Post-merge improve of CI permissions
This commit is contained in:
parent
f30005f0a9
commit
0672c5a92e
|
@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
|
||||||
return # Allow access
|
return # Allow access
|
||||||
end
|
end
|
||||||
elsif allow_kerberos_spnego_auth? && spnego_provided?
|
elsif allow_kerberos_spnego_auth? && spnego_provided?
|
||||||
user = find_kerberos_user
|
kerberos_user = find_kerberos_user
|
||||||
|
|
||||||
if user
|
if kerberos_user
|
||||||
@authentication_result = Gitlab::Auth::Result.new(
|
@authentication_result = Gitlab::Auth::Result.new(
|
||||||
user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
|
kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
|
||||||
|
|
||||||
send_final_spnego_response
|
send_final_spnego_response
|
||||||
return # Allow access
|
return # Allow access
|
||||||
|
|
|
@ -493,8 +493,11 @@ module Ci
|
||||||
end
|
end
|
||||||
|
|
||||||
def hide_secrets(trace)
|
def hide_secrets(trace)
|
||||||
trace = Ci::MaskSecret.mask(trace, project.runners_token) if project
|
return unless trace
|
||||||
trace = Ci::MaskSecret.mask(trace, token)
|
|
||||||
|
trace = trace.dup
|
||||||
|
Ci::MaskSecret.mask!(trace, project.runners_token) if project
|
||||||
|
Ci::MaskSecret.mask!(trace, token)
|
||||||
trace
|
trace
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
module Ci::MaskSecret
|
module Ci::MaskSecret
|
||||||
class << self
|
class << self
|
||||||
def mask(value, token)
|
def mask!(value, token)
|
||||||
return value unless value.present? && token.present?
|
return unless value.present? && token.present?
|
||||||
|
|
||||||
value.gsub(token, 'x' * token.length)
|
value.gsub!(token, 'x' * token.length)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -5,15 +5,21 @@ describe Ci::MaskSecret, lib: true do
|
||||||
|
|
||||||
describe '#mask' do
|
describe '#mask' do
|
||||||
it 'masks exact number of characters' do
|
it 'masks exact number of characters' do
|
||||||
expect(subject.mask('token', 'oke')).to eq('txxxn')
|
expect(mask('token', 'oke')).to eq('txxxn')
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'masks multiple occurrences' do
|
it 'masks multiple occurrences' do
|
||||||
expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
|
expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'does not mask if not found' do
|
it 'does not mask if not found' do
|
||||||
expect(subject.mask('token', 'not')).to eq('token')
|
expect(mask('token', 'not')).to eq('token')
|
||||||
|
end
|
||||||
|
|
||||||
|
def mask(value, token)
|
||||||
|
value = value.dup
|
||||||
|
subject.mask!(value, token)
|
||||||
|
value
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'to private project' do
|
context 'to private project' do
|
||||||
let(:project) { create(:project, :internal) }
|
let(:project) { create(:project) }
|
||||||
|
|
||||||
it { expect(subject).not_to be_allowed }
|
it { expect(subject).not_to be_allowed }
|
||||||
end
|
end
|
||||||
|
|
|
@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
|
||||||
project.team << [user, :reporter]
|
project.team << [user, :reporter]
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'can download code only from own projects' do
|
shared_examples 'can download code only' do
|
||||||
it 'downloads get status 200' do
|
it 'downloads get status 200' do
|
||||||
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
|
||||||
context 'administrator' do
|
context 'administrator' do
|
||||||
let(:user) { create(:admin) }
|
let(:user) { create(:admin) }
|
||||||
|
|
||||||
it_behaves_like 'can download code only from own projects'
|
it_behaves_like 'can download code only'
|
||||||
|
|
||||||
it 'downloads from other project get status 403' do
|
it 'downloads from other project get status 403' do
|
||||||
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
|
||||||
context 'regular user' do
|
context 'regular user' do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
it_behaves_like 'can download code only from own projects'
|
it_behaves_like 'can download code only'
|
||||||
|
|
||||||
it 'downloads from other project get status 404' do
|
it 'downloads from other project get status 404' do
|
||||||
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
Loading…
Reference in New Issue