Merge branch 'post-merge-improve-of-ci-permissions' into 'master'

Post-merge improve of CI permissions Improves code from !6409 See merge request !6432

Merge branch 'post-merge-improve-of-ci-permissions' into 'master'
6df3dd9d · Rémy Coutable · 49405ac7 · cf6a35f0 · 6df3dd9d · 6df3dd9d
Commit 6df3dd9d authored Sep 21, 2016 by Rémy Coutable
8 changed files
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -11,10 +11,8 @@ class JwtController < ApplicationController
    service = SERVICES[params[:service]]
    return head :not_found unless service

-    @authentication_result ||= Gitlab::Auth::Result.new
-
    result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
-      execute(authentication_abilities: @authentication_result.authentication_abilities)
+      execute(authentication_abilities: @authentication_result.authentication_abilities || [])

    render json: result, status: result[:http_status]
  end
@@ -22,6 +20,8 @@ class JwtController < ApplicationController
  private

  def authenticate_project_or_user
+    @authentication_result = Gitlab::Auth::Result.new
+
    authenticate_with_http_basic do |login, password|
      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)


--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
        return # Allow access
      end
    elsif allow_kerberos_spnego_auth? && spnego_provided?
-      user = find_kerberos_user
+      kerberos_user = find_kerberos_user

-      if user
+      if kerberos_user
        @authentication_result = Gitlab::Auth::Result.new(
-          user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
+          kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)

        send_final_spnego_response
        return # Allow access

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -493,8 +493,11 @@ module Ci
    end

    def hide_secrets(trace)
-      trace = Ci::MaskSecret.mask(trace, project.runners_token) if project
-      trace = Ci::MaskSecret.mask(trace, token)
+      return unless trace
+
+      trace = trace.dup
+      Ci::MaskSecret.mask!(trace, project.runners_token) if project
+      Ci::MaskSecret.mask!(trace, token)
      trace
    end
  end

--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -5,7 +5,7 @@ module Auth
    AUDIENCE = 'container_registry'

    def execute(authentication_abilities:)
-      @authentication_abilities = authentication_abilities || []
+      @authentication_abilities = authentication_abilities

      return error('not found', 404) unless registry.enabled


--- a/lib/ci/mask_secret.rb
+++ b/lib/ci/mask_secret.rb
 module Ci::MaskSecret
  class << self
-    def mask(value, token)
+    def mask!(value, token)
      return value unless value.present? && token.present?

-      value.gsub(token, 'x' * token.length)
+      value.gsub!(token, 'x' * token.length)
+      value
    end
  end
 end
--- a/spec/lib/ci/mask_secret_spec.rb
+++ b/spec/lib/ci/mask_secret_spec.rb
@@ -5,15 +5,23 @@ describe Ci::MaskSecret, lib: true do

  describe '#mask' do
    it 'masks exact number of characters' do
-      expect(subject.mask('token', 'oke')).to eq('txxxn')
+      expect(mask('token', 'oke')).to eq('txxxn')
    end

    it 'masks multiple occurrences' do
-      expect(subject.mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
+      expect(mask('token token token', 'oke')).to eq('txxxn txxxn txxxn')
    end

    it 'does not mask if not found' do
-      expect(subject.mask('token', 'not')).to eq('token')
+      expect(mask('token', 'not')).to eq('token')
+    end
+
+    it 'does support null token' do
+      expect(mask('token', nil)).to eq('token')
+    end
+
+    def mask(value, token)
+      subject.mask!(value.dup, token)
    end
  end
 end
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -343,7 +343,7 @@ describe Gitlab::GitAccess, lib: true do
      end

      context 'to private project' do
-        let(:project) { create(:project, :internal) }
+        let(:project) { create(:project) }

        it { expect(subject).not_to be_allowed }
      end

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -335,7 +335,7 @@ describe 'Git HTTP requests', lib: true do
            project.team << [user, :reporter]
          end

-          shared_examples 'can download code only from own projects' do
+          shared_examples 'can download code only' do
            it 'downloads get status 200' do
              clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token

@@ -353,7 +353,7 @@ describe 'Git HTTP requests', lib: true do
          context 'administrator' do
            let(:user) { create(:admin) }

-            it_behaves_like 'can download code only from own projects'
+            it_behaves_like 'can download code only'

            it 'downloads from other project get status 403' do
              clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
@@ -365,7 +365,7 @@ describe 'Git HTTP requests', lib: true do
          context 'regular user' do
            let(:user) { create(:user) }

-            it_behaves_like 'can download code only from own projects'
+            it_behaves_like 'can download code only'

            it 'downloads from other project get status 404' do
              clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token