Merge branch '254281-lfs-push-mirror-prefers-server-authorization-header' into 'master'

Prefer server-provided authentication for LFS push mirroring See merge request gitlab-org/gitlab!44284

Merge branch '254281-lfs-push-mirror-prefers-server-authorization-header' into 'master'
Prefer server-provided authentication for LFS push mirroring See merge request gitlab-org/gitlab!44284
bb1e09d4 · Kerri Miller · 3ff382cd · 915789d6 · bb1e09d4 · bb1e09d4
Commit bb1e09d4 authored Oct 05, 2020 by Kerri Miller
3 changed files
--- a/changelogs/unreleased/254281-lfs-push-mirror-prefers-server-authorization-header.yml
+++ b/changelogs/unreleased/254281-lfs-push-mirror-prefers-server-authorization-header.yml
+---
+title: Prefer server-provided authentication for LFS push mirroring
+merge_request: 44284
+author:
+type: fixed
--- a/lib/gitlab/lfs/client.rb
+++ b/lib/gitlab/lfs/client.rb
@@ -60,6 +60,7 @@ module Gitlab
          }.merge(upload_action['header'] || {})
        }
+        authenticated = true if params[:headers].key?('Authorization')
        params[:basic_auth] = basic_auth unless authenticated
        rsp = Gitlab::HTTP.put(upload_action['href'], params)
@@ -75,6 +76,7 @@ module Gitlab
          headers: build_request_headers(verify_action['header'])
        }
+        authenticated = true if params[:headers].key?('Authorization')
        params[:basic_auth] = basic_auth unless authenticated
        rsp = Gitlab::HTTP.post(verify_action['href'], params)

--- a/spec/lib/gitlab/lfs/client_spec.rb
+++ b/spec/lib/gitlab/lfs/client_spec.rb
@@ -32,6 +32,9 @@ RSpec.describe Gitlab::Lfs::Client do
    }
  end
+  let(:authorized_upload_action) { upload_action.tap { |action| action['header']['Authorization'] = 'foo' } }
+  let(:authorized_verify_action) { verify_action.tap { |action| action['header']['Authorization'] = 'foo' } }
  subject(:lfs_client) { described_class.new(base_url, credentials: credentials) }
  describe '#batch' do
@@ -124,6 +127,19 @@ RSpec.describe Gitlab::Lfs::Client do
      end
    end
+    context 'request is not marked as authenticated but includes an authorization header' do
+      it 'prefers the provided authorization header' do
+        stub = stub_upload(
+          object: object,
+          headers: authorized_upload_action['header']
+        ).to_return(status: 200)
+        lfs_client.upload!(object, authorized_upload_action, authenticated: false)
+        expect(stub).to have_been_requested
+      end
+    end
    context 'LFS object has no file' do
      let(:object) { LfsObject.new }
@@ -193,6 +209,19 @@ RSpec.describe Gitlab::Lfs::Client do
      end
    end
+    context 'request is not marked as authenticated but includes an authorization header' do
+      it 'prefers the provided authorization header' do
+        stub = stub_verify(
+          object: object,
+          headers: authorized_verify_action['header']
+        ).to_return(status: 200)
+        lfs_client.verify!(object, authorized_verify_action, authenticated: false)
+        expect(stub).to have_been_requested
+      end
+    end
    context 'server returns 400 error' do
      it 'raises an error' do
        stub_verify(object: object, headers: verify_action['header']).to_return(status: 400)