require 'spec_helper'
describe Gitlab::GitAccess do
# Shared fixtures for every group below: a fresh user acting over SSH against
# a repository project, holding the same three abilities that
# `full_authentication_abilities` lists at the bottom of the file.
let(:user) { create(:user) }
let(:project) { create(:project, :repository) }
let(:actor) { user }
let(:protocol) { 'ssh' }
let(:redirected_path) { nil }
let(:authentication_abilities) { %i[read_project download_code push_code] }

let(:access) do
  described_class.new(actor, project, protocol,
                      authentication_abilities: authentication_abilities,
                      redirected_path: redirected_path)
end

# '_any' stands in for the second argument of #check (presumably the pushed
# changes); these helpers exercise the protocol, command and project checks,
# not the per-ref push rules covered by `#check_push_access!`.
let(:pull_access_check) { access.check('git-upload-pack', '_any') }
let(:push_access_check) { access.check('git-receive-pack', '_any') }
describe '#check with single protocols allowed' do
  # Simulates the instance setting that switches one transport off; both
  # commands must then be refused with the transport-specific message.
  def disable_protocol(protocol_name)
    allow(Gitlab::ProtocolAccess).to receive(:allowed?).with(protocol_name).and_return(false)
  end

  context 'ssh disabled' do
    before { disable_protocol('ssh') }

    it('blocks ssh git push') { expect { push_access_check }.to raise_unauthorized('Git access over SSH is not allowed') }
    it('blocks ssh git pull') { expect { pull_access_check }.to raise_unauthorized('Git access over SSH is not allowed') }
  end

  context 'http disabled' do
    let(:protocol) { 'http' }

    before { disable_protocol('http') }

    it('blocks http push') { expect { push_access_check }.to raise_unauthorized('Git access over HTTP is not allowed') }
    it('blocks http git pull') { expect { pull_access_check }.to raise_unauthorized('Git access over HTTP is not allowed') }
  end
end
describe '#check_project_accessibility!' do
  # An actor that may not see the project gets NotFound for both commands,
  # the same answer a missing project produces (see 'when the project is nil'),
  # so neither a pull nor a push reveals whether the project exists.
  shared_examples 'a project hidden from the actor' do
    it 'blocks pulls with "not found"' do
      expect { pull_access_check }.to raise_not_found('The project you were looking for could not be found.')
    end

    it 'blocks pushes with "not found"' do
      expect { push_access_check }.to raise_not_found('The project you were looking for could not be found.')
    end
  end

  shared_examples 'a project readable and writable by the actor' do
    it 'allows pull access' do
      expect { pull_access_check }.not_to raise_error
    end

    it 'allows push access' do
      expect { push_access_check }.not_to raise_error
    end
  end

  # A read-only actor passes this check: the push is still refused, but with
  # Unauthorized rather than NotFound, because the project is visible to it.
  shared_examples 'a project readable but not writable by the actor' do
    it 'allows pull access' do
      expect { pull_access_check }.not_to raise_error
    end

    it 'does not block pushes with "not found"' do
      expect { push_access_check }.to raise_unauthorized('You are not allowed to upload code for this project.')
    end
  end

  context 'when the project exists' do
    context 'when actor exists' do
      context 'when actor is a DeployKey' do
        let(:deploy_key) { create(:deploy_key, user: user, can_push: true) }
        let(:actor) { deploy_key }

        context 'when the DeployKey has access to the project' do
          before { deploy_key.projects << project }

          include_examples 'a project readable and writable by the actor'
        end

        context 'when the Deploykey does not have access to the project' do
          include_examples 'a project hidden from the actor'
        end
      end

      context 'when actor is a User' do
        context 'when the User can read the project' do
          before { project.team << [user, :master] }

          include_examples 'a project readable and writable by the actor'
        end

        context 'when the User cannot read the project' do
          include_examples 'a project hidden from the actor'
        end
      end

      # For backwards compatibility
      context 'when actor is :ci' do
        let(:actor) { :ci }
        let(:authentication_abilities) { build_authentication_abilities }

        include_examples 'a project readable but not writable by the actor'
      end
    end

    context 'when actor is nil' do
      let(:actor) { nil }

      context 'when guests can read the project' do
        let(:project) { create(:project, :repository, :public) }

        include_examples 'a project readable but not writable by the actor'
      end

      context 'when guests cannot read the project' do
        include_examples 'a project hidden from the actor'
      end
    end
  end

  context 'when the project is nil' do
    let(:project) { nil }

    it 'blocks any command with "not found"' do
      expect { pull_access_check }.to raise_not_found('The project you were looking for could not be found.')
      expect { push_access_check }.to raise_not_found('The project you were looking for could not be found.')
    end
  end
end
describe '#check_project_moved!' do
  before { project.team << [user, :master] }

  # Pull and push behave identically here, so each case is generated for both
  # helpers instead of being spelled out twice.
  commands = { 'pull code' => :pull_access_check, 'push code' => :push_access_check }

  context 'when a redirect was not followed to find the project' do
    commands.each do |command, access_check|
      context command do
        it { expect { public_send(access_check) }.not_to raise_error }
      end
    end
  end

  context 'when a redirect was followed to find the project' do
    let(:redirected_path) { 'some/other-path' }

    commands.each do |command, access_check|
      context command do
        # The NotFound message names the old and new path and tells the client
        # how to repoint its remote, using the URL of the protocol in use.
        it { expect { public_send(access_check) }.to raise_not_found(/Project '#{redirected_path}' was moved to '#{project.full_path}'/) }
        it { expect { public_send(access_check) }.to raise_not_found(/git remote set-url origin #{project.ssh_url_to_repo}/) }

        context 'http protocol' do
          let(:protocol) { 'http' }

          it { expect { public_send(access_check) }.to raise_not_found(/git remote set-url origin #{project.http_url_to_repo}/) }
        end
      end
    end
  end
end
describe '#check_command_disabled!' do
  before { project.team << [user, :master] }

  context 'over http' do
    let(:protocol) { 'http' }

    # Switching one command off in the gitlab_shell config must refuse exactly
    # that command; the other one keeps working for a master of the project.
    context 'when the git-upload-pack command is disabled in config' do
      before { allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false) }

      context 'when calling git-upload-pack' do
        it { expect { pull_access_check }.to raise_unauthorized('Pulling over HTTP is not allowed.') }
      end

      context 'when calling git-receive-pack' do
        it { expect { push_access_check }.not_to raise_error }
      end
    end

    context 'when the git-receive-pack command is disabled in config' do
      before { allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false) }

      context 'when calling git-receive-pack' do
        it { expect { push_access_check }.to raise_unauthorized('Pushing over HTTP is not allowed.') }
      end

      context 'when calling git-upload-pack' do
        it { expect { pull_access_check }.not_to raise_error }
      end
    end
  end
end
describe '#check_download_access!' do
describe 'master permissions' do
  before { project.team << [user, :master] }

  context 'pull code' do
    it { expect { pull_access_check }.not_to raise_error }
  end
end

describe 'guest permissions' do
  before { project.team << [user, :guest] }

  # A guest is a member, so the project is visible to them; the refusal is
  # therefore Unauthorized rather than NotFound.
  context 'pull code' do
    it { expect { pull_access_check }.to raise_unauthorized('You are not allowed to download code from this project.') }
  end
end

describe 'blocked user' do
  # Blocking must override membership: the user is a master of the project and
  # is still refused with the account-blocked message.
  before do
    project.team << [user, :master]
    user.block
  end

  context 'pull code' do
    it { expect { pull_access_check }.to raise_unauthorized('Your account has been blocked.') }
  end
end
describe 'without access to project' do
  # No membership at all: the project is reported as missing.
  context 'pull code' do
    it { expect { pull_access_check }.to raise_not_found('The project you were looking for could not be found.') }
  end

  context 'when project is public' do
    let(:public_project) { create(:project, :public, :repository) }
    # Anonymous 'web' access with no abilities; only the visibility of the
    # repository feature decides the outcome.
    let(:access) { described_class.new(nil, public_project, 'web', authentication_abilities: []) }

    context 'when repository is enabled' do
      it('give access to download code') { expect { pull_access_check }.not_to raise_error }
    end

    context 'when repository is disabled' do
      before { public_project.project_feature.update_attribute(:repository_access_level, ProjectFeature::DISABLED) }

      it('does not give access to download code') { expect { pull_access_check }.to raise_unauthorized('You are not allowed to download code from this project.') }
    end
  end
end
describe 'deploy key permissions' do
  let(:key) { create(:deploy_key, user: user) }
  let(:actor) { key }

  context 'pull code' do
    context 'when project is authorized' do
      before { key.projects << project }

      it { expect { pull_access_check }.not_to raise_error }
    end

    # A key not attached to the project may still read a public one; internal
    # and private projects answer NotFound, so the key cannot learn whether
    # they exist.
    context 'when unauthorized' do
      context 'from public project' do
        let(:project) { create(:project, :public, :repository) }

        it { expect { pull_access_check }.not_to raise_error }
      end

      %i[internal private].each do |visibility|
        context "from #{visibility} project" do
          let(:project) { create(:project, visibility, :repository) }

          it { expect { pull_access_check }.to raise_not_found('The project you were looking for could not be found.') }
        end
      end
    end
  end
end
describe 'build authentication_abilities permissions' do
  let(:authentication_abilities) { build_authentication_abilities }

  describe 'owner' do
    let(:project) { create(:project, :repository, namespace: user.namespace) }

    context 'pull code' do
      it { expect { pull_access_check }.not_to raise_error }
    end
  end

  describe 'reporter user' do
    before { project.team << [user, :reporter] }

    context 'pull code' do
      it { expect { pull_access_check }.not_to raise_error }
    end
  end

  describe 'admin user' do
    let(:user) { create(:admin) }

    # With build abilities the admin flag grants nothing on its own; the admin
    # has to be a member of the project like anybody else.
    context 'when member of the project' do
      before { project.team << [user, :reporter] }

      context 'pull code' do
        it { expect { pull_access_check }.not_to raise_error }
      end
    end

    context 'when is not member of the project' do
      context 'pull code' do
        it { expect { pull_access_check }.to raise_unauthorized('You are not allowed to download code from this project.') }
      end
    end
  end

  describe 'generic CI (build without a user)' do
    let(:actor) { :ci }

    context 'pull code' do
      it { expect { pull_access_check }.not_to raise_error }
    end
  end
end
end
describe '#check_push_access!' do
# Build the merge commit up front so it exists in the repository before any
# push check runs, including the scenarios that never reference it.
before { merge_into_protected_branch }

let(:unprotected_branch) { 'unprotected_branch' }

# One `<old-sha> <new-sha> <ref>` line per push scenario; the blank SHA stands
# for a ref that does not exist yet (creation) or will not exist afterwards
# (deletion). `push_all` carries several changes at once.
let(:changes) do
  {
    push_new_branch: "#{Gitlab::Git::BLANK_SHA} 570e7b2ab refs/heads/wow",
    push_master: '6f6d7e7ed 570e7b2ab refs/heads/master',
    push_protected_branch: '6f6d7e7ed 570e7b2ab refs/heads/feature',
    push_remove_protected_branch: "570e7b2ab #{Gitlab::Git::BLANK_SHA} refs/heads/feature",
    push_tag: '6f6d7e7ed 570e7b2ab refs/tags/v1.0.0',
    push_new_tag: "#{Gitlab::Git::BLANK_SHA} 570e7b2ab refs/tags/v7.8.9",
    push_all: ['6f6d7e7ed 570e7b2ab refs/heads/master', '6f6d7e7ed 570e7b2ab refs/heads/feature'],
    merge_into_protected_branch: "0b4bc9a #{merge_into_protected_branch} refs/heads/feature"
  }
end
# Running the `pre-receive` hook is expensive, and not necessary for this test.
# Replaces GitHooksService#execute with a stub that yields straight to the
# caller's block, so the repository writes below happen without any hook.
def stub_git_hooks
  allow_any_instance_of(GitHooksService).to receive(:execute) { |service, &block| block.call(service) }
end
# Creates, once per example, a merge commit of `unprotected_branch` into
# 'feature' and memoises the result (the id returned by Rugged::Commit.create).
# `changes[:merge_into_protected_branch]` pushes that id, so the
# "developers can merge" rules have a real merge commit to inspect.
def merge_into_protected_branch
  @protected_branch_merge_commit ||= begin
    # Hooks are stubbed first; presumably create_file would otherwise run them.
    stub_git_hooks
    # Branch off 'feature', then add one commit on the new branch.
    project.repository.add_branch(user, unprotected_branch, 'feature')
    target_branch = project.repository.lookup('feature')
    source_branch = project.repository.create_file(
      user,
      'filename',
      'This is the file content',
      message: 'This is a good commit message',
      branch_name: unprotected_branch)
    rugged = project.repository.rugged
    author = { email: "email@example.com", time: Time.now, name: "Example Git User" }

    # Merge in memory with Rugged and write the result as a two-parent commit;
    # no ref is updated, only the commit object is written.
    merge_index = rugged.merge_commits(target_branch, source_branch)
    Rugged::Commit.create(rugged, author: author, committer: author, message: "commit message", parents: [target_branch, source_branch], tree: merge_index.write_tree(rugged))
  end
end
# Run permission checks for a user
#
# Generates one example group per role in `permissions_matrix` and, inside it,
# one example per push scenario: success where the matrix says true,
# UnauthorizedError where it says false. `:admin` is granted through the user
# flag, every other role through project membership.
def self.run_permission_checks(permissions_matrix)
  permissions_matrix.each do |role, expectations|
    describe "#{role} access" do
      before do
        if role == :admin
          user.update_attribute(:admin, true)
        else
          project.team << [user, role]
        end
      end

      expectations.each do |action, allowed|
        context action.to_s do
          # check_push_access! is reached through `send`, presumably because it
          # is not part of the public interface.
          subject { access.send(:check_push_access!, changes[action]) }

          if allowed
            it { expect { subject }.not_to raise_error }
          else
            it { expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError) }
          end
        end
      end
    end
  end
end
# Expected outcome of every push scenario per role when 'feature' is a
# protected branch with default settings: admins and masters may push and
# merge to it but not delete it, developers may touch neither it nor the
# protected tag, reporters and guests may push nothing. The groups below
# deep_merge overrides into this base as the protection settings change.
push_actions = %i[push_new_branch push_master push_protected_branch push_remove_protected_branch
                  push_tag push_new_tag push_all merge_into_protected_branch]
outcomes_for = ->(allowed_actions) { push_actions.map { |action| [action, allowed_actions.include?(action)] }.to_h }

permissions_matrix = {
  admin: outcomes_for.call(push_actions - [:push_remove_protected_branch]),
  master: outcomes_for.call(push_actions - [:push_remove_protected_branch]),
  developer: outcomes_for.call(%i[push_new_branch push_master push_new_tag]),
  reporter: outcomes_for.call([]),
  guest: outcomes_for.call([])
}
# The matrix is exercised against an exactly named protected branch and
# against a wildcard matching it: wildcard protection must behave the same.
{ 'feature' => 'exact', 'feat*' => 'wildcard' }.each do |protected_branch_name, protected_branch_type|
  context do
    before { create(:protected_branch, name: protected_branch_name, project: project) }

    run_permission_checks(permissions_matrix)
  end

  context "when developers are allowed to push into the #{protected_branch_type} protected branch" do
    before { create(:protected_branch, :developers_can_push, name: protected_branch_name, project: project) }

    run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
  end

  context "developers are allowed to merge into the #{protected_branch_type} protected branch" do
    before { create(:protected_branch, :developers_can_merge, name: protected_branch_name, project: project) }

    # Merge permission only covers the merge commit an in-progress merge
    # request is about to produce; any other merge commit is still refused.
    context "when a merge request exists for the given source/target branch" do
      context "when the merge request is in progress" do
        before do
          create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature',
                                 state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
        end

        run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: true }))
      end

      context "when the merge request is not in progress" do
        before do
          create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', in_progress_merge_commit_sha: nil)
        end

        run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: false }))
      end
    end

    context "when a merge request does not exist for the given source/target branch" do
      run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: false }))
    end
  end

  context "when developers are allowed to push and merge into the #{protected_branch_type} protected branch" do
    before { create(:protected_branch, :developers_can_merge, :developers_can_push, name: protected_branch_name, project: project) }

    run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
  end

  # This description interpolates the branch name, not the type, unlike the
  # groups above. "No one" includes admins and masters.
  context "when no one is allowed to push to the #{protected_branch_name} protected branch" do
    before { create(:protected_branch, :no_one_can_push, name: protected_branch_name, project: project) }

    locked = { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }
    run_permission_checks(permissions_matrix.deep_merge(developer: locked, master: locked, admin: locked))
  end
end
end
describe 'build authentication abilities' do
  let(:authentication_abilities) { build_authentication_abilities }

  # Build abilities never allow a push: where the project is visible the push
  # is Unauthorized, where it is not the project is reported as not found.
  context 'when project is authorized' do
    before { project.team << [user, :reporter] }

    it { expect { push_access_check }.to raise_unauthorized('You are not allowed to upload code for this project.') }
  end

  context 'when unauthorized' do
    %i[public internal].each do |visibility|
      context "to #{visibility} project" do
        let(:project) { create(:project, visibility, :repository) }

        it { expect { push_access_check }.to raise_unauthorized('You are not allowed to upload code for this project.') }
      end
    end

    context 'to private project' do
      let(:project) { create(:project, :private, :repository) }

      it { expect { push_access_check }.to raise_not_found('The project you were looking for could not be found.') }
    end
  end
end
describe 'deploy key permissions' do
  let(:key) { create(:deploy_key, user: user, can_push: can_push) }
  let(:actor) { key }

  # Whatever its write flag, a key that is not attached to the project gets the
  # same answers: a public project refuses the push as Unauthorized, internal
  # and private ones are reported as not found so their existence stays hidden.
  shared_examples 'a deploy key not attached to the project' do
    context 'to public project' do
      let(:project) { create(:project, :public, :repository) }

      it { expect { push_access_check }.to raise_unauthorized('This deploy key does not have write access to this project.') }
    end

    %i[internal private].each do |visibility|
      context "to #{visibility} project" do
        let(:project) { create(:project, visibility, :repository) }

        it { expect { push_access_check }.to raise_not_found('The project you were looking for could not be found.') }
      end
    end
  end

  context 'when deploy_key can push' do
    let(:can_push) { true }

    context 'when project is authorized' do
      before { key.projects << project }

      it { expect { push_access_check }.not_to raise_error }
    end

    context 'when unauthorized' do
      include_examples 'a deploy key not attached to the project'
    end
  end

  context 'when deploy_key cannot push' do
    let(:can_push) { false }

    # Being attached to the project is not enough: the key's own write flag
    # decides the push.
    context 'when project is authorized' do
      before { key.projects << project }

      it { expect { push_access_check }.to raise_unauthorized('This deploy key does not have write access to this project.') }
    end

    context 'when unauthorized' do
      include_examples 'a deploy key not attached to the project'
    end
  end
end
private
# Matcher for a command refused on the actor's permissions while the project
# itself is visible to it; `message` is matched the way raise_error matches it.
def raise_unauthorized(message)
  raise_error Gitlab::GitAccess::UnauthorizedError, message
end
# Matcher for a command refused without revealing the project: the same error
# is used for a missing project and for one the actor may not see.
def raise_not_found(message)
  raise_error Gitlab::GitAccess::NotFoundError, message
end
# Abilities of a CI build: it can see the project and download code, but
# never push (no :push_code).
def build_authentication_abilities
  %i[read_project build_download_code]
end
# Abilities of a fully authenticated user; the same list the default
# `authentication_abilities` fixture at the top of the file uses.
def full_authentication_abilities
  %i[read_project download_code push_code]
end
end