registry.enabled
 
@@ -76,7 +76,7 @@ module Auth
 
       case requested_action
       when 'pull'
-        build_can_pull?(requested_project) || user_can_pull?(requested_project)
+        requested_project.public? || build_can_pull?(requested_project) || user_can_pull?(requested_project)
       when 'push'
         build_can_push?(requested_project) || user_can_push?(requested_project)
       else
@@ -88,8 +88,6 @@ module Auth
       Gitlab.config.registry
     end
 
-    private
-
     def build_can_pull?(requested_project)
       # Build can:
       # 1. pull from it's own project (for ex. a build)

lib/api/internal.rb

@@ -35,6 +35,14 @@ module API
             Project.find_with_namespace(project_path)
           end
         end
+
+        def ssh_capabilities
+          [
+            :read_project,
+            :download_code,
+            :push_code
+          ]
+        end
       end
 
       post "/allowed" do
@@ -130,16 +138,6 @@ module API
 
         { success: true, recovery_codes: codes }
       end
-
-      private
-
-      def ssh_capabilities
-        [
-          :read_project,
-          :download_code,
-          :push_code
-        ]
-      end
     end
   end
 end

lib/gitlab/auth.rb

@@ -115,7 +115,7 @@ module Gitlab
         return unless login == 'gitlab-ci-token'
         return unless password
 
-        build = Ci::Build.running.find_by_token(password)
+        build = ::Ci::Build.running.find_by_token(password)
         return unless build
 
         if build.user

lib/gitlab/git_access.rb

@@ -7,7 +7,7 @@ module Gitlab
 
     attr_reader :actor, :project, :protocol, :user_access, :capabilities
 
-    def initialize(actor, project, protocol, capabilities: capabilities)
+    def initialize(actor, project, protocol, capabilities:)
       @actor    = actor
       @project  = project
       @protocol = protocol

spec/lib/gitlab/git_access_spec.rb

@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
     context 'ssh disabled' do
       before do
         disable_protocol('ssh')
-        @acc = Gitlab::GitAccess.new(actor, project, 'ssh')
+        @acc = Gitlab::GitAccess.new(actor, project, 'ssh', capabilities: capabilities)
       end
 
       it 'blocks ssh git push' do
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
     context 'http disabled' do
       before do
         disable_protocol('http')
-        @acc = Gitlab::GitAccess.new(actor, project, 'http')
+        @acc = Gitlab::GitAccess.new(actor, project, 'http', capabilities: capabilities)
       end
 
       it 'blocks http push' do
@@ -318,7 +318,6 @@ describe Gitlab::GitAccess, lib: true do
                                                             admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
       end
     end
-
   end
 
   shared_examples 'can not push code' do
@@ -354,14 +353,14 @@ describe Gitlab::GitAccess, lib: true do
   describe 'build capabilities permissions' do
     let(:capabilities) { build_capabilities }
 
-    it_behaves_like 'cannot push code'
+    it_behaves_like 'can not push code'
   end
 
   describe 'deploy key permissions' do
     let(:key) { create(:deploy_key) }
     let(:actor) { key }
 
-    it_behaves_like 'cannot push code'
+    it_behaves_like 'can not push code'
   end
 
   private
@@ -372,4 +371,12 @@ describe Gitlab::GitAccess, lib: true do
       :build_download_code
     ]
   end
+
+  def full_capabilities
+    [
+      :read_project,
+      :download_code,
+      :push_code
+    ]
+  end
 end

spec/requests/git_http_spec.rb

@@ -300,23 +300,22 @@ describe 'Git HTTP requests', lib: true do
       end
 
       context "when a gitlab ci token is provided" do
-        let(:token) { 123 }
-        let(:project) { FactoryGirl.create :empty_project }
+        let(:build) { create(:ci_build, :running) }
+        let(:project) { build.project }
 
         before do
-          project.update_attributes(runners_token: token)
           project.project_feature.update_attributes(builds_access_level: ProjectFeature::ENABLED)
         end
 
         it "downloads get status 200" do
-          clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
+          clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
 
           expect(response).to have_http_status(200)
           expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
         end
 
         it "uploads get status 401 (no project existence information leak)" do
-          push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
+          push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
 
           expect(response).to have_http_status(401)
         end

spec/requests/jwt_controller_spec.rb

@@ -22,11 +22,13 @@ describe JwtController do
 
   context 'when using authorized request' do
     context 'using CI token' do
-      let(:project) { create(:empty_project, runners_token: 'token') }
-      let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } }
+      let(:build) { create(:ci_build, :running) }
+      let(:project) { build.project }
+      let(:headers) { { authorization: credentials('gitlab-ci-token', build.token) } }
 
       context 'project with enabled CI' do
         subject! { get '/jwt/auth', parameters, headers }
+
         it { expect(service_class).to have_received(:new).with(project, nil, parameters) }
       end
 

spec/services/auth/container_registry_authentication_service_spec.rb

@@ -6,8 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
   let(:current_params) { {} }
   let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
   let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+  let(:capabilities) do
+    [
+      :read_container_image,
+      :create_container_image
+    ]
+  end
 
-  subject { described_class.new(current_project, current_user, current_params).execute }
+  subject { described_class.new(current_project, current_user, current_params).execute(capabilities: capabilities) }
 
   before do
     allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
@@ -42,6 +48,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
          'actions' => actions,
        }]
     end
+    let(:capabilities) do
+      [
+        :build_read_container_image,
+        :build_create_container_image
+      ]
+    end
 
     it_behaves_like 'a valid token'
     it { expect(payload).to include('access' => access) }