Skip to content

G
gitlab-ce
Commit b2bfd36b authored by Francisco Javier López's avatar Francisco Javier López Committed by Stan Hu
Browse files
Options

Generate LFS token authorization for user LFS requests 

When the user performs an LFS batch request to execute
a download or upload, we generate an LFS token in order
to avoid authenticating them in each latter request.
parent d1bfec9b
Hide whitespace changes
Inline Side-by-side
Showing with 587 additions and 545 deletions
app/controllers/application_controller.rb
View file @ b2bfd36b
......@@ -288,9 +288,7 @@ class ApplicationController < ActionController::Base
def check_password_expiration
return if session[:impersonator_id] || !current_user&.allow_password_authentication?
password_expires_at = current_user&.password_expires_at
if password_expires_at && password_expires_at < Time.now
if current_user&.password_expired?
return redirect_to new_profile_password_path
end
end
......
app/controllers/projects/lfs_api_controller.rb
View file @ b2bfd36b
......@@ -2,6 +2,7 @@
class Projects::LfsApiController < Projects::GitHttpClientController
include LfsRequest
include Gitlab::Utils::StrongMemoize
LFS_TRANSFER_CONTENT_TYPE = 'application/octet-stream'
......@@ -81,7 +82,7 @@ class Projects::LfsApiController < Projects::GitHttpClientController
download: {
href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}",
header: {
Authorization: request.headers['Authorization']
Authorization: authorization_header
}.compact
}
}
......@@ -92,7 +93,7 @@ class Projects::LfsApiController < Projects::GitHttpClientController
upload: {
href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}/#{object[:size]}",
header: {
Authorization: request.headers['Authorization'],
Authorization: authorization_header,
# git-lfs v2.5.0 sets the Content-Type based on the uploaded file. This
# ensures that Workhorse can intercept the request.
'Content-Type': LFS_TRANSFER_CONTENT_TYPE
......@@ -122,6 +123,18 @@ class Projects::LfsApiController < Projects::GitHttpClientController
def lfs_read_only_message
_('You cannot write to this read-only GitLab instance.')
end
def authorization_header
strong_memoize(:authorization_header) do
lfs_auth_header || request.headers['Authorization']
end
end
def lfs_auth_header
return unless user.is_a?(User)
Gitlab::LfsToken.new(user).basic_encoding
end
end
Projects::LfsApiController.prepend_if_ee('EE::Projects::LfsApiController')
app/models/user.rb
View file @ b2bfd36b
......@@ -1519,6 +1519,10 @@ class User < ApplicationRecord
todos.find_by(target: target, state: :pending)
end
def password_expired?
!!(password_expires_at && password_expires_at < Time.now)
end
# @deprecated
alias_method :owned_or_masters_groups, :owned_or_maintainers_groups
......
changelogs/unreleased/fj-28429-generate-lfs-token-authorization.yml 0 → 100644
View file @ b2bfd36b
---
title: Generate LFS token authorization for user LFS requests
merge_request: 17332
author:
type: fixed
lib/gitlab/auth.rb
View file @ b2bfd36b
......@@ -231,7 +231,7 @@ module Gitlab
authentication_abilities =
if token_handler.user?
full_authentication_abilities
read_write_project_authentication_abilities
elsif token_handler.deploy_key_pushable?(project)
read_write_authentication_abilities
else
......@@ -272,10 +272,21 @@ module Gitlab
]
end
def read_only_authentication_abilities
def read_only_project_authentication_abilities
[
:read_project,
:download_code,
:download_code
]
end
def read_write_project_authentication_abilities
read_only_project_authentication_abilities + [
:push_code
]
end
def read_only_authentication_abilities
read_only_project_authentication_abilities + [
:read_container_image
]
end
......
lib/gitlab/lfs_token.rb
View file @ b2bfd36b
......@@ -34,8 +34,11 @@ module Gitlab
HMACToken.new(actor).token(DEFAULT_EXPIRE_TIME)
end
# When the token is an lfs one and the actor
# is blocked or the password has been changed,
# the token is no longer valid
def token_valid?(token_to_check)
HMACToken.new(actor).token_valid?(token_to_check)
HMACToken.new(actor).token_valid?(token_to_check) && valid_user?
end
def deploy_key_pushable?(project)
......@@ -46,6 +49,12 @@ module Gitlab
user? ? :lfs_token : :lfs_deploy_token
end
def valid_user?
return true unless user?
!actor.blocked? && (!actor.allow_password_authentication? || !actor.password_expired?)
end
def authentication_payload(repository_http_path)
{
username: actor_name,
......@@ -55,6 +64,10 @@ module Gitlab
}
end
def basic_encoding
ActionController::HttpAuthentication::Basic.encode_credentials(actor_name, token)
end
private # rubocop:disable Lint/UselessAccessModifier
class HMACToken
......
spec/lib/gitlab/auth_spec.rb
View file @ b2bfd36b
......@@ -4,6 +4,7 @@ require 'spec_helper'
describe Gitlab::Auth do
let(:gl_auth) { described_class }
set(:project) { create(:project) }
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
......@@ -90,13 +91,13 @@ describe Gitlab::Auth do
end
it 'recognises user-less build' do
expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, described_class.build_authentication_abilities))
end
it 'recognises user token' do
build.update(user: create(:user))
expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, described_class.build_authentication_abilities))
end
end
......@@ -117,26 +118,25 @@ describe Gitlab::Auth do
end
it 'recognizes other ci services' do
project = create(:project)
project.create_drone_ci_service(active: true)
project.drone_ci_service.update(token: 'token')
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'drone-ci-token')
expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, project, :ci, described_class.build_authentication_abilities))
end
it 'recognizes master passwords' do
user = create(:user, password: 'password')
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
include_examples 'user login operation with unique ip limit' do
let(:user) { create(:user, password: 'password') }
def operation
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
end
......@@ -146,7 +146,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(user).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, full_authentication_abilities))
expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, described_class.read_write_project_authentication_abilities))
end
it 'recognizes deploy key lfs tokens' do
......@@ -154,7 +154,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_only_authentication_abilities))
end
it 'does not try password auth before oauth' do
......@@ -167,22 +167,20 @@ describe Gitlab::Auth do
end
it 'grants deploy key write permissions' do
project = create(:project)
key = create(:deploy_key)
create(:deploy_keys_project, :write_access, deploy_key: key, project: project)
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_write_authentication_abilities))
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_write_authentication_abilities))
end
it 'does not grant deploy key write permissions' do
project = create(:project)
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_only_authentication_abilities))
end
end
......@@ -193,7 +191,7 @@ describe Gitlab::Auth do
it 'succeeds for OAuth tokens with the `api` scope' do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2')
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities))
expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, described_class.full_authentication_abilities))
end
it 'fails for OAuth tokens with other scopes' do
......@@ -214,7 +212,7 @@ describe Gitlab::Auth do
it 'succeeds for personal access tokens with the `api` scope' do
personal_access_token = create(:personal_access_token, scopes: ['api'])
expect_results_with_abilities(personal_access_token, full_authentication_abilities)
expect_results_with_abilities(personal_access_token, described_class.full_authentication_abilities)
end
it 'succeeds for personal access tokens with the `read_repository` scope' do
......@@ -244,7 +242,7 @@ describe Gitlab::Auth do
it 'succeeds if it is an impersonation token' do
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
expect_results_with_abilities(impersonation_token, full_authentication_abilities)
expect_results_with_abilities(impersonation_token, described_class.full_authentication_abilities)
end
it 'limits abilities based on scope' do
......@@ -267,7 +265,7 @@ describe Gitlab::Auth do
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
it 'fails through oauth authentication when the username is oauth2' do
......@@ -278,7 +276,7 @@ describe Gitlab::Auth do
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
.to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
end
......@@ -296,7 +294,6 @@ describe Gitlab::Auth do
end
context 'while using deploy tokens' do
let(:project) { create(:project) }
let(:auth_failure) { Gitlab::Auth::Result.new(nil, nil) }
context 'when deploy token and user have the same username' do
......@@ -316,7 +313,7 @@ describe Gitlab::Auth do
end
it 'succeeds for the user' do
auth_success = Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
auth_success = Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities)
expect(gl_auth.find_for_git_client(username, 'my-secret', project: project, ip: 'ip'))
.to eq(auth_success)
......@@ -344,7 +341,7 @@ describe Gitlab::Auth do
end
context 'and belong to different projects' do
let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [create(:project)]) }
let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [project]) }
let!(:read_repository) { create(:deploy_token, username: read_registry.username, read_registry: false, projects: [project]) }
it 'succeeds for the right token' do
......@@ -582,37 +579,6 @@ describe Gitlab::Auth do
private
def build_authentication_abilities
[
:read_project,
:build_download_code,
:build_read_container_image,
:build_create_container_image,
:build_destroy_container_image
]
end
def read_only_authentication_abilities
[
:read_project,
:download_code,
:read_container_image
]
end
def read_write_authentication_abilities
read_only_authentication_abilities + [
:push_code,
:create_container_image
]
end
def full_authentication_abilities
read_write_authentication_abilities + [
:admin_container_image
]
end
def expect_results_with_abilities(personal_access_token, abilities, success = true)
expect(gl_auth).to receive(:rate_limit!).with('ip', success: success, login: '')
expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip'))
......
spec/lib/gitlab/lfs_token_spec.rb
View file @ b2bfd36b
......@@ -115,6 +115,46 @@ describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
expect(lfs_token.token_valid?(lfs_token.token)).to be_truthy
end
end
context 'when the actor is a regular user' do
context 'when the user is blocked' do
let(:actor) { create(:user, :blocked) }
it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
end
end
context 'when the user password is expired' do
let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
end
end
end
context 'when the actor is an ldap user' do
before do
allow(actor).to receive(:ldap_user?).and_return(true)
end
context 'when the user is blocked' do
let(:actor) { create(:user, :blocked) }
it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
end
end
context 'when the user password is expired' do
let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
it 'returns true' do
expect(lfs_token.token_valid?(lfs_token.token)).to be_truthy
end
end
end
end
end
......
spec/models/user_spec.rb
View file @ b2bfd36b
......@@ -3616,4 +3616,34 @@ describe User do
end
end
end
describe '#password_expired?' do
let(:user) { build(:user, password_expires_at: password_expires_at) }
subject { user.password_expired? }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
it 'returns true' do
is_expected.to be_truthy
end
end
context 'when password_expires_at is in the future' do
let(:password_expires_at) { 1.minute.from_now }
it 'returns false' do
is_expected.to be_falsey
end
end
end
end
spec/requests/lfs_http_spec.rb
View file @ b2bfd36b
# frozen_string_literal: true
require 'spec_helper'
describe 'Git LFS API and storage' do
include WorkhorseHelpers
include LfsHttpHelpers
include ProjectForksHelper
let(:user) { create(:user) }
set(:project) { create(:project, :repository) }
set(:other_project) { create(:project, :repository) }
set(:user) { create(:user) }
let!(:lfs_object) { create(:lfs_object, :with_file) }
let(:headers) do
......@@ -19,201 +22,163 @@ describe 'Git LFS API and storage' do
let(:sample_oid) { lfs_object.oid }
let(:sample_size) { lfs_object.size }
let(:sample_object) { { 'oid' => sample_oid, 'size' => sample_size } }
let(:non_existing_object_oid) { '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897' }
let(:non_existing_object_size) { 1575078 }
let(:non_existing_object) { { 'oid' => non_existing_object_oid, 'size' => non_existing_object_size } }
let(:multiple_objects) { [sample_object, non_existing_object] }
describe 'when lfs is disabled' do
let(:project) { create(:project) }
let(:body) do
{
'objects' => [
{ 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078 },
{ 'oid' => sample_oid,
'size' => sample_size }
],
'operation' => 'upload'
}
end
let(:lfs_enabled) { true }
before do
stub_lfs_setting(enabled: lfs_enabled)
end
describe 'when LFS is disabled' do
let(:lfs_enabled) { false }
let(:body) { upload_body(multiple_objects) }
let(:authorization) { authorize_user }
before do
allow(Gitlab.config.lfs).to receive(:enabled).and_return(false)
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
post_lfs_json batch_url(project), body, headers
end
it 'responds with 501' do
expect(response).to have_gitlab_http_status(501)
expect(json_response).to include('message' => 'Git LFS is not enabled on this GitLab server, contact your admin.')
end
it_behaves_like 'LFS http 501 response'
end
context 'project specific LFS settings' do
let(:project) { create(:project) }
let(:body) do
{
'objects' => [
{ 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078 },
{ 'oid' => sample_oid,
'size' => sample_size }
],
'operation' => 'upload'
}
end
let(:body) { upload_body(sample_object) }
let(:authorization) { authorize_user }
before do
project.add_maintainer(user)
project.update_attribute(:lfs_enabled, project_lfs_enabled)
subject
end
context 'with LFS disabled globally' do
before do
project.add_maintainer(user)
allow(Gitlab.config.lfs).to receive(:enabled).and_return(false)
end
let(:lfs_enabled) { false }
describe 'LFS disabled in project' do
before do
project.update_attribute(:lfs_enabled, false)
end
let(:project_lfs_enabled) { false }
it 'responds with a 501 message on upload' do
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
context 'when uploading' do
subject { post_lfs_json(batch_url(project), body, headers) }
expect(response).to have_gitlab_http_status(501)
it_behaves_like 'LFS http 501 response'
end
it 'responds with a 501 message on download' do
get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
context 'when downloading' do
subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
expect(response).to have_gitlab_http_status(501)
it_behaves_like 'LFS http 501 response'
end
end
describe 'LFS enabled in project' do
before do
project.update_attribute(:lfs_enabled, true)
end
let(:project_lfs_enabled) { true }
it 'responds with a 501 message on upload' do
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
context 'when uploading' do
subject { post_lfs_json(batch_url(project), body, headers) }
expect(response).to have_gitlab_http_status(501)
it_behaves_like 'LFS http 501 response'
end
it 'responds with a 501 message on download' do
get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
context 'when downloading' do
subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
expect(response).to have_gitlab_http_status(501)
it_behaves_like 'LFS http 501 response'
end
end
end
context 'with LFS enabled globally' do
before do
project.add_maintainer(user)
enable_lfs
end
describe 'LFS disabled in project' do
before do
project.update_attribute(:lfs_enabled, false)
end
let(:project_lfs_enabled) { false }
it 'responds with a 403 message on upload' do
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
context 'when uploading' do
subject { post_lfs_json(batch_url(project), body, headers) }
expect(response).to have_gitlab_http_status(403)
expect(json_response).to include('message' => 'Access forbidden. Check your access level.')
it_behaves_like 'LFS http 403 response'
end
it 'responds with a 403 message on download' do
get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
context 'when downloading' do
subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
expect(response).to have_gitlab_http_status(403)
expect(json_response).to include('message' => 'Access forbidden. Check your access level.')
it_behaves_like 'LFS http 403 response'
end
end
describe 'LFS enabled in project' do
before do
project.update_attribute(:lfs_enabled, true)
end
let(:project_lfs_enabled) { true }
it 'responds with a 200 message on upload' do
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
context 'when uploading' do
subject { post_lfs_json(batch_url(project), body, headers) }
expect(response).to have_gitlab_http_status(200)
expect(json_response['objects'].first['size']).to eq(1575078)
it_behaves_like 'LFS http 200 response'
end
it 'responds with a 200 message on download' do
get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
context 'when downloading' do
subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
expect(response).to have_gitlab_http_status(200)
it_behaves_like 'LFS http 200 response'
end
end
end
end
describe 'deprecated API' do
let(:project) { create(:project) }
before do
enable_lfs
end
let(:authorization) { authorize_user }
shared_examples 'a deprecated' do
it 'responds with 501' do
expect(response).to have_gitlab_http_status(501)
shared_examples 'deprecated request' do
before do
subject
end
it 'returns deprecated message' do
expect(json_response).to include('message' => 'Server supports batch API only, please update your Git LFS client to version 1.0.1 and up.')
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 501 }
let(:message) { 'Server supports batch API only, please update your Git LFS client to version 1.0.1 and up.' }
end
end
context 'when fetching lfs object using deprecated API' do
let(:authorization) { authorize_user }
before do
get "#{project.http_url_to_repo}/info/lfs/objects/#{sample_oid}", params: {}, headers: headers
end
context 'when fetching LFS object using deprecated API' do
subject { get(deprecated_objects_url(project, sample_oid), params: {}, headers: headers) }
it_behaves_like 'a deprecated'
it_behaves_like 'deprecated request'
end
context 'when handling lfs request using deprecated API' do
let(:authorization) { authorize_user }
before do
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects", nil, headers
end
context 'when handling LFS request using deprecated API' do
subject { post_lfs_json(deprecated_objects_url(project), nil, headers) }
it_behaves_like 'a deprecated'
it_behaves_like 'deprecated request'
end
def deprecated_objects_url(project, oid = nil)
File.join(["#{project.http_url_to_repo}/info/lfs/objects/", oid].compact)
end
end
describe 'when fetching lfs object' do
let(:project) { create(:project) }
describe 'when fetching LFS object' do
let(:update_permissions) { }
let(:before_get) { }
before do
enable_lfs
update_permissions
before_get
get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
get objects_url(project, sample_oid), params: {}, headers: headers
end
context 'and request comes from gitlab-workhorse' do
context 'without user being authorized' do
it 'responds with status 401' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
context 'with required headers' do
shared_examples 'responds with a file' do
let(:sendfile) { 'X-Sendfile' }
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with the file location' do
expect(response.headers['Content-Type']).to eq('application/octet-stream')
......@@ -229,9 +194,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
it 'responds with status 404' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
context 'and does have project access' do
......@@ -249,9 +212,7 @@ describe 'Git LFS API and storage' do
lfs_object.file.migrate!(LfsObjectUploader::Store::REMOTE)
end
it 'responds with redirect' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with the workhorse send-url' do
expect(response.headers[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with("send-url:")
......@@ -288,7 +249,7 @@ describe 'Git LFS API and storage' do
it_behaves_like 'responds with a file'
end
describe 'when using a user key' do
describe 'when using a user key (LFSToken)' do
let(:authorization) { authorize_user_key }
context 'when user allowed' do
......@@ -298,6 +259,18 @@ describe 'Git LFS API and storage' do
end
it_behaves_like 'responds with a file'
context 'when user password is expired' do
let(:user) { create(:user, password_expires_at: 1.minute.ago)}
it_behaves_like 'LFS http 401 response'
end
context 'when user is blocked' do
let(:user) { create(:user, :blocked)}
it_behaves_like 'LFS http 401 response'
end
end
context 'when user not allowed' do
......@@ -305,9 +278,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
it 'responds with status 404' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
end
......@@ -337,7 +308,6 @@ describe 'Git LFS API and storage' do
end
context 'for other project' do
let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:update_permissions) do
......@@ -361,7 +331,6 @@ describe 'Git LFS API and storage' do
end
context 'regular user' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it_behaves_like 'can download LFS only from own projects' do
......@@ -384,166 +353,147 @@ describe 'Git LFS API and storage' do
context 'without required headers' do
let(:authorization) { authorize_user }
it 'responds with status 404' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
end
end
describe 'when handling lfs batch request' do
describe 'when handling LFS batch request' do
let(:update_lfs_permissions) { }
let(:update_user_permissions) { }
before do
enable_lfs
update_lfs_permissions
update_user_permissions
post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
post_lfs_json batch_url(project), body, headers
end
describe 'download' do
let(:project) { create(:project) }
let(:body) do
{
'operation' => 'download',
'objects' => [
{ 'oid' => sample_oid,
'size' => sample_size }
]
}
shared_examples 'process authorization header' do |renew_authorization:|
let(:response_authorization) do
authorization_in_action(lfs_actions.first)
end
shared_examples 'an authorized requests' do
context 'when downloading an lfs object that is assigned to our project' do
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
if renew_authorization
context 'when the authorization comes from a user' do
it 'returns a new valid LFS token authorization' do
expect(response_authorization).not_to eq(authorization)
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
it 'returns a a valid token' do
username, token = ::Base64.decode64(response_authorization.split(' ', 2).last).split(':', 2)
expect(username).to eq(user.username)
expect(Gitlab::LfsToken.new(user).token_valid?(token)).to be_truthy
end
it 'with href to download' do
expect(json_response).to eq({
'objects' => [
{
'oid' => sample_oid,
'size' => sample_size,
'actions' => {
'download' => {
'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
'header' => { 'Authorization' => authorization }
}
}
}
]
})
it 'generates only one new token per each request' do
authorizations = lfs_actions.map do |action|
authorization_in_action(action)
end.compact
expect(authorizations.uniq.count).to eq 1
end
end
else
context 'when the authorization comes from a token' do
it 'returns the same authorization header' do
expect(response_authorization).to eq(authorization)
end
end
end
def lfs_actions
json_response['objects'].map { |a| a['actions'] }.compact
end
context 'when downloading an lfs object that is assigned to other project' do
let(:other_project) { create(:project) }
def authorization_in_action(action)
(action['upload'] || action['download']).dig('header', 'Authorization')
end
end
describe 'download' do
let(:body) { download_body(sample_object) }
shared_examples 'an authorized request' do |renew_authorization:|
context 'when downloading an LFS object that is assigned to our project' do
let(:update_lfs_permissions) do
other_project.lfs_objects << lfs_object
project.lfs_objects << lfs_object
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'with href to download' do
expect(json_response).to eq({
'objects' => [
{
'oid' => sample_oid,
'size' => sample_size,
'error' => {
'code' => 404,
'message' => "Object does not exist on the server or you don't have permissions to access it"
}
}
]
})
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['actions']['download']['href']).to eq(objects_url(project, sample_oid))
end
it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
context 'when downloading a lfs object that does not exist' do
let(:body) do
{
'operation' => 'download',
'objects' => [
{ 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078 }
]
}
context 'when downloading an LFS object that is assigned to other project' do
let(:update_lfs_permissions) do
other_project.lfs_objects << lfs_object
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'with an 404 for specific object' do
expect(json_response).to eq({
'objects' => [
{
'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078,
'error' => {
'code' => 404,
'message' => "Object does not exist on the server or you don't have permissions to access it"
}
}
]
})
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
end
context 'when downloading one new and one existing lfs object' do
let(:body) do
{
'operation' => 'download',
'objects' => [
{ 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078 },
{ 'oid' => sample_oid,
'size' => sample_size }
]
}
context 'when downloading a LFS object that does not exist' do
let(:body) { download_body(non_existing_object) }
it_behaves_like 'LFS http 200 response'
it 'with an 404 for specific object' do
expect(json_response['objects'].first).to include(non_existing_object)
expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
end
context 'when downloading one new and one existing LFS object' do
let(:body) { download_body(multiple_objects) }
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with upload hypermedia link for the new object' do
expect(json_response).to eq({
'objects' => [
{
'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078,
'error' => {
'code' => 404,
'message' => "Object does not exist on the server or you don't have permissions to access it"
}
},
{
'oid' => sample_oid,
'size' => sample_size,
'actions' => {
'download' => {
'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
'header' => { 'Authorization' => authorization }
}
}
}
]
it 'responds with download hypermedia link for the new object' do
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['actions']['download']).to include('href' => objects_url(project, sample_oid))
expect(json_response['objects'].last).to eq({
'oid' => non_existing_object_oid,
'size' => non_existing_object_size,
'error' => {
'code' => 404,
'message' => "Object does not exist on the server or you don't have permissions to access it"
}
})
end
it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
context 'when downloading two existing LFS objects' do
let(:body) { download_body(multiple_objects) }
let(:other_object) { create(:lfs_object, :with_file, oid: non_existing_object_oid, size: non_existing_object_size) }
let(:update_lfs_permissions) do
project.lfs_objects << [lfs_object, other_object]
end
it 'responds with the download hypermedia link for each object' do
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['actions']['download']).to include('href' => objects_url(project, sample_oid))
expect(json_response['objects'].last).to include(non_existing_object)
expect(json_response['objects'].last['actions']['download']).to include('href' => objects_url(project, non_existing_object_oid))
end
it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
end
......@@ -554,29 +504,41 @@ describe 'Git LFS API and storage' do
project.add_role(user, role)
end
it_behaves_like 'an authorized requests' do
it_behaves_like 'an authorized request', renew_authorization: true do
let(:role) { :reporter }
end
context 'when user does is not member of the project' do
let(:update_user_permissions) { nil }
it 'responds with 404' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
context 'when user does not have download access' do
let(:role) { :guest }
it 'responds with 403' do
expect(response).to have_gitlab_http_status(403)
it_behaves_like 'LFS http 403 response'
end
context 'when user password is expired' do
let(:role) { :reporter}
let(:user) { create(:user, password_expires_at: 1.minute.ago)}
it 'with an 404 for specific object' do
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
end
context 'when user is blocked' do
let(:role) { :reporter}
let(:user) { create(:user, :blocked)}
it_behaves_like 'LFS http 401 response'
end
end
context 'when using Deploy Tokens' do
let(:project) { create(:project, :repository) }
let(:authorization) { authorize_deploy_token }
let(:update_user_permissions) { nil }
let(:role) { nil }
......@@ -587,25 +549,19 @@ describe 'Git LFS API and storage' do
context 'when Deploy Token is valid' do
let(:deploy_token) { create(:deploy_token, projects: [project]) }
it_behaves_like 'an authorized requests'
it_behaves_like 'an authorized request', renew_authorization: false
end
context 'when Deploy Token is not valid' do
let(:deploy_token) { create(:deploy_token, projects: [project], read_repository: false) }
it 'responds with access denied' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
context 'when Deploy Token is not related to the project' do
let(:another_project) { create(:project, :repository) }
let(:deploy_token) { create(:deploy_token, projects: [another_project]) }
let(:deploy_token) { create(:deploy_token, projects: [other_project]) }
it 'responds with access forbidden' do
# We render 404, to prevent data leakage about existence of the project
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
end
......@@ -616,7 +572,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
shared_examples 'can download LFS only from own projects' do
shared_examples 'can download LFS only from own projects' do |renew_authorization:|
context 'for own project' do
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
......@@ -624,11 +580,10 @@ describe 'Git LFS API and storage' do
project.add_reporter(user)
end
it_behaves_like 'an authorized requests'
it_behaves_like 'an authorized request', renew_authorization: renew_authorization
end
context 'for other project' do
let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
it 'rejects downloading code' do
......@@ -641,17 +596,16 @@ describe 'Git LFS API and storage' do
let(:user) { create(:admin) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it_behaves_like 'can download LFS only from own projects' do
it_behaves_like 'can download LFS only from own projects', renew_authorization: true do
# We render 403, because administrator does have normally access
let(:other_project_status) { 403 }
end
end
context 'regular user' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it_behaves_like 'can download LFS only from own projects' do
it_behaves_like 'can download LFS only from own projects', renew_authorization: true do
# We render 404, to prevent data leakage about existence of the project
let(:other_project_status) { 404 }
end
......@@ -660,7 +614,7 @@ describe 'Git LFS API and storage' do
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
it_behaves_like 'can download LFS only from own projects' do
it_behaves_like 'can download LFS only from own projects', renew_authorization: false do
# We render 404, to prevent data leakage about existence of the project
let(:other_project_status) { 404 }
end
......@@ -675,11 +629,9 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
it 'responds with status 200 and href to download' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with status 200 and href to download' do
it 'returns href to download' do
expect(json_response).to eq({
'objects' => [
{
......@@ -688,7 +640,7 @@ describe 'Git LFS API and storage' do
'authenticated' => true,
'actions' => {
'download' => {
'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
'href' => objects_url(project, sample_oid),
'header' => {}
}
}
......@@ -703,37 +655,29 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
it 'responds with authorization required' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
end
end
describe 'upload' do
let(:project) { create(:project, :public) }
let(:body) do
{
'operation' => 'upload',
'objects' => [
{ 'oid' => sample_oid,
'size' => sample_size }
]
}
end
let(:body) { upload_body(sample_object) }
shared_examples 'pushes new LFS objects' do
shared_examples 'pushes new LFS objects' do |renew_authorization:|
let(:sample_size) { 150.megabytes }
let(:sample_oid) { '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897' }
let(:sample_oid) { non_existing_object_oid }
it_behaves_like 'LFS http 200 response'
it 'responds with upload hypermedia link' do
expect(response).to have_gitlab_http_status(200)
expect(json_response['objects']).to be_kind_of(Array)
expect(json_response['objects'].first['oid']).to eq(sample_oid)
expect(json_response['objects'].first['size']).to eq(sample_size)
expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{Gitlab.config.gitlab.url}/#{project.full_path}.git/gitlab-lfs/objects/#{sample_oid}/#{sample_size}")
expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first['actions']['upload']['href']).to eq(objects_url(project, sample_oid, sample_size))
expect(json_response['objects'].first['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
describe 'when request is authenticated' do
......@@ -744,107 +688,80 @@ describe 'Git LFS API and storage' do
project.add_developer(user)
end
context 'when pushing an lfs object that already exists' do
let(:other_project) { create(:project) }
context 'when pushing an LFS object that already exists' do
let(:update_lfs_permissions) do
other_project.lfs_objects << lfs_object
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with links the object to the project' do
expect(json_response['objects']).to be_kind_of(Array)
expect(json_response['objects'].first['oid']).to eq(sample_oid)
expect(json_response['objects'].first['size']).to eq(sample_size)
expect(json_response['objects'].first).to include(sample_object)
expect(lfs_object.projects.pluck(:id)).not_to include(project.id)
expect(lfs_object.projects.pluck(:id)).to include(other_project.id)
expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}")
expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
expect(json_response['objects'].first['actions']['upload']['href']).to eq(objects_url(project, sample_oid, sample_size))
expect(json_response['objects'].first['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
end
context 'when pushing a lfs object that does not exist' do
it_behaves_like 'pushes new LFS objects'
it_behaves_like 'process authorization header', renew_authorization: true
end
context 'when pushing one new and one existing lfs object' do
let(:body) do
{
'operation' => 'upload',
'objects' => [
{ 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
'size' => 1575078 },
{ 'oid' => sample_oid,
'size' => sample_size }
]
}
end
context 'when pushing a LFS object that does not exist' do
it_behaves_like 'pushes new LFS objects', renew_authorization: true
end
context 'when pushing one new and one existing LFS object' do
let(:body) { upload_body(multiple_objects) }
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'responds with upload hypermedia link for the new object' do
expect(json_response['objects']).to be_kind_of(Array)
expect(json_response['objects'].first['oid']).to eq("91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897")
expect(json_response['objects'].first['size']).to eq(1575078)
expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{project.http_url_to_repo}/gitlab-lfs/objects/91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897/1575078")
expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
expect(json_response['objects'].first).to include(sample_object)
expect(json_response['objects'].first).not_to have_key('actions')
expect(json_response['objects'].last['oid']).to eq(sample_oid)
expect(json_response['objects'].last['size']).to eq(sample_size)
expect(json_response['objects'].last).not_to have_key('actions')
expect(json_response['objects'].last).to include(non_existing_object)
expect(json_response['objects'].last['actions']['upload']['href']).to eq(objects_url(project, non_existing_object_oid, non_existing_object_size))
expect(json_response['objects'].last['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
it_behaves_like 'process authorization header', renew_authorization: true
end
end
context 'when user does not have push access' do
let(:authorization) { authorize_user }
it 'responds with 403' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'when build is authorized' do
let(:authorization) { authorize_ci_project }
context 'build has an user' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
# I'm not sure what this tests that is different from the previous test
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
end
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
end
......@@ -856,7 +773,7 @@ describe 'Git LFS API and storage' do
project.deploy_keys_projects.create(deploy_key: key, can_push: true)
end
it_behaves_like 'pushes new LFS objects'
it_behaves_like 'pushes new LFS objects', renew_authorization: false
end
end
......@@ -866,80 +783,60 @@ describe 'Git LFS API and storage' do
project.add_maintainer(user)
end
it 'responds with status 401' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
context 'when user does not have push access' do
it 'responds with status 401' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
end
end
describe 'unsupported' do
let(:project) { create(:project) }
let(:authorization) { authorize_user }
let(:body) do
{
'operation' => 'other',
'objects' => [
{ 'oid' => sample_oid,
'size' => sample_size }
]
}
end
let(:body) { request_body('other', sample_object) }
it 'responds with status 404' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
end
describe 'when handling lfs batch request on a read-only GitLab instance' do
describe 'when handling LFS batch request on a read-only GitLab instance' do
let(:authorization) { authorize_user }
let(:project) { create(:project) }
let(:path) { "#{project.http_url_to_repo}/info/lfs/objects/batch" }
let(:body) do
{ 'objects' => [{ 'oid' => sample_oid, 'size' => sample_size }] }
end
subject { post_lfs_json(batch_url(project), body, headers) }
before do
allow(Gitlab::Database).to receive(:read_only?) { true }
project.add_maintainer(user)
enable_lfs
subject
end
it 'responds with a 200 message on download' do
post_lfs_json path, body.merge('operation' => 'download'), headers
context 'when downloading' do
let(:body) { download_body(sample_object) }
expect(response).to have_gitlab_http_status(200)
it_behaves_like 'LFS http 200 response'
end
it 'responds with a 403 message on upload' do
post_lfs_json path, body.merge('operation' => 'upload'), headers
context 'when uploading' do
let(:body) { upload_body(sample_object) }
expect(response).to have_gitlab_http_status(403)
expect(json_response).to include('message' => 'You cannot write to this read-only GitLab instance.')
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 403 }
let(:message) { 'You cannot write to this read-only GitLab instance.' }
end
end
end
describe 'when pushing a lfs object' do
before do
enable_lfs
end
describe 'when pushing a LFS object' do
shared_examples 'unauthorized' do
context 'and request is sent by gitlab-workhorse to authorize the request' do
before do
put_authorize
end
it 'responds with status 401' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
context 'and request is sent by gitlab-workhorse to finalize the upload' do
......@@ -947,9 +844,7 @@ describe 'Git LFS API and storage' do
put_finalize
end
it 'responds with status 401' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
context 'and request is sent with a malformed headers' do
......@@ -957,9 +852,7 @@ describe 'Git LFS API and storage' do
put_finalize('/etc/passwd')
end
it 'does not recognize it as a valid lfs command' do
expect(response).to have_gitlab_http_status(401)
end
it_behaves_like 'LFS http 401 response'
end
end
......@@ -969,9 +862,7 @@ describe 'Git LFS API and storage' do
put_authorize
end
it 'responds with 403' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'and request is sent by gitlab-workhorse to finalize the upload' do
......@@ -979,9 +870,7 @@ describe 'Git LFS API and storage' do
put_finalize
end
it 'responds with 403' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'and request is sent with a malformed headers' do
......@@ -989,15 +878,11 @@ describe 'Git LFS API and storage' do
put_finalize('/etc/passwd')
end
it 'does not recognize it as a valid lfs command' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
end
describe 'to one project' do
let(:project) { create(:project) }
describe 'when user is authenticated' do
let(:authorization) { authorize_user }
......@@ -1018,9 +903,7 @@ describe 'Git LFS API and storage' do
put_authorize
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'uses the gitlab-workhorse content type' do
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
......@@ -1029,7 +912,7 @@ describe 'Git LFS API and storage' do
shared_examples 'a local file' do
it_behaves_like 'a valid response' do
it 'responds with status 200, location of lfs store and object details' do
it 'responds with status 200, location of LFS store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['RemoteObject']).to be_nil
expect(json_response['LfsOid']).to eq(sample_oid)
......@@ -1049,7 +932,7 @@ describe 'Git LFS API and storage' do
end
it_behaves_like 'a valid response' do
it 'responds with status 200, location of lfs remote store and object details' do
it 'responds with status 200, location of LFS remote store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['RemoteObject']).to have_key('ID')
expect(json_response['RemoteObject']).to have_key('GetURL')
......@@ -1077,11 +960,9 @@ describe 'Git LFS API and storage' do
put_finalize
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'lfs object is linked to the project' do
it 'LFS object is linked to the project' do
expect(lfs_object.projects.pluck(:id)).to include(project.id)
end
end
......@@ -1092,7 +973,7 @@ describe 'Git LFS API and storage' do
end
end
context 'and workhorse requests upload finalize for a new lfs object' do
context 'and workhorse requests upload finalize for a new LFS object' do
before do
lfs_object.destroy
end
......@@ -1202,33 +1083,25 @@ describe 'Git LFS API and storage' do
let(:authorization) { authorize_ci_project }
context 'build has an user' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
before do
project.add_developer(user)
put_authorize
end
it 'responds with 403 (not 404 because the build user can read the project)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
before do
put_authorize
end
it 'responds with 404 (do not leak non-public project existence)' do
expect(response).to have_gitlab_http_status(404)
end
it_behaves_like 'LFS http 404 response'
end
end
......@@ -1239,9 +1112,40 @@ describe 'Git LFS API and storage' do
put_authorize
end
it 'responds with 404 (do not leak non-public project existence)' do
expect(response).to have_gitlab_http_status(404)
it_behaves_like 'LFS http 404 response'
end
end
describe 'when using a user key (LFSToken)' do
let(:authorization) { authorize_user_key }
context 'when user allowed' do
before do
project.add_developer(user)
put_authorize
end
it_behaves_like 'LFS http 200 response'
context 'when user password is expired' do
let(:user) { create(:user, password_expires_at: 1.minute.ago)}
it_behaves_like 'LFS http 401 response'
end
context 'when user is blocked' do
let(:user) { create(:user, :blocked)}
it_behaves_like 'LFS http 401 response'
end
end
context 'when user not allowed' do
before do
put_authorize
end
it_behaves_like 'LFS http 404 response'
end
end
......@@ -1268,11 +1172,9 @@ describe 'Git LFS API and storage' do
put_authorize
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'with location of lfs store and object details' do
it 'with location of LFS store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['LfsOid']).to eq(sample_oid)
expect(json_response['LfsSize']).to eq(sample_size)
......@@ -1284,11 +1186,9 @@ describe 'Git LFS API and storage' do
put_finalize
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'lfs object is linked to the source project' do
it 'LFS object is linked to the source project' do
expect(lfs_object.projects.pluck(:id)).to include(upstream_project.id)
end
end
......@@ -1307,34 +1207,24 @@ describe 'Git LFS API and storage' do
end
context 'build has an user' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
# I'm not sure what this tests that is different from the previous test
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
end
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_gitlab_http_status(403)
end
it_behaves_like 'LFS http 403 response'
end
end
......@@ -1351,22 +1241,20 @@ describe 'Git LFS API and storage' do
upstream_project.lfs_objects << lfs_object
end
context 'when pushing the same lfs object to the second project' do
context 'when pushing the same LFS object to the second project' do
before do
finalize_headers = headers
.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file)
.merge(workhorse_internal_api_request_header)
put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}",
params: {},
headers: finalize_headers
put objects_url(second_project, sample_oid, sample_size),
params: {},
headers: finalize_headers
end
it 'responds with status 200' do
expect(response).to have_gitlab_http_status(200)
end
it_behaves_like 'LFS http 200 response'
it 'links the lfs object to the project' do
it 'links the LFS object to the project' do
expect(lfs_object.projects.pluck(:id)).to include(second_project.id, upstream_project.id)
end
end
......@@ -1377,7 +1265,7 @@ describe 'Git LFS API and storage' do
authorize_headers = headers
authorize_headers.merge!(workhorse_internal_api_request_header) if verified
put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}/authorize", params: {}, headers: authorize_headers
put authorize_url(project, sample_oid, sample_size), params: {}, headers: authorize_headers
end
def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, verified: true, args: {})
......@@ -1401,42 +1289,11 @@ describe 'Git LFS API and storage' do
finalize_headers = headers
finalize_headers.merge!(workhorse_internal_api_request_header) if verified
put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", params: args, headers: finalize_headers
put objects_url(project, sample_oid, sample_size), params: args, headers: finalize_headers
end
def lfs_tmp_file
"#{sample_oid}012345678"
end
end
def enable_lfs
allow(Gitlab.config.lfs).to receive(:enabled).and_return(true)
end
def authorize_ci_project
ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
end
def authorize_user
ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
end
def authorize_deploy_key
ActionController::HttpAuthentication::Basic.encode_credentials("lfs+deploy-key-#{key.id}", Gitlab::LfsToken.new(key).token)
end
def authorize_user_key
ActionController::HttpAuthentication::Basic.encode_credentials(user.username, Gitlab::LfsToken.new(user).token)
end
def authorize_deploy_token
ActionController::HttpAuthentication::Basic.encode_credentials(deploy_token.username, deploy_token.token)
end
def post_lfs_json(url, body = nil, headers = nil)
params = body.try(:to_json)
headers = (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE)
post(url, params: params, headers: headers)
end
end
spec/support/helpers/lfs_http_helpers.rb 0 → 100644
View file @ b2bfd36b
# frozen_string_literal: true
require_relative 'workhorse_helpers'
module LfsHttpHelpers
include WorkhorseHelpers
def authorize_ci_project
ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
end
def authorize_user
ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
end
def authorize_deploy_key
Gitlab::LfsToken.new(key).basic_encoding
end
def authorize_user_key
Gitlab::LfsToken.new(user).basic_encoding
end
def authorize_deploy_token
ActionController::HttpAuthentication::Basic.encode_credentials(deploy_token.username, deploy_token.token)
end
def post_lfs_json(url, body = nil, headers = nil)
params = body.try(:to_json)
headers = (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE)
post(url, params: params, headers: headers)
end
def batch_url(project)
"#{project.http_url_to_repo}/info/lfs/objects/batch"
end
def objects_url(project, oid = nil, size = nil)
File.join(["#{project.http_url_to_repo}/gitlab-lfs/objects", oid, size].compact.map(&:to_s))
end
def authorize_url(project, oid, size)
File.join(objects_url(project, oid, size), 'authorize')
end
def download_body(objects)
request_body('download', objects)
end
def upload_body(objects)
request_body('upload', objects)
end
def request_body(operation, objects)
objects = [objects] unless objects.is_a?(Array)
{
'operation' => operation,
'objects' => objects
}
end
end
spec/support/shared_examples/lfs_http_shared_examples.rb 0 → 100644
View file @ b2bfd36b
# frozen_string_literal: true
shared_examples 'LFS http 200 response' do
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 200 }
end
end
shared_examples 'LFS http 401 response' do
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 401 }
end
end
shared_examples 'LFS http 403 response' do
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 403 }
let(:message) { 'Access forbidden. Check your access level.' }
end
end
shared_examples 'LFS http 501 response' do
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 501 }
let(:message) { 'Git LFS is not enabled on this GitLab server, contact your admin.' }
end
end
shared_examples 'LFS http 404 response' do
it_behaves_like 'LFS http expected response code and message' do
let(:response_code) { 404 }
end
end
shared_examples 'LFS http expected response code and message' do
let(:response_code) { }
let(:message) { }
it 'responds with the expected response code and message' do
expect(response).to have_gitlab_http_status(response_code)
expect(json_response['message']).to eq(message) if message
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7