Merge branch 'allow-deploy-key-to-download-public-projects' into 'master'
Allow to pull code with deploy key from public projects ## What does this MR do? With deploy keys you can download any public projects stored in GitLab. ## What are the relevant issue numbers? Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/1217 ## Does this MR meet the acceptance criteria? - [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added - [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [ ] API support added - Tests - [ ] Added for this feature/bug - [ ] All builds are passing - [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [ ] Branch has no merge conflicts with `master` (if you do - rebase it please) - [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) See merge request !5316
commit
e953b8afd2
|
@ -24,6 +24,7 @@ v 8.10.0 (unreleased)
|
|||
- Escape file extension when parsing search results !5141 (winniehell)
|
||||
- Apply the trusted_proxies config to the rack request object for use with rack_attack
|
||||
- Upgrade to Rails 4.2.7. !5236
|
||||
- Allow to pull code with deploy key from public projects
|
||||
- Add Sidekiq queue duration to transaction metrics.
|
||||
- Add a new column `artifacts_size` to table `ci_builds` !4964
|
||||
- Let Workhorse serve format-patch diffs
|
||||
|
|
|
@ -110,6 +110,7 @@ module Gitlab
|
|||
|
||||
def deploy_key_can_read_project?
|
||||
if deploy_key
|
||||
return true if project.public?
|
||||
deploy_key.projects.include?(project)
|
||||
else
|
||||
false
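Review bot: The `return true if project.public?` line in `deploy_key_can_read_project?` decides read access on project visibility alone, so any deploy key known to the instance passes this check for every public project, whether or not it is attached to one, and nothing in the method records that this is deliberate. I would add a comment above it such as `# Public projects need no key/project association: visibility alone grants read access; push is decided elsewhere.` The early return inside the `if`/`else` would also read more plainly as guards: `return false unless deploy_key` followed by `project.public? || deploy_key.projects.include?(project)`. The method's closing `end` lines and its callers are outside the hunk, so this page does not show whether any other check is applied to the key before this one.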
|
||||
|
|
|
@ -44,12 +44,12 @@ describe Gitlab::GitAccess, lib: true do
|
|||
end
|
||||
|
||||
describe 'download_access_check' do
|
||||
subject { access.check('git-upload-pack') }
|
||||
|
||||
describe 'master permissions' do
|
||||
before { project.team << [user, :master] }
|
||||
|
||||
context 'pull code' do
|
||||
subject { access.download_access_check }
|
||||
|
||||
it { expect(subject.allowed?).to be_truthy }
|
||||
end
|
||||
end
|
||||
|
@ -58,8 +58,6 @@ describe Gitlab::GitAccess, lib: true do
|
|||
before { project.team << [user, :guest] }
|
||||
|
||||
context 'pull code' do
|
||||
subject { access.download_access_check }
|
||||
|
||||
it { expect(subject.allowed?).to be_falsey }
|
||||
end
|
||||
end
|
||||
|
@ -71,16 +69,12 @@ describe Gitlab::GitAccess, lib: true do
|
|||
end
|
||||
|
||||
context 'pull code' do
|
||||
subject { access.download_access_check }
|
||||
|
||||
it { expect(subject.allowed?).to be_falsey }
|
||||
end
|
||||
end
|
||||
|
||||
describe 'without acccess to project' do
|
||||
context 'pull code' do
|
||||
subject { access.download_access_check }
|
||||
|
||||
it { expect(subject.allowed?).to be_falsey }
|
||||
end
|
||||
end
|
||||
|
@ -90,10 +84,31 @@ describe Gitlab::GitAccess, lib: true do
|
|||
let(:actor) { key }
|
||||
|
||||
context 'pull code' do
|
||||
before { key.projects << project }
|
||||
subject { access.download_access_check }
|
||||
context 'when project is authorized' do
|
||||
before { key.projects << project }
|
||||
|
||||
it { expect(subject.allowed?).to be_truthy }
|
||||
it { expect(subject).to be_allowed }
|
||||
end
|
||||
|
||||
context 'when unauthorized' do
|
||||
context 'from public project' do
|
||||
let(:project) { create(:project, :public) }
|
||||
|
||||
it { expect(subject).to be_allowed }
|
||||
end
|
||||
|
||||
context 'from internal project' do
|
||||
let(:project) { create(:project, :internal) }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
|
||||
context 'from private project' do
|
||||
let(:project) { create(:project, :internal) }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -240,5 +255,40 @@ describe Gitlab::GitAccess, lib: true do
|
|||
run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
|
||||
end
|
||||
end
|
||||
|
||||
describe 'deploy key permissions' do
|
||||
let(:key) { create(:deploy_key) }
|
||||
let(:actor) { key }
|
||||
|
||||
context 'push code' do
|
||||
subject { access.check('git-receive-pack') }
|
||||
|
||||
context 'when project is authorized' do
|
||||
before { key.projects << project }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
|
||||
context 'when unauthorized' do
|
||||
context 'to public project' do
|
||||
let(:project) { create(:project, :public) }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
|
||||
context 'to internal project' do
|
||||
let(:project) { create(:project, :internal) }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
|
||||
context 'to private project' do
|
||||
let(:project) { create(:project, :internal) }
|
||||
|
||||
it { expect(subject).not_to be_allowed }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
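Review bot: The context 'from private project' in the deploy-key pull-code hunk builds its project with `create(:project, :internal)`, the same trait as the 'from internal project' context just above it, so the private-visibility case is never exercised. The 'to private project' context in the push-code block of the last hunk repeats the same line. Because the change now keys read access on visibility, the private case is the one that most needs a test proving that an unassociated deploy key is denied. Both lines should read `let(:project) { create(:project, :private) }`, assuming the project factory defines a `:private` trait alongside `:public` and `:internal`.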
|
||||
|
|