Commit 548169cf authored by Kamil Trzcinski's avatar Kamil Trzcinski

Fix most of specs

parent 551787ac
...@@ -23,10 +23,12 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -23,10 +23,12 @@ class Projects::GitHttpClientController < Projects::ApplicationController
login, password = user_name_and_password(request) login, password = user_name_and_password(request)
auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip) auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
if auth_result.type == :ci && download_request? if auth_result.type == :ci && !download_request?
@ci = true # Not allowed
auth_result = Gitlab::Auth::Result.new
elsif auth_result.type == :oauth && !download_request? elsif auth_result.type == :oauth && !download_request?
# Not allowed # Not allowed
auth_result = Gitlab::Auth::Result.new
elsif auth_result.type == :missing_personal_token elsif auth_result.type == :missing_personal_token
render_missing_personal_token render_missing_personal_token
return # Render above denied access, nothing left to do return # Render above denied access, nothing left to do
...@@ -35,6 +37,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -35,6 +37,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
end end
@capabilities = auth_result.capabilities || [] @capabilities = auth_result.capabilities || []
@ci = auth_result.type == :ci
if auth_result.succeeded? if auth_result.succeeded?
return # Allow access return # Allow access
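Review bot: The `:ci` and `:oauth` denial branches now have identical bodies, and the `# Not allowed` comment on both says nothing about why the request is refused; fold them into one branch and state the reason, `if [:ci, :oauth].include?(auth_result.type) && !download_request?`, then `# Build and OAuth tokens are read-only for Git over HTTP: only download (fetch/clone) requests may use them`, then `auth_result = Gitlab::Auth::Result.new`. The `@ci = auth_result.type == :ci` line in the second hunk reads the possibly replaced result, so `@ci` is false for a rejected CI push; a one-line comment there would stop someone "fixing" the ordering later. The enclosing method starts before the first hunk and continues past the second.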
......
...@@ -14,7 +14,7 @@ module Ci ...@@ -14,7 +14,7 @@ module Ci
end end
def authenticate_build_token!(build) def authenticate_build_token!(build)
forbidden! unless build_token_valid? forbidden! unless build_token_valid?(build)
end end
def runner_registration_token_valid? def runner_registration_token_valid?
...@@ -23,7 +23,7 @@ module Ci ...@@ -23,7 +23,7 @@ module Ci
current_application_settings.runners_registration_token) current_application_settings.runners_registration_token)
end end
def build_token_valid? def build_token_valid?(build)
token = (params[BUILD_TOKEN_PARAM] || env[BUILD_TOKEN_HEADER]).to_s token = (params[BUILD_TOKEN_PARAM] || env[BUILD_TOKEN_HEADER]).to_s
# We require to also check `runners_token` to maintain compatibility with old version of runners # We require to also check `runners_token` to maintain compatibility with old version of runners
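Review bot: `build_token_valid?(build)` gains a parameter, but the hunk does not show how `build` is used and nothing documents what the presented token is matched against; add a YARD line such as `# @param build [Ci::Build] the build whose token must equal the token sent in BUILD_TOKEN_PARAM or BUILD_TOKEN_HEADER`. The comparison itself sits below the hunk; if it is a plain `==` on the token strings, `ActiveSupport::SecurityUtils.secure_compare` is the constant-time option. The method body continues outside the hunk.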
......
...@@ -117,6 +117,7 @@ module Gitlab ...@@ -117,6 +117,7 @@ module Gitlab
build = ::Ci::Build.running.find_by_token(password) build = ::Ci::Build.running.find_by_token(password)
return unless build return unless build
return unless build.project.builds_enabled?
if build.user if build.user
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
...@@ -127,8 +128,6 @@ module Gitlab ...@@ -127,8 +128,6 @@ module Gitlab
end end
end end
private
def build_capabilities def build_capabilities
[ [
:read_project, :read_project,
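Review bot: The new `return unless build.project.builds_enabled?` guard carries no comment on why a valid build token is refused here; I would add `# A build token must not grant Git access once CI is disabled on the project`. The guard also assumes `build.project` is present; if a build can outlive its project at this point, the nil would raise instead of denying. The second hunk drops `private`, which makes `build_capabilities` public on the module; if that is only so specs can reach it, say so in a comment or keep it private and expose it through a spec helper. The surrounding method and its `if build.user` branch continue outside the hunk.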
......
...@@ -324,7 +324,7 @@ describe Gitlab::GitAccess, lib: true do ...@@ -324,7 +324,7 @@ describe Gitlab::GitAccess, lib: true do
subject { access.check('git-receive-pack', '_any') } subject { access.check('git-receive-pack', '_any') }
context 'when project is authorized' do context 'when project is authorized' do
before { key.projects << project } before { authorize }
it { expect(subject).not_to be_allowed } it { expect(subject).not_to be_allowed }
end end
...@@ -353,14 +353,22 @@ describe Gitlab::GitAccess, lib: true do ...@@ -353,14 +353,22 @@ describe Gitlab::GitAccess, lib: true do
describe 'build capabilities permissions' do describe 'build capabilities permissions' do
let(:capabilities) { build_capabilities } let(:capabilities) { build_capabilities }
it_behaves_like 'can not push code' it_behaves_like 'can not push code' do
def authorize
project.team << [user, :reporter]
end
end
end end
describe 'deploy key permissions' do describe 'deploy key permissions' do
let(:key) { create(:deploy_key) } let(:key) { create(:deploy_key) }
let(:actor) { key } let(:actor) { key }
it_behaves_like 'can not push code' it_behaves_like 'can not push code' do
def authorize
key.projects << project
end
end
end end
private private
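Review bot: In the 'build capabilities permissions' example, `authorize` adds the user only as `:reporter`, a role that cannot push regardless of capabilities, so `can not push code` would pass even if the capability check were missing; use a role that normally can push, `project.team << [user, :developer]`, so the denial is attributable to `build_capabilities`. The deploy-key variant at the following `authorize` relies on the key being read-only by construction, which looks fine as written. The shared example itself is defined outside the hunk.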
......
require 'spec_helper' require 'spec_helper'
describe Gitlab::GitAccessWiki, lib: true do describe Gitlab::GitAccessWiki, lib: true do
let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web') } let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web', capabilities: capabilities) }
let(:project) { create(:project) } let(:project) { create(:project) }
let(:user) { create(:user) } let(:user) { create(:user) }
let(:capabilities) do
[
:read_project,
:download_code,
:push_code
]
end
describe 'push_allowed?' do describe 'push_allowed?' do
before do before do
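Review bot: The new `let(:capabilities)` spells a three-element list over six lines; `%i[read_project download_code push_code]` says the same in one, and a short comment naming it as the full set a normal user gets for wiki access would explain why `:push_code` is included. If a helper returning this set already exists (the GitAccess spec uses `build_capabilities` for the build case), reuse it rather than duplicating the literal here.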
......
...@@ -586,8 +586,8 @@ describe 'Git LFS API and storage' do ...@@ -586,8 +586,8 @@ describe 'Git LFS API and storage' do
context 'when CI is authorized' do context 'when CI is authorized' do
let(:authorization) { authorize_ci_project } let(:authorization) { authorize_ci_project }
it 'responds with 401' do it 'responds with 403' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
end end
...@@ -614,7 +614,7 @@ describe 'Git LFS API and storage' do ...@@ -614,7 +614,7 @@ describe 'Git LFS API and storage' do
let(:authorization) { authorize_ci_project } let(:authorization) { authorize_ci_project }
it 'responds with status 403' do it 'responds with status 403' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
end end
...@@ -897,7 +897,9 @@ describe 'Git LFS API and storage' do ...@@ -897,7 +897,9 @@ describe 'Git LFS API and storage' do
end end
def authorize_ci_project def authorize_ci_project
ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', project.runners_token) pipeline = create(:ci_empty_pipeline, project: project)
build = create(:ci_build, :running, pipeline: pipeline)
ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
end end
def authorize_user def authorize_user
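Review bot: `authorize_ci_project` now authenticates with the token of a freshly created `:running` build, but nothing says the `:running` trait is load-bearing; the lookup in this commit is `::Ci::Build.running.find_by_token`, so add `# Only running builds can authenticate; a finished build's token must be rejected`. That also points at a missing negative example: a context whose build is created without `:running` and expects 403, so a regression that widens the lookup is caught. The two `it 'responds with ... 403'` changes look consistent with the controller now returning an empty `Gitlab::Auth::Result` for CI pushes.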
......
...@@ -48,12 +48,6 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -48,12 +48,6 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
'actions' => actions, 'actions' => actions,
}] }]
end end
let(:capabilities) do
[
:build_read_container_image,
:build_create_container_image
]
end
it_behaves_like 'a valid token' it_behaves_like 'a valid token'
it { expect(payload).to include('access' => access) } it { expect(payload).to include('access' => access) }
...@@ -203,6 +197,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -203,6 +197,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'project authorization' do context 'project authorization' do
let(:current_project) { create(:empty_project) } let(:current_project) { create(:empty_project) }
let(:capabilities) do
[
:build_read_container_image,
:build_create_container_image
]
end
context 'allow to use scope-less authentication' do context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token' it_behaves_like 'a valid token'
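Review bot: Moving `let(:capabilities)` into the 'project authorization' context removes the override from the earlier context, whose `it_behaves_like 'a valid token'` and `payload` expectations now fall back to whatever the outer `let(:capabilities)` defines, which is not visible in the hunk; confirm that those examples still run with the build capabilities they were written for, and add a one-line comment on the relocated `let` saying which contexts it is meant to cover.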
......