2019-12-26 22:10:19 +05:30
# frozen_string_literal: true
2019-12-04 20:38:33 +05:30
require 'spec_helper'
2016-06-16 23:09:34 +05:30
2020-07-28 23:09:34 +05:30
RSpec . describe 'Git HTTP requests' do
2018-11-08 19:23:39 +05:30
include ProjectForksHelper
2018-10-15 14:42:47 +05:30
include TermsHelper
2016-11-03 12:29:30 +05:30
include GitHttpHelpers
2016-09-29 09:46:39 +05:30
include WorkhorseHelpers
2017-09-10 17:25:29 +05:30
shared_examples 'pulls require Basic HTTP Authentication' do
context " when no credentials are provided " do
it " responds to downloads with status 401 Unauthorized (no project existence information leak) " do
download ( path ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when only username is provided " do
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when username and password are provided " do
context " when authentication fails " do
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : " wrong-password " ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
2021-06-02 17:11:27 +05:30
context " when user is blocked " do
let ( :user ) { create ( :user , :blocked ) }
it " responds to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when authentication succeeds " do
it " does not respond to downloads with status 401 Unauthorized " do
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . not_to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to be_nil
2016-06-16 23:09:34 +05:30
end
end
end
2017-09-10 17:25:29 +05:30
end
end
2021-07-02 01:05:55 +05:30
shared_examples 'operations are not allowed with expired password' do
context " when password is expired " do
it " responds to downloads with status 401 Unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
it " responds to uploads with status 401 Unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
2017-09-10 17:25:29 +05:30
shared_examples 'pushes require Basic HTTP Authentication' do
context " when no credentials are provided " do
it " responds to uploads with status 401 Unauthorized (no project existence information leak) " do
upload ( path ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when only username is provided " do
it " responds to uploads with status 401 Unauthorized " do
upload ( path , user : user . username ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
end
end
end
context " when username and password are provided " do
context " when authentication fails " do
it " responds to uploads with status 401 Unauthorized " do
upload ( path , user : user . username , password : " wrong-password " ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to start_with ( 'Basic ' )
2016-06-16 23:09:34 +05:30
end
end
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when authentication succeeds " do
it " does not respond to uploads with status 401 Unauthorized " do
upload ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . not_to have_gitlab_http_status ( :unauthorized )
2017-09-10 17:25:29 +05:30
expect ( response . header [ 'WWW-Authenticate' ] ) . to be_nil
2016-11-03 12:29:30 +05:30
end
end
2016-06-16 23:09:34 +05:30
end
end
2017-09-10 17:25:29 +05:30
end
shared_examples_for 'pulls are allowed' do
2019-12-26 22:10:19 +05:30
it 'allows pulls' do
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-09-10 17:25:29 +05:30
end
end
end
shared_examples_for 'pushes are allowed' do
2019-12-26 22:10:19 +05:30
it 'allows pushes' , :sidekiq_might_not_need_inline do
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-09-10 17:25:29 +05:30
end
end
end
2019-03-13 22:55:13 +05:30
shared_examples_for 'project path without .git suffix' do
context " GET info/refs " do
2020-03-13 15:44:24 +05:30
let ( :path ) { " / #{ repository_path } /info/refs " }
2019-03-13 22:55:13 +05:30
context " when no params are added " do
before do
get path
end
it " redirects to the .git suffix version " do
2020-03-13 15:44:24 +05:30
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs " )
2019-03-13 22:55:13 +05:30
end
end
context " when the upload-pack service is requested " do
let ( :params ) { { service : 'git-upload-pack' } }
before do
get path , params : params
end
it " redirects to the .git suffix version " do
2020-03-13 15:44:24 +05:30
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs?service= #{ params [ :service ] } " )
2019-03-13 22:55:13 +05:30
end
end
context " when the receive-pack service is requested " do
let ( :params ) { { service : 'git-receive-pack' } }
before do
get path , params : params
end
it " redirects to the .git suffix version " do
2020-03-13 15:44:24 +05:30
expect ( response ) . to redirect_to ( " / #{ repository_path } .git/info/refs?service= #{ params [ :service ] } " )
2019-03-13 22:55:13 +05:30
end
end
context " when the params are anything else " do
let ( :params ) { { service : 'git-implode-pack' } }
before do
get path , params : params
end
it " redirects to the sign-in page " do
expect ( response ) . to redirect_to ( new_user_session_path )
end
end
end
context " POST git-upload-pack " do
it " fails to find a route " do
2021-02-04 15:43:07 +05:30
clone_post ( repository_path ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
2019-03-13 22:55:13 +05:30
end
end
context " POST git-receive-pack " do
it " fails to find a route " do
2021-02-04 15:43:07 +05:30
push_post ( repository_path ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
2019-03-13 22:55:13 +05:30
end
end
end
2017-09-10 17:25:29 +05:30
describe " User with no identities " do
let ( :user ) { create ( :user ) }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when the project doesn't exist " do
2018-03-17 18:26:18 +05:30
context " when namespace doesn't exist " do
let ( :path ) { 'doesnt/exist.git' }
2016-06-16 23:09:34 +05:30
2018-03-17 18:26:18 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-07-02 01:05:55 +05:30
it_behaves_like 'operations are not allowed with expired password'
2018-03-17 18:26:18 +05:30
context 'when authenticated' do
it 'rejects downloads and uploads with 404 Not Found' do
download_or_upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
end
end
context 'when namespace exists' do
2022-08-27 11:52:29 +05:30
let ( :path ) { " #{ user . namespace . path } /new-project.git " }
2018-03-17 18:26:18 +05:30
context 'when authenticated' do
it 'creates a new project under the existing namespace' do
expect do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end . to change { user . projects . count } . by ( 1 )
end
it 'rejects push with 422 Unprocessable Entity when project is invalid' do
path = " #{ user . namespace . path } /new.git "
push_get ( path , user : user . username , password : user . password )
2016-11-03 12:29:30 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unprocessable_entity )
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
end
2019-03-13 22:55:13 +05:30
2022-07-23 23:45:48 +05:30
context 'when project name is missing' do
let ( :path ) { " / #{ user . namespace . path } /info/refs " }
it 'does not redirect to the incorrect path' do
get path
expect ( response ) . not_to redirect_to ( " / #{ user . namespace . path } .git/info/refs " )
end
end
2019-03-13 22:55:13 +05:30
it_behaves_like 'project path without .git suffix' do
2020-03-13 15:44:24 +05:30
let ( :repository_path ) { " #{ user . namespace . path } /project.git-project " }
2019-03-13 22:55:13 +05:30
end
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
end
context " when requesting the Wiki " do
let ( :wiki ) { ProjectWiki . new ( project ) }
let ( :path ) { " / #{ wiki . repository . full_path } .git " }
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
context " when the project is public " do
2018-03-17 18:26:18 +05:30
let ( :project ) { create ( :project , :wiki_repo , :public , :wiki_enabled ) }
2017-09-10 17:25:29 +05:30
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when unauthenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
it " responds to pulls with the wiki's repo " do
download ( path ) do | response |
2021-10-27 15:23:28 +05:30
json_body = Gitlab :: Json . parse ( response . body )
2017-09-10 17:25:29 +05:30
2018-05-09 12:01:36 +05:30
expect ( json_body [ 'Repository' ] [ 'relative_path' ] ) . to eq ( wiki . repository . relative_path )
2017-09-10 17:25:29 +05:30
end
end
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
context 'when authenticated' do
let ( :env ) { { user : user . username , password : user . password } }
context 'and as a developer on the team' do
before do
2018-03-17 18:26:18 +05:30
project . add_developer ( user )
2017-09-10 17:25:29 +05:30
end
context 'but the repo is disabled' do
2018-03-17 18:26:18 +05:30
let ( :project ) { create ( :project , :wiki_repo , :public , :repository_disabled , :wiki_enabled ) }
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
context 'and not on the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
expect ( response . body ) . to eq ( git_access_wiki_error ( :write_to_wiki ) )
end
end
2017-08-17 22:00:37 +05:30
end
end
2017-09-10 17:25:29 +05:30
end
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
context " when the project is private " do
2018-03-17 18:26:18 +05:30
let ( :project ) { create ( :project , :wiki_repo , :private , :wiki_enabled ) }
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-07-02 01:05:55 +05:30
it_behaves_like 'operations are not allowed with expired password'
2017-09-10 17:25:29 +05:30
context 'when authenticated' do
context 'and as a developer on the team' do
before do
2018-03-17 18:26:18 +05:30
project . add_developer ( user )
2017-09-10 17:25:29 +05:30
end
2021-01-29 00:20:46 +05:30
context 'when user is using credentials with special characters' do
context 'with password with special characters' do
before do
2022-04-01 21:47:47 +05:30
user . update! ( password : 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U' )
2021-01-29 00:20:46 +05:30
end
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
2017-09-10 17:25:29 +05:30
context 'but the repo is disabled' do
2018-03-17 18:26:18 +05:30
let ( :project ) { create ( :project , :wiki_repo , :private , :repository_disabled , :wiki_enabled ) }
2017-09-10 17:25:29 +05:30
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
end
it 'pushes are allowed' do
upload ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
end
end
end
context 'and not on the team' do
it 'rejects clones with 404 Not Found' do
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-10-24 23:57:45 +05:30
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
2017-09-10 17:25:29 +05:30
end
end
it 'rejects pushes with 404 Not Found' do
upload ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-10-24 23:57:45 +05:30
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
2017-09-10 17:25:29 +05:30
end
end
2017-08-17 22:00:37 +05:30
end
end
end
2016-11-03 12:29:30 +05:30
end
context " when the project exists " do
2017-09-10 17:25:29 +05:30
let ( :path ) { " #{ project . full_path } .git " }
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when the project is public " do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :repository , :public ) }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pushes require Basic HTTP Authentication'
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context 'when not authenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
context " when authenticated " do
2016-11-03 12:29:30 +05:30
let ( :env ) { { user : user . username , password : user . password } }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context 'as a developer on the team' do
before do
2018-03-17 18:26:18 +05:30
project . add_developer ( user )
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context 'but git-receive-pack over HTTP is disabled in config' do
before do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :receive_pack ) . and_return ( false )
end
it 'rejects pushes with 403 Forbidden' do
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
expect ( response . body ) . to eq ( git_access_error ( :receive_pack_disabled_over_http ) )
end
end
end
context 'but git-upload-pack over HTTP is disabled in config' do
it " rejects pushes with 403 Forbidden " do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :upload_pack ) . and_return ( false )
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
expect ( response . body ) . to eq ( git_access_error ( :upload_pack_disabled_over_http ) )
end
2016-11-03 12:29:30 +05:30
end
end
2021-03-11 19:13:27 +05:30
context 'but the service parameter is missing' do
it 'rejects clones with 403 Forbidden' do
get ( " / #{ path } /info/refs " , headers : auth_env ( * env . values_at ( :user , :password ) , nil ) )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
context 'and not a member of the team' do
it_behaves_like 'pulls are allowed'
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it 'rejects pushes with 403 Forbidden' do
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-02-15 15:39:39 +05:30
expect ( response . body ) . to eq ( 'You are not allowed to push code to this project.' )
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
end
2018-11-08 19:23:39 +05:30
context 'when merge requests are open that allow maintainer access' do
let ( :canonical_project ) { create ( :project , :public , :repository ) }
let ( :project ) { fork_project ( canonical_project , nil , repository : true ) }
before do
2018-11-18 11:00:15 +05:30
canonical_project . add_maintainer ( user )
2018-11-08 19:23:39 +05:30
create ( :merge_request ,
source_project : project ,
2022-10-11 01:57:18 +05:30
target_project : canonical_project ,
2018-11-08 19:23:39 +05:30
source_branch : 'fixes' ,
allow_collaboration : true )
end
it_behaves_like 'pushes are allowed'
end
2021-03-11 19:13:27 +05:30
context 'but the service parameter is missing' do
it 'rejects clones with 401 Unauthorized' do
get ( " / #{ path } /info/refs " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
2016-06-16 23:09:34 +05:30
end
end
2016-11-03 12:29:30 +05:30
context 'when the request is not from gitlab-workhorse' do
it 'raises an exception' do
expect do
2017-09-10 17:25:29 +05:30
get ( " / #{ project . full_path } .git/info/refs?service=git-upload-pack " )
2016-11-03 12:29:30 +05:30
end . to raise_error ( JWT :: DecodeError )
2016-06-16 23:09:34 +05:30
end
end
2016-11-24 13:41:30 +05:30
context 'when the repo is public' do
context 'but the repo is disabled' do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :public , :repository , :repository_disabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
2016-11-24 13:41:30 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-07-02 01:05:55 +05:30
it_behaves_like 'operations are not allowed with expired password'
2016-11-24 13:41:30 +05:30
end
context 'but the repo is enabled' do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :public , :repository , :repository_enabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
2016-11-24 13:41:30 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
2016-11-24 13:41:30 +05:30
end
context 'but only project members are allowed' do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :public , :repository , :repository_private ) }
2016-11-24 13:41:30 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-07-02 01:05:55 +05:30
it_behaves_like 'operations are not allowed with expired password'
2016-11-24 13:41:30 +05:30
end
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
2016-06-16 23:09:34 +05:30
2018-05-09 12:01:36 +05:30
it 'downloads get status 200 for redirects' do
2021-01-29 00:20:46 +05:30
clone_get ( path )
2018-05-09 12:01:36 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2016-06-16 23:09:34 +05:30
end
end
2017-09-10 17:25:29 +05:30
end
context " when the project is private " do
let ( :project ) { create ( :project , :repository , :private ) }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2021-07-02 01:05:55 +05:30
it_behaves_like 'operations are not allowed with expired password'
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when username and password are provided " do
let ( :env ) { { user : user . username , password : 'nope' } }
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when authentication fails " do
context " when the user is IP banned " do
2018-11-18 11:00:15 +05:30
before do
2019-12-26 22:10:19 +05:30
stub_rack_attack_setting ( enabled : true , ip_whitelist : [ ] )
2018-11-18 11:00:15 +05:30
end
2019-12-26 22:10:19 +05:30
it " responds with status 403 " do
2020-01-01 13:55:28 +05:30
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :banned? ) . and_return ( true )
2019-12-26 22:10:19 +05:30
expect ( Gitlab :: AuthLogger ) . to receive ( :error ) . with ( {
message : 'Rack_Attack' ,
env : :blocklist ,
remote_ip : '127.0.0.1' ,
request_method : 'GET' ,
path : " / #{ path } /info/refs?service=git-upload-pack "
} )
2016-06-16 23:09:34 +05:30
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env )
2016-11-03 12:29:30 +05:30
2019-12-26 22:10:19 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2016-06-16 23:09:34 +05:30
end
end
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when authentication succeeds " do
let ( :env ) { { user : user . username , password : user . password } }
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when the user has access to the project " do
before do
2018-11-18 11:00:15 +05:30
project . add_maintainer ( user )
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when the user is blocked " do
2017-09-10 17:25:29 +05:30
it " rejects pulls with 401 Unauthorized " do
2016-11-03 12:29:30 +05:30
user . block
2018-11-18 11:00:15 +05:30
project . add_maintainer ( user )
2016-11-03 12:29:30 +05:30
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2017-08-17 22:00:37 +05:30
end
end
2017-09-10 17:25:29 +05:30
it " rejects pulls with 401 Unauthorized for unknown projects (no project existence information leak) " do
2017-08-17 22:00:37 +05:30
user . block
2021-01-29 00:20:46 +05:30
download ( 'doesnt/exist.git' , ** env ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2016-11-03 12:29:30 +05:30
end
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
context " when the user isn't blocked " do
2018-11-18 11:00:15 +05:30
before do
2019-12-26 22:10:19 +05:30
stub_rack_attack_setting ( enabled : true , bantime : 1 . minute , findtime : 5 . minutes , maxretry : 2 , ip_whitelist : [ ] )
2018-11-18 11:00:15 +05:30
end
2017-09-10 17:25:29 +05:30
it " resets the IP in Rack Attack on download " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
2016-11-03 12:29:30 +05:30
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
it " resets the IP in Rack Attack on upload " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
2016-11-03 12:29:30 +05:30
end
end
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
it 'updates the user last activity' , :clean_gitlab_redis_shared_state do
2018-11-18 11:00:15 +05:30
expect ( user . last_activity_on ) . to be_nil
2017-08-17 22:00:37 +05:30
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do | response |
2018-11-18 11:00:15 +05:30
expect ( user . reload . last_activity_on ) . to eql ( Date . today )
2017-08-17 22:00:37 +05:30
end
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
context " when an oauth token is provided " do
before do
application = Doorkeeper :: Application . create! ( name : " MyApp " , redirect_uri : " https://app.com " , owner : user )
2017-08-17 22:00:37 +05:30
@token = Doorkeeper :: AccessToken . create! ( application_id : application . id , resource_owner_id : user . id , scopes : " api " )
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'oauth2' , password : @token . token } }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2021-06-02 17:11:27 +05:30
context " when password is expired " do
it " responds to downloads with status 401 unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
context 'when user has 2FA enabled' do
let ( :user ) { create ( :user , :two_factor ) }
let ( :access_token ) { create ( :personal_access_token , user : user ) }
2017-09-10 17:25:29 +05:30
let ( :path ) { " #{ project . full_path } .git " }
2016-09-13 17:45:13 +05:30
2016-11-03 12:29:30 +05:30
before do
2018-11-18 11:00:15 +05:30
project . add_maintainer ( user )
2016-11-03 12:29:30 +05:30
end
2016-09-13 17:45:13 +05:30
2016-11-03 12:29:30 +05:30
context 'when username and password are provided' do
2022-09-01 20:07:04 +05:30
it 'rejects pulls with generic error message' do
2017-09-10 17:25:29 +05:30
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2016-11-03 12:29:30 +05:30
end
2016-09-13 17:45:13 +05:30
end
2022-09-01 20:07:04 +05:30
it 'rejects the push attempt with generic error message' do
2017-09-10 17:25:29 +05:30
upload ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2016-11-03 12:29:30 +05:30
end
2016-09-13 17:45:13 +05:30
end
end
2016-11-03 12:29:30 +05:30
context 'when username and personal access token are provided' do
2017-09-10 17:25:29 +05:30
let ( :env ) { { user : user . username , password : access_token . token } }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2019-07-31 22:56:46 +05:30
it 'rejects the push attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
upload ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to include ( 'You are not allowed to upload code' )
end
end
it 'accepts the push attempt for write_repository scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for api scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the push attempt for api scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
2021-06-02 17:11:27 +05:30
context " when password is expired " do
it " responds to uploads with status 401 unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2021-08-04 16:29:09 +05:30
context 'when token is impersonated' do
context 'when impersonation is off' do
before do
stub_config_setting ( impersonation_enabled : false )
end
it 'responds to uploads with status 401 unauthorized' do
write_access_token = create ( :personal_access_token , :impersonation , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
context 'when impersonation is on' do
it 'responds to uploads with status 200' do
write_access_token = create ( :personal_access_token , :impersonation , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
2017-09-10 17:25:29 +05:30
end
end
context 'when internal auth is disabled' do
before do
2018-03-17 18:26:18 +05:30
allow_any_instance_of ( ApplicationSetting ) . to receive ( :password_authentication_enabled_for_git? ) { false }
2017-09-10 17:25:29 +05:30
end
2022-09-01 20:07:04 +05:30
it 'rejects pulls with generic error message' do
2017-09-10 17:25:29 +05:30
download ( path , user : 'foo' , password : 'bar' ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2017-09-10 17:25:29 +05:30
end
end
2022-09-01 20:07:04 +05:30
it 'rejects pushes with generic error message' do
2017-09-10 17:25:29 +05:30
upload ( path , user : 'foo' , password : 'bar' ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2017-09-10 17:25:29 +05:30
end
end
context 'when LDAP is configured' do
before do
2020-04-08 14:13:33 +05:30
allow ( Gitlab :: Auth :: Ldap :: Config ) . to receive ( :enabled? ) . and_return ( true )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication )
2017-09-10 17:25:29 +05:30
. to receive ( :login ) . and_return ( nil )
2016-09-13 17:45:13 +05:30
end
2022-09-01 20:07:04 +05:30
it 'displays the generic error message' do
2017-09-10 17:25:29 +05:30
upload ( path , user : 'foo' , password : 'bar' ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2016-11-03 12:29:30 +05:30
end
2016-09-13 17:45:13 +05:30
end
end
end
2016-11-03 12:29:30 +05:30
context " when blank password attempts follow a valid login " do
def attempt_login ( include_password )
password = include_password ? user . password : " "
clone_get path , user : user . username , password : password
response . status
end
2016-06-16 23:09:34 +05:30
2019-12-26 22:10:19 +05:30
include_context 'rack attack cache store'
2016-11-03 12:29:30 +05:30
it " repeated attempts followed by successful attempt " do
options = Gitlab . config . rack_attack . git_basic_auth
2019-12-26 22:10:19 +05:30
maxretry = options [ :maxretry ]
2016-11-03 12:29:30 +05:30
ip = '1.2.3.4'
2016-06-16 23:09:34 +05:30
2019-03-02 22:35:43 +05:30
allow_any_instance_of ( ActionDispatch :: Request ) . to receive ( :ip ) . and_return ( ip )
2016-11-03 12:29:30 +05:30
Rack :: Attack :: Allow2Ban . reset ( ip , options )
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
maxretry . times . each do
expect ( attempt_login ( false ) ) . to eq ( 401 )
end
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
expect ( attempt_login ( true ) ) . to eq ( 200 )
expect ( Rack :: Attack :: Allow2Ban . banned? ( ip ) ) . to be_falsey
end
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
let ( :project_moved_message ) do
<<-MSG.strip_heredoc
Project '#{redirect.path}' was moved to '#{project.full_path}' .
2018-03-17 18:26:18 +05:30
Please update your Git remote :
2017-09-10 17:25:29 +05:30
2018-05-09 12:01:36 +05:30
git remote set - url origin #{project.http_url_to_repo}.
2017-09-10 17:25:29 +05:30
MSG
end
2018-05-09 12:01:36 +05:30
it 'downloads get status 200' do
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env )
2018-05-09 12:01:36 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
it 'uploads get status 404 with "project was moved" message' do
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-05-09 12:01:36 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
end
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
context " when the user doesn't have access to the project " do
2017-09-10 17:25:29 +05:30
it " pulls get status 404 " do
2016-11-03 12:29:30 +05:30
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
it " uploads get status 404 " do
upload ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
end
end
2022-04-04 11:22:00 +05:30
context " when the user is admin " do
let ( :admin ) { create ( :admin ) }
let ( :env ) { { user : admin . username , password : admin . password } }
# Currently, the admin mode is bypassed for git operations.
# Once the admin mode is considered for git operations, this test will fail.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/296509
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'when admin mode is disabled' do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
2016-06-16 23:09:34 +05:30
end
end
2016-09-29 09:46:39 +05:30
2016-11-03 12:29:30 +05:30
context " when a gitlab ci token is provided " do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :repository ) }
2016-11-03 12:29:30 +05:30
let ( :build ) { create ( :ci_build , :running ) }
2018-03-17 18:26:18 +05:30
let ( :other_project ) { create ( :project , :repository ) }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
before do
build . update! ( project : project ) # can't associate it on factory create
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
context 'when build created by system is authenticated' do
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
it_behaves_like 'pulls are allowed'
# A non-401 here is not an information leak since the system is
# "authenticated" as CI using the correct token. It does not have
# push access, so pushes should be rejected as forbidden, and giving
# a reason is fine.
#
# We know for sure it is not an information leak since pulls using
# the build token must be allowed.
it " rejects pushes with 403 Forbidden " do
2021-01-29 00:20:46 +05:30
push_get ( path , ** env )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
2016-09-29 09:46:39 +05:30
end
2016-11-03 12:29:30 +05:30
2017-09-10 17:25:29 +05:30
# We are "authenticated" as CI using a valid token here. But we are
# not authorized to see any other project, so return "not found".
it " rejects pulls for other project with 404 Not Found " do
2021-01-29 00:20:46 +05:30
clone_get ( " #{ other_project . full_path } .git " , ** env )
2016-11-03 12:29:30 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-09-10 17:25:29 +05:30
expect ( response . body ) . to eq ( git_access_error ( :project_not_found ) )
2016-11-03 12:29:30 +05:30
end
2016-09-29 09:46:39 +05:30
end
2016-11-03 12:29:30 +05:30
context 'and build created by' do
before do
2020-11-24 15:15:51 +05:30
build . update! ( user : user )
2018-03-17 18:26:18 +05:30
project . add_reporter ( user )
2021-11-11 11:23:49 +05:30
create ( :ci_job_token_project_scope_link ,
source_project : project ,
target_project : other_project ,
added_by : user )
2016-11-03 12:29:30 +05:30
end
2016-09-29 09:46:39 +05:30
2016-11-03 12:29:30 +05:30
shared_examples 'can download code only' do
2017-09-10 17:25:29 +05:30
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
context 'when the repo does not exist' do
let ( :project ) { create ( :project ) }
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
it 'rejects pulls with 404 Not Found' do
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-09-10 17:25:29 +05:30
expect ( response . body ) . to eq ( git_access_error ( :no_repo ) )
end
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
it 'rejects pushes with 403 Forbidden' do
2021-01-29 00:20:46 +05:30
push_get ( path , ** env )
2016-11-03 12:29:30 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
2016-11-03 12:29:30 +05:30
end
2016-09-29 09:46:39 +05:30
end
2016-11-03 12:29:30 +05:30
context 'administrator' do
let ( :user ) { create ( :admin ) }
2016-09-29 09:46:39 +05:30
2021-02-22 17:27:13 +05:30
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'can download code only'
2016-09-29 09:46:39 +05:30
2021-09-30 23:02:18 +05:30
it 'downloads from other project get status 403' do
2021-02-22 17:27:13 +05:30
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2016-09-29 09:46:39 +05:30
2021-09-30 23:02:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-02-22 17:27:13 +05:30
end
end
context 'when admin mode is disabled' do
it_behaves_like 'can download code only'
2022-04-04 11:22:00 +05:30
it 'downloads from other project get status 403' do
2021-02-22 17:27:13 +05:30
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2022-04-04 11:22:00 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-02-22 17:27:13 +05:30
end
2016-11-03 12:29:30 +05:30
end
end
context 'regular user' do
let ( :user ) { create ( :user ) }
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
2017-09-10 17:25:29 +05:30
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2016-11-03 12:29:30 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-11-03 12:29:30 +05:30
end
2021-06-02 17:11:27 +05:30
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , user : 'gitlab-ci-token' , password : build . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2016-09-29 09:46:39 +05:30
end
end
2016-06-16 23:09:34 +05:30
end
end
2019-03-13 22:55:13 +05:30
it_behaves_like 'project path without .git suffix' do
2020-03-13 15:44:24 +05:30
let ( :repository_path ) { create ( :project , :repository , :public , path : 'project.git-project' ) . full_path }
2016-06-16 23:09:34 +05:30
end
2017-09-10 17:25:29 +05:30
context " retrieving an info/refs file " do
let ( :project ) { create ( :project , :repository , :public ) }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when the file exists " do
before do
# Provide a dummy file in its place
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . and_call_original
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . with ( 'b83d6e391c22777fca1ed3012fce84f633d7fed0' , 'info/refs' ) do
Blob . decorate ( Gitlab :: Git :: Blob . find ( project . repository , 'master' , 'bar/branch-test.txt' ) , project )
end
2016-06-16 23:09:34 +05:30
2020-03-13 15:44:24 +05:30
get " / #{ project . full_path } /-/blob/master/info/refs "
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it " returns the file " do
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context " when the file does not exist " do
before do
2020-03-13 15:44:24 +05:30
get " / #{ project . full_path } /-/blob/master/info/refs "
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
2019-12-26 22:10:19 +05:30
it " redirects " do
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :found )
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
end
end
2021-09-04 01:27:46 +05:30
context " when the project path ends with a dot " do
let ( :path ) { " #{ project . full_path } .git " }
context " when the project is public " do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when not authenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
end
context " when authenticated " do
let ( :env ) { { user : user . username , password : user . password } }
context 'as a developer on the team' do
before do
project . add_developer ( user )
end
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
context 'but git-receive-pack over HTTP is disabled in config' do
before do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :receive_pack ) . and_return ( false )
end
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :receive_pack_disabled_over_http ) )
end
end
end
context 'but git-upload-pack over HTTP is disabled in config' do
it " rejects pushes with 403 Forbidden " do
allow ( Gitlab . config . gitlab_shell ) . to receive ( :upload_pack ) . and_return ( false )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :upload_pack_disabled_over_http ) )
end
end
end
context 'but the service parameter is missing' do
it 'rejects clones with 403 Forbidden' do
get ( " / #{ path } /info/refs " , headers : auth_env ( * env . values_at ( :user , :password ) , nil ) )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
context 'and not a member of the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( 'You are not allowed to push code to this project.' )
end
end
context 'when merge requests are open that allow maintainer access' do
let ( :canonical_project ) { create ( :project , :public , :repository ) }
let ( :project ) { fork_project ( canonical_project , nil , repository : true ) }
before do
canonical_project . add_maintainer ( user )
create ( :merge_request ,
source_project : project ,
2022-10-11 01:57:18 +05:30
target_project : canonical_project ,
2021-09-04 01:27:46 +05:30
source_branch : 'fixes' ,
allow_collaboration : true )
end
it_behaves_like 'pushes are allowed'
end
context 'but the service parameter is missing' do
it 'rejects clones with 401 Unauthorized' do
get ( " / #{ path } /info/refs " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
context 'when the request is not from gitlab-workhorse' do
it 'raises an exception' do
expect do
get ( " / #{ project . full_path } .git/info/refs?service=git-upload-pack " )
end . to raise_error ( JWT :: DecodeError )
end
end
context 'when the repo is public' do
context 'but the repo is disabled' do
let ( :project ) { create ( :project , :public , :repository , :repository_disabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
end
context 'but the repo is enabled' do
let ( :project ) { create ( :project , :public , :repository , :repository_enabled ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
end
context 'but only project members are allowed' do
let ( :project ) { create ( :project , :public , :repository , :repository_private ) }
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
end
end
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
it 'downloads get status 200 for redirects' do
clone_get ( path )
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
context " when the project is private " do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :repository , :private )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
context " when username and password are provided " do
let ( :env ) { { user : user . username , password : 'nope' } }
context " when authentication fails " do
context " when the user is IP banned " do
before do
stub_rack_attack_setting ( enabled : true , ip_whitelist : [ ] )
end
it " responds with status 403 " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :banned? ) . and_return ( true )
expect ( Gitlab :: AuthLogger ) . to receive ( :error ) . with ( {
message : 'Rack_Attack' ,
env : :blocklist ,
remote_ip : '127.0.0.1' ,
request_method : 'GET' ,
path : " / #{ path } /info/refs?service=git-upload-pack "
} )
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
context " when authentication succeeds " do
let ( :env ) { { user : user . username , password : user . password } }
context " when the user has access to the project " do
before do
project . add_maintainer ( user )
end
context " when the user is blocked " do
it " rejects pulls with 401 Unauthorized " do
user . block
project . add_maintainer ( user )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
it " rejects pulls with 401 Unauthorized for unknown projects (no project existence information leak) " do
user . block
download ( 'doesnt/exist.git' , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
context " when the user isn't blocked " do
before do
stub_rack_attack_setting ( enabled : true , bantime : 1 . minute , findtime : 5 . minutes , maxretry : 2 , ip_whitelist : [ ] )
end
it " resets the IP in Rack Attack on download " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
download ( path , ** env ) do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
end
end
it " resets the IP in Rack Attack on upload " do
expect ( Rack :: Attack :: Allow2Ban ) . to receive ( :reset ) . twice
upload ( path , ** env ) do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response . media_type ) . to eq ( Gitlab :: Workhorse :: INTERNAL_API_CONTENT_TYPE )
end
end
it 'updates the user last activity' , :clean_gitlab_redis_shared_state do
expect ( user . last_activity_on ) . to be_nil
download ( path , ** env ) do | response |
expect ( user . reload . last_activity_on ) . to eql ( Date . today )
end
end
end
context " when an oauth token is provided " do
before do
application = Doorkeeper :: Application . create! ( name : " MyApp " , redirect_uri : " https://app.com " , owner : user )
@token = Doorkeeper :: AccessToken . create! ( application_id : application . id , resource_owner_id : user . id , scopes : " api " )
end
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'oauth2' , password : @token . token } }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
context " when password is expired " do
it " responds to downloads with status 401 unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
context 'when user has 2FA enabled' do
let ( :user ) { create ( :user , :two_factor ) }
let ( :access_token ) { create ( :personal_access_token , user : user ) }
let ( :path ) { " #{ project . full_path } .git " }
before do
project . add_maintainer ( user )
end
context 'when username and password are provided' do
2022-09-01 20:07:04 +05:30
it 'rejects pulls with generic error message' do
2021-09-04 01:27:46 +05:30
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-09-04 01:27:46 +05:30
end
end
2022-09-01 20:07:04 +05:30
it 'rejects the push attempt with generic error message' do
2021-09-04 01:27:46 +05:30
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-09-04 01:27:46 +05:30
end
end
end
context 'when username and personal access token are provided' do
let ( :env ) { { user : user . username , password : access_token . token } }
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
it 'rejects the push attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
upload ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to include ( 'You are not allowed to upload code' )
end
end
it 'accepts the push attempt for write_repository scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for read_repository scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :read_repository ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the pull attempt for api scope' do
read_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
download ( path , user : user . username , password : read_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'accepts the push attempt for api scope' do
write_access_token = create ( :personal_access_token , user : user , scopes : [ :api ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
context " when password is expired " do
it " responds to uploads with status 401 unauthorized " do
user . update! ( password_expires_at : 2 . days . ago )
write_access_token = create ( :personal_access_token , user : user , scopes : [ :write_repository ] )
upload ( path , user : user . username , password : write_access_token . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
end
context 'when internal auth is disabled' do
before do
allow_any_instance_of ( ApplicationSetting ) . to receive ( :password_authentication_enabled_for_git? ) { false }
end
2022-09-01 20:07:04 +05:30
it 'rejects pulls with generic error message' do
2021-09-04 01:27:46 +05:30
download ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-09-04 01:27:46 +05:30
end
end
2022-09-01 20:07:04 +05:30
it 'rejects pushes with generic error message' do
2021-09-04 01:27:46 +05:30
upload ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-09-04 01:27:46 +05:30
end
end
context 'when LDAP is configured' do
before do
allow ( Gitlab :: Auth :: Ldap :: Config ) . to receive ( :enabled? ) . and_return ( true )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication )
. to receive ( :login ) . and_return ( nil )
end
2022-09-01 20:07:04 +05:30
it 'returns a generic error message' do
2021-09-04 01:27:46 +05:30
upload ( path , user : 'foo' , password : 'bar' ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2022-09-01 20:07:04 +05:30
expect ( response . body ) . to eq ( 'HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://www.example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied' )
2021-09-04 01:27:46 +05:30
end
end
end
end
context " when blank password attempts follow a valid login " do
def attempt_login ( include_password )
password = include_password ? user . password : " "
clone_get path , user : user . username , password : password
response . status
end
include_context 'rack attack cache store'
it " repeated attempts followed by successful attempt " do
options = Gitlab . config . rack_attack . git_basic_auth
maxretry = options [ :maxretry ]
ip = '1.2.3.4'
allow_any_instance_of ( ActionDispatch :: Request ) . to receive ( :ip ) . and_return ( ip )
Rack :: Attack :: Allow2Ban . reset ( ip , options )
maxretry . times . each do
expect ( attempt_login ( false ) ) . to eq ( 401 )
end
expect ( attempt_login ( true ) ) . to eq ( 200 )
expect ( Rack :: Attack :: Allow2Ban . banned? ( ip ) ) . to be_falsey
end
end
context 'and the user requests a redirected path' do
let! ( :redirect ) { project . route . create_redirect ( 'foo/bar' ) }
let ( :path ) { " #{ redirect . path } .git " }
let ( :project_moved_message ) do
<<-MSG.strip_heredoc
Project '#{redirect.path}' was moved to '#{project.full_path}' .
Please update your Git remote :
git remote set - url origin #{project.http_url_to_repo}.
MSG
end
it 'downloads get status 200' do
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :ok )
end
it 'uploads get status 404 with "project was moved" message' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context " when the user doesn't have access to the project " do
it " pulls get status 404 " do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
it " uploads get status 404 " do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
end
end
end
context " when a gitlab ci token is provided " do
let ( :project ) { create ( :project , :repository ) }
let ( :build ) { create ( :ci_build , :running ) }
let ( :other_project ) { create ( :project , :repository ) }
before do
build . update! ( project : project ) # can't associate it on factory create
2021-11-11 11:23:49 +05:30
create ( :ci_job_token_project_scope_link ,
source_project : project ,
target_project : other_project ,
added_by : user )
2021-09-04 01:27:46 +05:30
end
context 'when build created by system is authenticated' do
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
it_behaves_like 'pulls are allowed'
# A non-401 here is not an information leak since the system is
# "authenticated" as CI using the correct token. It does not have
# push access, so pushes should be rejected as forbidden, and giving
# a reason is fine.
#
# We know for sure it is not an information leak since pulls using
# the build token must be allowed.
it " rejects pushes with 403 Forbidden " do
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
end
# We are "authenticated" as CI using a valid token here. But we are
# not authorized to see any other project, so return "not found".
it " rejects pulls for other project with 404 Not Found " do
clone_get ( " #{ other_project . full_path } .git " , ** env )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_error ( :project_not_found ) )
end
end
context 'and build created by' do
before do
build . update! ( user : user )
project . add_reporter ( user )
end
shared_examples 'can download code only' do
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
it_behaves_like 'pulls are allowed'
context 'when the repo does not exist' do
let ( :project ) { create ( :project ) }
it 'rejects pulls with 404 Not Found' do
clone_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_error ( :no_repo ) )
end
end
it 'rejects pushes with 403 Forbidden' do
push_get ( path , ** env )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_error ( :auth_upload ) )
end
end
context 'administrator' do
let ( :user ) { create ( :admin ) }
context 'when admin mode is enabled' , :enable_admin_mode do
it_behaves_like 'can download code only'
2021-09-30 23:02:18 +05:30
it 'downloads from other project get status 403' do
2021-09-04 01:27:46 +05:30
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2021-09-30 23:02:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-09-04 01:27:46 +05:30
end
end
context 'when admin mode is disabled' do
it_behaves_like 'can download code only'
2022-04-04 11:22:00 +05:30
it 'downloads from other project get status 403' do
2021-09-04 01:27:46 +05:30
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
2022-04-04 11:22:00 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-09-04 01:27:46 +05:30
end
end
end
context 'regular user' do
let ( :user ) { create ( :user ) }
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
clone_get " #{ other_project . full_path } .git " , user : 'gitlab-ci-token' , password : build . token
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , user : 'gitlab-ci-token' , password : build . token ) do | response |
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
end
end
end
end
it_behaves_like 'project path without .git suffix' do
2022-05-07 20:08:51 +05:30
let ( :repository_path ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'project.' )
project . full_path
end
2021-09-04 01:27:46 +05:30
end
context " retrieving an info/refs file " do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :repository , :public )
project . update_attribute ( :path , 'project.' )
project
end
2021-09-04 01:27:46 +05:30
context " when the file exists " do
before do
# Provide a dummy file in its place
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . and_call_original
allow_any_instance_of ( Repository ) . to receive ( :blob_at ) . with ( 'b83d6e391c22777fca1ed3012fce84f633d7fed0' , 'info/refs' ) do
Blob . decorate ( Gitlab :: Git :: Blob . find ( project . repository , 'master' , 'bar/branch-test.txt' ) , project )
end
get " / #{ project . full_path } /-/blob/master/info/refs "
end
it " returns the file " do
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
context " when the file does not exist " do
before do
get " / #{ project . full_path } /-/blob/master/info/refs "
end
it " redirects " do
expect ( response ) . to have_gitlab_http_status ( :found )
end
end
end
end
context " when the Wiki path ends with a dot " do
let ( :wiki ) { ProjectWiki . new ( project ) }
let ( :path ) { " / #{ wiki . repository . full_path } .git " }
context " when the project is public " do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :wiki_repo , :public , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it_behaves_like 'pushes require Basic HTTP Authentication'
context 'when unauthenticated' do
let ( :env ) { { } }
it_behaves_like 'pulls are allowed'
it " responds to pulls with the wiki's repo " do
download ( path ) do | response |
2021-10-27 15:23:28 +05:30
json_body = Gitlab :: Json . parse ( response . body )
2021-09-04 01:27:46 +05:30
expect ( json_body [ 'Repository' ] [ 'relative_path' ] ) . to eq ( wiki . repository . relative_path )
end
end
end
context 'when authenticated' do
let ( :env ) { { user : user . username , password : user . password } }
context 'and as a developer on the team' do
before do
project . add_developer ( user )
end
context 'but the repo is disabled' do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :wiki_repo , :public , :repository_disabled , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
context 'and not on the team' do
it_behaves_like 'pulls are allowed'
it 'rejects pushes with 403 Forbidden' do
upload ( path , ** env ) do | response |
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( response . body ) . to eq ( git_access_wiki_error ( :write_to_wiki ) )
end
end
end
end
end
context " when the project is private " do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :wiki_repo , :private , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
it_behaves_like 'operations are not allowed with expired password'
context 'when authenticated' do
context 'and as a developer on the team' do
before do
project . add_developer ( user )
end
context 'when user is using credentials with special characters' do
context 'with password with special characters' do
before do
2022-04-01 21:47:47 +05:30
user . update! ( password : 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U' )
2021-09-04 01:27:46 +05:30
end
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context 'but the repo is disabled' do
2022-05-07 20:08:51 +05:30
let ( :project ) do
project = create ( :project , :wiki_repo , :private , :repository_disabled , :wiki_enabled )
project . update_attribute ( :path , 'foo.' )
project
end
2021-09-04 01:27:46 +05:30
it 'allows clones' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it 'pushes are allowed' do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
end
context 'and not on the team' do
it 'rejects clones with 404 Not Found' do
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
end
end
it 'rejects pushes with 404 Not Found' do
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( response . body ) . to eq ( git_access_wiki_error ( :not_found ) )
end
end
end
end
end
end
2016-06-16 23:09:34 +05:30
end
2016-11-03 12:29:30 +05:30
describe " User with LDAP identity " do
let ( :user ) { create ( :omniauth_user , extern_uid : dn ) }
let ( :dn ) { 'uid=john,ou=people,dc=example,dc=com' }
2017-09-10 17:25:29 +05:30
let ( :path ) { 'doesnt/exist.git' }
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
before do
2018-03-27 19:54:05 +05:30
allow ( Gitlab :: Auth :: OAuth :: Provider ) . to receive ( :enabled? ) . and_return ( true )
2020-04-08 14:13:33 +05:30
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication ) . to receive ( :login ) . and_return ( nil )
allow_any_instance_of ( Gitlab :: Auth :: Ldap :: Authentication ) . to receive ( :login ) . with ( user . username , user . password ) . and_return ( user )
2016-11-03 12:29:30 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls require Basic HTTP Authentication'
it_behaves_like 'pushes require Basic HTTP Authentication'
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when authentication succeeds " do
context " when the project doesn't exist " do
2017-09-10 17:25:29 +05:30
it " responds with status 404 Not Found " do
download ( path , user : user . username , password : user . password ) do | response |
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-11-03 12:29:30 +05:30
end
end
end
2016-06-16 23:09:34 +05:30
2016-11-03 12:29:30 +05:30
context " when the project exists " do
2017-09-10 17:25:29 +05:30
let ( :project ) { create ( :project , :repository ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : user . username , password : user . password } }
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
context 'and the user is on the team' do
before do
2018-11-18 11:00:15 +05:30
project . add_maintainer ( user )
2017-09-10 17:25:29 +05:30
end
2016-06-16 23:09:34 +05:30
2017-09-10 17:25:29 +05:30
it " responds with status 200 " do
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env ) do | response |
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
end
2017-09-10 17:25:29 +05:30
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
2021-07-02 01:05:55 +05:30
context " when password is expired " do
it " responds to downloads with status 200 " do
user . update! ( password_expires_at : 2 . days . ago )
download ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it " responds to uploads with status 200 " do
user . update! ( password_expires_at : 2 . days . ago )
upload ( path , user : user . username , password : user . password ) do | response |
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
end
2016-11-03 12:29:30 +05:30
end
end
2016-06-16 23:09:34 +05:30
end
end
2018-10-15 14:42:47 +05:30
context 'when terms are enforced' do
let ( :project ) { create ( :project , :repository ) }
let ( :user ) { create ( :user ) }
let ( :path ) { " #{ project . full_path } .git " }
let ( :env ) { { user : user . username , password : user . password } }
before do
2018-11-18 11:00:15 +05:30
project . add_maintainer ( user )
2018-10-15 14:42:47 +05:30
enforce_terms
end
it 'blocks git access when the user did not accept terms' , :aggregate_failures do
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env ) do | response |
2018-10-15 14:42:47 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
2021-01-03 14:25:43 +05:30
download ( path , ** env ) do | response |
2018-10-15 14:42:47 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
2021-01-03 14:25:43 +05:30
upload ( path , ** env ) do | response |
2018-10-15 14:42:47 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
context 'when the user accepted the terms' do
before do
accept_terms ( user )
end
it 'allows clones' do
2021-01-29 00:20:46 +05:30
clone_get ( path , ** env ) do | response |
2018-10-15 14:42:47 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'from CI' do
let ( :build ) { create ( :ci_build , :running ) }
let ( :env ) { { user : 'gitlab-ci-token' , password : build . token } }
before do
build . update! ( user : user , project : project )
end
it_behaves_like 'pulls are allowed'
end
end
2016-06-16 23:09:34 +05:30
end