Add frozen literals and permission checks

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Add frozen literals and permission checks
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
b4e8bca6 · Dmitriy Zaporozhets · 540dface · b4e8bca6 · b4e8bca6 · b4e8bca6
Commit b4e8bca6 authored Aug 03, 2018 by Dmitriy Zaporozhets
17 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -64,6 +64,7 @@ class License < ActiveRecord::Base
    protected_environments
    system_header_footer
    custom_project_templates
+    packages
  ].freeze
  EEU_FEATURES = EEP_FEATURES + %i[

--- a/ee/app/models/packages.rb
+++ b/ee/app/models/packages.rb
+# frozen_string_literal: true
 module Packages
  def self.table_name_prefix
    'packages_'

--- a/ee/app/models/packages/maven_metadatum.rb
+++ b/ee/app/models/packages/maven_metadatum.rb
+# frozen_string_literal: true
 class Packages::MavenMetadatum < ActiveRecord::Base
  belongs_to :package

--- a/ee/app/models/packages/package.rb
+++ b/ee/app/models/packages/package.rb
+# frozen_string_literal: true
 class Packages::Package < ActiveRecord::Base
  belongs_to :project
  has_many :package_files

--- a/ee/app/models/packages/package_file.rb
+++ b/ee/app/models/packages/package_file.rb
+# frozen_string_literal: true
 class Packages::PackageFile < ActiveRecord::Base
  belongs_to :package

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -84,6 +84,10 @@ module EE
      rule { can?(:read_issue) }.enable :read_issue_link
+      rule { can?(:public_access) }.policy do
+        enable :read_packages
+      end
      rule { can?(:reporter_access) }.policy do
        enable :admin_board
        enable :read_deploy_board
@@ -95,6 +99,7 @@ module EE
      rule { can?(:developer_access) }.policy do
        enable :admin_board
        enable :admin_vulnerability_feedback
+        enable :write_packages
      end
      rule { can?(:developer_access) & security_reports_feature_available }.enable :read_project_security_dashboard

--- a/ee/app/services/packages/create_maven_package_service.rb
+++ b/ee/app/services/packages/create_maven_package_service.rb
+# frozen_string_literal: true
 module Packages
  class CreateMavenPackageService < BaseService
    def execute

--- a/ee/app/uploaders/packages/package_file_uploader.rb
+++ b/ee/app/uploaders/packages/package_file_uploader.rb
+# frozen_string_literal: true
 class Packages::PackageFileUploader < GitlabUploader
  extend Workhorse::UploadPath
  include ObjectStorage::Concern

--- a/ee/db/migrate/20180720120716_create_packages_packages.rb
+++ b/ee/db/migrate/20180720120716_create_packages_packages.rb
+# frozen_string_literal: true
 class CreatePackagesPackages < ActiveRecord::Migration
  DOWNTIME = false

--- a/ee/db/migrate/20180720120726_create_packages_package_files.rb
+++ b/ee/db/migrate/20180720120726_create_packages_package_files.rb
+# frozen_string_literal: true
 class CreatePackagesPackageFiles < ActiveRecord::Migration
  include Gitlab::Database::MigrationHelpers

--- a/ee/db/migrate/20180720121404_create_packages_maven_metadata.rb
+++ b/ee/db/migrate/20180720121404_create_packages_maven_metadata.rb
+# frozen_string_literal: true
 class CreatePackagesMavenMetadata < ActiveRecord::Migration
  include Gitlab::Database::MigrationHelpers

--- a/ee/lib/api/maven_packages.rb
+++ b/ee/lib/api/maven_packages.rb
+# frozen_string_literal: true
 module API
  class MavenPackages < Grape::API
    MAVEN_ENDPOINT_REQUIREMENTS = {
@@ -48,6 +49,8 @@ module API
        requires :file_name, type: String, desc: 'Package file name'
      end
      get ':id/packages/maven/*app_group/:app_name/:app_version/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
+        unauthorized! unless can?(current_user, :read_package, user_project)
        file_name, format = extract_format(params[:file_name])
        metadata = ::Packages::MavenMetadatum.find_by!(app_group: params[:app_group],
@@ -77,6 +80,8 @@ module API
      end
      put ':id/packages/maven/*app_group/:app_name/:app_version/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
        not_allowed! unless Gitlab.config.packages.enabled
+        unauthorized! unless can?(current_user, :write_package, user_project)
        require_gitlab_workhorse!
        Gitlab::Workhorse.verify_api_request!(headers)
@@ -101,6 +106,8 @@ module API
      end
      put ':id/packages/maven/*app_group/:app_name/:app_version/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
        not_allowed! unless Gitlab.config.packages.enabled
+        unauthorized! unless can?(current_user, :write_package, user_project)
        require_gitlab_workhorse!
        file_name, format = extract_format(params[:file_name])

--- a/ee/spec/factories/packages.rb
+++ b/ee/spec/factories/packages.rb
+# frozen_string_literal: true
 FactoryBot.define do
  factory :package, class: Packages::Package do
    project

--- a/ee/spec/models/packages/maven_metadatum_spec.rb
+++ b/ee/spec/models/packages/maven_metadatum_spec.rb
+# frozen_string_literal: true
 require 'rails_helper'
 RSpec.describe Packages::MavenMetadatum, type: :model do

--- a/ee/spec/models/packages/package_file_spec.rb
+++ b/ee/spec/models/packages/package_file_spec.rb
+# frozen_string_literal: true
 require 'rails_helper'
 RSpec.describe Packages::PackageFile, type: :model do

--- a/ee/spec/models/packages/package_spec.rb
+++ b/ee/spec/models/packages/package_spec.rb
+# frozen_string_literal: true
 require 'rails_helper'
 RSpec.describe Packages::Package, type: :model do

--- a/ee/spec/requests/api/maven_packages_spec.rb
+++ b/ee/spec/requests/api/maven_packages_spec.rb
+# frozen_string_literal: true
 require 'spec_helper'
 describe API::MavenPackages do
  let(:user) { create(:user) }
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :public) }
  let(:personal_access_token) { create(:personal_access_token, user: user) }
  let(:jwt_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
  let(:headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => jwt_token } }
@@ -35,7 +36,32 @@ describe API::MavenPackages do
    end
    context 'private project' do
-      # Auth required, read permissions required
+      before do
+        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+      end
+      it 'returns the file' do
+        download_file_with_token(package_file_xml.file_name)
+        expect(response).to have_gitlab_http_status(200)
+        expect(response.content_type.to_s).to eq('application/octet-stream')
+      end
+      it 'denies download when not enough permissions' do
+        project.add_guest(user)
+        download_file_with_token(package_file_xml.file_name)
+        expect(response).to have_gitlab_http_status(400)
+      end
+      it 'denies download when no private token' do
+        project.add_guest(user)
+        download_file(package_file_xml.file_name)
+        expect(response).to have_gitlab_http_status(400)
+      end
    end
    def download_file(file_name, params = {}, request_headers = headers)
@@ -92,7 +118,7 @@ describe API::MavenPackages do
  end
  describe 'PUT /api/v4/projects/:id/packages/maven/*app_group/:app_name/:app_version/:file_name' do
-    let(:file_upload) { fixture_file_upload('spec/fixtures/maven/maven-metadata.xml') }
+    let(:file_upload) { fixture_file_upload('ee/spec/fixtures/maven/maven-metadata.xml') }
    before do
      # by configuring this path we allow to pass temp file from any path