Utilise new Actions

* Move gitaly, git-lfs and 2FA logic out from gitlab_shell.rb
* Streamline parsing of origin_cmd in GitlabShell
* Utilise proper HTTP status codes sent from the API
* Also support 200 OK with status of true/false (ideally get rid of this)
* Use HTTP status constants
* Use attr_reader definitions (var over @var)
* Rspec deprecation fixes

lib/gitlab_access.rb

@@ -20,12 +20,9 @@ class GitlabAccess
   end
 
   def exec
-    status = GitlabMetrics.measure('check-access:git-receive-pack') do
-      api.check_access('git-receive-pack', @gl_repository, @repo_path, @key_id, @changes, @protocol, env: ObjectDirsHelper.all_attributes.to_json)
+    GitlabMetrics.measure('check-access:git-receive-pack') do
+      api.check_access('git-receive-pack', gl_repository, repo_path, key_id, changes, protocol, env: ObjectDirsHelper.all_attributes.to_json)
     end
-
-    raise AccessDeniedError, status.message unless status.allowed?
-
     true
   rescue GitlabNet::ApiUnreachableError
     $stderr.puts "GitLab: Failed to authorize your Git request: internal API unreachable"

lib/gitlab_net.rb

 require 'json'
 
+require_relative 'errors'
 require_relative 'gitlab_logger'
 require_relative 'gitlab_access'
 require_relative 'gitlab_lfs_authentication'
 require_relative 'http_helper'
+require_relative 'action'
 
-class GitlabNet # rubocop:disable Metrics/ClassLength
+class GitlabNet
   include HTTPHelper
 
   CHECK_TIMEOUT = 5
   GL_PROTOCOL = 'ssh'.freeze
+  API_INACCESSIBLE_ERROR = 'API is not accessible'.freeze
 
   def check_access(cmd, gl_repository, repo, key_id, changes, protocol = GL_PROTOCOL, env: {})
     changes = changes.join("\n") unless changes.is_a?(String)
@@ -26,22 +29,15 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
 
     resp = post("#{internal_api_endpoint}/allowed", params)
 
-    if resp.code == '200'
-      GitAccessStatus.create_from_json(resp.body)
-    else
-      GitAccessStatus.new(false,
-                          'API is not accessible',
-                          gl_repository: nil,
-                          gl_username: nil,
-                          repository_path: nil,
-                          gitaly: nil)
-    end
+    determine_action(key_id, resp)
   end
 
   def discover(key)
     key_id = key.gsub("key-", "")
     resp = get("#{internal_api_endpoint}/discover?key_id=#{key_id}")
-    JSON.parse(resp.body) rescue nil
+    JSON.parse(resp.body)
+  rescue JSON::ParserError, ApiUnreachableError
+    nil
   end
 
   def lfs_authenticate(key, repo)
@@ -97,11 +93,7 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
   end
 
   def post_receive(gl_repository, identifier, changes)
-    params = {
-      gl_repository: gl_repository,
-      identifier: identifier,
-      changes: changes
-    }
+    params = { gl_repository: gl_repository, identifier: identifier, changes: changes }
     resp = post("#{internal_api_endpoint}/post_receive", params)
     raise NotFound if resp.code == HTTP_NOT_FOUND
 
@@ -120,4 +112,25 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
   def sanitize_path(repo)
     repo.delete("'")
   end
+
+  def determine_action(key_id, resp)
+    json = JSON.parse(resp.body)
+    message = json['message']
+
+    case resp.code
+    when HTTP_SUCCESS
+      # TODO: This raise can be removed once internal API can respond with correct
+      #       HTTP status codes, instead of relying upon parsing the body and
+      #       accessing the 'status' key.
+      raise AccessDeniedError, message unless json['status']
+
+      Action::Gitaly.create_from_json(key_id, json)
+    when HTTP_UNAUTHORIZED, HTTP_NOT_FOUND
+      raise AccessDeniedError, message
+    else
+      raise UnknownError, "#{API_INACCESSIBLE_ERROR}: #{message}"
+    end
+  rescue JSON::ParserError
+    raise UnknownError, API_INACCESSIBLE_ERROR
+  end
 end

spec/gitlab_access_spec.rb

@@ -7,12 +7,7 @@ describe GitlabAccess do
   let(:repo_path) { File.join(repository_path, repo_name) + ".git" }
   let(:api) do
     double(GitlabNet).tap do |api|
-      api.stub(check_access: GitAccessStatus.new(true,
-                                                 'ok',
-                                                 gl_repository: 'project-1',
-                                                 gl_username: 'testuser',
-                                                 repository_path: '/home/git/repositories',
-                                                 gitaly: nil))
+      allow(api).to receive(:check_access).and_return(Action::Gitaly.new('key-1', 'project-1', 'testuser', '/home/git/repositories', nil))
     end
   end
   subject do
@@ -26,12 +21,6 @@ describe GitlabAccess do
     allow_any_instance_of(GitlabConfig).to receive(:repos_path).and_return(repository_path)
   end
 
-  describe :initialize do
-    it { expect(subject.send(:repo_path)).to eql repo_path } # FIXME: don't access private instance variables
-    it { expect(subject.send(:changes)).to eql ['wow'] } # FIXME: don't access private instance variables
-    it { expect(subject.send(:protocol)).to eql 'ssh' } # FIXME: don't access private instance variables
-  end
-
   describe "#exec" do
     context "access is granted" do
 
@@ -41,16 +30,8 @@ describe GitlabAccess do
     end
 
     context "access is denied" do
-
       before do
-        api.stub(check_access: GitAccessStatus.new(
-                  false,
-                  'denied',
-                  gl_repository: nil,
-                  gl_username: nil,
-                  repository_path: nil,
-                  gitaly: nil
-                ))
+        allow(api).to receive(:check_access).and_raise(AccessDeniedError)
       end
 
       it "returns false" do

spec/gitlab_net_spec.rb

@@ -57,7 +57,7 @@ describe GitlabNet, vcr: true do
     it "raises an exception if the connection fails" do
       VCR.use_cassette("discover-ok") do
         allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError)
-        expect { gitlab_net.discover(key) }.to raise_error(GitlabNet::ApiUnreachableError)
+        expect(gitlab_net.discover(key)).to be_nil
       end
     end
   end
@@ -263,11 +263,33 @@ describe GitlabNet, vcr: true do
   end
 
   describe '#check_access' do
+    context 'something is wrong with the API response' do
+      context 'but response is JSON parsable' do
+        it 'raises an UnknownError exception' do
+          VCR.use_cassette('failed-push') do
+            expect do
+              gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
+            end.to raise_error(UnknownError, 'API is not accessible: An internal server error occurred')
+          end
+        end
+      end
+
+      context 'but response is not JSON parsable' do
+        it 'raises an UnknownError exception' do
+          VCR.use_cassette('failed-push-unparsable') do
+            expect do
+              gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
+            end.to raise_error(UnknownError, 'API is not accessible')
+          end
+        end
+      end
+    end
+
     context 'ssh key with access nil, to project' do
-      it 'should allow pull access for host' do
-        VCR.use_cassette("allowed-pull") do
-          access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
-          access.allowed?.should be_truthy
+      it 'should allow push access for host' do
+        VCR.use_cassette('allowed-push') do
+          action = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
+          expect(action).to be_instance_of(Action::Gitaly)
         end
       end
 
@@ -278,75 +300,120 @@ describe GitlabNet, vcr: true do
         end
       end
 
-      it 'should allow push access for host' do
-        VCR.use_cassette("allowed-push") do
-          access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh')
-          access.allowed?.should be_truthy
+      it 'should allow pull access for host' do
+        VCR.use_cassette("allowed-pull") do
+          action = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh')
+          expect(action).to be_instance_of(Action::Gitaly)
         end
       end
     end
 
     context 'ssh access has been disabled' do
       it 'should deny pull access for host' do
+        VCR.use_cassette('ssh-pull-disabled-old') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
+        end
+
         VCR.use_cassette('ssh-pull-disabled') do
-          access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh')
-          access.allowed?.should be_falsey
-          access.message.should eq 'Git access over SSH is not allowed'
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
         end
       end
 
       it 'should deny push access for host' do
+        VCR.use_cassette('ssh-push-disabled-old') do
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
+        end
+
         VCR.use_cassette('ssh-push-disabled') do
-          access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
-          access.allowed?.should be_falsey
-          access.message.should eq 'Git access over SSH is not allowed'
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
         end
       end
     end
 
     context 'http access has been disabled' do
       it 'should deny pull access for host' do
+        VCR.use_cassette('http-pull-disabled-old') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.')
+        end
+
         VCR.use_cassette('http-pull-disabled') do
-          access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http')
-          access.allowed?.should be_falsey
-          access.message.should eq 'Pulling over HTTP is not allowed.'
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.')
         end
       end
 
       it 'should deny push access for host' do
-        VCR.use_cassette("http-push-disabled") do
-          access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http')
-          access.allowed?.should be_falsey
-          access.message.should eq 'Pushing over HTTP is not allowed.'
+        VCR.use_cassette('http-push-disabled-old') do
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.')
+        end
+
+        VCR.use_cassette('http-push-disabled') do
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http')
+          end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.')
         end
       end
     end
 
     context 'ssh key without access to project' do
       it 'should deny pull access for host' do
-        VCR.use_cassette("ssh-pull-project-denied") do
-          access = gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh')
-          access.allowed?.should be_falsey
+        VCR.use_cassette('ssh-pull-project-denied-old') do
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
+        end
+
+        VCR.use_cassette('ssh-pull-project-denied') do
+          expect do
+            gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
         end
       end
 
       it 'should deny push access for host' do
-        VCR.use_cassette("ssh-push-project-denied") do
-          access = gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh')
-          access.allowed?.should be_falsey
+        VCR.use_cassette('ssh-push-project-denied-old') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
+        end
+
+        VCR.use_cassette('ssh-push-project-denied') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
         end
       end
 
       it 'should deny push access for host (with user)' do
-        VCR.use_cassette("ssh-push-project-denied-with-user") do
-          access = gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh')
-          access.allowed?.should be_falsey
+        VCR.use_cassette('ssh-push-project-denied-with-user-old') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
+        end
+
+        VCR.use_cassette('ssh-push-project-denied-with-user') do
+          expect do
+            gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh')
+          end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed')
         end
       end
     end
 
     it "raises an exception if the connection fails" do
-      Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
+      allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError)
       expect {
         gitlab_net.check_access('git-upload-pack', nil, project, 'user-1', changes, 'ssh')
       }.to raise_error(GitlabNet::ApiUnreachableError)

spec/vcr_cassettes/failed-push-unparsable.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 500
+      message: Internal Server Error
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '155'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 10:44:52 GMT
+      Etag:
+      - W/"45654cae433b5a9c5fbba1d45d382e52"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 67ab4954-19e6-42ce-aae6-55c8ae5a365e
+      X-Runtime:
+      - '0.230871'
+    body:
+      encoding: UTF-8
+      string: '""'
+    http_version:
+  recorded_at: Wed, 21 Jun 2017 10:44:52 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/failed-push.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 500
+      message: Internal Server Error
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '155'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 10:44:52 GMT
+      Etag:
+      - W/"45654cae433b5a9c5fbba1d45d382e52"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 67ab4954-19e6-42ce-aae6-55c8ae5a365e
+      X-Runtime:
+      - '0.230871'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"An internal server error occurred"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 10:44:52 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/http-pull-disabled-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=http&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '62'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 10:32:01 GMT
+      Etag:
+      - W/"71e09fcf8a60a03cd1acc22806386ead"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 70bdecc9-0078-4a4b-aa6b-cac1b2578886
+      X-Runtime:
+      - '0.324202'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Pulling over HTTP is not allowed."}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 10:32:01 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/http-pull-disabled.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/http-push-disabled-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=http&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '62'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 10:32:01 GMT
+      Etag:
+      - W/"7f14e23ac07cc8b0a53c567fcf9432fd"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 573f3584-87c6-41cb-a5bf-5e7ee76d4250
+      X-Runtime:
+      - '0.266135'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Pushing over HTTP is not allowed."}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 10:32:01 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/http-push-disabled.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/ssh-pull-disabled-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 12:23:57 GMT
+      Etag:
+      - W/"76a32010244f80700d5e1ba8a55d094c"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 096ae253-c6fe-4360-b4d4-48f4b5435ca6
+      X-Runtime:
+      - '6.377187'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Git access over SSH is not allowed"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 12:23:57 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/ssh-pull-disabled.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/ssh-pull-project-denied-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 12:24:04 GMT
+      Etag:
+      - W/"76a32010244f80700d5e1ba8a55d094c"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - c843a5a3-fc08-46eb-aa45-caceae515638
+      X-Runtime:
+      - '7.359835'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Git access over SSH is not allowed"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 12:24:04 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/ssh-pull-project-denied.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/ssh-push-disabled-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 12:23:57 GMT
+      Etag:
+      - W/"76a32010244f80700d5e1ba8a55d094c"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 93620e06-fda9-4be5-855e-300f5d62fa3c
+      X-Runtime:
+      - '0.207159'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Git access over SSH is not allowed"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 12:23:57 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/ssh-push-disabled.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/ssh-push-project-denied-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 12:24:04 GMT
+      Etag:
+      - W/"76a32010244f80700d5e1ba8a55d094c"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 8ce54f29-9ed0-46e5-aedb-37edaa3d52da
+      X-Runtime:
+      - '0.228256'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Git access over SSH is not allowed"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 12:24:04 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/ssh-push-project-denied-with-user-old.yml

+---
+http_interactions:
+- request:
+    method: post
+    uri: http://localhost:3000/api/v4/internal/allowed
+    body:
+      encoding: US-ASCII
+      string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&user_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+      Content-Type:
+      - application/x-www-form-urlencoded
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/json
+      Date:
+      - Wed, 21 Jun 2017 12:24:05 GMT
+      Etag:
+      - W/"76a32010244f80700d5e1ba8a55d094c"
+      Vary:
+      - Origin
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Request-Id:
+      - 3b242d73-d860-48ac-8fef-80e2d0d3daca
+      X-Runtime:
+      - '0.342469'
+    body:
+      encoding: UTF-8
+      string: '{"status":false,"message":"Git access over SSH is not allowed"}'
+    http_version: 
+  recorded_at: Wed, 21 Jun 2017 12:24:05 GMT
+recorded_with: VCR 2.4.0

spec/vcr_cassettes/ssh-push-project-denied-with-user.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate

spec/vcr_cassettes/ssh-push-project-denied.yml

@@ -17,8 +17,8 @@ http_interactions:
       - application/x-www-form-urlencoded
   response:
     status:
-      code: 200
-      message: OK
+      code: 401
+      message: Unauthorized
     headers:
       Cache-Control:
       - max-age=0, private, must-revalidate