2019-10-28 20:06:10 -04:00
# frozen_string_literal: true
2019-09-13 09:26:31 -04:00
require 'spec_helper'
2015-02-24 10:05:39 -05:00
2020-06-24 02:09:01 -04:00
RSpec . describe 'Git HTTP requests' do
2018-05-15 06:25:51 -04:00
include ProjectForksHelper
2018-05-10 10:13:05 -04:00
include TermsHelper
2016-08-15 06:33:46 -04:00
include GitHttpHelpers
2016-08-19 13:10:41 -04:00
include WorkhorseHelpers
2017-05-15 19:13:36 -04:00
shared_examples 'pulls require Basic HTTP Authentication' do
context " when no credentials are provided " do
it " responds to downloads with status 401 Unauthorized (no project existence information leak) " do
download ( path ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
2016-03-24 12:44:10 -04:00
2017-05-15 19:13:36 -04:00
context " when only username is provided " do
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
2016-03-24 12:44:10 -04:00
2017-05-15 19:13:36 -04:00
context " when username and password are provided " do
context " when authentication fails " do
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : " wrong-password " ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
2021-06-01 17:10:06 -04:00
context " when user is blocked " do
let ( :user ) { create ( :user , :blocked ) }
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2017-05-15 19:13:36 -04:00
end
2015-02-24 10:05:39 -05:00
2017-05-15 19:13:36 -04:00
context " when authentication succeeds " do
it " does not respond to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . not_to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to be_nil
2015-02-24 10:05:39 -05:00
end
end
2016-03-24 12:38:30 -04:00
end
2017-05-15 19:13:36 -04:00
end
end
2015-02-24 10:05:39 -05:00
2021-06-16 14:10:35 -04:00
shared_examples 'operations are not allowed with expired password' do
context " when password is expired " do
it " responds to downloads with status 401 Unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-06-16 14:10:35 -04:00
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
it " responds to uploads with status 401 Unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-06-16 14:10:35 -04:00
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
2017-05-15 19:13:36 -04:00
shared_examples 'pushes require Basic HTTP Authentication' do
context " when no credentials are provided " do
it " responds to uploads with status 401 Unauthorized (no project existence information leak) " do
upload ( path ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
context " when only username is provided " do
it " responds to uploads with status 401 Unauthorized " do
upload ( path , user : user . username ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
context " when username and password are provided " do
context " when authentication fails " do
it " responds to uploads with status 401 Unauthorized " do
upload ( path , user : user . username , password : " wrong-password " ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
2015-02-24 10:05:39 -05:00
end
end
2017-05-15 19:13:36 -04:00
end
2015-10-22 17:16:37 -04:00
2017-05-15 19:13:36 -04:00
context " when authentication succeeds " do
it " does not respond to uploads with status 401 Unauthorized " do
upload ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . not_to have_gitlab_http_status ( :unauthorized )
2017-05-15 19:13:36 -04:00
expect ( response . header [ 'WWW-Authenticate' ] ) . to be_nil
2016-08-15 06:33:46 -04:00
end
end
2015-10-22 17:16:37 -04:00
end
end
2017-05-15 19:13:36 -04:00
end
shared_examples_for 'pulls are allowed' do
2019-10-23 05:06:03 -04:00
it 'allows pulls' do
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-02-10 10:08:54 -05:00
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-05-15 19:13:36 -04:00
end
end
end
shared_examples_for 'pushes are allowed' do
2019-10-23 05:06:03 -04:00
it 'allows pushes' , :sidekiq_might_not_need_inline do
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-02-10 10:08:54 -05:00
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-05-15 19:13:36 -04:00
end
end
end
2019-02-17 22:51:56 -05:00
shared_examples_for 'project path without .git suffix' do
context " GET info/refs " do
2020-01-24 13:09:00 -05:00
let ( :path ) { " / #{ repository_path } /info/refs " }
2019-02-17 22:51:56 -05:00
context " when no params are added " do
before do
get path
end
it " redirects to the .git suffix version " do
2020-01-24 13:09:00 -05:00
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs " )
2019-02-17 22:51:56 -05:00
end
end
context " when the upload-pack service is requested " do
let ( :params ) { { service : 'git-upload-pack' } }
before do
get path , params : params
end
it " redirects to the .git suffix version " do
2020-01-24 13:09:00 -05:00
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs?service= #{ params [ :service ] } " )
2019-02-17 22:51:56 -05:00
end
end
context " when the receive-pack service is requested " do
let ( :params ) { { service : 'git-receive-pack' } }
before do
get path , params : params
end
it " redirects to the .git suffix version " do
2020-01-24 13:09:00 -05:00
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs?service= #{ params [ :service ] } " )
2019-02-17 22:51:56 -05:00
end
end
context " when the params are anything else " do
let ( :params ) { { service : 'git-implode-pack' } }
before do
get path , params : params
end
it " redirects to the sign-in page " do
expect ( response ) . to redirect_to ( new_user_session_path )
end
end
end
context " POST git-upload-pack " do
it " fails to find a route " do
2021-02-01 19:09:14 -05:00
clone_post ( repository_path ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
2019-02-17 22:51:56 -05:00
end
end
context " POST git-receive-pack " do
it " fails to find a route " do
2021-02-01 19:09:14 -05:00
push_post ( repository_path ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
2019-02-17 22:51:56 -05:00
end
end
end
2017-05-15 19:13:36 -04:00
describe " User with no identities " do
let ( :user ) { create ( :user ) }
2015-10-22 17:16:37 -04:00
2017-05-15 19:13:36 -04:00
context " when the project doesn't exist " do
2018-01-22 13:10:56 -05:00
context " when namespace doesn't exist " do
let ( :path ) { 'doesnt/exist.git' }
2016-03-24 12:44:13 -04:00
2018-01-22 13:10:56 -05:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-06-16 14:10:35 -04:00
it_behaves_like 'operations are not allowed with expired password'
2018-01-22 13:10:56 -05:00
context 'when authenticated' do
it 'rejects downloads and uploads with 404 Not Found' do
download_or_upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
end
end
2016-08-15 06:33:46 -04:00
2018-01-22 13:10:56 -05:00
context 'when namespace exists' do
2022-07-29 14:08:58 -04:00
let ( :path ) { " #{ user . namespace . path } /new-project.git " }
2018-01-22 13:10:56 -05:00
context 'when authenticated' do
it 'creates a new project under the existing namespace' do
expect do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end . to change { user . projects . count } . by ( 1 )
end
2018-01-26 09:28:08 -05:00
it 'rejects push with 422 Unprocessable Entity when project is invalid' do
2018-01-22 13:10:56 -05:00
path = " #{ user . namespace . path } /new.git "
2018-01-26 09:28:08 -05:00
push_get ( path , user : user . username , password : user . password )
expect ( response ) . to have_gitlab_http_status ( :unprocessable_entity )
2017-05-15 19:13:36 -04:00
end
2016-03-24 12:34:56 -04:00
end
2019-02-17 22:51:56 -05:00
2022-05-30 14:08:57 -04:00
context 'when project name is missing' do
let ( :path ) { " / #{ user . namespace . path } /info/refs " }
it 'does not redirect to the incorrect path' do
get path
expect ( response ) . not_to redirect_to ( " / #{ user . namespace . path } .git/info/refs " )
end
end
2019-02-17 22:51:56 -05:00
it_behaves_like 'project path without .git suffix' do
2020-01-24 13:09:00 -05:00
let ( :repository_path ) { " #{ user . namespace . path } /project.git-project " }
2019-02-17 22:51:56 -05:00
end
2016-03-24 12:38:30 -04:00
end
2017-05-15 19:13:36 -04:00
end
context " when requesting the Wiki " do
let ( :wiki ) { ProjectWiki . new ( project ) }
2017-07-21 20:37:22 -04:00
let ( :path ) { " / #{ wiki . repository . full_path } .git " }
2017-05-15 19:13:36 -04:00
context " when the project is public " do
2018-02-21 19:20:30 -05:00
let ( :project ) { create ( :project , :wiki_repo , :public , :wiki_enabled ) }
2017-05-15 19:13:36 -04:00
it_behaves_like 'pushes require Basic HTTP Authentication'
2017-01-24 15:04:45 -05:00
2017-05-15 19:13:36 -04:00
context 'when unauthenticated' do
let ( :env ) { { } }
2017-01-24 15:04:45 -05:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it " responds to pulls with the wiki's repo " do
download ( path ) do | response |
2021-07-22 08:10:04 -04:00
json_body = Gitlab :: Json . parse ( response . body )
2017-05-15 19:13:36 -04:00
2018-03-28 05:21:32 -04:00
expect ( json_body [ 'Repository' ] [ 'relative_path' ] ) . to eq ( wiki . repository . relative_path )
2017-05-15 19:13:36 -04:00
end
end
2017-01-24 15:04:45 -05:00
end
2017-05-15 19:13:36 -04:00
context 'when authenticated' do
let ( :env ) { { user : user . username , password : user . password } }
context 'and as a developer on the team' do
before do
2017-12-22 03:18:28 -05:00
project . add_developer ( user )
2017-05-15 19:13:36 -04:00
end
context 'but the repo is disabled' do
2018-02-21 19:20:30 -05:00
let ( :project ) { create ( :project , :wiki_repo , :public , :repository_disabled , :wiki_enabled ) }
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
context 'and not on the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-05-15 19:13:36 -04:00
expect ( response . body ) . to eq ( git_access_wiki_error ( :write_to_wiki ) )
end
end
2017-01-24 15:04:45 -05:00
end
end
2017-05-15 19:13:36 -04:00
end
2017-01-24 15:04:45 -05:00
2017-05-15 19:13:36 -04:00
context " when the project is private " do
2018-02-21 19:20:30 -05:00
let ( :project ) { create ( :project , :wiki_repo , :private , :wiki_enabled ) }
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-06-16 14:10:35 -04:00
it_behaves_like 'operations are not allowed with expired password'
2017-05-15 19:13:36 -04:00
context 'when authenticated' do
context 'and as a developer on the team' do
before do
2017-12-22 03:18:28 -05:00
project . add_developer ( user )
2017-05-15 19:13:36 -04:00
end
2020-12-08 04:09:41 -05:00
context 'when user is using credentials with special characters' do
context 'with password with special characters' do
before do
2022-03-31 17:08:16 -04:00
user . update! ( password : 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U' )
2020-12-08 04:09:41 -05:00
end
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
2017-05-15 19:13:36 -04:00
context 'but the repo is disabled' do
2018-02-21 19:20:30 -05:00
let ( :project ) { create ( :project , :wiki_repo , :private , :repository_disabled , :wiki_enabled ) }
2017-05-15 19:13:36 -04:00
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-05-15 19:13:36 -04:00
end
end
it 'pushes are allowed' do
upload ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-05-15 19:13:36 -04:00
end
end
end
end
context 'and not on the team' do
it 'rejects clones with 404 Not Found' do
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-07-21 14:09:45 -04:00
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
2017-05-15 19:13:36 -04:00
end
end
it 'rejects pushes with 404 Not Found' do
upload ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-07-21 14:09:45 -04:00
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
2017-05-15 19:13:36 -04:00
end
end
2017-01-24 15:04:45 -05:00
end
end
end
2016-08-15 06:33:46 -04:00
end
context " when the project exists " do
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2016-03-24 12:44:13 -04:00
2016-08-15 06:33:46 -04:00
context " when the project is public " do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :repository , :public ) }
2016-04-06 12:58:19 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pushes require Basic HTTP Authentication'
2016-03-24 13:58:29 -04:00
2017-05-15 19:13:36 -04:00
context 'when not authenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
2016-03-24 13:58:29 -04:00
end
2016-04-06 12:58:19 -04:00
2017-05-15 19:13:36 -04:00
context " when authenticated " do
2016-08-15 06:33:46 -04:00
let ( :env ) { { user : user . username , password : user . password } }
2016-04-06 12:58:19 -04:00
2017-05-15 19:13:36 -04:00
context 'as a developer on the team' do
before do
2017-12-22 03:18:28 -05:00
project . add_developer ( user )
2016-03-24 13:58:29 -04:00
end
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2016-03-24 12:38:30 -04:00
2017-05-15 19:13:36 -04:00
context 'but git-receive-pack over HTTP is disabled in config' do
before do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :receive_pack ) . and_return ( false )
end
it 'rejects pushes with 403 Forbidden' do
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-05-22 14:28:51 -04:00
expect ( response . body ) . to eq ( git_access_error ( :receive_pack_disabled_over_http ) )
2017-05-15 19:13:36 -04:00
end
end
end
context 'but git-upload-pack over HTTP is disabled in config' do
it " rejects pushes with 403 Forbidden " do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :upload_pack ) . and_return ( false )
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-05-22 14:28:51 -04:00
expect ( response . body ) . to eq ( git_access_error ( :upload_pack_disabled_over_http ) )
2017-05-15 19:13:36 -04:00
end
2016-08-15 06:33:46 -04:00
end
end
2021-02-12 01:09:11 -05:00
context 'but the service parameter is missing' do
it 'rejects clones with 403 Forbidden' do
get ( " / #{ path } /info/refs " , headers : auth_env ( * env . values_at ( :user , :password ) , nil ) )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
2016-03-24 11:14:09 -04:00
end
2016-03-24 12:34:56 -04:00
2017-05-15 19:13:36 -04:00
context 'and not a member of the team' do
it_behaves_like 'pulls are allowed'
2016-03-24 12:38:30 -04:00
2017-05-15 19:13:36 -04:00
it 'rejects pushes with 403 Forbidden' do
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-12-04 06:55:49 -05:00
expect ( response . body ) . to eq ( 'You are not allowed to push code to this project.' )
2017-05-15 19:13:36 -04:00
end
2016-08-15 06:33:46 -04:00
end
2018-05-15 06:25:51 -04:00
context 'when merge requests are open that allow maintainer access' do
let ( :canonical_project ) { create ( :project , :public , :repository ) }
let ( :project ) { fork_project ( canonical_project , nil , repository : true ) }
before do
2018-07-11 10:36:08 -04:00
canonical_project . add_maintainer ( user )
2018-05-15 06:25:51 -04:00
create ( :merge_request ,
source_project : project ,
2022-08-23 05:09:29 -04:00
target_project : canonical_project ,
2018-05-15 06:25:51 -04:00
source_branch : 'fixes' ,
allow_collaboration : true )
end
it_behaves_like 'pushes are allowed'
end
2021-02-12 01:09:11 -05:00
context 'but the service parameter is missing' do
it 'rejects clones with 401 Unauthorized' do
get ( " / #{ path } /info/refs " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
2016-03-24 12:34:56 -04:00
end
end
2016-04-06 12:58:19 -04:00
2016-08-15 06:33:46 -04:00
context 'when the request is not from gitlab-workhorse' do
it 'raises an exception' do
expect do
2017-07-21 20:37:22 -04:00
get ( " / #{ project . full_path } .git/info/refs?service=git-upload-pack " )
2016-08-15 06:33:46 -04:00
end . to raise_error ( JWT :: DecodeError )
2016-04-06 12:58:19 -04:00
end
end
2016-11-02 17:50:44 -04:00
context 'when the repo is public' do
context 'but the repo is disabled' do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :public , :repository , :repository_disabled ) }
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2017-05-15 19:13:36 -04:00
let ( :env ) { { } }
2016-11-02 17:50:44 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-06-16 14:10:35 -04:00
it_behaves_like 'operations are not allowed with expired password'
2016-11-02 17:50:44 -04:00
end
context 'but the repo is enabled' do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :public , :repository , :repository_enabled ) }
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2017-05-15 19:13:36 -04:00
let ( :env ) { { } }
2016-11-02 17:50:44 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
2016-11-02 17:50:44 -04:00
end
context 'but only project members are allowed' do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :public , :repository , :repository_private ) }
2016-11-02 17:50:44 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-06-16 14:10:35 -04:00
it_behaves_like 'operations are not allowed with expired password'
2016-11-02 17:50:44 -04:00
end
end
2017-06-15 20:17:24 -04:00
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
2018-03-05 07:02:36 -05:00
it 'downloads get status 200 for redirects' do
2020-11-17 22:09:21 -05:00
clone_get ( path )
2018-03-05 07:02:36 -05:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-06-15 20:17:24 -04:00
end
end
2015-02-24 10:05:39 -05:00
end
2016-08-15 06:33:46 -04:00
context " when the project is private " do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :repository , :private ) }
2015-02-24 10:05:39 -05:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-06-16 14:10:35 -04:00
it_behaves_like 'operations are not allowed with expired password'
2015-02-24 10:05:39 -05:00
2016-08-15 06:33:46 -04:00
context " when username and password are provided " do
let ( :env ) { { user : user . username , password : 'nope' } }
2016-03-24 11:21:19 -04:00
2016-08-15 06:33:46 -04:00
context " when authentication fails " do
context " when the user is IP banned " do
2018-01-24 07:25:10 -05:00
before do
2019-11-07 22:06:48 -05:00
stub_rack_attack_setting ( enabled : true , ip_whitelist : [ ] )
2018-01-24 07:25:10 -05:00
end
2019-10-27 05:05:56 -04:00
it " responds with status 403 " do
2019-12-03 16:06:23 -05:00
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :banned? ) . and_return ( true )
2019-10-27 05:05:56 -04:00
expect ( Gitlab :: AuthLogger ) . to receive ( :error ) . with ( {
message : 'Rack_Attack' ,
env : :blocklist ,
remote_ip : '127.0.0.1' ,
request_method : 'GET' ,
path : " / #{ path } /info/refs?service=git-upload-pack "
} )
2015-02-24 10:05:39 -05:00
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env )
2016-08-15 06:33:46 -04:00
2019-10-27 05:05:56 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2015-02-24 10:05:39 -05:00
end
2016-03-24 12:38:30 -04:00
end
2016-08-15 06:33:46 -04:00
end
2015-02-24 10:05:39 -05:00
2016-08-15 06:33:46 -04:00
context " when authentication succeeds " do
let ( :env ) { { user : user . username , password : user . password } }
2016-03-24 11:21:19 -04:00
2016-08-15 06:33:46 -04:00
context " when the user has access to the project " do
before do
2018-07-11 10:36:08 -04:00
project . add_maintainer ( user )
2016-08-15 06:33:46 -04:00
end
2016-03-24 11:21:19 -04:00
2016-08-15 06:33:46 -04:00
context " when the user is blocked " do
2017-05-15 19:13:36 -04:00
it " rejects pulls with 401 Unauthorized " do
2016-08-15 06:33:46 -04:00
user . block
2018-07-11 10:36:08 -04:00
project . add_maintainer ( user )
2016-08-15 06:33:46 -04:00
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-01-18 05:23:25 -05:00
end
end
2017-05-15 19:13:36 -04:00
it " rejects pulls with 401 Unauthorized for unknown projects (no project existence information leak) " do
2017-01-18 05:23:25 -05:00
user . block
2020-11-17 22:09:21 -05:00
download ( 'doesnt/exist.git' , ** env ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2016-08-15 06:33:46 -04:00
end
end
2015-02-24 10:05:39 -05:00
end
2016-04-06 12:58:19 -04:00
2016-08-15 06:33:46 -04:00
context " when the user isn't blocked " do
2018-01-24 07:25:10 -05:00
before do
2019-10-27 05:05:56 -04:00
stub_rack_attack_setting ( enabled : true , bantime : 1 . minute , findtime : 5 . minutes , maxretry : 2 , ip_whitelist : [ ] )
2018-01-24 07:25:10 -05:00
end
2017-05-15 19:13:36 -04:00
it " resets the IP in Rack Attack on download " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
2016-08-15 06:33:46 -04:00
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-02-10 10:08:54 -05:00
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-05-15 19:13:36 -04:00
end
2016-04-06 12:58:19 -04:00
end
2015-03-15 22:07:23 -04:00
2017-05-15 19:13:36 -04:00
it " resets the IP in Rack Attack on upload " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-02-10 10:08:54 -05:00
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2016-08-15 06:33:46 -04:00
end
end
2017-04-17 09:23:39 -04:00
2017-07-10 23:35:47 -04:00
it 'updates the user last activity' , :clean_gitlab_redis_shared_state do
2018-07-12 07:21:08 -04:00
expect ( user . last_activity_on ) . to be_nil
2017-04-17 09:23:39 -04:00
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do | response |
2018-07-12 07:21:08 -04:00
expect ( user . reload . last_activity_on ) . to eql ( Date . today )
2017-04-17 09:23:39 -04:00
end
end
2016-04-29 12:56:53 -04:00
end
2016-08-15 06:33:46 -04:00
context " when an oauth token is provided " do
before do
application = Doorkeeper :: Application . create! ( name : " MyApp " , redirect_uri : " https://app.com " , owner : user )
2016-11-22 04:13:37 -05:00
@token = Doorkeeper :: AccessToken . create! ( application_id : application . id , resource_owner_id : user . id , scopes : " api " )
2016-08-15 06:33:46 -04:00
end
2016-04-29 12:56:53 -04:00
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2017-05-15 19:13:36 -04:00
let ( :env ) { { user : 'oauth2' , password : @token . token } }
2016-08-15 06:33:46 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2021-06-01 17:10:06 -04:00
context " when password is expired " do
it " responds to downloads with status 401 unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-06-01 17:10:06 -04:00
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2016-04-29 12:56:53 -04:00
end
2016-08-15 06:33:46 -04:00
context 'when user has 2FA enabled' do
let ( :user ) { create ( :user , :two_factor ) }
let ( :access_token ) { create ( :personal_access_token , user : user ) }
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2016-08-17 18:21:18 -04:00
2016-08-15 06:33:46 -04:00
before do
2018-07-11 10:36:08 -04:00
project . add_maintainer ( user )
2016-08-15 06:33:46 -04:00
end
2016-08-10 20:04:25 -04:00
2016-08-15 06:33:46 -04:00
context 'when username and password are provided' do
2022-08-30 14:09:50 -04:00
it 'rejects pulls with generic error message' do
2017-05-15 19:13:36 -04:00
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2016-08-15 06:33:46 -04:00
end
2016-08-10 20:04:25 -04:00
end
2022-08-30 14:09:50 -04:00
it 'rejects the push attempt with generic error message' do
2017-05-15 19:13:36 -04:00
upload ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2016-08-15 06:33:46 -04:00
end
2016-08-10 20:04:25 -04:00
end
end
2016-08-15 06:33:46 -04:00
context 'when username and personal access token are provided' do
2017-05-15 19:13:36 -04:00
let ( :env ) { { user : user . username , password : access_token . token } }
2016-08-10 20:04:25 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2019-04-15 09:05:55 -04:00
it 'rejects the push attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
upload ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to include ( 'You are not allowed to upload code' )
end
end
it 'accepts the push attempt for write_repository scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for api scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the push attempt for api scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
2021-06-01 17:10:06 -04:00
context " when password is expired " do
it " responds to uploads with status 401 unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-06-01 17:10:06 -04:00
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2021-08-03 17:09:39 -04:00
context 'when token is impersonated' do
context 'when impersonation is off' do
before do
stub_config_setting ( impersonation_enabled : false )
end
it 'responds to uploads with status 401 unauthorized' do
write_access_token = create ( :personal_access_token , :impersonation , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
context 'when impersonation is on' do
it 'responds to uploads with status 200' do
write_access_token = create ( :personal_access_token , :impersonation , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
2016-08-10 20:04:25 -04:00
end
end
2017-06-07 15:49:45 -04:00
context 'when internal auth is disabled' do
before do
2017-11-23 08:16:14 -05:00
allow_any_instance_of ( ApplicationSetting ) . to receive ( :password_authentication_enabled_for_git? ) { false }
2017-06-07 15:49:45 -04:00
end
2022-08-30 14:09:50 -04:00
it 'rejects pulls with generic error message' do
2017-06-07 15:49:45 -04:00
download ( path , user : 'foo' , password : 'bar' ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2017-06-07 15:49:45 -04:00
end
end
2022-08-30 14:09:50 -04:00
it 'rejects pushes with generic error message' do
2017-06-07 15:49:45 -04:00
upload ( path , user : 'foo' , password : 'bar' ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2017-06-07 15:49:45 -04:00
end
end
context 'when LDAP is configured' do
before do
2020-03-12 11:09:39 -04:00
allow ( Gitlab :: Auth :: Ldap :: Config ) . to receive ( :enabled? ) . and_return ( true )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication )
2017-06-21 09:48:12 -04:00
. to receive ( :login ) . and_return ( nil )
2017-06-07 15:49:45 -04:00
end
2022-08-30 14:09:50 -04:00
it 'displays the generic error message' do
2017-06-07 15:49:45 -04:00
upload ( path , user : 'foo' , password : 'bar' ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2017-06-07 15:49:45 -04:00
end
end
end
end
2016-08-15 06:33:46 -04:00
context " when blank password attempts follow a valid login " do
def attempt_login ( include_password )
password = include_password ? user . password : " "
clone_get path , user : user . username , password : password
response . status
end
2016-03-23 09:04:09 -04:00
2019-10-27 05:05:56 -04:00
include_context 'rack attack cache store'
2016-08-15 06:33:46 -04:00
it " repeated attempts followed by successful attempt " do
options = Gitlab . config . rack_attack . git_basic_auth
2019-10-27 05:05:56 -04:00
maxretry = options [ :maxretry ]
2016-08-15 06:33:46 -04:00
ip = '1.2.3.4'
2016-03-23 09:04:09 -04:00
2019-01-07 03:35:53 -05:00
allow_any_instance_of ( ActionDispatch :: Request ) . to receive ( :ip ) . and_return ( ip )
2016-08-15 06:33:46 -04:00
Rack :: Attack :: Allow2Ban . reset ( ip , options )
2015-03-15 22:07:23 -04:00
2016-08-15 06:33:46 -04:00
maxretry . times . each do
expect ( attempt_login ( false ) ) . to eq ( 401 )
end
2015-03-15 22:07:23 -04:00
2016-08-15 06:33:46 -04:00
expect ( attempt_login ( true ) ) . to eq ( 200 )
expect ( Rack :: Attack :: Allow2Ban . banned? ( ip ) ) . to be_falsey
end
2015-03-15 22:07:23 -04:00
end
2017-06-15 20:04:17 -04:00
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
let ( :project_moved_message ) do
<<-MSG.strip_heredoc
Project '#{redirect.path}' was moved to '#{project.full_path}' .
2017-12-08 12:42:43 -05:00
Please update your Git remote :
2017-06-15 20:04:17 -04:00
2018-03-05 07:02:36 -05:00
git remote set - url origin #{project.http_url_to_repo}.
2017-06-15 20:04:17 -04:00
MSG
end
2018-03-05 07:02:36 -05:00
it 'downloads get status 200' do
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env )
2018-03-05 07:02:36 -05:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-06-15 20:04:17 -04:00
end
it 'uploads get status 404 with "project was moved" message' do
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2018-03-05 07:02:36 -05:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-06-15 20:04:17 -04:00
end
end
end
2015-02-24 10:05:39 -05:00
end
2016-08-15 06:33:46 -04:00
context " when the user doesn't have access to the project " do
2017-05-15 19:13:36 -04:00
it " pulls get status 404 " do
2016-08-15 06:33:46 -04:00
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-08-15 06:33:46 -04:00
end
2015-02-24 10:05:39 -05:00
end
2016-04-06 12:58:19 -04:00
2016-08-15 06:33:46 -04:00
it " uploads get status 404 " do
upload ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-08-15 06:33:46 -04:00
end
2016-03-24 13:58:29 -04:00
end
end
2022-02-10 07:18:48 -05:00
context " when the user is admin " do
let ( :admin ) { create ( :admin ) }
let ( :env ) { { user : admin . username , password : admin . password } }
# Currently, the admin mode is bypassed for git operations.
# Once the admin mode is considered for git operations, this test will fail.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/296509
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'when admin mode is disabled' do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
2015-02-24 10:05:39 -05:00
end
end
2016-09-15 17:27:01 -04:00
2016-08-15 06:33:46 -04:00
context " when a gitlab ci token is provided " do
2017-05-16 15:58:46 -04:00
let ( :project ) { create ( :project , :repository ) }
2016-08-15 06:33:46 -04:00
let ( :build ) { create ( :ci_build , :running ) }
2018-02-22 13:51:00 -05:00
let ( :other_project ) { create ( :project , :repository ) }
2016-04-06 12:58:19 -04:00
2017-05-16 15:58:46 -04:00
before do
build . update! ( project : project ) # can't associate it on factory create
end
2016-08-15 06:33:46 -04:00
context 'when build created by system is authenticated' do
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2017-05-15 19:13:36 -04:00
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
2016-09-15 17:27:01 -04:00
2022-09-20 17:10:29 -04:00
it 'rejects pulls' do
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
2016-09-15 17:27:01 -04:00
2022-09-20 17:10:29 -04:00
it 'rejects pushes' do
2020-11-17 22:09:21 -05:00
push_get ( path , ** env )
2016-09-15 17:27:01 -04:00
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2016-09-15 17:27:01 -04:00
end
2016-08-15 06:33:46 -04:00
2022-09-20 17:10:29 -04:00
context 'when ci_remove_userless_ci disabled' do
before do
stub_feature_flags ( ci_remove_userless_ci : false )
end
it_behaves_like 'pulls are allowed'
2016-08-15 06:33:46 -04:00
2022-09-20 17:10:29 -04:00
# A non-401 here is not an information leak since the system is
# "authenticated" as CI using the correct token. It does not have
# push access, so pushes should be rejected as forbidden, and giving
# a reason is fine.
#
# We know for sure it is not an information leak since pulls using
# the build token must be allowed.
it " rejects pushes with 403 Forbidden " do
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
end
# We are "authenticated" as CI using a valid token here. But we are
# not authorized to see any other project, so return "not found".
it " rejects pulls for other project with 404 Not Found " do
clone_get ( " #{ other_project . full_path } .git " , ** env )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_error ( :project_not_found ) )
end
end
def pull
download ( path , ** env )
2016-08-15 06:33:46 -04:00
end
2016-09-15 17:27:01 -04:00
end
2016-08-15 06:33:46 -04:00
context 'and build created by' do
before do
2020-09-08 05:08:31 -04:00
build . update! ( user : user )
2017-12-22 03:18:28 -05:00
project . add_reporter ( user )
2021-08-24 20:11:06 -04:00
create ( :ci_job_token_project_scope_link ,
source_project : project ,
target_project : other_project ,
added_by : user )
2016-08-15 06:33:46 -04:00
end
2016-09-15 17:27:01 -04:00
2016-08-15 06:33:46 -04:00
shared_examples 'can download code only' do
2017-07-21 20:37:22 -04:00
let ( :path ) { " #{ project . full_path } .git " }
2017-05-16 15:58:46 -04:00
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
2016-09-15 17:27:01 -04:00
2017-05-16 15:58:46 -04:00
it_behaves_like 'pulls are allowed'
2016-12-09 14:46:50 -05:00
2017-05-16 15:58:46 -04:00
context 'when the repo does not exist' do
2017-08-02 15:55:11 -04:00
let ( :project ) { create ( :project ) }
2017-05-22 14:28:51 -04:00
2018-02-22 13:51:00 -05:00
it 'rejects pulls with 404 Not Found' do
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env )
2016-12-09 14:46:50 -05:00
2018-02-22 13:51:00 -05:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-05-16 15:58:46 -04:00
expect ( response . body ) . to eq ( git_access_error ( :no_repo ) )
end
2016-12-09 14:46:50 -05:00
end
2017-05-16 15:58:46 -04:00
it 'rejects pushes with 403 Forbidden' do
2020-11-17 22:09:21 -05:00
push_get ( path , ** env )
2016-08-15 06:33:46 -04:00
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-02-06 12:25:36 -05:00
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
2016-08-15 06:33:46 -04:00
end
2016-09-15 17:27:01 -04:00
end
2016-08-15 06:33:46 -04:00
context 'administrator' do
let ( :user ) { create ( :admin ) }
2016-09-15 17:27:01 -04:00
2020-12-07 07:10:00 -05:00
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'can download code only'
2016-09-15 17:27:01 -04:00
2021-07-16 08:10:21 -04:00
it 'downloads from other project get status 403' do
2020-12-07 07:10:00 -05:00
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2016-09-15 17:27:01 -04:00
2021-07-16 08:10:21 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2020-12-07 07:10:00 -05:00
end
end
context 'when admin mode is disabled' do
it_behaves_like 'can download code only'
2022-02-10 07:18:48 -05:00
it 'downloads from other project get status 403' do
2020-12-07 07:10:00 -05:00
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2022-02-10 07:18:48 -05:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2020-12-07 07:10:00 -05:00
end
2016-08-15 06:33:46 -04:00
end
end
context 'regular user' do
let ( :user ) { create ( :user ) }
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
2017-07-21 20:37:22 -04:00
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2016-08-15 06:33:46 -04:00
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-08-15 06:33:46 -04:00
end
2021-06-01 17:10:06 -04:00
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-06-01 17:10:06 -04:00
download ( path , user : 'gitlab-ci-token' , password : build . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2016-09-15 17:27:01 -04:00
end
end
2016-04-06 12:58:19 -04:00
end
2015-02-24 10:05:39 -05:00
end
2016-03-24 13:58:29 -04:00
2019-02-17 22:51:56 -05:00
it_behaves_like 'project path without .git suffix' do
2020-01-24 13:09:00 -05:00
let ( :repository_path ) { create ( :project , :repository , :public , path : 'project.git-project' ) . full_path }
2016-06-09 06:53:11 -04:00
end
2017-05-15 19:13:36 -04:00
context " retrieving an info/refs file " do
let ( :project ) { create ( :project , :repository , :public ) }
context " when the file exists " do
before do
# Provide a dummy file in its place
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . and_call_original
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . with ( 'b83d6e391c22777fca1ed3012fce84f633d7fed0' , 'info/refs' ) do
2017-06-06 17:20:24 -04:00
Blob . decorate ( Gitlab :: Git :: Blob . find ( project . repository , 'master' , 'bar/branch-test.txt' ) , project )
2017-05-15 19:13:36 -04:00
end
2016-06-09 09:26:52 -04:00
2020-01-27 07:08:35 -05:00
get " / #{ project . full_path } /-/blob/master/info/refs "
2016-08-15 06:33:46 -04:00
end
2016-06-09 09:26:52 -04:00
2017-05-15 19:13:36 -04:00
it " returns the file " do
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-05-15 19:13:36 -04:00
end
2016-08-15 06:33:46 -04:00
end
2016-06-09 09:26:52 -04:00
2017-05-15 19:13:36 -04:00
context " when the file does not exist " do
2017-06-14 14:18:56 -04:00
before do
2020-01-27 07:08:35 -05:00
get " / #{ project . full_path } /-/blob/master/info/refs "
2017-06-14 14:18:56 -04:00
end
2016-06-09 09:26:52 -04:00
2019-10-21 14:06:29 -04:00
it " redirects " do
2020-01-27 10:08:51 -05:00
expect ( response ) . to have_gitlab_http_status ( :found )
2017-05-15 19:13:36 -04:00
end
2016-08-15 06:33:46 -04:00
end
2016-06-09 09:26:52 -04:00
end
end
2021-07-06 20:07:23 -04:00
context " when the project path ends with a dot " do
let ( :path ) { " #{ project . full_path } .git " }
context " when the project is public " do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when not authenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
end
context " when authenticated " do
let ( :env ) { { user : user . username , password : user . password } }
context 'as a developer on the team' do
before do
project . add_developer ( user )
end
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
context 'but git-receive-pack over HTTP is disabled in config' do
before do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :receive_pack ) . and_return ( false )
end
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :receive_pack_disabled_over_http ) )
end
end
end
context 'but git-upload-pack over HTTP is disabled in config' do
it " rejects pushes with 403 Forbidden " do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :upload_pack ) . and_return ( false )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :upload_pack_disabled_over_http ) )
end
end
end
context 'but the service parameter is missing' do
it 'rejects clones with 403 Forbidden' do
get ( " / #{ path } /info/refs " , headers : auth_env ( * env . values_at ( :user , :password ) , nil ) )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
context 'and not a member of the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( 'You are not allowed to push code to this project.' )
end
end
context 'when merge requests are open that allow maintainer access' do
let ( :canonical_project ) { create ( :project , :public , :repository ) }
let ( :project ) { fork_project ( canonical_project , nil , repository : true ) }
before do
canonical_project . add_maintainer ( user )
create ( :merge_request ,
source_project : project ,
2022-08-23 05:09:29 -04:00
target_project : canonical_project ,
2021-07-06 20:07:23 -04:00
source_branch : 'fixes' ,
allow_collaboration : true )
end
it_behaves_like 'pushes are allowed'
end
context 'but the service parameter is missing' do
it 'rejects clones with 401 Unauthorized' do
get ( " / #{ path } /info/refs " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
context 'when the request is not from gitlab-workhorse' do
it 'raises an exception' do
expect do
get ( " / #{ project . full_path } .git/info/refs?service=git-upload-pack " )
end . to raise_error ( JWT :: DecodeError )
end
end
context 'when the repo is public' do
context 'but the repo is disabled' do
let ( :project ) { create ( :project , :public , :repository , :repository_disabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
end
context 'but the repo is enabled' do
let ( :project ) { create ( :project , :public , :repository , :repository_enabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
end
context 'but only project members are allowed' do
let ( :project ) { create ( :project , :public , :repository , :repository_private ) }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
end
end
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
it 'downloads get status 200 for redirects' do
clone_get ( path )
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
context " when the project is private " do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :repository , :private )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
context " when username and password are provided " do
let ( :env ) { { user : user . username , password : 'nope' } }
context " when authentication fails " do
context " when the user is IP banned " do
before do
stub_rack_attack_setting ( enabled : true , ip_whitelist : [ ] )
end
it " responds with status 403 " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :banned? ) . and_return ( true )
expect ( Gitlab :: AuthLogger ) . to receive ( :error ) . with ( {
message : 'Rack_Attack' ,
env : :blocklist ,
remote_ip : '127.0.0.1' ,
request_method : 'GET' ,
path : " / #{ path } /info/refs?service=git-upload-pack "
} )
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
context " when authentication succeeds " do
let ( :env ) { { user : user . username , password : user . password } }
context " when the user has access to the project " do
before do
project . add_maintainer ( user )
end
context " when the user is blocked " do
it " rejects pulls with 401 Unauthorized " do
user . block
project . add_maintainer ( user )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
it " rejects pulls with 401 Unauthorized for unknown projects (no project existence information leak) " do
user . block
download ( 'doesnt/exist.git' , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
context " when the user isn't blocked " do
before do
stub_rack_attack_setting ( enabled : true , bantime : 1 . minute , findtime : 5 . minutes , maxretry : 2 , ip_whitelist : [ ] )
end
it " resets the IP in Rack Attack on download " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
download ( path , ** env ) do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
end
end
it " resets the IP in Rack Attack on upload " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
upload ( path , ** env ) do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
end
end
it 'updates the user last activity' , :clean_gitlab_redis_shared_state do
expect ( user . last_activity_on ) . to be_nil
download ( path , ** env ) do | response |
expect ( user . reload . last_activity_on ) . to eql ( Date . today )
end
end
end
context " when an oauth token is provided " do
before do
application = Doorkeeper :: Application . create! ( name : " MyApp " , redirect_uri : " https://app.com " , owner : user )
@token = Doorkeeper :: AccessToken . create! ( application_id : application . id , resource_owner_id : user . id , scopes : " api " )
end
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'oauth2' , password : @token . token } }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
context " when password is expired " do
it " responds to downloads with status 401 unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-07-06 20:07:23 -04:00
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
context 'when user has 2FA enabled' do
let ( :user ) { create ( :user , :two_factor ) }
let ( :access_token ) { create ( :personal_access_token , user : user ) }
let ( :path ) { " #{ project . full_path } .git " }
before do
project . add_maintainer ( user )
end
context 'when username and password are provided' do
2022-08-30 14:09:50 -04:00
it 'rejects pulls with generic error message' do
2021-07-06 20:07:23 -04:00
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-07-06 20:07:23 -04:00
end
end
2022-08-30 14:09:50 -04:00
it 'rejects the push attempt with generic error message' do
2021-07-06 20:07:23 -04:00
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-07-06 20:07:23 -04:00
end
end
end
context 'when username and personal access token are provided' do
let ( :env ) { { user : user . username , password : access_token . token } }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
it 'rejects the push attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
upload ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to include ( 'You are not allowed to upload code' )
end
end
it 'accepts the push attempt for write_repository scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for api scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the push attempt for api scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
context " when password is expired " do
it " responds to uploads with status 401 unauthorized " do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-07-06 20:07:23 -04:00
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
end
context 'when internal auth is disabled' do
before do
allow_any_instance_of ( ApplicationSetting ) . to receive ( :password_authentication_enabled_for_git? ) { false }
end
2022-08-30 14:09:50 -04:00
it 'rejects pulls with generic error message' do
2021-07-06 20:07:23 -04:00
download ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-07-06 20:07:23 -04:00
end
end
2022-08-30 14:09:50 -04:00
it 'rejects pushes with generic error message' do
2021-07-06 20:07:23 -04:00
upload ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-07-06 20:07:23 -04:00
end
end
context 'when LDAP is configured' do
before do
allow ( Gitlab :: Auth :: Ldap :: Config ) . to receive ( :enabled? ) . and_return ( true )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication )
. to receive ( :login ) . and_return ( nil )
end
2022-08-30 14:09:50 -04:00
it 'returns a generic error message' do
2021-07-06 20:07:23 -04:00
upload ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-08-30 14:09:50 -04:00
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-07-06 20:07:23 -04:00
end
end
end
end
context " when blank password attempts follow a valid login " do
def attempt_login ( include_password )
password = include_password ? user . password : " "
clone_get path , user : user . username , password : password
response . status
end
include_context 'rack attack cache store'
it " repeated attempts followed by successful attempt " do
options = Gitlab . config . rack_attack . git_basic_auth
maxretry = options [ :maxretry ]
ip = '1.2.3.4'
allow_any_instance_of ( ActionDispatch :: Request ) . to receive ( :ip ) . and_return ( ip )
Rack :: Attack :: Allow2Ban . reset ( ip , options )
maxretry . times . each do
expect ( attempt_login ( false ) ) . to eq ( 401 )
end
expect ( attempt_login ( true ) ) . to eq ( 200 )
expect ( Rack :: Attack :: Allow2Ban . banned? ( ip ) ) . to be_falsey
end
end
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
let ( :project_moved_message ) do
<<-MSG.strip_heredoc
Project '#{redirect.path}' was moved to '#{project.full_path}' .
Please update your Git remote :
git remote set - url origin #{project.http_url_to_repo}.
MSG
end
it 'downloads get status 200' do
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :ok )
end
it 'uploads get status 404 with "project was moved" message' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context " when the user doesn't have access to the project " do
it " pulls get status 404 " do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
it " uploads get status 404 " do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
end
end
end
context " when a gitlab ci token is provided " do
let ( :project ) { create ( :project , :repository ) }
let ( :build ) { create ( :ci_build , :running ) }
let ( :other_project ) { create ( :project , :repository ) }
before do
build . update! ( project : project ) # can't associate it on factory create
2021-08-24 20:11:06 -04:00
create ( :ci_job_token_project_scope_link ,
source_project : project ,
target_project : other_project ,
added_by : user )
2021-07-06 20:07:23 -04:00
end
context 'when build created by system is authenticated' do
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
2022-09-20 17:10:29 -04:00
it 'rejects pulls' do
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
2021-07-06 20:07:23 -04:00
2022-09-20 17:10:29 -04:00
it 'rejects pushes' do
2021-07-06 20:07:23 -04:00
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
2022-09-20 17:10:29 -04:00
context 'when ci_remove_userless_ci is disabled' do
before do
stub_feature_flags ( ci_remove_userless_ci : false )
end
2021-07-06 20:07:23 -04:00
2022-09-20 17:10:29 -04:00
it_behaves_like 'pulls are allowed'
# A non-401 here is not an information leak since the system is
# "authenticated" as CI using the correct token. It does not have
# push access, so pushes should be rejected as forbidden, and giving
# a reason is fine.
#
# We know for sure it is not an information leak since pulls using
# the build token must be allowed.
it " rejects pushes with 403 Forbidden " do
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
end
# We are "authenticated" as CI using a valid token here. But we are
# not authorized to see any other project, so return "not found".
it " rejects pulls for other project with 404 Not Found " do
clone_get ( " #{ other_project . full_path } .git " , ** env )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_error ( :project_not_found ) )
end
2021-07-06 20:07:23 -04:00
end
end
context 'and build created by' do
before do
build . update! ( user : user )
project . add_reporter ( user )
end
shared_examples 'can download code only' do
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
it_behaves_like 'pulls are allowed'
context 'when the repo does not exist' do
let ( :project ) { create ( :project ) }
it 'rejects pulls with 404 Not Found' do
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_error ( :no_repo ) )
end
end
it 'rejects pushes with 403 Forbidden' do
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
end
end
context 'administrator' do
let ( :user ) { create ( :admin ) }
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'can download code only'
2021-07-16 08:10:21 -04:00
it 'downloads from other project get status 403' do
2021-07-06 20:07:23 -04:00
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2021-07-16 08:10:21 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-07-06 20:07:23 -04:00
end
end
context 'when admin mode is disabled' do
it_behaves_like 'can download code only'
2022-02-10 07:18:48 -05:00
it 'downloads from other project get status 403' do
2021-07-06 20:07:23 -04:00
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2022-02-10 07:18:48 -05:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-07-06 20:07:23 -04:00
end
end
end
context 'regular user' do
let ( :user ) { create ( :user ) }
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
2021-09-30 14:11:31 -04:00
user . update! ( password_expires_at : 2 . days . ago )
2021-07-06 20:07:23 -04:00
download ( path , user : 'gitlab-ci-token' , password : build . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
end
end
end
it_behaves_like 'project path without .git suffix' do
2022-03-04 10:16:11 -05:00
let ( :repository_path ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'project.' )
project . full_path
end
2021-07-06 20:07:23 -04:00
end
context " retrieving an info/refs file " do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'project.' )
project
end
2021-07-06 20:07:23 -04:00
context " when the file exists " do
before do
# Provide a dummy file in its place
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . and_call_original
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . with ( 'b83d6e391c22777fca1ed3012fce84f633d7fed0' , 'info/refs' ) do
Blob . decorate ( Gitlab :: Git :: Blob . find ( project . repository , 'master' , 'bar/branch-test.txt' ) , project )
end
get " / #{ project . full_path } /-/blob/master/info/refs "
end
it " returns the file " do
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
context " when the file does not exist " do
before do
get " / #{ project . full_path } /-/blob/master/info/refs "
end
it " redirects " do
expect ( response ) . to have_gitlab_http_status ( :found )
end
end
end
end
context " when the Wiki path ends with a dot " do
let ( :wiki ) { ProjectWiki . new ( project ) }
let ( :path ) { " / #{ wiki . repository . full_path } .git " }
context " when the project is public " do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :wiki_repo , :public , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when unauthenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
it " responds to pulls with the wiki's repo " do
download ( path ) do | response |
2021-07-22 08:10:04 -04:00
json_body = Gitlab :: Json . parse ( response . body )
2021-07-06 20:07:23 -04:00
expect ( json_body [ 'Repository' ] [ 'relative_path' ] ) . to eq ( wiki . repository . relative_path )
end
end
end
context 'when authenticated' do
let ( :env ) { { user : user . username , password : user . password } }
context 'and as a developer on the team' do
before do
project . add_developer ( user )
end
context 'but the repo is disabled' do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :wiki_repo , :public , :repository_disabled , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
context 'and not on the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_wiki_error ( :write_to_wiki ) )
end
end
end
end
end
context " when the project is private " do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :wiki_repo , :private , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
context 'when authenticated' do
context 'and as a developer on the team' do
before do
project . add_developer ( user )
end
context 'when user is using credentials with special characters' do
context 'with password with special characters' do
before do
2022-03-31 17:08:16 -04:00
user . update! ( password : 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U' )
2021-07-06 20:07:23 -04:00
end
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context 'but the repo is disabled' do
2022-03-04 10:16:11 -05:00
let ( :project ) do
project = create ( :project , :wiki_repo , :private , :repository_disabled , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-07-06 20:07:23 -04:00
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'pushes are allowed' do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context 'and not on the team' do
it 'rejects clones with 404 Not Found' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
end
end
it 'rejects pushes with 404 Not Found' do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
end
end
end
end
end
end
2016-06-09 09:26:52 -04:00
end
2016-08-15 06:33:46 -04:00
describe " User with LDAP identity " do
let ( :user ) { create ( :omniauth_user , extern_uid : dn ) }
let ( :dn ) { 'uid=john,ou=people,dc=example,dc=com' }
2017-05-15 19:13:36 -04:00
let ( :path ) { 'doesnt/exist.git' }
2016-03-24 13:58:29 -04:00
2016-08-15 06:33:46 -04:00
before do
2018-03-05 17:26:40 -05:00
allow ( Gitlab :: Auth :: OAuth :: Provider ) . to receive ( :enabled? ) . and_return ( true )
2020-03-12 11:09:39 -04:00
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication ) . to receive ( :login ) . and_return ( nil )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication ) . to receive ( :login ) . with ( user . username , user . password ) . and_return ( user )
2016-08-15 06:33:46 -04:00
end
2016-03-24 11:14:09 -04:00
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2016-03-24 11:21:19 -04:00
2016-08-15 06:33:46 -04:00
context " when authentication succeeds " do
context " when the project doesn't exist " do
2017-05-15 19:13:36 -04:00
it " responds with status 404 Not Found " do
download ( path , user : user . username , password : user . password ) do | response |
2017-10-19 14:28:19 -04:00
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-08-15 06:33:46 -04:00
end
end
end
2016-03-24 13:58:29 -04:00
2016-08-15 06:33:46 -04:00
context " when the project exists " do
2017-05-15 19:13:36 -04:00
let ( :project ) { create ( :project , :repository ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : user . username , password : user . password } }
2016-03-24 13:58:29 -04:00
2017-05-15 19:13:36 -04:00
context 'and the user is on the team' do
before do
2018-07-11 10:36:08 -04:00
project . add_maintainer ( user )
2017-05-15 19:13:36 -04:00
end
2016-03-24 13:58:29 -04:00
2017-05-15 19:13:36 -04:00
it " responds with status 200 " do
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env ) do | response |
2020-01-27 10:08:51 -05:00
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-05-15 19:13:36 -04:00
end
2016-08-15 06:33:46 -04:00
end
2017-05-15 19:13:36 -04:00
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2021-06-16 14:10:35 -04:00
context " when password is expired " do
it " responds to downloads with status 200 " do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it " responds to uploads with status 200 " do
user . update! ( password_expires_at : 2 . days . ago )
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
2016-08-15 06:33:46 -04:00
end
end
2016-03-24 11:14:09 -04:00
end
end
2018-05-10 10:13:05 -04:00
context 'when terms are enforced' do
let ( :project ) { create ( :project , :repository ) }
let ( :user ) { create ( :user ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : user . username , password : user . password } }
before do
2018-07-11 10:36:08 -04:00
project . add_maintainer ( user )
2018-05-10 10:13:05 -04:00
enforce_terms
end
it 'blocks git access when the user did not accept terms' , :aggregate_failures do
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env ) do | response |
2018-05-10 10:13:05 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
2020-09-30 02:09:47 -04:00
download ( path , ** env ) do | response |
2018-05-10 10:13:05 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
2020-09-30 02:09:47 -04:00
upload ( path , ** env ) do | response |
2018-05-10 10:13:05 -04:00
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
context 'when the user accepted the terms' do
before do
accept_terms ( user )
end
it 'allows clones' do
2020-11-17 22:09:21 -05:00
clone_get ( path , ** env ) do | response |
2018-05-10 10:13:05 -04:00
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'from CI' do
let ( :build ) { create ( :ci_build , :running ) }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
before do
build . update! ( user : user , project : project )
end
it_behaves_like 'pulls are allowed'
end
end
2015-02-24 10:05:39 -05:00
end