Merge tag 'debian/13.2.8-1' into buster-fasttrack
gitlab Debian release 13.2.8-1
This commit is contained in:
commit
0664877716
122 changed files with 1774 additions and 548 deletions
CHANGELOG.mdGITALY_SERVER_VERSIONGemfile.lockVERSION
app
controllers
finders
graphql/mutations/snippets
models
services
applications
auth
ci
clusters/aws
members
projects
views/profiles/active_sessions
config
db
migrate
20200717040735_change_aws_roles_role_arn_null.rb20200728182311_add_o_auth_paths_to_protected_paths.rb
structure.sqldebian
doc
administration/geo/replication
api
ci/environments
user
group/saml_sso
profile
project/pages/custom_domains_ssl_tls_certification
faraday-middleware-aws-signers-v4
.gitignore.rspec.travis.ymlGemfileLICENSE.txtREADME.mdRakefile
bin
faraday_middleware-aws-signers-v4.gemspeclib
faraday_middleware-aws-signers-v4.rb
faraday_middleware
lib
locale
package.jsonspec
controllers
admin
application_controller_spec.rbgroups
oauth
omniauth_callbacks_controller_spec.rbprofiles
projects
sessions_controller_spec.rbfeatures
finders
graphql
lib
36
CHANGELOG.md
36
CHANGELOG.md
|
@ -2,6 +2,42 @@
|
||||||
documentation](doc/development/changelog.md) for instructions on adding your own
|
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||||
entry.
|
entry.
|
||||||
|
|
||||||
|
## 13.2.8 (2020-09-02)
|
||||||
|
|
||||||
|
### Security (1 change)
|
||||||
|
|
||||||
|
- Protect OAuth endpoints from brute force/password stuffing.
|
||||||
|
|
||||||
|
|
||||||
|
## 13.2.7 (2020-09-02)
|
||||||
|
|
||||||
|
### Security (23 changes, 1 of them is from the community)
|
||||||
|
|
||||||
|
- Check validity of project's import_url before mirroring repository.
|
||||||
|
- Show on two-factor authentication setup page groups that are the cause of this requirement.
|
||||||
|
- Prevent interrupted 2FA sign-in from signing-in incorrect user.
|
||||||
|
- Create new 2FA code each time user is entering 2FA setup page.
|
||||||
|
- Remove all sessions but current while enabling 2FA.
|
||||||
|
- Invalidate two factor sign-in when user password changes.
|
||||||
|
- Delete members invites created by users being deleted.
|
||||||
|
- Prevent OmniAuth from rendering arbitrary error messages.
|
||||||
|
- Prevent not-2fa authenticated users that are supposed to use it to consume api via session.
|
||||||
|
- Invalidate remember me when an active session is revoked.
|
||||||
|
- Add rate limit on webhooks testing feature.
|
||||||
|
- Add scope presence validation to OAuth Application creation.
|
||||||
|
- Allow only running job tokens for API authentication.
|
||||||
|
- Prevent Deploy Tokens to read project resources when repository is disabled.
|
||||||
|
- Change conan api to use proper workhorse validation.
|
||||||
|
- Ensure global ID is of Snippet type in GraphQL destroy mutation.
|
||||||
|
- Fix Improper Access Control on Deploy-Key.
|
||||||
|
- Set maximum limit for profile events.
|
||||||
|
- Persist EKS External ID before presenting it to the user.
|
||||||
|
- Prevent project maintainers from editing group badges.
|
||||||
|
- Upgrade jquery to v3.5.
|
||||||
|
- Update websocket-extensions gem to 0.1.5. (Vitor Meireles De Sousa)
|
||||||
|
- Update GitLab Runner Helm Chart to 0.18.3.
|
||||||
|
|
||||||
|
|
||||||
## 13.2.6 (2020-08-18)
|
## 13.2.6 (2020-08-18)
|
||||||
|
|
||||||
- No changes.
|
- No changes.
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
13.2.6
|
13.2.8
|
||||||
|
|
|
@ -1153,7 +1153,7 @@ GEM
|
||||||
railties (>= 3.2.0)
|
railties (>= 3.2.0)
|
||||||
websocket-driver (0.7.1)
|
websocket-driver (0.7.1)
|
||||||
websocket-extensions (>= 0.1.0)
|
websocket-extensions (>= 0.1.0)
|
||||||
websocket-extensions (0.1.4)
|
websocket-extensions (0.1.5)
|
||||||
wikicloth (0.8.1)
|
wikicloth (0.8.1)
|
||||||
builder
|
builder
|
||||||
expression_parser
|
expression_parser
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
13.2.6
|
13.2.8
|
||||||
|
|
|
@ -38,8 +38,7 @@ class Clusters::ClustersController < Clusters::BaseController
|
||||||
|
|
||||||
def new
|
def new
|
||||||
if params[:provider] == 'aws'
|
if params[:provider] == 'aws'
|
||||||
@aws_role = current_user.aws_role || Aws::Role.new
|
@aws_role = Aws::Role.create_or_find_by!(user: current_user)
|
||||||
@aws_role.ensure_role_external_id!
|
|
||||||
@instance_types = load_instance_types.to_json
|
@instance_types = load_instance_types.to_json
|
||||||
|
|
||||||
elsif params[:provider] == 'gcp'
|
elsif params[:provider] == 'gcp'
|
||||||
|
@ -273,7 +272,7 @@ class Clusters::ClustersController < Clusters::BaseController
|
||||||
end
|
end
|
||||||
|
|
||||||
def aws_role_params
|
def aws_role_params
|
||||||
params.require(:cluster).permit(:role_arn, :role_external_id)
|
params.require(:cluster).permit(:role_arn)
|
||||||
end
|
end
|
||||||
|
|
||||||
def generate_gcp_authorize_url
|
def generate_gcp_authorize_url
|
||||||
|
|
|
@ -22,6 +22,8 @@ module AuthenticatesWithTwoFactor
|
||||||
return handle_locked_user(user) unless user.can?(:log_in)
|
return handle_locked_user(user) unless user.can?(:log_in)
|
||||||
|
|
||||||
session[:otp_user_id] = user.id
|
session[:otp_user_id] = user.id
|
||||||
|
session[:user_updated_at] = user.updated_at
|
||||||
|
|
||||||
setup_u2f_authentication(user)
|
setup_u2f_authentication(user)
|
||||||
render 'devise/sessions/two_factor'
|
render 'devise/sessions/two_factor'
|
||||||
end
|
end
|
||||||
|
@ -41,6 +43,7 @@ module AuthenticatesWithTwoFactor
|
||||||
def authenticate_with_two_factor
|
def authenticate_with_two_factor
|
||||||
user = self.resource = find_user
|
user = self.resource = find_user
|
||||||
return handle_locked_user(user) unless user.can?(:log_in)
|
return handle_locked_user(user) unless user.can?(:log_in)
|
||||||
|
return handle_changed_user(user) if user_changed?(user)
|
||||||
|
|
||||||
if user_params[:otp_attempt].present? && session[:otp_user_id]
|
if user_params[:otp_attempt].present? && session[:otp_user_id]
|
||||||
authenticate_with_two_factor_via_otp(user)
|
authenticate_with_two_factor_via_otp(user)
|
||||||
|
@ -59,12 +62,14 @@ module AuthenticatesWithTwoFactor
|
||||||
|
|
||||||
def clear_two_factor_attempt!
|
def clear_two_factor_attempt!
|
||||||
session.delete(:otp_user_id)
|
session.delete(:otp_user_id)
|
||||||
|
session.delete(:user_updated_at)
|
||||||
|
session.delete(:challenge)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authenticate_with_two_factor_via_otp(user)
|
def authenticate_with_two_factor_via_otp(user)
|
||||||
if valid_otp_attempt?(user)
|
if valid_otp_attempt?(user)
|
||||||
# Remove any lingering user data from login
|
# Remove any lingering user data from login
|
||||||
session.delete(:otp_user_id)
|
clear_two_factor_attempt!
|
||||||
|
|
||||||
remember_me(user) if user_params[:remember_me] == '1'
|
remember_me(user) if user_params[:remember_me] == '1'
|
||||||
user.save!
|
user.save!
|
||||||
|
@ -81,8 +86,7 @@ module AuthenticatesWithTwoFactor
|
||||||
def authenticate_with_two_factor_via_u2f(user)
|
def authenticate_with_two_factor_via_u2f(user)
|
||||||
if U2fRegistration.authenticate(user, u2f_app_id, user_params[:device_response], session[:challenge])
|
if U2fRegistration.authenticate(user, u2f_app_id, user_params[:device_response], session[:challenge])
|
||||||
# Remove any lingering user data from login
|
# Remove any lingering user data from login
|
||||||
session.delete(:otp_user_id)
|
clear_two_factor_attempt!
|
||||||
session.delete(:challenge)
|
|
||||||
|
|
||||||
remember_me(user) if user_params[:remember_me] == '1'
|
remember_me(user) if user_params[:remember_me] == '1'
|
||||||
sign_in(user, message: :two_factor_authenticated, event: :authentication)
|
sign_in(user, message: :two_factor_authenticated, event: :authentication)
|
||||||
|
@ -109,4 +113,18 @@ module AuthenticatesWithTwoFactor
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
# rubocop: enable CodeReuse/ActiveRecord
|
# rubocop: enable CodeReuse/ActiveRecord
|
||||||
|
|
||||||
|
def handle_changed_user(user)
|
||||||
|
clear_two_factor_attempt!
|
||||||
|
|
||||||
|
redirect_to new_user_session_path, alert: _('An error occurred. Please sign in again.')
|
||||||
|
end
|
||||||
|
|
||||||
|
# If user has been updated since we validated the password,
|
||||||
|
# the password might have changed.
|
||||||
|
def user_changed?(user)
|
||||||
|
return false unless session[:user_updated_at]
|
||||||
|
|
||||||
|
user.updated_at != session[:user_updated_at]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -29,12 +29,11 @@ module EnforcesTwoFactorAuthentication
|
||||||
end
|
end
|
||||||
|
|
||||||
def two_factor_authentication_required?
|
def two_factor_authentication_required?
|
||||||
Gitlab::CurrentSettings.require_two_factor_authentication? ||
|
two_factor_verifier.two_factor_authentication_required?
|
||||||
current_user.try(:require_two_factor_authentication_from_group?)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def current_user_requires_two_factor?
|
def current_user_requires_two_factor?
|
||||||
current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled? && !skip_two_factor?
|
two_factor_verifier.current_user_needs_to_setup_two_factor? && !skip_two_factor?
|
||||||
end
|
end
|
||||||
|
|
||||||
# rubocop: disable CodeReuse/ActiveRecord
|
# rubocop: disable CodeReuse/ActiveRecord
|
||||||
|
@ -43,7 +42,7 @@ module EnforcesTwoFactorAuthentication
|
||||||
if Gitlab::CurrentSettings.require_two_factor_authentication?
|
if Gitlab::CurrentSettings.require_two_factor_authentication?
|
||||||
global.call
|
global.call
|
||||||
else
|
else
|
||||||
groups = current_user.expanded_groups_requiring_two_factor_authentication.reorder(name: :asc)
|
groups = current_user.source_groups_of_two_factor_authentication_requirement.reorder(name: :asc)
|
||||||
group.call(groups)
|
group.call(groups)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -51,14 +50,11 @@ module EnforcesTwoFactorAuthentication
|
||||||
# rubocop: enable CodeReuse/ActiveRecord
|
# rubocop: enable CodeReuse/ActiveRecord
|
||||||
|
|
||||||
def two_factor_grace_period
|
def two_factor_grace_period
|
||||||
periods = [Gitlab::CurrentSettings.two_factor_grace_period]
|
two_factor_verifier.two_factor_grace_period
|
||||||
periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication_from_group?)
|
|
||||||
periods.min
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def two_factor_grace_period_expired?
|
def two_factor_grace_period_expired?
|
||||||
date = current_user.otp_grace_period_started_at
|
two_factor_verifier.two_factor_grace_period_expired?
|
||||||
date && (date + two_factor_grace_period.hours) < Time.current
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def two_factor_skippable?
|
def two_factor_skippable?
|
||||||
|
@ -70,6 +66,10 @@ module EnforcesTwoFactorAuthentication
|
||||||
def skip_two_factor?
|
def skip_two_factor?
|
||||||
session[:skip_two_factor] && session[:skip_two_factor] > Time.current
|
session[:skip_two_factor] && session[:skip_two_factor] > Time.current
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def two_factor_verifier
|
||||||
|
@two_factor_verifier ||= Gitlab::Auth::TwoFactorAuthVerifier.new(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
EnforcesTwoFactorAuthentication.prepend_if_ee('EE::EnforcesTwoFactorAuthentication')
|
EnforcesTwoFactorAuthentication.prepend_if_ee('EE::EnforcesTwoFactorAuthentication')
|
||||||
|
|
|
@ -17,4 +17,16 @@ module HooksExecution
|
||||||
flash[:alert] = "Hook execution failed: #{message}"
|
flash[:alert] = "Hook execution failed: #{message}"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def create_rate_limit(key, scope)
|
||||||
|
if rate_limiter.throttled?(key, scope: [scope, current_user])
|
||||||
|
rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
|
||||||
|
|
||||||
|
render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def rate_limiter
|
||||||
|
::Gitlab::ApplicationRateLimiter
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -49,12 +49,6 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
|
||||||
redirect_unverified_saml_initiation
|
redirect_unverified_saml_initiation
|
||||||
end
|
end
|
||||||
|
|
||||||
def omniauth_error
|
|
||||||
@provider = params[:provider]
|
|
||||||
@error = params[:error]
|
|
||||||
render 'errors/omniauth_error', layout: "oauth_error", status: :unprocessable_entity
|
|
||||||
end
|
|
||||||
|
|
||||||
def cas3
|
def cas3
|
||||||
ticket = params['ticket']
|
ticket = params['ticket']
|
||||||
if ticket
|
if ticket
|
||||||
|
@ -198,9 +192,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
|
||||||
end
|
end
|
||||||
|
|
||||||
def fail_login(user)
|
def fail_login(user)
|
||||||
error_message = user.errors.full_messages.to_sentence
|
@provider = Gitlab::Auth::OAuth::Provider.label_for(params[:action])
|
||||||
|
@error = user.errors.full_messages.to_sentence
|
||||||
|
|
||||||
redirect_to omniauth_error_path(oauth['provider'], error: error_message)
|
render 'errors/omniauth_error', layout: "oauth_error", status: :unprocessable_entity
|
||||||
end
|
end
|
||||||
|
|
||||||
def fail_auth0_login
|
def fail_auth0_login
|
||||||
|
|
|
@ -7,6 +7,7 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
|
||||||
|
|
||||||
def destroy
|
def destroy
|
||||||
ActiveSession.destroy_with_public_id(current_user, params[:id])
|
ActiveSession.destroy_with_public_id(current_user, params[:id])
|
||||||
|
current_user.forget_me!
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
format.html { redirect_to profile_active_sessions_url, status: :found }
|
format.html { redirect_to profile_active_sessions_url, status: :found }
|
||||||
|
|
|
@ -4,7 +4,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
|
||||||
skip_before_action :check_two_factor_requirement
|
skip_before_action :check_two_factor_requirement
|
||||||
|
|
||||||
def show
|
def show
|
||||||
unless current_user.otp_secret
|
unless current_user.two_factor_enabled?
|
||||||
current_user.otp_secret = User.generate_otp_secret(32)
|
current_user.otp_secret = User.generate_otp_secret(32)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -38,6 +38,8 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
|
||||||
|
|
||||||
def create
|
def create
|
||||||
if current_user.validate_and_consume_otp!(params[:pin_code])
|
if current_user.validate_and_consume_otp!(params[:pin_code])
|
||||||
|
ActiveSession.destroy_all_but_current(current_user, session)
|
||||||
|
|
||||||
Users::UpdateService.new(current_user, user: current_user, otp_required_for_login: true).execute! do |user|
|
Users::UpdateService.new(current_user, user: current_user, otp_required_for_login: true).execute! do |user|
|
||||||
@codes = user.generate_otp_backup_codes!
|
@codes = user.generate_otp_backup_codes!
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,6 +6,7 @@ class Projects::HooksController < Projects::ApplicationController
|
||||||
# Authorize
|
# Authorize
|
||||||
before_action :authorize_admin_project!
|
before_action :authorize_admin_project!
|
||||||
before_action :hook_logs, only: :edit
|
before_action :hook_logs, only: :edit
|
||||||
|
before_action -> { create_rate_limit(:project_testing_hook, @project) }, only: :test
|
||||||
|
|
||||||
respond_to :html
|
respond_to :html
|
||||||
|
|
||||||
|
|
|
@ -92,7 +92,7 @@ class Projects::TagsController < Projects::ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
format.js do
|
format.js do
|
||||||
render status: :unprocessable_entity
|
render status: :ok
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -8,6 +8,7 @@ class SessionsController < Devise::SessionsController
|
||||||
include Recaptcha::Verify
|
include Recaptcha::Verify
|
||||||
include RendersLdapServers
|
include RendersLdapServers
|
||||||
include KnownSignIn
|
include KnownSignIn
|
||||||
|
include Gitlab::Utils::StrongMemoize
|
||||||
|
|
||||||
skip_before_action :check_two_factor_requirement, only: [:destroy]
|
skip_before_action :check_two_factor_requirement, only: [:destroy]
|
||||||
# replaced with :require_no_authentication_without_flash
|
# replaced with :require_no_authentication_without_flash
|
||||||
|
@ -197,10 +198,14 @@ class SessionsController < Devise::SessionsController
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_user
|
def find_user
|
||||||
if session[:otp_user_id]
|
strong_memoize(:find_user) do
|
||||||
User.find(session[:otp_user_id])
|
if session[:otp_user_id] && user_params[:login]
|
||||||
elsif user_params[:login]
|
User.by_id_and_login(session[:otp_user_id], user_params[:login]).first
|
||||||
User.by_login(user_params[:login])
|
elsif session[:otp_user_id]
|
||||||
|
User.find(session[:otp_user_id])
|
||||||
|
elsif user_params[:login]
|
||||||
|
User.by_login(user_params[:login])
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
56
app/finders/ci/auth_job_finder.rb
Normal file
56
app/finders/ci/auth_job_finder.rb
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
module Ci
|
||||||
|
class AuthJobFinder
|
||||||
|
AuthError = Class.new(StandardError)
|
||||||
|
NotRunningJobError = Class.new(AuthError)
|
||||||
|
ErasedJobError = Class.new(AuthError)
|
||||||
|
DeletedProjectError = Class.new(AuthError)
|
||||||
|
|
||||||
|
def initialize(token:)
|
||||||
|
@token = token
|
||||||
|
end
|
||||||
|
|
||||||
|
def execute!
|
||||||
|
find_job_by_token.tap do |job|
|
||||||
|
next unless job
|
||||||
|
|
||||||
|
validate_job!(job)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def execute
|
||||||
|
execute!
|
||||||
|
rescue AuthError
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
attr_reader :token, :require_running, :raise_on_missing
|
||||||
|
|
||||||
|
def find_job_by_token
|
||||||
|
::Ci::Build.find_by_token(token)
|
||||||
|
end
|
||||||
|
|
||||||
|
def validate_job!(job)
|
||||||
|
validate_running_job!(job)
|
||||||
|
validate_job_not_erased!(job)
|
||||||
|
validate_project_presence!(job)
|
||||||
|
|
||||||
|
true
|
||||||
|
end
|
||||||
|
|
||||||
|
def validate_running_job!(job)
|
||||||
|
raise NotRunningJobError, 'Job is not running' unless job.running?
|
||||||
|
end
|
||||||
|
|
||||||
|
def validate_job_not_erased!(job)
|
||||||
|
raise ErasedJobError, 'Job has been erased!' if job.erased?
|
||||||
|
end
|
||||||
|
|
||||||
|
def validate_project_presence!(job)
|
||||||
|
if job.project.nil? || job.project.pending_delete?
|
||||||
|
raise DeletedProjectError, 'Project has been deleted!'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -6,6 +6,7 @@
|
||||||
# WARNING: does not consider project feature visibility!
|
# WARNING: does not consider project feature visibility!
|
||||||
# - user: The user for which to load the events
|
# - user: The user for which to load the events
|
||||||
# - params:
|
# - params:
|
||||||
|
# - limit: Number of items that to be returned. Defaults to 20 and limited to 100.
|
||||||
# - offset: The page of events to return
|
# - offset: The page of events to return
|
||||||
class UserRecentEventsFinder
|
class UserRecentEventsFinder
|
||||||
prepend FinderWithCrossProjectAccess
|
prepend FinderWithCrossProjectAccess
|
||||||
|
@ -16,7 +17,8 @@ class UserRecentEventsFinder
|
||||||
|
|
||||||
attr_reader :current_user, :target_user, :params
|
attr_reader :current_user, :target_user, :params
|
||||||
|
|
||||||
LIMIT = 20
|
DEFAULT_LIMIT = 20
|
||||||
|
MAX_LIMIT = 100
|
||||||
|
|
||||||
def initialize(current_user, target_user, params = {})
|
def initialize(current_user, target_user, params = {})
|
||||||
@current_user = current_user
|
@current_user = current_user
|
||||||
|
@ -31,7 +33,7 @@ class UserRecentEventsFinder
|
||||||
recent_events(params[:offset] || 0)
|
recent_events(params[:offset] || 0)
|
||||||
.joins(:project)
|
.joins(:project)
|
||||||
.with_associations
|
.with_associations
|
||||||
.limit_recent(params[:limit].presence || LIMIT, params[:offset])
|
.limit_recent(limit, params[:offset])
|
||||||
end
|
end
|
||||||
# rubocop: enable CodeReuse/ActiveRecord
|
# rubocop: enable CodeReuse/ActiveRecord
|
||||||
|
|
||||||
|
@ -59,4 +61,10 @@ class UserRecentEventsFinder
|
||||||
def projects
|
def projects
|
||||||
target_user.project_interactions.to_sql
|
target_user.project_interactions.to_sql
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def limit
|
||||||
|
return DEFAULT_LIMIT unless params[:limit].present?
|
||||||
|
|
||||||
|
[params[:limit].to_i, MAX_LIMIT].min
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -11,7 +11,7 @@ module Mutations
|
||||||
private
|
private
|
||||||
|
|
||||||
def find_object(id:)
|
def find_object(id:)
|
||||||
GitlabSchema.object_from_id(id)
|
GitlabSchema.object_from_id(id, expected_type: ::Snippet)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorized_resource?(snippet)
|
def authorized_resource?(snippet)
|
||||||
|
|
|
@ -105,6 +105,19 @@ class ActiveSession
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.destroy_all_but_current(user, current_session)
|
||||||
|
session_ids = not_impersonated(user)
|
||||||
|
session_ids.reject! { |session| session.current?(current_session) } if current_session
|
||||||
|
|
||||||
|
Gitlab::Redis::SharedState.with do |redis|
|
||||||
|
destroy_sessions(redis, user, session_ids.map(&:session_id)) if session_ids.any?
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def self.not_impersonated(user)
|
||||||
|
list(user).reject(&:is_impersonated)
|
||||||
|
end
|
||||||
|
|
||||||
def self.key_name(user_id, session_id = '*')
|
def self.key_name(user_id, session_id = '*')
|
||||||
"#{Gitlab::Redis::SharedState::USER_SESSIONS_NAMESPACE}:#{user_id}:#{session_id}"
|
"#{Gitlab::Redis::SharedState::USER_SESSIONS_NAMESPACE}:#{user_id}:#{session_id}"
|
||||||
end
|
end
|
||||||
|
|
|
@ -9,6 +9,7 @@ module Aws
|
||||||
validates :role_external_id, uniqueness: true, length: { in: 1..64 }
|
validates :role_external_id, uniqueness: true, length: { in: 1..64 }
|
||||||
validates :role_arn,
|
validates :role_arn,
|
||||||
length: 1..2048,
|
length: 1..2048,
|
||||||
|
allow_nil: true,
|
||||||
format: {
|
format: {
|
||||||
with: Gitlab::Regex.aws_arn_regex,
|
with: Gitlab::Regex.aws_arn_regex,
|
||||||
message: Gitlab::Regex.aws_arn_regex_message
|
message: Gitlab::Regex.aws_arn_regex_message
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
module Clusters
|
module Clusters
|
||||||
module Applications
|
module Applications
|
||||||
class Runner < ApplicationRecord
|
class Runner < ApplicationRecord
|
||||||
VERSION = '0.18.2'
|
VERSION = '0.18.3'
|
||||||
|
|
||||||
self.table_name = 'clusters_applications_runners'
|
self.table_name = 'clusters_applications_runners'
|
||||||
|
|
||||||
|
|
|
@ -76,6 +76,8 @@ class Member < ApplicationRecord
|
||||||
scope :request, -> { where.not(requested_at: nil) }
|
scope :request, -> { where.not(requested_at: nil) }
|
||||||
scope :non_request, -> { where(requested_at: nil) }
|
scope :non_request, -> { where(requested_at: nil) }
|
||||||
|
|
||||||
|
scope :not_accepted_invitations_by_user, -> (user) { invite.where(invite_accepted_at: nil, created_by: user) }
|
||||||
|
|
||||||
scope :has_access, -> { active.where('access_level > 0') }
|
scope :has_access, -> { active.where('access_level > 0') }
|
||||||
|
|
||||||
scope :guests, -> { active.where(access_level: GUEST) }
|
scope :guests, -> { active.where(access_level: GUEST) }
|
||||||
|
|
|
@ -354,6 +354,7 @@ class User < ApplicationRecord
|
||||||
scope :order_oldest_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'ASC')) }
|
scope :order_oldest_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'ASC')) }
|
||||||
scope :order_recent_last_activity, -> { reorder(Gitlab::Database.nulls_last_order('last_activity_on', 'DESC')) }
|
scope :order_recent_last_activity, -> { reorder(Gitlab::Database.nulls_last_order('last_activity_on', 'DESC')) }
|
||||||
scope :order_oldest_last_activity, -> { reorder(Gitlab::Database.nulls_first_order('last_activity_on', 'ASC')) }
|
scope :order_oldest_last_activity, -> { reorder(Gitlab::Database.nulls_first_order('last_activity_on', 'ASC')) }
|
||||||
|
scope :by_id_and_login, ->(id, login) { where(id: id).where('username = LOWER(:login) OR email = LOWER(:login)', login: login) }
|
||||||
|
|
||||||
def active_for_authentication?
|
def active_for_authentication?
|
||||||
super && can?(:log_in)
|
super && can?(:log_in)
|
||||||
|
@ -871,6 +872,12 @@ class User < ApplicationRecord
|
||||||
all_expanded_groups.where(require_two_factor_authentication: true)
|
all_expanded_groups.where(require_two_factor_authentication: true)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def source_groups_of_two_factor_authentication_requirement
|
||||||
|
Gitlab::ObjectHierarchy.new(expanded_groups_requiring_two_factor_authentication)
|
||||||
|
.all_objects
|
||||||
|
.where(id: groups)
|
||||||
|
end
|
||||||
|
|
||||||
# rubocop: disable CodeReuse/ServiceClass
|
# rubocop: disable CodeReuse/ServiceClass
|
||||||
def refresh_authorized_projects
|
def refresh_authorized_projects
|
||||||
Users::RefreshAuthorizedProjectsService.new(self).execute
|
Users::RefreshAuthorizedProjectsService.new(self).execute
|
||||||
|
|
|
@ -11,7 +11,16 @@ module Applications
|
||||||
|
|
||||||
# EE would override and use `request` arg
|
# EE would override and use `request` arg
|
||||||
def execute(request)
|
def execute(request)
|
||||||
Doorkeeper::Application.create(params)
|
@application = Doorkeeper::Application.new(params)
|
||||||
|
|
||||||
|
unless params[:scopes].present?
|
||||||
|
@application.errors.add(:base, _("Scopes can't be blank"))
|
||||||
|
|
||||||
|
return @application
|
||||||
|
end
|
||||||
|
|
||||||
|
@application.save
|
||||||
|
@application
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -132,6 +132,7 @@ module Auth
|
||||||
|
|
||||||
def can_access?(requested_project, requested_action)
|
def can_access?(requested_project, requested_action)
|
||||||
return false unless requested_project.container_registry_enabled?
|
return false unless requested_project.container_registry_enabled?
|
||||||
|
return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
|
||||||
|
|
||||||
case requested_action
|
case requested_action
|
||||||
when 'pull'
|
when 'pull'
|
||||||
|
|
|
@ -10,6 +10,9 @@ module Ci
|
||||||
elsif job_from_token
|
elsif job_from_token
|
||||||
create_pipeline_from_job(job_from_token)
|
create_pipeline_from_job(job_from_token)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
rescue Ci::AuthJobFinder::AuthError => e
|
||||||
|
error(e.message, 401)
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
@ -41,8 +44,6 @@ module Ci
|
||||||
# this check is to not leak the presence of the project if user cannot read it
|
# this check is to not leak the presence of the project if user cannot read it
|
||||||
return unless can?(job.user, :read_project, project)
|
return unless can?(job.user, :read_project, project)
|
||||||
|
|
||||||
return error("400 Job has to be running", 400) unless job.running?
|
|
||||||
|
|
||||||
pipeline = Ci::CreatePipelineService.new(project, job.user, ref: params[:ref])
|
pipeline = Ci::CreatePipelineService.new(project, job.user, ref: params[:ref])
|
||||||
.execute(:pipeline, ignore_skip_ci: true) do |pipeline|
|
.execute(:pipeline, ignore_skip_ci: true) do |pipeline|
|
||||||
source = job.sourced_pipelines.build(
|
source = job.sourced_pipelines.build(
|
||||||
|
@ -64,7 +65,7 @@ module Ci
|
||||||
|
|
||||||
def job_from_token
|
def job_from_token
|
||||||
strong_memoize(:job) do
|
strong_memoize(:job) do
|
||||||
Ci::Build.find_by_token(params[:token].to_s)
|
Ci::AuthJobFinder.new(token: params[:token].to_s).execute!
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,7 @@ module Clusters
|
||||||
|
|
||||||
ERRORS = [
|
ERRORS = [
|
||||||
ActiveRecord::RecordInvalid,
|
ActiveRecord::RecordInvalid,
|
||||||
|
ActiveRecord::RecordNotFound,
|
||||||
Clusters::Aws::FetchCredentialsService::MissingRoleError,
|
Clusters::Aws::FetchCredentialsService::MissingRoleError,
|
||||||
::Aws::Errors::MissingCredentialsError,
|
::Aws::Errors::MissingCredentialsError,
|
||||||
::Aws::STS::Errors::ServiceError
|
::Aws::STS::Errors::ServiceError
|
||||||
|
@ -20,7 +21,8 @@ module Clusters
|
||||||
end
|
end
|
||||||
|
|
||||||
def execute
|
def execute
|
||||||
@role = create_or_update_role!
|
ensure_role_exists!
|
||||||
|
update_role_arn!
|
||||||
|
|
||||||
Response.new(:ok, credentials)
|
Response.new(:ok, credentials)
|
||||||
rescue *ERRORS
|
rescue *ERRORS
|
||||||
|
@ -31,14 +33,12 @@ module Clusters
|
||||||
|
|
||||||
attr_reader :role, :params
|
attr_reader :role, :params
|
||||||
|
|
||||||
def create_or_update_role!
|
def ensure_role_exists!
|
||||||
if role = user.aws_role
|
@role = ::Aws::Role.find_by_user_id!(user.id)
|
||||||
role.update!(params)
|
end
|
||||||
|
|
||||||
role
|
def update_role_arn!
|
||||||
else
|
role.update!(params)
|
||||||
user.create_aws_role!(params)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def credentials
|
def credentials
|
||||||
|
|
|
@ -18,6 +18,7 @@ module Members
|
||||||
end
|
end
|
||||||
|
|
||||||
delete_subresources(member) unless skip_subresources
|
delete_subresources(member) unless skip_subresources
|
||||||
|
delete_project_invitations_by(member) unless skip_subresources
|
||||||
enqueue_delete_todos(member)
|
enqueue_delete_todos(member)
|
||||||
enqueue_unassign_issuables(member) if unassign_issuables
|
enqueue_unassign_issuables(member) if unassign_issuables
|
||||||
|
|
||||||
|
@ -39,24 +40,48 @@ module Members
|
||||||
|
|
||||||
delete_project_members(member)
|
delete_project_members(member)
|
||||||
delete_subgroup_members(member)
|
delete_subgroup_members(member)
|
||||||
|
delete_invited_members(member)
|
||||||
end
|
end
|
||||||
|
|
||||||
def delete_project_members(member)
|
def delete_project_members(member)
|
||||||
groups = member.group.self_and_descendants
|
groups = member.group.self_and_descendants
|
||||||
|
|
||||||
ProjectMember.in_namespaces(groups).with_user(member.user).each do |project_member|
|
destroy_project_members(ProjectMember.in_namespaces(groups).with_user(member.user))
|
||||||
self.class.new(current_user).execute(project_member, skip_authorization: @skip_auth)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def delete_subgroup_members(member)
|
def delete_subgroup_members(member)
|
||||||
groups = member.group.descendants
|
groups = member.group.descendants
|
||||||
|
|
||||||
GroupMember.of_groups(groups).with_user(member.user).each do |group_member|
|
destroy_group_members(GroupMember.of_groups(groups).with_user(member.user))
|
||||||
|
end
|
||||||
|
|
||||||
|
def delete_invited_members(member)
|
||||||
|
groups = member.group.self_and_descendants
|
||||||
|
|
||||||
|
destroy_group_members(GroupMember.of_groups(groups).not_accepted_invitations_by_user(member.user))
|
||||||
|
|
||||||
|
destroy_project_members(ProjectMember.in_namespaces(groups).not_accepted_invitations_by_user(member.user))
|
||||||
|
end
|
||||||
|
|
||||||
|
def destroy_project_members(members)
|
||||||
|
members.each do |project_member|
|
||||||
|
self.class.new(current_user).execute(project_member, skip_authorization: @skip_auth)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def destroy_group_members(members)
|
||||||
|
members.each do |group_member|
|
||||||
self.class.new(current_user).execute(group_member, skip_authorization: @skip_auth, skip_subresources: true)
|
self.class.new(current_user).execute(group_member, skip_authorization: @skip_auth, skip_subresources: true)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def delete_project_invitations_by(member)
|
||||||
|
return unless member.is_a?(ProjectMember) && member.user && member.project
|
||||||
|
|
||||||
|
members_to_delete = member.project.members.not_accepted_invitations_by_user(member.user)
|
||||||
|
destroy_project_members(members_to_delete)
|
||||||
|
end
|
||||||
|
|
||||||
def can_destroy_member?(member)
|
def can_destroy_member?(member)
|
||||||
can?(current_user, destroy_member_permission(member), member)
|
can?(current_user, destroy_member_permission(member), member)
|
||||||
end
|
end
|
||||||
|
|
|
@ -7,6 +7,10 @@ module Projects
|
||||||
def execute(remote_mirror, tries)
|
def execute(remote_mirror, tries)
|
||||||
return success unless remote_mirror.enabled?
|
return success unless remote_mirror.enabled?
|
||||||
|
|
||||||
|
if Gitlab::UrlBlocker.blocked_url?(CGI.unescape(Gitlab::UrlSanitizer.sanitize(remote_mirror.url)))
|
||||||
|
return error("The remote mirror URL is invalid.")
|
||||||
|
end
|
||||||
|
|
||||||
update_mirror(remote_mirror)
|
update_mirror(remote_mirror)
|
||||||
|
|
||||||
success
|
success
|
||||||
|
|
|
@ -27,6 +27,6 @@
|
||||||
|
|
||||||
- unless is_current_session
|
- unless is_current_session
|
||||||
.float-right
|
.float-right
|
||||||
= link_to profile_active_session_path(active_session.public_id), data: { confirm: _('Are you sure? The device will be signed out of GitLab.') }, method: :delete, class: "btn btn-danger gl-ml-3" do
|
= link_to profile_active_session_path(active_session.public_id), data: { confirm: _('Are you sure? The device will be signed out of GitLab and all remember me tokens revoked.') }, method: :delete, class: "btn btn-danger gl-ml-3" do
|
||||||
%span.sr-only= _('Revoke')
|
%span.sr-only= _('Revoke')
|
||||||
= _('Revoke')
|
= _('Revoke')
|
||||||
|
|
|
@ -17,7 +17,7 @@ Doorkeeper.configure do
|
||||||
end
|
end
|
||||||
|
|
||||||
resource_owner_from_credentials do |routes|
|
resource_owner_from_credentials do |routes|
|
||||||
user = Gitlab::Auth.find_with_user_password(params[:username], params[:password])
|
user = Gitlab::Auth.find_with_user_password(params[:username], params[:password], increment_failed_attempts: true)
|
||||||
user unless user.try(:two_factor_enabled?)
|
user unless user.try(:two_factor_enabled?)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,6 @@ devise_for :users, controllers: { omniauth_callbacks: :omniauth_callbacks,
|
||||||
confirmations: :confirmations }
|
confirmations: :confirmations }
|
||||||
|
|
||||||
devise_scope :user do
|
devise_scope :user do
|
||||||
get '/users/auth/:provider/omniauth_error' => 'omniauth_callbacks#omniauth_error', as: :omniauth_error
|
|
||||||
get '/users/almost_there' => 'confirmations#almost_there'
|
get '/users/almost_there' => 'confirmations#almost_there'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
15
db/migrate/20200717040735_change_aws_roles_role_arn_null.rb
Normal file
15
db/migrate/20200717040735_change_aws_roles_role_arn_null.rb
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class ChangeAwsRolesRoleArnNull < ActiveRecord::Migration[6.0]
|
||||||
|
DOWNTIME = false
|
||||||
|
EXAMPLE_ARN = 'arn:aws:iam::000000000000:role/example-role'
|
||||||
|
|
||||||
|
def up
|
||||||
|
change_column_null :aws_roles, :role_arn, true
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
# Records may now exist with nulls, so we must fill them with a dummy value
|
||||||
|
change_column_null :aws_roles, :role_arn, false, EXAMPLE_ARN
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,62 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class AddOAuthPathsToProtectedPaths < ActiveRecord::Migration[6.0]
|
||||||
|
include Gitlab::Database::MigrationHelpers
|
||||||
|
|
||||||
|
DOWNTIME = false
|
||||||
|
|
||||||
|
ADD_PROTECTED_PATHS = [
|
||||||
|
'/oauth/authorize',
|
||||||
|
'/oauth/token'
|
||||||
|
].freeze
|
||||||
|
|
||||||
|
EXISTING_DEFAULT_PROTECTED_PATHS = [
|
||||||
|
'/users/password',
|
||||||
|
'/users/sign_in',
|
||||||
|
'/api/v3/session.json',
|
||||||
|
'/api/v3/session',
|
||||||
|
'/api/v4/session.json',
|
||||||
|
'/api/v4/session',
|
||||||
|
'/users',
|
||||||
|
'/users/confirmation',
|
||||||
|
'/unsubscribes/',
|
||||||
|
'/import/github/personal_access_token',
|
||||||
|
'/admin/session'
|
||||||
|
].freeze
|
||||||
|
|
||||||
|
NEW_DEFAULT_PROTECTED_PATHS = (EXISTING_DEFAULT_PROTECTED_PATHS + ADD_PROTECTED_PATHS).freeze
|
||||||
|
|
||||||
|
class ApplicationSetting < ActiveRecord::Base
|
||||||
|
self.table_name = 'application_settings'
|
||||||
|
end
|
||||||
|
|
||||||
|
def up
|
||||||
|
change_column_default :application_settings, :protected_paths, NEW_DEFAULT_PROTECTED_PATHS
|
||||||
|
|
||||||
|
ApplicationSetting.reset_column_information
|
||||||
|
|
||||||
|
ApplicationSetting.where.not(protected_paths: nil).each do |application_setting|
|
||||||
|
missing_paths = ADD_PROTECTED_PATHS - application_setting.protected_paths
|
||||||
|
|
||||||
|
next if missing_paths.empty?
|
||||||
|
|
||||||
|
updated_protected_paths = application_setting.protected_paths + missing_paths
|
||||||
|
application_setting.update!(protected_paths: updated_protected_paths)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
change_column_default :application_settings, :protected_paths, EXISTING_DEFAULT_PROTECTED_PATHS
|
||||||
|
|
||||||
|
ApplicationSetting.reset_column_information
|
||||||
|
|
||||||
|
ApplicationSetting.where.not(protected_paths: nil).each do |application_setting|
|
||||||
|
paths_to_remove = application_setting.protected_paths - EXISTING_DEFAULT_PROTECTED_PATHS
|
||||||
|
|
||||||
|
next if paths_to_remove.empty?
|
||||||
|
|
||||||
|
updated_protected_paths = application_setting.protected_paths - paths_to_remove
|
||||||
|
application_setting.update!(protected_paths: updated_protected_paths)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -9099,7 +9099,7 @@ CREATE TABLE public.application_settings (
|
||||||
throttle_protected_paths_enabled boolean DEFAULT false NOT NULL,
|
throttle_protected_paths_enabled boolean DEFAULT false NOT NULL,
|
||||||
throttle_protected_paths_requests_per_period integer DEFAULT 10 NOT NULL,
|
throttle_protected_paths_requests_per_period integer DEFAULT 10 NOT NULL,
|
||||||
throttle_protected_paths_period_in_seconds integer DEFAULT 60 NOT NULL,
|
throttle_protected_paths_period_in_seconds integer DEFAULT 60 NOT NULL,
|
||||||
protected_paths character varying(255)[] DEFAULT '{/users/password,/users/sign_in,/api/v3/session.json,/api/v3/session,/api/v4/session.json,/api/v4/session,/users,/users/confirmation,/unsubscribes/,/import/github/personal_access_token,/admin/session}'::character varying[],
|
protected_paths character varying(255)[] DEFAULT '{/users/password,/users/sign_in,/api/v3/session.json,/api/v3/session,/api/v4/session.json,/api/v4/session,/users,/users/confirmation,/unsubscribes/,/import/github/personal_access_token,/admin/session,/oauth/authorize,/oauth/token}'::character varying[],
|
||||||
throttle_incident_management_notification_enabled boolean DEFAULT false NOT NULL,
|
throttle_incident_management_notification_enabled boolean DEFAULT false NOT NULL,
|
||||||
throttle_incident_management_notification_period_in_seconds integer DEFAULT 3600,
|
throttle_incident_management_notification_period_in_seconds integer DEFAULT 3600,
|
||||||
throttle_incident_management_notification_per_period integer DEFAULT 3600,
|
throttle_incident_management_notification_per_period integer DEFAULT 3600,
|
||||||
|
@ -9433,7 +9433,7 @@ CREATE TABLE public.aws_roles (
|
||||||
user_id integer NOT NULL,
|
user_id integer NOT NULL,
|
||||||
created_at timestamp with time zone NOT NULL,
|
created_at timestamp with time zone NOT NULL,
|
||||||
updated_at timestamp with time zone NOT NULL,
|
updated_at timestamp with time zone NOT NULL,
|
||||||
role_arn character varying(2048) NOT NULL,
|
role_arn character varying(2048),
|
||||||
role_external_id character varying(64) NOT NULL
|
role_external_id character varying(64) NOT NULL
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -23867,5 +23867,7 @@ COPY "schema_migrations" (version) FROM STDIN;
|
||||||
20200715202659
|
20200715202659
|
||||||
20200716044023
|
20200716044023
|
||||||
20200716120419
|
20200716120419
|
||||||
|
20200717040735
|
||||||
|
20200728182311
|
||||||
\.
|
\.
|
||||||
|
|
||||||
|
|
16
debian/changelog
vendored
16
debian/changelog
vendored
|
@ -1,3 +1,19 @@
|
||||||
|
gitlab (13.2.8-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Drop faraday-middleware-aws-signers-v4 from components list
|
||||||
|
* New upstream version 13.2.8 (Fixes: CVE-2020-13318, CVE-2020-13301,
|
||||||
|
CVE-2020-13284, CVE-2020-13298, CVE-2020-13313, CVE-2020-13311,
|
||||||
|
CVE-2020-13289, CVE-2020-13302, CVE-2020-13314, CVE-2020-13309,
|
||||||
|
CVE-2020-13287, CVE-2020-13306, CVE-2020-13299, CVE-2020-13300,
|
||||||
|
CVE-2020-13317, CVE-2020-13303, CVE-2020-13316, CVE-2020-13304,
|
||||||
|
CVE-2020-13305, CVE-2020-13307, CVE-2020-13308, CVE-2020-13315,
|
||||||
|
CVE-2020-13297, CVE-2020-13310)
|
||||||
|
* Refresh patches
|
||||||
|
* Update minimum version of node-jquery to 3.5
|
||||||
|
* Remove faraday-middleware-aws-signers-v4 from upstream-file-list
|
||||||
|
|
||||||
|
-- Pirate Praveen <praveen@debian.org> Thu, 03 Sep 2020 11:20:31 +0530
|
||||||
|
|
||||||
gitlab (13.2.6-3+fto10+1) buster-fasttrack; urgency=medium
|
gitlab (13.2.6-3+fto10+1) buster-fasttrack; urgency=medium
|
||||||
|
|
||||||
* Rebuild for buster-fasttrack.
|
* Rebuild for buster-fasttrack.
|
||||||
|
|
2
debian/control
vendored
2
debian/control
vendored
|
@ -375,7 +375,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
|
||||||
node-fuzzaldrin-plus (>= 0.5~),
|
node-fuzzaldrin-plus (>= 0.5~),
|
||||||
node-glob (>= 7.1.6~),
|
node-glob (>= 7.1.6~),
|
||||||
node-jed,
|
node-jed,
|
||||||
node-jquery (>= 3.4~),
|
node-jquery (>= 3.5~),
|
||||||
node-jquery-ujs,
|
node-jquery-ujs,
|
||||||
# Broken
|
# Broken
|
||||||
# node-jquery.waitforimages,
|
# node-jquery.waitforimages,
|
||||||
|
|
2
debian/gbp.conf
vendored
2
debian/gbp.conf
vendored
|
@ -1,2 +1,2 @@
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
component = [ 'elasticsearch-model', 'elasticsearch-rails', 'faraday-middleware-aws-signers-v4', 'snowplow-javascript-tracker' ]
|
component = [ 'elasticsearch-model', 'elasticsearch-rails', 'snowplow-javascript-tracker' ]
|
||||||
|
|
|
@ -132,7 +132,7 @@ Use debian packaged node modules when available
|
||||||
"ipaddr.js": "^1.9.1",
|
"ipaddr.js": "^1.9.1",
|
||||||
- "jed": "^1.1.1",
|
- "jed": "^1.1.1",
|
||||||
"jest-transform-graphql": "^2.1.0",
|
"jest-transform-graphql": "^2.1.0",
|
||||||
- "jquery": "^3.4.1",
|
- "jquery": "^3.5.0",
|
||||||
- "jquery-ujs": "1.2.2",
|
- "jquery-ujs": "1.2.2",
|
||||||
"jquery.caret": "^0.3.1",
|
"jquery.caret": "^0.3.1",
|
||||||
"jquery.waitforimages": "^2.2.0",
|
"jquery.waitforimages": "^2.2.0",
|
||||||
|
|
1
debian/upstream-file-list
vendored
1
debian/upstream-file-list
vendored
|
@ -69,7 +69,6 @@ docker
|
||||||
docker-compose.yml
|
docker-compose.yml
|
||||||
elasticsearch-model
|
elasticsearch-model
|
||||||
elasticsearch-rails
|
elasticsearch-rails
|
||||||
faraday-middleware-aws-signers-v4
|
|
||||||
file_hooks
|
file_hooks
|
||||||
fixtures
|
fixtures
|
||||||
generator_templates
|
generator_templates
|
||||||
|
|
|
@ -169,3 +169,21 @@ successfully, you must replicate their data using some other means.
|
||||||
LFS objects from replicating](https://gitlab.com/gitlab-org/gitlab/-/issues/32696).
|
LFS objects from replicating](https://gitlab.com/gitlab-org/gitlab/-/issues/32696).
|
||||||
- (*3*): If you are using Object Storage, the replication can be performed by the
|
- (*3*): If you are using Object Storage, the replication can be performed by the
|
||||||
Object Storage provider if supported. Please see [Geo with Object Storage](object_storage.md)
|
Object Storage provider if supported. Please see [Geo with Object Storage](object_storage.md)
|
||||||
|
|
||||||
|
### Package file replication behind a feature flag
|
||||||
|
|
||||||
|
Package file replication is behind a feature flag - `geo_self_service_framework_replication`, which is enabled by default.
|
||||||
|
|
||||||
|
For GitLab self-managed instances, GitLab administrators can opt to disable them.
|
||||||
|
|
||||||
|
To disable:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
Feature.disable(:geo_self_service_framework_replication)
|
||||||
|
```
|
||||||
|
|
||||||
|
To enable:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
Feature.enable(:geo_self_service_framework_replication)
|
||||||
|
```
|
||||||
|
|
|
@ -248,7 +248,7 @@ Example response:
|
||||||
### Example with user / group level access **(STARTER)**
|
### Example with user / group level access **(STARTER)**
|
||||||
|
|
||||||
Elements in the `allowed_to_push` / `allowed_to_merge` / `allowed_to_unprotect` array should take the
|
Elements in the `allowed_to_push` / `allowed_to_merge` / `allowed_to_unprotect` array should take the
|
||||||
form `{user_id: integer}`, `{group_id: integer}` or `{access_level: integer}`. Each user must have access to the project and each group must [have this project shared](../user/project/members/share_project_with_groups.md). These access levels allow [more granular control over protected branch access](../user/project/protected_branches.md#restricting-push-and-merge-access-to-certain-users-starter) and were [added to the API in](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3516) in GitLab 10.3 EE.
|
form `{user_id: integer}`, `{group_id: integer}` or `{access_level: integer}`. Each user must have access to the project and each group must [have this project shared](../user/project/members/share_project_with_groups.md). These access levels allow [more granular control over protected branch access](../user/project/protected_branches.md#restricting-push-and-merge-access-to-certain-users-starter) and were [added to the API in](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3516) GitLab 10.3 EE.
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/protected_branches?name=*-stable&allowed_to_push%5B%5D%5Buser_id%5D=1"
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/protected_branches?name=*-stable&allowed_to_push%5B%5D%5Buser_id%5D=1"
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9388) in [GitLab Silver](https://about.gitlab.com/pricing/) 11.10.
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9388) in [GitLab Silver](https://about.gitlab.com/pricing/) 11.10.
|
||||||
|
|
||||||
The SCIM API implements the [the RFC7644 protocol](https://tools.ietf.org/html/rfc7644).
|
The SCIM API implements [the RFC7644 protocol](https://tools.ietf.org/html/rfc7644).
|
||||||
|
|
||||||
CAUTION: **Caution:**
|
CAUTION: **Caution:**
|
||||||
This API is for internal system use for connecting with a SCIM provider. While it can be used directly, it is subject to change without notice.
|
This API is for internal system use for connecting with a SCIM provider. While it can be used directly, it is subject to change without notice.
|
||||||
|
|
|
@ -26,7 +26,7 @@ Pipeline jobs in GitLab CI/CD run in parallel, so it's possible that two deploym
|
||||||
jobs in two different pipelines attempt to deploy to the same environment at the same
|
jobs in two different pipelines attempt to deploy to the same environment at the same
|
||||||
time. This is not desired behavior as deployments should happen sequentially.
|
time. This is not desired behavior as deployments should happen sequentially.
|
||||||
|
|
||||||
You can ensure only one deployment job runs at a time with the [`resource_group` keyword](../yaml/README.md#resource_group) keyword in your `.gitlab-ci.yml`.
|
You can ensure only one deployment job runs at a time with the [`resource_group` keyword](../yaml/README.md#resource_group) in your `.gitlab-ci.yml`.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
|
|
|
@ -259,7 +259,7 @@ Group SAML SSO helps if you need to allow access via multiple SAML identity prov
|
||||||
|
|
||||||
To proceed with configuring Group SAML SSO instead, you'll need to enable the `group_saml` OmniAuth provider. This can be done from:
|
To proceed with configuring Group SAML SSO instead, you'll need to enable the `group_saml` OmniAuth provider. This can be done from:
|
||||||
|
|
||||||
- `gitlab.rb` for GitLab [Omnibus installations](#omnibus-installations).
|
- `gitlab.rb` for [Omnibus GitLab installations](#omnibus-installations).
|
||||||
- `gitlab/config/gitlab.yml` for [source installations](#source-installations).
|
- `gitlab/config/gitlab.yml` for [source installations](#source-installations).
|
||||||
|
|
||||||
### Limitations
|
### Limitations
|
||||||
|
|
|
@ -29,6 +29,11 @@ exceeds 100, the oldest ones are deleted.
|
||||||
1. Use the previous steps to navigate to **Active Sessions**.
|
1. Use the previous steps to navigate to **Active Sessions**.
|
||||||
1. Click on **Revoke** besides a session. The current session cannot be revoked, as this would sign you out of GitLab.
|
1. Click on **Revoke** besides a session. The current session cannot be revoked, as this would sign you out of GitLab.
|
||||||
|
|
||||||
|
NOTE: **Note:**
|
||||||
|
When any session is revoked all **Remember me** tokens for all
|
||||||
|
devices will be revoked. See ['Why do I keep getting signed out?'](index.md#why-do-i-keep-getting-signed-out)
|
||||||
|
for more information about the **Remember me** feature.
|
||||||
|
|
||||||
<!-- ## Troubleshooting
|
<!-- ## Troubleshooting
|
||||||
|
|
||||||
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
|
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
|
||||||
|
|
|
@ -255,6 +255,12 @@ to get you a new `_gitlab_session` and keep you signed in through browser restar
|
||||||
After your `remember_user_token` expires and your `_gitlab_session` is cleared/expired,
|
After your `remember_user_token` expires and your `_gitlab_session` is cleared/expired,
|
||||||
you will be asked to sign in again to verify your identity for security reasons.
|
you will be asked to sign in again to verify your identity for security reasons.
|
||||||
|
|
||||||
|
NOTE: **Note:**
|
||||||
|
When any session is signed out, or when a session is revoked
|
||||||
|
via [Active Sessions](active_sessions.md), all **Remember me** tokens are revoked.
|
||||||
|
While other sessions will remain active, the **Remember me** feature will not restore
|
||||||
|
a session if the browser is closed or the existing session expires.
|
||||||
|
|
||||||
### Increased sign-in time
|
### Increased sign-in time
|
||||||
|
|
||||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20340) in GitLab 13.1.
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20340) in GitLab 13.1.
|
||||||
|
@ -264,7 +270,7 @@ The `remember_user_token` lifetime of a cookie can now extend beyond the deadlin
|
||||||
GitLab uses both session and persistent cookies:
|
GitLab uses both session and persistent cookies:
|
||||||
|
|
||||||
- Session cookie: Session cookies are normally removed at the end of the browser session when the browser is closed. The `_gitlab_session` cookie has no expiration date.
|
- Session cookie: Session cookies are normally removed at the end of the browser session when the browser is closed. The `_gitlab_session` cookie has no expiration date.
|
||||||
- Persistent cookie: The `remember_me_token` is a cookie with an expiration date of two weeks. GitLab activates this cookie if you click Remember Me when you sign in.
|
- Persistent cookie: The `remember_user_token` is a cookie with an expiration date of two weeks. GitLab activates this cookie if you click Remember Me when you sign in.
|
||||||
|
|
||||||
By default, the server sets a time-to-live (TTL) of 1-week on any session that is used.
|
By default, the server sets a time-to-live (TTL) of 1-week on any session that is used.
|
||||||
|
|
||||||
|
|
|
@ -100,7 +100,7 @@ as it most likely won't work if you set an [`MX` record](dns_concepts.md#mx-reco
|
||||||
|
|
||||||
Subdomains (`subdomain.example.com`) require:
|
Subdomains (`subdomain.example.com`) require:
|
||||||
|
|
||||||
- A DNS [CNAME record](dns_concepts.md#cname-record) record pointing your subdomain to the Pages server.
|
- A DNS [CNAME record](dns_concepts.md#cname-record) pointing your subdomain to the Pages server.
|
||||||
- A DNS [TXT record](dns_concepts.md#txt-record) to verify your domain's ownership.
|
- A DNS [TXT record](dns_concepts.md#txt-record) to verify your domain's ownership.
|
||||||
|
|
||||||
| From | DNS Record | To |
|
| From | DNS Record | To |
|
||||||
|
|
10
faraday-middleware-aws-signers-v4/.gitignore
vendored
10
faraday-middleware-aws-signers-v4/.gitignore
vendored
|
@ -1,10 +0,0 @@
|
||||||
/.bundle/
|
|
||||||
/.yardoc
|
|
||||||
/Gemfile.lock
|
|
||||||
/_yardoc/
|
|
||||||
/coverage/
|
|
||||||
/doc/
|
|
||||||
/pkg/
|
|
||||||
/spec/reports/
|
|
||||||
/tmp/
|
|
||||||
test.rb
|
|
|
@ -1,2 +0,0 @@
|
||||||
--color
|
|
||||||
--require spec_helper
|
|
|
@ -1,12 +0,0 @@
|
||||||
sudo: false
|
|
||||||
cache: bundler
|
|
||||||
language: ruby
|
|
||||||
rvm:
|
|
||||||
- 2.0.0
|
|
||||||
- 2.1.10
|
|
||||||
- 2.2.6
|
|
||||||
- 2.3.3
|
|
||||||
- 2.4.0
|
|
||||||
script:
|
|
||||||
- bundle install
|
|
||||||
- bundle exec rake
|
|
|
@ -1,4 +0,0 @@
|
||||||
source 'https://rubygems.org'
|
|
||||||
|
|
||||||
# Specify your gem's dependencies in faraday_middleware-aws-signers-v4.gemspec
|
|
||||||
gemspec
|
|
|
@ -1,21 +0,0 @@
|
||||||
The MIT License (MIT)
|
|
||||||
|
|
||||||
Copyright (c) 2015 Genki Sugawara
|
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
of this software and associated documentation files (the "Software"), to deal
|
|
||||||
in the Software without restriction, including without limitation the rights
|
|
||||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
copies of the Software, and to permit persons to whom the Software is
|
|
||||||
furnished to do so, subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice shall be included in
|
|
||||||
all copies or substantial portions of the Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
||||||
THE SOFTWARE.
|
|
|
@ -1,67 +0,0 @@
|
||||||
# FaradayMiddleware::AwsSignersV4
|
|
||||||
|
|
||||||
[Faraday](https://github.com/lostisland/faraday) middleware for AWS Signature Version 4.
|
|
||||||
|
|
||||||
[![Gem Version](https://badge.fury.io/rb/faraday_middleware-aws-signers-v4.svg)](http://badge.fury.io/rb/faraday_middleware-aws-signers-v4)
|
|
||||||
[![Build Status](https://travis-ci.org/winebarrel/faraday_middleware-aws-signers-v4.svg)](https://travis-ci.org/winebarrel/faraday_middleware-aws-signers-v4)
|
|
||||||
[![Coverage Status](https://coveralls.io/repos/winebarrel/faraday_middleware-aws-signers-v4/badge.svg?branch=master&service=github)](https://coveralls.io/github/winebarrel/faraday_middleware-aws-signers-v4?branch=master)
|
|
||||||
|
|
||||||
**Currently developing new gem to support aws-sdk-v3.**
|
|
||||||
|
|
||||||
**see https://github.com/winebarrel/faraday_middleware-aws-sigv4**
|
|
||||||
|
|
||||||
## Installation
|
|
||||||
|
|
||||||
Add this line to your application's Gemfile:
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
gem 'faraday_middleware-aws-signers-v4'
|
|
||||||
```
|
|
||||||
|
|
||||||
And then execute:
|
|
||||||
|
|
||||||
$ bundle
|
|
||||||
|
|
||||||
Or install it yourself as:
|
|
||||||
|
|
||||||
$ gem install faraday_middleware-aws-signers-v4
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
require 'faraday_middleware'
|
|
||||||
require 'faraday_middleware/aws_signers_v4'
|
|
||||||
require 'pp'
|
|
||||||
|
|
||||||
conn = Faraday.new(url: 'https://apigateway.us-east-1.amazonaws.com') do |faraday|
|
|
||||||
faraday.request :aws_signers_v4,
|
|
||||||
credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']),
|
|
||||||
# If you use the credentials file:
|
|
||||||
#credentials: Aws::SharedCredentials.new.credentials,
|
|
||||||
service_name: 'apigateway',
|
|
||||||
region: 'us-east-1'
|
|
||||||
|
|
||||||
faraday.response :json, :content_type => /\bjson\b/
|
|
||||||
faraday.response :raise_error
|
|
||||||
|
|
||||||
faraday.adapter Faraday.default_adapter
|
|
||||||
end
|
|
||||||
|
|
||||||
res = conn.get '/account'
|
|
||||||
pp res.body
|
|
||||||
# => {"accountUpdate"=>
|
|
||||||
# {"name"=>nil,
|
|
||||||
# "template"=>false,
|
|
||||||
# "templateSkipList"=>nil,
|
|
||||||
# "title"=>nil,
|
|
||||||
# "updateAccountInput"=>nil},
|
|
||||||
# "cloudwatchRoleArn"=>nil,
|
|
||||||
# "self"=>
|
|
||||||
# {"__type"=>
|
|
||||||
# "GetAccountRequest:http://internal.amazon.com/coral/com.amazonaws.backplane.controlplane/",
|
|
||||||
# "name"=>nil,
|
|
||||||
# "template"=>false,
|
|
||||||
# "templateSkipList"=>nil,
|
|
||||||
# "title"=>nil},
|
|
||||||
# "throttleSettings"=>{"burstLimit"=>1000, "rateLimit"=>500.0}}
|
|
||||||
```
|
|
|
@ -1,6 +0,0 @@
|
||||||
require 'bundler/gem_tasks'
|
|
||||||
require 'rspec/core/rake_task'
|
|
||||||
|
|
||||||
RSpec::Core::RakeTask.new(:spec)
|
|
||||||
|
|
||||||
task :default => :spec
|
|
|
@ -1,14 +0,0 @@
|
||||||
#!/usr/bin/env ruby
|
|
||||||
|
|
||||||
require "bundler/setup"
|
|
||||||
require "faraday_middleware/aws_signers_v4"
|
|
||||||
|
|
||||||
# You can add fixtures and/or initialization code here to make experimenting
|
|
||||||
# with your gem easier. You can also use a different console, if you like.
|
|
||||||
|
|
||||||
# (If you use this, don't forget to add pry to your Gemfile!)
|
|
||||||
# require "pry"
|
|
||||||
# Pry.start
|
|
||||||
|
|
||||||
require "irb"
|
|
||||||
IRB.start
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
set -euo pipefail
|
|
||||||
IFS=$'\n\t'
|
|
||||||
|
|
||||||
bundle install
|
|
||||||
|
|
||||||
# Do any other automated setup that you need to do here
|
|
|
@ -1,28 +0,0 @@
|
||||||
# coding: utf-8
|
|
||||||
Gem::Specification.new do |spec|
|
|
||||||
spec.name = 'faraday_middleware-aws-signers-v4'
|
|
||||||
spec.version = '0.1.9'
|
|
||||||
spec.authors = ['Genki Sugawara']
|
|
||||||
spec.email = ['sgwr_dts@yahoo.co.jp']
|
|
||||||
|
|
||||||
spec.summary = %q{Faraday middleware for AWS Signature Version 4.}
|
|
||||||
spec.description = %q{Faraday middleware for AWS Signature Version 4.}
|
|
||||||
spec.homepage = 'https://github.com/winebarrel/faraday_middleware-aws-signers-v4'
|
|
||||||
spec.license = 'MIT'
|
|
||||||
|
|
||||||
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
|
||||||
spec.bindir = 'exe'
|
|
||||||
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
|
||||||
spec.require_paths = ['lib']
|
|
||||||
|
|
||||||
spec.add_dependency 'faraday', '~> 0.9'
|
|
||||||
spec.add_dependency 'aws-sdk-resources', '>= 2', '< 3'
|
|
||||||
|
|
||||||
spec.add_development_dependency 'bundler'
|
|
||||||
spec.add_development_dependency 'rake'
|
|
||||||
spec.add_development_dependency 'rspec', '>= 3.0.0'
|
|
||||||
spec.add_development_dependency 'timecop'
|
|
||||||
spec.add_development_dependency 'faraday_middleware'
|
|
||||||
spec.add_development_dependency 'coveralls'
|
|
||||||
spec.add_development_dependency 'webmock'
|
|
||||||
end
|
|
|
@ -1 +0,0 @@
|
||||||
require 'faraday_middleware/aws_signers_v4'
|
|
|
@ -1,8 +0,0 @@
|
||||||
require 'aws-sdk-resources'
|
|
||||||
require 'faraday'
|
|
||||||
|
|
||||||
module FaradayMiddleware
|
|
||||||
autoload :AwsSignersV4, 'faraday_middleware/request/aws_signers_v4'
|
|
||||||
|
|
||||||
Faraday::Request.register_middleware :aws_signers_v4 => lambda { AwsSignersV4 }
|
|
||||||
end
|
|
|
@ -1,13 +0,0 @@
|
||||||
require 'aws-sdk-core/signers/v4'
|
|
||||||
|
|
||||||
module AwsSignersV4Ext
|
|
||||||
def signed_headers(request)
|
|
||||||
super.downcase
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
class Aws::Signers::V4
|
|
||||||
unless Aws::Signers::V4 < AwsSignersV4Ext
|
|
||||||
prepend AwsSignersV4Ext
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,25 +0,0 @@
|
||||||
require 'uri'
|
|
||||||
require 'aws-sdk-resources'
|
|
||||||
|
|
||||||
module URI
|
|
||||||
def self.seahorse_encode_www_form(params)
|
|
||||||
params.map {|key, value|
|
|
||||||
encoded_key = encode_www_form_component(key)
|
|
||||||
|
|
||||||
if value.nil?
|
|
||||||
encoded_key
|
|
||||||
elsif value.respond_to?(:to_ary)
|
|
||||||
value.to_ary.map {|v|
|
|
||||||
if v.nil?
|
|
||||||
# bug?
|
|
||||||
#encoded_key
|
|
||||||
else
|
|
||||||
encoded_key + '=' + Seahorse::Util.uri_escape(v)
|
|
||||||
end
|
|
||||||
}.join('&')
|
|
||||||
else
|
|
||||||
encoded_key + '=' + Seahorse::Util.uri_escape(value)
|
|
||||||
end
|
|
||||||
}.join('&')
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,57 +0,0 @@
|
||||||
require 'faraday_middleware/ext/uri_ext'
|
|
||||||
require 'faraday_middleware/aws_signers_v4_ext'
|
|
||||||
|
|
||||||
class FaradayMiddleware::AwsSignersV4 < Faraday::Middleware
|
|
||||||
class Request
|
|
||||||
def initialize(env)
|
|
||||||
@env = env
|
|
||||||
end
|
|
||||||
|
|
||||||
def headers
|
|
||||||
@env.request_headers
|
|
||||||
end
|
|
||||||
|
|
||||||
def body
|
|
||||||
@env.body || ''
|
|
||||||
end
|
|
||||||
|
|
||||||
def endpoint
|
|
||||||
url = @env.url.dup
|
|
||||||
|
|
||||||
# Escape the query string or the request won't sign correctly
|
|
||||||
if url and url.query
|
|
||||||
re_escape_query!(url)
|
|
||||||
end
|
|
||||||
|
|
||||||
url
|
|
||||||
end
|
|
||||||
|
|
||||||
def http_method
|
|
||||||
@env.method.to_s.upcase
|
|
||||||
end
|
|
||||||
|
|
||||||
private
|
|
||||||
|
|
||||||
def re_escape_query!(url)
|
|
||||||
params = URI.decode_www_form(url.query)
|
|
||||||
|
|
||||||
if params.any? {|k, v| v =~ / / }
|
|
||||||
url.query = URI.seahorse_encode_www_form(params)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end # of class Request
|
|
||||||
|
|
||||||
def initialize(app, options = nil)
|
|
||||||
super(app)
|
|
||||||
|
|
||||||
@credentials = options.fetch(:credentials)
|
|
||||||
@service_name = options.fetch(:service_name)
|
|
||||||
@region = options.fetch(:region)
|
|
||||||
end
|
|
||||||
|
|
||||||
def call(env)
|
|
||||||
req = Request.new(env)
|
|
||||||
Aws::Signers::V4.new(@credentials, @service_name, @region).sign(req)
|
|
||||||
@app.call(env)
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -67,7 +67,7 @@ module API
|
||||||
deploy_token_from_request ||
|
deploy_token_from_request ||
|
||||||
find_user_from_bearer_token ||
|
find_user_from_bearer_token ||
|
||||||
find_user_from_job_token ||
|
find_user_from_job_token ||
|
||||||
find_user_from_warden
|
user_from_warden
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
@ -100,6 +100,25 @@ module API
|
||||||
def user_allowed_or_deploy_token?(user)
|
def user_allowed_or_deploy_token?(user)
|
||||||
Gitlab::UserAccess.new(user).allowed? || user.is_a?(DeployToken)
|
Gitlab::UserAccess.new(user).allowed? || user.is_a?(DeployToken)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def user_from_warden
|
||||||
|
user = find_user_from_warden
|
||||||
|
|
||||||
|
return unless user
|
||||||
|
return if two_factor_required_but_not_setup?(user)
|
||||||
|
|
||||||
|
user
|
||||||
|
end
|
||||||
|
|
||||||
|
def two_factor_required_but_not_setup?(user)
|
||||||
|
verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(user)
|
||||||
|
|
||||||
|
if verifier.two_factor_authentication_required? && verifier.current_user_needs_to_setup_two_factor?
|
||||||
|
verifier.two_factor_grace_period_expired?
|
||||||
|
else
|
||||||
|
false
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
class_methods do
|
class_methods do
|
||||||
|
|
|
@ -109,9 +109,10 @@ module API
|
||||||
end
|
end
|
||||||
put ":id/badges/:badge_id" do
|
put ":id/badges/:badge_id" do
|
||||||
source = find_source_if_admin(source_type)
|
source = find_source_if_admin(source_type)
|
||||||
|
badge = find_badge(source)
|
||||||
|
|
||||||
badge = ::Badges::UpdateService.new(declared_params(include_missing: false))
|
badge = ::Badges::UpdateService.new(declared_params(include_missing: false))
|
||||||
.execute(find_badge(source))
|
.execute(badge)
|
||||||
|
|
||||||
if badge.valid?
|
if badge.valid?
|
||||||
present_badges(source, badge)
|
present_badges(source, badge)
|
||||||
|
@ -130,10 +131,6 @@ module API
|
||||||
source = find_source_if_admin(source_type)
|
source = find_source_if_admin(source_type)
|
||||||
badge = find_badge(source)
|
badge = find_badge(source)
|
||||||
|
|
||||||
if badge.is_a?(GroupBadge) && source.is_a?(Project)
|
|
||||||
error!('To delete a Group badge please use the Group endpoint', 403)
|
|
||||||
end
|
|
||||||
|
|
||||||
destroy_conditionally!(badge)
|
destroy_conditionally!(badge)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -26,6 +26,8 @@ module API
|
||||||
PACKAGE_COMPONENT_REGEX = Gitlab::Regex.conan_recipe_component_regex
|
PACKAGE_COMPONENT_REGEX = Gitlab::Regex.conan_recipe_component_regex
|
||||||
CONAN_REVISION_REGEX = Gitlab::Regex.conan_revision_regex
|
CONAN_REVISION_REGEX = Gitlab::Regex.conan_revision_regex
|
||||||
|
|
||||||
|
CONAN_FILES = (Gitlab::Regex::Packages::CONAN_RECIPE_FILES + Gitlab::Regex::Packages::CONAN_PACKAGE_FILES).freeze
|
||||||
|
|
||||||
before do
|
before do
|
||||||
require_packages_enabled!
|
require_packages_enabled!
|
||||||
|
|
||||||
|
@ -233,7 +235,7 @@ module API
|
||||||
end
|
end
|
||||||
|
|
||||||
params do
|
params do
|
||||||
requires :file_name, type: String, desc: 'Package file name', regexp: Gitlab::Regex.conan_file_name_regex
|
requires :file_name, type: String, desc: 'Package file name', values: CONAN_FILES
|
||||||
end
|
end
|
||||||
namespace 'export/:file_name', requirements: FILE_NAME_REQUIREMENTS do
|
namespace 'export/:file_name', requirements: FILE_NAME_REQUIREMENTS do
|
||||||
desc 'Download recipe files' do
|
desc 'Download recipe files' do
|
||||||
|
@ -248,7 +250,7 @@ module API
|
||||||
detail 'This feature was introduced in GitLab 12.6'
|
detail 'This feature was introduced in GitLab 12.6'
|
||||||
end
|
end
|
||||||
params do
|
params do
|
||||||
use :workhorse_upload_params
|
requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)'
|
||||||
end
|
end
|
||||||
route_setting :authentication, job_token_allowed: true
|
route_setting :authentication, job_token_allowed: true
|
||||||
put do
|
put do
|
||||||
|
@ -267,7 +269,7 @@ module API
|
||||||
params do
|
params do
|
||||||
requires :conan_package_reference, type: String, desc: 'Conan Package ID'
|
requires :conan_package_reference, type: String, desc: 'Conan Package ID'
|
||||||
requires :package_revision, type: String, desc: 'Conan Package Revision'
|
requires :package_revision, type: String, desc: 'Conan Package Revision'
|
||||||
requires :file_name, type: String, desc: 'Package file name', regexp: Gitlab::Regex.conan_file_name_regex
|
requires :file_name, type: String, desc: 'Package file name', values: CONAN_FILES
|
||||||
end
|
end
|
||||||
namespace 'package/:conan_package_reference/:package_revision/:file_name', requirements: FILE_NAME_REQUIREMENTS do
|
namespace 'package/:conan_package_reference/:package_revision/:file_name', requirements: FILE_NAME_REQUIREMENTS do
|
||||||
desc 'Download package files' do
|
desc 'Download package files' do
|
||||||
|
@ -290,7 +292,7 @@ module API
|
||||||
detail 'This feature was introduced in GitLab 12.6'
|
detail 'This feature was introduced in GitLab 12.6'
|
||||||
end
|
end
|
||||||
params do
|
params do
|
||||||
use :workhorse_upload_params
|
requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)'
|
||||||
end
|
end
|
||||||
route_setting :authentication, job_token_allowed: true
|
route_setting :authentication, job_token_allowed: true
|
||||||
put do
|
put do
|
||||||
|
|
|
@ -6,7 +6,13 @@ module API
|
||||||
include ::API::Helpers::MembersHelpers
|
include ::API::Helpers::MembersHelpers
|
||||||
|
|
||||||
def find_badge(source)
|
def find_badge(source)
|
||||||
source.badges.find(params[:badge_id])
|
badge_id = params[:badge_id]
|
||||||
|
|
||||||
|
if source.is_a?(Project)
|
||||||
|
source.project_badges.find(badge_id)
|
||||||
|
else
|
||||||
|
source.badges.find(badge_id)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def present_badges(source, records, options = {})
|
def present_badges(source, records, options = {})
|
||||||
|
|
|
@ -125,15 +125,15 @@ module API
|
||||||
end
|
end
|
||||||
|
|
||||||
def track_push_package_event
|
def track_push_package_event
|
||||||
if params[:file_name] == ::Packages::Conan::FileMetadatum::PACKAGE_BINARY && params['file.size'] > 0
|
if params[:file_name] == ::Packages::Conan::FileMetadatum::PACKAGE_BINARY && params[:file].size > 0 # rubocop: disable Style/ZeroLengthPredicate
|
||||||
track_event('push_package')
|
track_event('push_package')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_package_file_with_type(file_type, current_package)
|
def create_package_file_with_type(file_type, current_package)
|
||||||
unless params['file.size'] == 0
|
unless params[:file].size == 0 # rubocop: disable Style/ZeroLengthPredicate
|
||||||
# conan sends two upload requests, the first has no file, so we skip record creation if file.size == 0
|
# conan sends two upload requests, the first has no file, so we skip record creation if file.size == 0
|
||||||
::Packages::Conan::CreatePackageFileService.new(current_package, uploaded_package_file, params.merge(conan_file_type: file_type)).execute
|
::Packages::Conan::CreatePackageFileService.new(current_package, params[:file], params.merge(conan_file_type: file_type)).execute
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -204,7 +204,7 @@ module API
|
||||||
|
|
||||||
return unless token
|
return unless token
|
||||||
|
|
||||||
::Ci::Build.find_by_token(token.access_token_id.to_s)
|
::Ci::AuthJobFinder.new(token: token.access_token_id.to_s).execute
|
||||||
end
|
end
|
||||||
|
|
||||||
def decode_oauth_token_from_jwt
|
def decode_oauth_token_from_jwt
|
||||||
|
|
|
@ -33,7 +33,7 @@ module API
|
||||||
|
|
||||||
return unless token
|
return unless token
|
||||||
|
|
||||||
::Ci::Build.find_by_token(token)
|
::Ci::AuthJobFinder.new(token: token).execute
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_deploy_token_from_http_basic_auth
|
def find_deploy_token_from_http_basic_auth
|
||||||
|
|
|
@ -25,11 +25,13 @@ module Gitlab
|
||||||
project_repositories_archive: { threshold: 5, interval: 1.minute },
|
project_repositories_archive: { threshold: 5, interval: 1.minute },
|
||||||
project_generate_new_export: { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
|
project_generate_new_export: { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
|
||||||
project_import: { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
|
project_import: { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
|
||||||
|
project_testing_hook: { threshold: 5, interval: 1.minute },
|
||||||
play_pipeline_schedule: { threshold: 1, interval: 1.minute },
|
play_pipeline_schedule: { threshold: 1, interval: 1.minute },
|
||||||
show_raw_controller: { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
|
show_raw_controller: { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
|
||||||
group_export: { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
|
group_export: { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
|
||||||
group_download_export: { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
|
group_download_export: { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
|
||||||
group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }
|
group_import: { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
|
||||||
|
group_testing_hook: { threshold: 5, interval: 1.minute }
|
||||||
}.freeze
|
}.freeze
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -63,7 +63,15 @@ module Gitlab
|
||||||
raise Gitlab::Auth::MissingPersonalAccessTokenError
|
raise Gitlab::Auth::MissingPersonalAccessTokenError
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_with_user_password(login, password)
|
# Find and return a user if the provided password is valid for various
|
||||||
|
# authenticators (OAuth, LDAP, Local Database).
|
||||||
|
#
|
||||||
|
# Specify `increment_failed_attempts: true` to increment Devise `failed_attempts`.
|
||||||
|
# CAUTION: Avoid incrementing failed attempts when authentication falls through
|
||||||
|
# different mechanisms, as in `.find_for_git_client`. This may lead to
|
||||||
|
# unwanted access locks when the value provided for `password` was actually
|
||||||
|
# a PAT, deploy token, etc.
|
||||||
|
def find_with_user_password(login, password, increment_failed_attempts: false)
|
||||||
# Avoid resource intensive checks if login credentials are not provided
|
# Avoid resource intensive checks if login credentials are not provided
|
||||||
return unless login.present? && password.present?
|
return unless login.present? && password.present?
|
||||||
|
|
||||||
|
@ -94,10 +102,14 @@ module Gitlab
|
||||||
authenticators.compact!
|
authenticators.compact!
|
||||||
|
|
||||||
# return found user that was authenticated first for given login credentials
|
# return found user that was authenticated first for given login credentials
|
||||||
authenticators.find do |auth|
|
authenticated_user = authenticators.find do |auth|
|
||||||
authenticated_user = auth.login(login, password)
|
authenticated_user = auth.login(login, password)
|
||||||
break authenticated_user if authenticated_user
|
break authenticated_user if authenticated_user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
user_auth_attempt!(user, success: !!authenticated_user) if increment_failed_attempts
|
||||||
|
|
||||||
|
authenticated_user
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -220,6 +232,8 @@ module Gitlab
|
||||||
|
|
||||||
# Registry access (with jwt) does not have access to project
|
# Registry access (with jwt) does not have access to project
|
||||||
return if project && !token.has_access_to?(project)
|
return if project && !token.has_access_to?(project)
|
||||||
|
# When repository is disabled, no resources are accessible via Deploy Token
|
||||||
|
return if project&.repository_access_level == ::ProjectFeature::DISABLED
|
||||||
|
|
||||||
scopes = abilities_for_scopes(token.scopes)
|
scopes = abilities_for_scopes(token.scopes)
|
||||||
|
|
||||||
|
@ -353,6 +367,13 @@ module Gitlab
|
||||||
def find_build_by_token(token)
|
def find_build_by_token(token)
|
||||||
::Ci::Build.running.find_by_token(token)
|
::Ci::Build.running.find_by_token(token)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def user_auth_attempt!(user, success:)
|
||||||
|
return unless user && Gitlab::Database.read_write?
|
||||||
|
return user.unlock_access! if success
|
||||||
|
|
||||||
|
user.increment_failed_attempts!
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -68,9 +68,7 @@ module Gitlab
|
||||||
current_request.env[JOB_TOKEN_HEADER].presence
|
current_request.env[JOB_TOKEN_HEADER].presence
|
||||||
return unless token
|
return unless token
|
||||||
|
|
||||||
job = ::Ci::Build.find_by_token(token)
|
job = find_valid_running_job_by_token!(token)
|
||||||
raise UnauthorizedError unless job
|
|
||||||
|
|
||||||
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||||
|
|
||||||
job.user
|
job.user
|
||||||
|
@ -83,9 +81,7 @@ module Gitlab
|
||||||
return unless login.present? && password.present?
|
return unless login.present? && password.present?
|
||||||
return unless ::Ci::Build::CI_REGISTRY_USER == login
|
return unless ::Ci::Build::CI_REGISTRY_USER == login
|
||||||
|
|
||||||
job = ::Ci::Build.find_by_token(password)
|
job = find_valid_running_job_by_token!(password)
|
||||||
raise UnauthorizedError unless job
|
|
||||||
|
|
||||||
job.user
|
job.user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -169,7 +165,7 @@ module Gitlab
|
||||||
token = parsed_oauth_token
|
token = parsed_oauth_token
|
||||||
return unless token
|
return unless token
|
||||||
|
|
||||||
job = ::Ci::Build.find_by_token(token)
|
job = ::Ci::AuthJobFinder.new(token: token).execute
|
||||||
return unless job
|
return unless job
|
||||||
|
|
||||||
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||||
|
@ -294,6 +290,12 @@ module Gitlab
|
||||||
def blob_request?
|
def blob_request?
|
||||||
current_request.path.include?('/raw/')
|
current_request.path.include?('/raw/')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def find_valid_running_job_by_token!(token)
|
||||||
|
::Ci::AuthJobFinder.new(token: token).execute.tap do |job|
|
||||||
|
raise UnauthorizedError unless job
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
36
lib/gitlab/auth/two_factor_auth_verifier.rb
Normal file
36
lib/gitlab/auth/two_factor_auth_verifier.rb
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Gitlab
|
||||||
|
module Auth
|
||||||
|
class TwoFactorAuthVerifier
|
||||||
|
attr_reader :current_user
|
||||||
|
|
||||||
|
def initialize(current_user)
|
||||||
|
@current_user = current_user
|
||||||
|
end
|
||||||
|
|
||||||
|
def two_factor_authentication_required?
|
||||||
|
Gitlab::CurrentSettings.require_two_factor_authentication? ||
|
||||||
|
current_user&.require_two_factor_authentication_from_group?
|
||||||
|
end
|
||||||
|
|
||||||
|
def current_user_needs_to_setup_two_factor?
|
||||||
|
current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled?
|
||||||
|
end
|
||||||
|
|
||||||
|
def two_factor_grace_period
|
||||||
|
periods = [Gitlab::CurrentSettings.two_factor_grace_period]
|
||||||
|
periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group?
|
||||||
|
periods.min
|
||||||
|
end
|
||||||
|
|
||||||
|
def two_factor_grace_period_expired?
|
||||||
|
time = current_user&.otp_grace_period_started_at
|
||||||
|
|
||||||
|
return false unless time
|
||||||
|
|
||||||
|
two_factor_grace_period.hours.since(time) < Time.current
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -91,6 +91,13 @@ module Gitlab
|
||||||
Guest.can?(:download_code, project)
|
Guest.can?(:download_code, project)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def deploy_key_can_download_code?
|
||||||
|
authentication_abilities.include?(:download_code) &&
|
||||||
|
deploy_key? &&
|
||||||
|
deploy_key.has_access_to?(container) &&
|
||||||
|
project&.repository_access_level != ::Featurable::DISABLED
|
||||||
|
end
|
||||||
|
|
||||||
def user_can_download_code?
|
def user_can_download_code?
|
||||||
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
|
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
|
||||||
end
|
end
|
||||||
|
@ -235,7 +242,7 @@ module Gitlab
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_download_access!
|
def check_download_access!
|
||||||
passed = deploy_key? ||
|
passed = deploy_key_can_download_code? ||
|
||||||
deploy_token? ||
|
deploy_token? ||
|
||||||
user_can_download_code? ||
|
user_can_download_code? ||
|
||||||
build_can_download_code? ||
|
build_can_download_code? ||
|
||||||
|
|
|
@ -6,11 +6,6 @@ module Gitlab
|
||||||
CONAN_RECIPE_FILES = %w[conanfile.py conanmanifest.txt].freeze
|
CONAN_RECIPE_FILES = %w[conanfile.py conanmanifest.txt].freeze
|
||||||
CONAN_PACKAGE_FILES = %w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
|
CONAN_PACKAGE_FILES = %w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
|
||||||
|
|
||||||
def conan_file_name_regex
|
|
||||||
@conan_file_name_regex ||=
|
|
||||||
%r{\A#{(CONAN_RECIPE_FILES + CONAN_PACKAGE_FILES).join("|")}\z}.freeze
|
|
||||||
end
|
|
||||||
|
|
||||||
def conan_package_reference_regex
|
def conan_package_reference_regex
|
||||||
@conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}.freeze
|
@conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}.freeze
|
||||||
end
|
end
|
||||||
|
|
|
@ -2730,6 +2730,9 @@ msgstr ""
|
||||||
msgid "An error occurred while validating username"
|
msgid "An error occurred while validating username"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
msgid "An error occurred. Please sign in again."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
msgid "An error occurred. Please try again."
|
msgid "An error occurred. Please try again."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -3143,7 +3146,7 @@ msgstr ""
|
||||||
msgid "Are you sure? Removing this GPG key does not affect already signed commits."
|
msgid "Are you sure? Removing this GPG key does not affect already signed commits."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
msgid "Are you sure? The device will be signed out of GitLab."
|
msgid "Are you sure? The device will be signed out of GitLab and all remember me tokens revoked."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
msgid "Are you sure? This will invalidate your registered applications and U2F devices."
|
msgid "Are you sure? This will invalidate your registered applications and U2F devices."
|
||||||
|
|
|
@ -94,7 +94,7 @@
|
||||||
"ipaddr.js": "^1.9.1",
|
"ipaddr.js": "^1.9.1",
|
||||||
"jed": "^1.1.1",
|
"jed": "^1.1.1",
|
||||||
"jest-transform-graphql": "^2.1.0",
|
"jest-transform-graphql": "^2.1.0",
|
||||||
"jquery": "^3.4.1",
|
"jquery": "^3.5.0",
|
||||||
"jquery-ujs": "1.2.2",
|
"jquery-ujs": "1.2.2",
|
||||||
"jquery.caret": "^0.3.1",
|
"jquery.caret": "^0.3.1",
|
||||||
"jquery.waitforimages": "^2.2.0",
|
"jquery.waitforimages": "^2.2.0",
|
||||||
|
|
|
@ -40,7 +40,7 @@ RSpec.describe Admin::ApplicationsController do
|
||||||
|
|
||||||
describe 'POST #create' do
|
describe 'POST #create' do
|
||||||
it 'creates the application' do
|
it 'creates the application' do
|
||||||
create_params = attributes_for(:application, trusted: true, confidential: false)
|
create_params = attributes_for(:application, trusted: true, confidential: false, scopes: ['api'])
|
||||||
|
|
||||||
expect do
|
expect do
|
||||||
post :create, params: { doorkeeper_application: create_params }
|
post :create, params: { doorkeeper_application: create_params }
|
||||||
|
@ -63,7 +63,7 @@ RSpec.describe Admin::ApplicationsController do
|
||||||
|
|
||||||
context 'when the params are for a confidential application' do
|
context 'when the params are for a confidential application' do
|
||||||
it 'creates a confidential application' do
|
it 'creates a confidential application' do
|
||||||
create_params = attributes_for(:application, confidential: true)
|
create_params = attributes_for(:application, confidential: true, scopes: ['read_user'])
|
||||||
|
|
||||||
expect do
|
expect do
|
||||||
post :create, params: { doorkeeper_application: create_params }
|
post :create, params: { doorkeeper_application: create_params }
|
||||||
|
@ -75,6 +75,18 @@ RSpec.describe Admin::ApplicationsController do
|
||||||
expect(application).to have_attributes(create_params.except(:uid, :owner_type))
|
expect(application).to have_attributes(create_params.except(:uid, :owner_type))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when scopes are not present' do
|
||||||
|
it 'renders the application form on errors' do
|
||||||
|
create_params = attributes_for(:application, trusted: true, confidential: false)
|
||||||
|
|
||||||
|
expect do
|
||||||
|
post :create, params: { doorkeeper_application: create_params }
|
||||||
|
end.not_to change { Doorkeeper::Application.count }
|
||||||
|
|
||||||
|
expect(response).to render_template :new
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'PATCH #update' do
|
describe 'PATCH #update' do
|
||||||
|
|
|
@ -99,7 +99,9 @@ RSpec.describe Admin::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'GET #new' do
|
describe 'GET #new' do
|
||||||
def get_new(provider: 'gcp')
|
let(:user) { admin }
|
||||||
|
|
||||||
|
def go(provider: 'gcp')
|
||||||
get :new, params: { provider: provider }
|
get :new, params: { provider: provider }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -112,7 +114,7 @@ RSpec.describe Admin::ClustersController do
|
||||||
|
|
||||||
context 'when selected provider is gke and no valid gcp token exists' do
|
context 'when selected provider is gke and no valid gcp token exists' do
|
||||||
it 'redirects to gcp authorize_url' do
|
it 'redirects to gcp authorize_url' do
|
||||||
get_new
|
go
|
||||||
|
|
||||||
expect(response).to redirect_to(assigns(:authorize_url))
|
expect(response).to redirect_to(assigns(:authorize_url))
|
||||||
end
|
end
|
||||||
|
@ -125,7 +127,7 @@ RSpec.describe Admin::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'does not have authorize_url' do
|
it 'does not have authorize_url' do
|
||||||
get_new
|
go
|
||||||
|
|
||||||
expect(assigns(:authorize_url)).to be_nil
|
expect(assigns(:authorize_url)).to be_nil
|
||||||
end
|
end
|
||||||
|
@ -137,7 +139,7 @@ RSpec.describe Admin::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'has new object' do
|
it 'has new object' do
|
||||||
get_new
|
go
|
||||||
|
|
||||||
expect(assigns(:gcp_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
|
expect(assigns(:gcp_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
|
||||||
end
|
end
|
||||||
|
@ -158,16 +160,18 @@ RSpec.describe Admin::ClustersController do
|
||||||
|
|
||||||
describe 'functionality for existing cluster' do
|
describe 'functionality for existing cluster' do
|
||||||
it 'has new object' do
|
it 'has new object' do
|
||||||
get_new
|
go
|
||||||
|
|
||||||
expect(assigns(:user_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
|
expect(assigns(:user_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include_examples 'GET new cluster shared examples'
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
it { expect { get_new }.to be_allowed_for(:admin) }
|
it { expect { go }.to be_allowed_for(:admin) }
|
||||||
it { expect { get_new }.to be_denied_for(:user) }
|
it { expect { go }.to be_denied_for(:user) }
|
||||||
it { expect { get_new }.to be_denied_for(:external) }
|
it { expect { go }.to be_denied_for(:external) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -424,14 +428,13 @@ RSpec.describe Admin::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'POST authorize AWS role for EKS cluster' do
|
describe 'POST authorize AWS role for EKS cluster' do
|
||||||
let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
|
let!(:role) { create(:aws_role, user: admin) }
|
||||||
let(:role_external_id) { '12345' }
|
|
||||||
|
|
||||||
|
let(:role_arn) { 'arn:new-role' }
|
||||||
let(:params) do
|
let(:params) do
|
||||||
{
|
{
|
||||||
cluster: {
|
cluster: {
|
||||||
role_arn: role_arn,
|
role_arn: role_arn
|
||||||
role_external_id: role_external_id
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -445,28 +448,32 @@ RSpec.describe Admin::ClustersController do
|
||||||
.and_return(double(execute: double))
|
.and_return(double(execute: double))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates an Aws::Role record' do
|
it 'updates the associated role with the supplied ARN' do
|
||||||
expect { go }.to change { Aws::Role.count }
|
go
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:ok)
|
expect(response).to have_gitlab_http_status(:ok)
|
||||||
|
expect(role.reload.role_arn).to eq(role_arn)
|
||||||
role = Aws::Role.last
|
|
||||||
expect(role.user).to eq admin
|
|
||||||
expect(role.role_arn).to eq role_arn
|
|
||||||
expect(role.role_external_id).to eq role_external_id
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'role cannot be created' do
|
context 'supplied role is invalid' do
|
||||||
let(:role_arn) { 'invalid-role' }
|
let(:role_arn) { 'invalid-role' }
|
||||||
|
|
||||||
it 'does not create a record' do
|
it 'does not update the associated role' do
|
||||||
expect { go }.not_to change { Aws::Role.count }
|
expect { go }.not_to change { role.role_arn }
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
|
before do
|
||||||
|
allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
|
||||||
|
response = double(status: :ok, body: double)
|
||||||
|
|
||||||
|
allow(service).to receive(:execute).and_return(response)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
it { expect { go }.to be_allowed_for(:admin) }
|
it { expect { go }.to be_allowed_for(:admin) }
|
||||||
it { expect { go }.to be_denied_for(:user) }
|
it { expect { go }.to be_denied_for(:user) }
|
||||||
it { expect { go }.to be_denied_for(:external) }
|
it { expect { go }.to be_denied_for(:external) }
|
||||||
|
|
|
@ -239,6 +239,7 @@ RSpec.describe ApplicationController do
|
||||||
|
|
||||||
it 'does not redirect if 2FA is not required' do
|
it 'does not redirect if 2FA is not required' do
|
||||||
allow(controller).to receive(:two_factor_authentication_required?).and_return(false)
|
allow(controller).to receive(:two_factor_authentication_required?).and_return(false)
|
||||||
|
allow(controller).to receive(:current_user).and_return(create(:user))
|
||||||
|
|
||||||
expect(controller).not_to receive(:redirect_to)
|
expect(controller).not_to receive(:redirect_to)
|
||||||
|
|
||||||
|
@ -356,13 +357,17 @@ RSpec.describe ApplicationController do
|
||||||
let(:user) { create :user, otp_grace_period_started_at: 2.hours.ago }
|
let(:user) { create :user, otp_grace_period_started_at: 2.hours.ago }
|
||||||
|
|
||||||
it 'returns true if the grace period has expired' do
|
it 'returns true if the grace period has expired' do
|
||||||
allow(controller).to receive(:two_factor_grace_period).and_return(1)
|
allow_next_instance_of(Gitlab::Auth::TwoFactorAuthVerifier) do |verifier|
|
||||||
|
allow(verifier).to receive(:two_factor_grace_period).and_return(2)
|
||||||
|
end
|
||||||
|
|
||||||
expect(subject).to be_truthy
|
expect(subject).to be_truthy
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns false if the grace period is still active' do
|
it 'returns false if the grace period is still active' do
|
||||||
allow(controller).to receive(:two_factor_grace_period).and_return(3)
|
allow_next_instance_of(Gitlab::Auth::TwoFactorAuthVerifier) do |verifier|
|
||||||
|
allow(verifier).to receive(:two_factor_grace_period).and_return(3)
|
||||||
|
end
|
||||||
|
|
||||||
expect(subject).to be_falsey
|
expect(subject).to be_falsey
|
||||||
end
|
end
|
||||||
|
|
|
@ -180,6 +180,8 @@ RSpec.describe Groups::ClustersController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include_examples 'GET new cluster shared examples'
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
it { expect { go }.to be_allowed_for(:admin) }
|
it { expect { go }.to be_allowed_for(:admin) }
|
||||||
it { expect { go }.to be_allowed_for(:owner).of(group) }
|
it { expect { go }.to be_allowed_for(:owner).of(group) }
|
||||||
|
@ -493,14 +495,13 @@ RSpec.describe Groups::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'POST authorize AWS role for EKS cluster' do
|
describe 'POST authorize AWS role for EKS cluster' do
|
||||||
let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
|
let!(:role) { create(:aws_role, user: user) }
|
||||||
let(:role_external_id) { '12345' }
|
|
||||||
|
|
||||||
|
let(:role_arn) { 'arn:new-role' }
|
||||||
let(:params) do
|
let(:params) do
|
||||||
{
|
{
|
||||||
cluster: {
|
cluster: {
|
||||||
role_arn: role_arn,
|
role_arn: role_arn
|
||||||
role_external_id: role_external_id
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -514,28 +515,32 @@ RSpec.describe Groups::ClustersController do
|
||||||
.and_return(double(execute: double))
|
.and_return(double(execute: double))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates an Aws::Role record' do
|
it 'updates the associated role with the supplied ARN' do
|
||||||
expect { go }.to change { Aws::Role.count }
|
go
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:ok)
|
expect(response).to have_gitlab_http_status(:ok)
|
||||||
|
expect(role.reload.role_arn).to eq(role_arn)
|
||||||
role = Aws::Role.last
|
|
||||||
expect(role.user).to eq user
|
|
||||||
expect(role.role_arn).to eq role_arn
|
|
||||||
expect(role.role_external_id).to eq role_external_id
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'role cannot be created' do
|
context 'supplied role is invalid' do
|
||||||
let(:role_arn) { 'invalid-role' }
|
let(:role_arn) { 'invalid-role' }
|
||||||
|
|
||||||
it 'does not create a record' do
|
it 'does not update the associated role' do
|
||||||
expect { go }.not_to change { Aws::Role.count }
|
expect { go }.not_to change { role.role_arn }
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
|
before do
|
||||||
|
allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
|
||||||
|
response = double(status: :ok, body: double)
|
||||||
|
|
||||||
|
allow(service).to receive(:execute).and_return(response)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
it { expect { go }.to be_allowed_for(:admin) }
|
it { expect { go }.to be_allowed_for(:admin) }
|
||||||
it { expect { go }.to be_allowed_for(:owner).of(group) }
|
it { expect { go }.to be_allowed_for(:owner).of(group) }
|
||||||
it { expect { go }.to be_allowed_for(:maintainer).of(group) }
|
it { expect { go }.to be_allowed_for(:maintainer).of(group) }
|
||||||
|
|
|
@ -123,7 +123,8 @@ RSpec.describe Oauth::ApplicationsController do
|
||||||
invalid_uri_params = {
|
invalid_uri_params = {
|
||||||
doorkeeper_application: {
|
doorkeeper_application: {
|
||||||
name: 'foo',
|
name: 'foo',
|
||||||
redirect_uri: 'javascript://alert()'
|
redirect_uri: 'javascript://alert()',
|
||||||
|
scopes: ['api']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -133,6 +134,23 @@ RSpec.describe Oauth::ApplicationsController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when scopes are not present' do
|
||||||
|
render_views
|
||||||
|
|
||||||
|
it 'shows an error for blank scopes' do
|
||||||
|
invalid_uri_params = {
|
||||||
|
doorkeeper_application: {
|
||||||
|
name: 'foo',
|
||||||
|
redirect_uri: 'http://example.org'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
post :create, params: invalid_uri_params
|
||||||
|
|
||||||
|
expect(response.body).to include 'Scopes can't be blank'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
it_behaves_like 'redirects to login page when the user is not signed in'
|
it_behaves_like 'redirects to login page when the user is not signed in'
|
||||||
it_behaves_like 'redirects to 2fa setup page when the user requires it'
|
it_behaves_like 'redirects to 2fa setup page when the user requires it'
|
||||||
end
|
end
|
||||||
|
@ -172,7 +190,8 @@ RSpec.describe Oauth::ApplicationsController do
|
||||||
{
|
{
|
||||||
doorkeeper_application: {
|
doorkeeper_application: {
|
||||||
name: 'foo',
|
name: 'foo',
|
||||||
redirect_uri: 'http://example.org'
|
redirect_uri: 'http://example.org',
|
||||||
|
scopes: ['api']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
|
@ -40,6 +40,22 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when sign in is not valid' do
|
||||||
|
let(:provider) { :github }
|
||||||
|
let(:extern_uid) { 'my-uid' }
|
||||||
|
|
||||||
|
it 'renders omniauth error page' do
|
||||||
|
allow_next_instance_of(Gitlab::Auth::OAuth::User) do |instance|
|
||||||
|
allow(instance).to receive(:valid_sign_in?).and_return(false)
|
||||||
|
end
|
||||||
|
|
||||||
|
post provider
|
||||||
|
|
||||||
|
expect(response).to render_template("errors/omniauth_error")
|
||||||
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'when the user is on the last sign in attempt' do
|
context 'when the user is on the last sign in attempt' do
|
||||||
let(:extern_uid) { 'my-uid' }
|
let(:extern_uid) { 'my-uid' }
|
||||||
|
|
||||||
|
|
23
spec/controllers/profiles/active_sessions_controller_spec.rb
Normal file
23
spec/controllers/profiles/active_sessions_controller_spec.rb
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
RSpec.describe Profiles::ActiveSessionsController do
|
||||||
|
describe 'DELETE destroy' do
|
||||||
|
let_it_be(:user) { create(:user) }
|
||||||
|
|
||||||
|
before do
|
||||||
|
sign_in(user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'invalidates all remember user tokens' do
|
||||||
|
ActiveSession.set(user, request)
|
||||||
|
session_id = request.session.id.public_id
|
||||||
|
user.remember_me!
|
||||||
|
|
||||||
|
delete :destroy, params: { id: session_id }
|
||||||
|
|
||||||
|
expect(user.reload.remember_created_at).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -14,10 +14,9 @@ RSpec.describe Profiles::TwoFactorAuthsController do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
it 'generates otp_secret for user' do
|
it 'generates otp_secret for user' do
|
||||||
expect(User).to receive(:generate_otp_secret).with(32).and_return('secret').once
|
expect(User).to receive(:generate_otp_secret).with(32).and_call_original.once
|
||||||
|
|
||||||
get :show
|
get :show
|
||||||
get :show # Second hit shouldn't re-generate it
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'assigns qr_code' do
|
it 'assigns qr_code' do
|
||||||
|
@ -27,6 +26,14 @@ RSpec.describe Profiles::TwoFactorAuthsController do
|
||||||
get :show
|
get :show
|
||||||
expect(assigns[:qr_code]).to eq code
|
expect(assigns[:qr_code]).to eq code
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'generates a unique otp_secret every time the page is loaded' do
|
||||||
|
expect(User).to receive(:generate_otp_secret).with(32).and_call_original.twice
|
||||||
|
|
||||||
|
2.times do
|
||||||
|
get :show
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'POST create' do
|
describe 'POST create' do
|
||||||
|
@ -57,6 +64,12 @@ RSpec.describe Profiles::TwoFactorAuthsController do
|
||||||
expect(assigns[:codes]).to match_array %w(a b c)
|
expect(assigns[:codes]).to match_array %w(a b c)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'calls to delete other sessions' do
|
||||||
|
expect(ActiveSession).to receive(:destroy_all_but_current)
|
||||||
|
|
||||||
|
go
|
||||||
|
end
|
||||||
|
|
||||||
it 'renders create' do
|
it 'renders create' do
|
||||||
go
|
go
|
||||||
expect(response).to render_template(:create)
|
expect(response).to render_template(:create)
|
||||||
|
|
|
@ -183,6 +183,8 @@ RSpec.describe Projects::ClustersController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include_examples 'GET new cluster shared examples'
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
|
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
|
||||||
expect { go }.to be_allowed_for(:admin)
|
expect { go }.to be_allowed_for(:admin)
|
||||||
|
@ -521,14 +523,13 @@ RSpec.describe Projects::ClustersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'POST authorize AWS role for EKS cluster' do
|
describe 'POST authorize AWS role for EKS cluster' do
|
||||||
let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
|
let!(:role) { create(:aws_role, user: user) }
|
||||||
let(:role_external_id) { '12345' }
|
|
||||||
|
|
||||||
|
let(:role_arn) { 'arn:new-role' }
|
||||||
let(:params) do
|
let(:params) do
|
||||||
{
|
{
|
||||||
cluster: {
|
cluster: {
|
||||||
role_arn: role_arn,
|
role_arn: role_arn
|
||||||
role_external_id: role_external_id
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -542,28 +543,32 @@ RSpec.describe Projects::ClustersController do
|
||||||
.and_return(double(execute: double))
|
.and_return(double(execute: double))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates an Aws::Role record' do
|
it 'updates the associated role with the supplied ARN' do
|
||||||
expect { go }.to change { Aws::Role.count }
|
go
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:ok)
|
expect(response).to have_gitlab_http_status(:ok)
|
||||||
|
expect(role.reload.role_arn).to eq(role_arn)
|
||||||
role = Aws::Role.last
|
|
||||||
expect(role.user).to eq user
|
|
||||||
expect(role.role_arn).to eq role_arn
|
|
||||||
expect(role.role_external_id).to eq role_external_id
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'role cannot be created' do
|
context 'supplied role is invalid' do
|
||||||
let(:role_arn) { 'invalid-role' }
|
let(:role_arn) { 'invalid-role' }
|
||||||
|
|
||||||
it 'does not create a record' do
|
it 'does not update the associated role' do
|
||||||
expect { go }.not_to change { Aws::Role.count }
|
expect { go }.not_to change { role.role_arn }
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
expect(response).to have_gitlab_http_status(:unprocessable_entity)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'security' do
|
describe 'security' do
|
||||||
|
before do
|
||||||
|
allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
|
||||||
|
response = double(status: :ok, body: double)
|
||||||
|
|
||||||
|
allow(service).to receive(:execute).and_return(response)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
|
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
|
||||||
expect { go }.to be_allowed_for(:admin)
|
expect { go }.to be_allowed_for(:admin)
|
||||||
end
|
end
|
||||||
|
|
|
@ -46,4 +46,26 @@ RSpec.describe Projects::HooksController do
|
||||||
expect(ProjectHook.first).to have_attributes(hook_params)
|
expect(ProjectHook.first).to have_attributes(hook_params)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#test' do
|
||||||
|
let(:hook) { create(:project_hook, project: project) }
|
||||||
|
|
||||||
|
context 'when the endpoint receives requests above the limit' do
|
||||||
|
before do
|
||||||
|
allow(Gitlab::ApplicationRateLimiter).to receive(:rate_limits)
|
||||||
|
.and_return(project_testing_hook: { threshold: 1, interval: 1.minute })
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'prevents making test requests' do
|
||||||
|
expect_next_instance_of(TestHooks::ProjectService) do |service|
|
||||||
|
expect(service).to receive(:execute).and_return(http_status: 200)
|
||||||
|
end
|
||||||
|
|
||||||
|
2.times { post :test, params: { namespace_id: project.namespace, project_id: project, id: hook } }
|
||||||
|
|
||||||
|
expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
|
||||||
|
expect(response).to have_gitlab_http_status(:too_many_requests)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -288,8 +288,8 @@ RSpec.describe SessionsController do
|
||||||
context 'when using two-factor authentication via OTP' do
|
context 'when using two-factor authentication via OTP' do
|
||||||
let(:user) { create(:user, :two_factor) }
|
let(:user) { create(:user, :two_factor) }
|
||||||
|
|
||||||
def authenticate_2fa(user_params)
|
def authenticate_2fa(user_params, otp_user_id: user.id)
|
||||||
post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
|
post(:create, params: { user: user_params }, session: { otp_user_id: otp_user_id })
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'remember_me field' do
|
context 'remember_me field' do
|
||||||
|
@ -326,8 +326,22 @@ RSpec.describe SessionsController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# See issue gitlab-org/gitlab#20302.
|
||||||
|
context 'when otp_user_id is stale' do
|
||||||
|
render_views
|
||||||
|
|
||||||
|
it 'favors login over otp_user_id when password is present and does not authenticate the user' do
|
||||||
|
authenticate_2fa(
|
||||||
|
{ login: 'random_username', password: user.password },
|
||||||
|
otp_user_id: user.id
|
||||||
|
)
|
||||||
|
|
||||||
|
expect(response).to set_flash.now[:alert].to /Invalid Login or password/
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
##
|
##
|
||||||
# See #14900 issue
|
# See issue gitlab-org/gitlab-foss#14900
|
||||||
#
|
#
|
||||||
context 'when authenticating with login and OTP of another user' do
|
context 'when authenticating with login and OTP of another user' do
|
||||||
context 'when another user has 2FA enabled' do
|
context 'when another user has 2FA enabled' do
|
||||||
|
@ -413,18 +427,6 @@ RSpec.describe SessionsController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when another user does not have 2FA enabled' do
|
|
||||||
let(:another_user) { create(:user) }
|
|
||||||
|
|
||||||
it 'does not leak that 2FA is disabled for another user' do
|
|
||||||
authenticate_2fa(login: another_user.username,
|
|
||||||
otp_attempt: 'invalid')
|
|
||||||
|
|
||||||
expect(response).to set_flash.now[:alert]
|
|
||||||
.to /Invalid two-factor code/
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@ RSpec.describe 'admin manage applications' do
|
||||||
sign_in(create(:admin))
|
sign_in(create(:admin))
|
||||||
end
|
end
|
||||||
|
|
||||||
it do
|
it 'creates new oauth application' do
|
||||||
visit admin_applications_path
|
visit admin_applications_path
|
||||||
|
|
||||||
click_on 'New application'
|
click_on 'New application'
|
||||||
|
@ -16,6 +16,7 @@ RSpec.describe 'admin manage applications' do
|
||||||
fill_in :doorkeeper_application_name, with: 'test'
|
fill_in :doorkeeper_application_name, with: 'test'
|
||||||
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
||||||
check :doorkeeper_application_trusted
|
check :doorkeeper_application_trusted
|
||||||
|
check :doorkeeper_application_scopes_read_user
|
||||||
click_on 'Submit'
|
click_on 'Submit'
|
||||||
expect(page).to have_content('Application: test')
|
expect(page).to have_content('Application: test')
|
||||||
expect(page).to have_content('Application ID')
|
expect(page).to have_content('Application ID')
|
||||||
|
@ -43,4 +44,19 @@ RSpec.describe 'admin manage applications' do
|
||||||
end
|
end
|
||||||
expect(page.find('.oauth-applications')).not_to have_content('test_changed')
|
expect(page.find('.oauth-applications')).not_to have_content('test_changed')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when scopes are blank' do
|
||||||
|
it 'returns an error' do
|
||||||
|
visit admin_applications_path
|
||||||
|
|
||||||
|
click_on 'New application'
|
||||||
|
expect(page).to have_content('New application')
|
||||||
|
|
||||||
|
fill_in :doorkeeper_application_name, with: 'test'
|
||||||
|
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
||||||
|
click_on 'Submit'
|
||||||
|
|
||||||
|
expect(page).to have_content("Scopes can't be blank")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -15,6 +15,7 @@ RSpec.describe 'User manages applications' do
|
||||||
|
|
||||||
fill_in :doorkeeper_application_name, with: 'test'
|
fill_in :doorkeeper_application_name, with: 'test'
|
||||||
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
||||||
|
check :doorkeeper_application_scopes_read_user
|
||||||
click_on 'Save application'
|
click_on 'Save application'
|
||||||
|
|
||||||
expect(page).to have_content 'Application: test'
|
expect(page).to have_content 'Application: test'
|
||||||
|
@ -41,4 +42,16 @@ RSpec.describe 'User manages applications' do
|
||||||
end
|
end
|
||||||
expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
|
expect(page.find('.oauth-applications')).not_to have_content 'test_changed'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when scopes are blank' do
|
||||||
|
it 'returns an error' do
|
||||||
|
expect(page).to have_content 'Add new application'
|
||||||
|
|
||||||
|
fill_in :doorkeeper_application_name, with: 'test'
|
||||||
|
fill_in :doorkeeper_application_redirect_uri, with: 'https://test.com'
|
||||||
|
click_on 'Save application'
|
||||||
|
|
||||||
|
expect(page).to have_content("Scopes can't be blank")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -177,6 +177,14 @@ RSpec.describe 'Login' do
|
||||||
expect(page).not_to have_content(I18n.t('devise.failure.already_authenticated'))
|
expect(page).not_to have_content(I18n.t('devise.failure.already_authenticated'))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not allow sign-in if the user password is updated before entering a one-time code' do
|
||||||
|
user.update!(password: 'new_password')
|
||||||
|
|
||||||
|
enter_code(user.current_otp)
|
||||||
|
|
||||||
|
expect(page).to have_content('An error occurred. Please sign in again.')
|
||||||
|
end
|
||||||
|
|
||||||
context 'using one-time code' do
|
context 'using one-time code' do
|
||||||
it 'allows login with valid code' do
|
it 'allows login with valid code' do
|
||||||
expect(authentication_metrics)
|
expect(authentication_metrics)
|
||||||
|
@ -232,7 +240,7 @@ RSpec.describe 'Login' do
|
||||||
expect(codes.size).to eq 10
|
expect(codes.size).to eq 10
|
||||||
|
|
||||||
# Ensure the generated codes get saved
|
# Ensure the generated codes get saved
|
||||||
user.save
|
user.save(touch: false)
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with valid code' do
|
context 'with valid code' do
|
||||||
|
@ -290,7 +298,7 @@ RSpec.describe 'Login' do
|
||||||
code = codes.sample
|
code = codes.sample
|
||||||
expect(user.invalidate_otp_backup_code!(code)).to eq true
|
expect(user.invalidate_otp_backup_code!(code)).to eq true
|
||||||
|
|
||||||
user.save!
|
user.save!(touch: false)
|
||||||
expect(user.reload.otp_backup_codes.size).to eq 9
|
expect(user.reload.otp_backup_codes.size).to eq 9
|
||||||
|
|
||||||
enter_code(code)
|
enter_code(code)
|
||||||
|
|
64
spec/finders/ci/auth_job_finder_spec.rb
Normal file
64
spec/finders/ci/auth_job_finder_spec.rb
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
RSpec.describe Ci::AuthJobFinder do
|
||||||
|
let_it_be(:job, reload: true) { create(:ci_build, status: :running) }
|
||||||
|
|
||||||
|
let(:token) { job.token }
|
||||||
|
|
||||||
|
subject(:finder) do
|
||||||
|
described_class.new(token: token)
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#execute!' do
|
||||||
|
subject(:execute) { finder.execute! }
|
||||||
|
|
||||||
|
it { is_expected.to eq(job) }
|
||||||
|
|
||||||
|
it 'raises error if the job is not running' do
|
||||||
|
job.success!
|
||||||
|
|
||||||
|
expect { execute }.to raise_error described_class::NotRunningJobError, 'Job is not running'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error if the job is erased' do
|
||||||
|
expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
|
||||||
|
expect(job).to receive(:erased?).and_return(true)
|
||||||
|
|
||||||
|
expect { execute }.to raise_error described_class::ErasedJobError, 'Job has been erased!'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error if the the project is missing' do
|
||||||
|
expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
|
||||||
|
expect(job).to receive(:project).and_return(nil)
|
||||||
|
|
||||||
|
expect { execute }.to raise_error described_class::DeletedProjectError, 'Project has been deleted!'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error if the the project is being removed' do
|
||||||
|
project = double(Project)
|
||||||
|
|
||||||
|
expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
|
||||||
|
expect(job).to receive(:project).twice.and_return(project)
|
||||||
|
expect(project).to receive(:pending_delete?).and_return(true)
|
||||||
|
|
||||||
|
expect { execute }.to raise_error described_class::DeletedProjectError, 'Project has been deleted!'
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with wrong job token' do
|
||||||
|
let(:token) { 'missing' }
|
||||||
|
|
||||||
|
it { is_expected.to be_nil }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#execute' do
|
||||||
|
subject(:execute) { finder.execute }
|
||||||
|
|
||||||
|
before do
|
||||||
|
job.success!
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to be_nil }
|
||||||
|
end
|
||||||
|
end
|
|
@ -11,8 +11,10 @@ RSpec.describe UserRecentEventsFinder do
|
||||||
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
|
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
|
||||||
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
|
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
|
||||||
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
|
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
|
||||||
|
let(:limit) { nil }
|
||||||
|
let(:params) { { limit: limit } }
|
||||||
|
|
||||||
subject(:finder) { described_class.new(current_user, project_owner) }
|
subject(:finder) { described_class.new(current_user, project_owner, params) }
|
||||||
|
|
||||||
describe '#execute' do
|
describe '#execute' do
|
||||||
context 'when profile is public' do
|
context 'when profile is public' do
|
||||||
|
@ -48,5 +50,38 @@ RSpec.describe UserRecentEventsFinder do
|
||||||
expect(events).to include(event_b)
|
expect(events).to include(event_b)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'limits' do
|
||||||
|
before do
|
||||||
|
stub_const("#{described_class}::DEFAULT_LIMIT", 1)
|
||||||
|
stub_const("#{described_class}::MAX_LIMIT", 3)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when limit is not set' do
|
||||||
|
it 'returns events limited to DEFAULT_LIMIT' do
|
||||||
|
expect(finder.execute.size).to eq(described_class::DEFAULT_LIMIT)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when limit is set' do
|
||||||
|
let(:limit) { 2 }
|
||||||
|
|
||||||
|
it 'returns events limited to specified limit' do
|
||||||
|
expect(finder.execute.size).to eq(limit)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when limit is set to a number that exceeds maximum limit' do
|
||||||
|
let(:limit) { 4 }
|
||||||
|
|
||||||
|
before do
|
||||||
|
create(:event, project: public_project, author: project_owner)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns events limited to MAX_LIMIT' do
|
||||||
|
expect(finder.execute.size).to eq(described_class::MAX_LIMIT)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -212,6 +212,55 @@ RSpec.describe GitlabSchema do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '.parse_gid' do
|
||||||
|
let_it_be(:global_id) { 'gid://gitlab/TestOne/2147483647' }
|
||||||
|
|
||||||
|
before do
|
||||||
|
test_base = Class.new
|
||||||
|
test_one = Class.new(test_base)
|
||||||
|
test_two = Class.new(test_base)
|
||||||
|
|
||||||
|
stub_const('TestBase', test_base)
|
||||||
|
stub_const('TestOne', test_one)
|
||||||
|
stub_const('TestTwo', test_two)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'parses the gid' do
|
||||||
|
gid = described_class.parse_gid(global_id)
|
||||||
|
|
||||||
|
expect(gid.model_id).to eq '2147483647'
|
||||||
|
expect(gid.model_class).to eq TestOne
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when gid is malformed' do
|
||||||
|
let_it_be(:global_id) { 'malformed://gitlab/TestOne/2147483647' }
|
||||||
|
|
||||||
|
it 'raises an error' do
|
||||||
|
expect { described_class.parse_gid(global_id) }
|
||||||
|
.to raise_error(Gitlab::Graphql::Errors::ArgumentError, "#{global_id} is not a valid GitLab id.")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when using expected_type' do
|
||||||
|
it 'accepts a single type' do
|
||||||
|
gid = described_class.parse_gid(global_id, expected_type: TestOne)
|
||||||
|
|
||||||
|
expect(gid.model_class).to eq TestOne
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'accepts an ancestor type' do
|
||||||
|
gid = described_class.parse_gid(global_id, expected_type: TestBase)
|
||||||
|
|
||||||
|
expect(gid.model_class).to eq TestOne
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'rejects an unknown type' do
|
||||||
|
expect { described_class.parse_gid(global_id, expected_type: TestTwo) }
|
||||||
|
.to raise_error(Gitlab::Graphql::Errors::ArgumentError, "#{global_id} is not a valid id for TestTwo.")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def field_instrumenters
|
def field_instrumenters
|
||||||
described_class.instrumenters[:field] + described_class.instrumenters[:field_after_built_ins]
|
described_class.instrumenters[:field] + described_class.instrumenters[:field_after_built_ins]
|
||||||
end
|
end
|
||||||
|
|
|
@ -45,7 +45,7 @@ RSpec.describe API::Helpers::PackagesManagerClientsHelpers do
|
||||||
describe '#find_job_from_http_basic_auth' do
|
describe '#find_job_from_http_basic_auth' do
|
||||||
let_it_be(:user) { personal_access_token.user }
|
let_it_be(:user) { personal_access_token.user }
|
||||||
|
|
||||||
let(:job) { create(:ci_build, user: user) }
|
let(:job) { create(:ci_build, user: user, status: :running) }
|
||||||
let(:password) { job.token }
|
let(:password) { job.token }
|
||||||
let(:headers) { { Authorization: basic_http_auth(username, password) } }
|
let(:headers) { { Authorization: basic_http_auth(username, password) } }
|
||||||
|
|
||||||
|
@ -57,6 +57,14 @@ RSpec.describe API::Helpers::PackagesManagerClientsHelpers do
|
||||||
|
|
||||||
context 'with a valid Authorization header' do
|
context 'with a valid Authorization header' do
|
||||||
it { is_expected.to eq job }
|
it { is_expected.to eq job }
|
||||||
|
|
||||||
|
context 'when the job is not running' do
|
||||||
|
before do
|
||||||
|
job.update!(status: :failed)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to be nil }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with an invalid Authorization header' do
|
context 'with an invalid Authorization header' do
|
||||||
|
|
|
@ -36,11 +36,29 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "return user if token is valid" do
|
context 'with a running job' do
|
||||||
set_token(job.token)
|
before do
|
||||||
|
job.update!(status: :running)
|
||||||
|
end
|
||||||
|
|
||||||
expect(subject).to eq(user)
|
it 'return user if token is valid' do
|
||||||
expect(@current_authenticated_job).to eq job
|
set_token(job.token)
|
||||||
|
|
||||||
|
expect(subject).to eq(user)
|
||||||
|
expect(@current_authenticated_job).to eq job
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a job that is not running' do
|
||||||
|
before do
|
||||||
|
job.update!(status: :failed)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns an Unauthorized exception' do
|
||||||
|
set_token(job.token)
|
||||||
|
|
||||||
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -556,7 +574,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
context 'with CI username' do
|
context 'with CI username' do
|
||||||
let(:username) { ::Ci::Build::CI_REGISTRY_USER }
|
let(:username) { ::Ci::Build::CI_REGISTRY_USER }
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
let(:build) { create(:ci_build, user: user) }
|
let(:build) { create(:ci_build, user: user, status: :running) }
|
||||||
|
|
||||||
it 'returns nil without password' do
|
it 'returns nil without password' do
|
||||||
set_basic_auth_header(username, nil)
|
set_basic_auth_header(username, nil)
|
||||||
|
@ -575,6 +593,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
|
|
||||||
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'returns exception if the job is not running' do
|
||||||
|
set_basic_auth_header(username, build.token)
|
||||||
|
build.success!
|
||||||
|
|
||||||
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -585,7 +610,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
|
|
||||||
context 'with a job token' do
|
context 'with a job token' do
|
||||||
let(:route_authentication_setting) { { job_token_allowed: true } }
|
let(:route_authentication_setting) { { job_token_allowed: true } }
|
||||||
let(:job) { create(:ci_build, user: user) }
|
let(:job) { create(:ci_build, user: user, status: :running) }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
env['HTTP_AUTHORIZATION'] = "Bearer #{job.token}"
|
env['HTTP_AUTHORIZATION'] = "Bearer #{job.token}"
|
||||||
|
@ -640,7 +665,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#find_user_from_job_token' do
|
describe '#find_user_from_job_token' do
|
||||||
let(:job) { create(:ci_build, user: user) }
|
let(:job) { create(:ci_build, user: user, status: :running) }
|
||||||
let(:route_authentication_setting) { { job_token_allowed: true } }
|
let(:route_authentication_setting) { { job_token_allowed: true } }
|
||||||
|
|
||||||
subject { find_user_from_job_token }
|
subject { find_user_from_job_token }
|
||||||
|
@ -665,6 +690,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
|
||||||
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'returns exception if the job is not running' do
|
||||||
|
set_header(described_class::JOB_TOKEN_HEADER, job.token)
|
||||||
|
job.success!
|
||||||
|
|
||||||
|
expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
|
||||||
|
end
|
||||||
|
|
||||||
context 'when route is not allowed to be authenticated' do
|
context 'when route is not allowed to be authenticated' do
|
||||||
let(:route_authentication_setting) { { job_token_allowed: false } }
|
let(:route_authentication_setting) { { job_token_allowed: false } }
|
||||||
|
|
||||||
|
|
|
@ -87,7 +87,7 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
|
||||||
|
|
||||||
describe '#find_user_from_job_token' do
|
describe '#find_user_from_job_token' do
|
||||||
let!(:user) { build(:user) }
|
let!(:user) { build(:user) }
|
||||||
let!(:job) { build(:ci_build, user: user) }
|
let!(:job) { build(:ci_build, user: user, status: :running) }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = 'token'
|
env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = 'token'
|
||||||
|
@ -96,13 +96,18 @@ RSpec.describe Gitlab::Auth::RequestAuthenticator do
|
||||||
context 'with API requests' do
|
context 'with API requests' do
|
||||||
before do
|
before do
|
||||||
env['SCRIPT_NAME'] = '/api/endpoint'
|
env['SCRIPT_NAME'] = '/api/endpoint'
|
||||||
|
expect(::Ci::Build).to receive(:find_by_token).with('token').and_return(job)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'tries to find the user' do
|
it 'tries to find the user' do
|
||||||
expect(::Ci::Build).to receive(:find_by_token).and_return(job)
|
|
||||||
|
|
||||||
expect(subject.find_sessionless_user([:api])).to eq user
|
expect(subject.find_sessionless_user([:api])).to eq user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'returns nil if the job is not running' do
|
||||||
|
job.status = :success
|
||||||
|
|
||||||
|
expect(subject.find_sessionless_user([:api])).to be_blank
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'without API requests' do
|
context 'without API requests' do
|
||||||
|
|
112
spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
Normal file
112
spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
Normal file
|
@ -0,0 +1,112 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do
|
||||||
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
|
subject { described_class.new(user) }
|
||||||
|
|
||||||
|
describe '#two_factor_authentication_required?' do
|
||||||
|
describe 'when it is required on application level' do
|
||||||
|
it 'returns true' do
|
||||||
|
stub_application_setting require_two_factor_authentication: true
|
||||||
|
|
||||||
|
expect(subject.two_factor_authentication_required?).to be_truthy
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when it is required on group level' do
|
||||||
|
it 'returns true' do
|
||||||
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
|
||||||
|
|
||||||
|
expect(subject.two_factor_authentication_required?).to be_truthy
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when it is not required' do
|
||||||
|
it 'returns false when not required on group level' do
|
||||||
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.two_factor_authentication_required?).to be_falsey
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#current_user_needs_to_setup_two_factor?' do
|
||||||
|
it 'returns false when current_user is nil' do
|
||||||
|
expect(described_class.new(nil).current_user_needs_to_setup_two_factor?).to be_falsey
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false when current_user does not have temp email' do
|
||||||
|
allow(user).to receive(:two_factor_enabled?).and_return(false)
|
||||||
|
allow(user).to receive(:temp_oauth_email?).and_return(true)
|
||||||
|
|
||||||
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_falsey
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false when current_user has 2fa disabled' do
|
||||||
|
allow(user).to receive(:temp_oauth_email?).and_return(false)
|
||||||
|
allow(user).to receive(:two_factor_enabled?).and_return(true)
|
||||||
|
|
||||||
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_falsey
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true when user requires 2fa authentication' do
|
||||||
|
allow(user).to receive(:two_factor_enabled?).and_return(false)
|
||||||
|
allow(user).to receive(:temp_oauth_email?).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_truthy
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#two_factor_grace_period' do
|
||||||
|
it 'returns grace period from settings if there is no period from groups' do
|
||||||
|
stub_application_setting two_factor_grace_period: 2
|
||||||
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period).to eq(2)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns grace period from groups if there is no period from settings' do
|
||||||
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
|
||||||
|
allow(user).to receive(:two_factor_grace_period).and_return(3)
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period).to eq(3)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns minimal grace period if there is grace period from settings and from group' do
|
||||||
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
|
||||||
|
allow(user).to receive(:two_factor_grace_period).and_return(3)
|
||||||
|
stub_application_setting two_factor_grace_period: 2
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period).to eq(2)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#two_factor_grace_period_expired?' do
|
||||||
|
before do
|
||||||
|
allow(user).to receive(:otp_grace_period_started_at).and_return(4.hours.ago)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true if the grace period has expired' do
|
||||||
|
allow(subject).to receive(:two_factor_grace_period).and_return(2)
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period_expired?).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false if the grace period has not expired' do
|
||||||
|
allow(subject).to receive(:two_factor_grace_period).and_return(6)
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period_expired?).to be_falsey
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when otp_grace_period_started_at is nil' do
|
||||||
|
it 'returns false' do
|
||||||
|
allow(user).to receive(:otp_grace_period_started_at).and_return(nil)
|
||||||
|
|
||||||
|
expect(subject.two_factor_grace_period_expired?).to be_falsey
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -431,7 +431,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'deploy token with disabled registry' do
|
shared_examples 'deploy token with disabled feature' do
|
||||||
context 'when registry disabled' do
|
context 'when registry disabled' do
|
||||||
before do
|
before do
|
||||||
stub_container_registry_config(enabled: false)
|
stub_container_registry_config(enabled: false)
|
||||||
|
@ -442,6 +442,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
||||||
.to eq(auth_failure)
|
.to eq(auth_failure)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when repository is disabled' do
|
||||||
|
let(:project) { create(:project, :repository_disabled) }
|
||||||
|
|
||||||
|
it 'fails when login and token are valid' do
|
||||||
|
expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
|
||||||
|
.to eq(auth_failure)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when deploy token and user have the same username' do
|
context 'when deploy token and user have the same username' do
|
||||||
|
@ -594,7 +603,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
||||||
it_behaves_like 'registry token scope'
|
it_behaves_like 'registry token scope'
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'deploy token with disabled registry'
|
it_behaves_like 'deploy token with disabled feature'
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the deploy token has write_registry as a scope' do
|
context 'when the deploy token has write_registry as a scope' do
|
||||||
|
@ -616,7 +625,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
||||||
it_behaves_like 'registry token scope'
|
it_behaves_like 'registry token scope'
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'deploy token with disabled registry'
|
it_behaves_like 'deploy token with disabled feature'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -671,12 +680,69 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
||||||
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
|
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not find user in locked state' do
|
||||||
|
user.lock_access!
|
||||||
|
|
||||||
|
expect(gl_auth.find_with_user_password(username, password)).not_to eql user
|
||||||
|
end
|
||||||
|
|
||||||
it "does not find user in ldap_blocked state" do
|
it "does not find user in ldap_blocked state" do
|
||||||
user.ldap_block
|
user.ldap_block
|
||||||
|
|
||||||
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
|
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with increment_failed_attempts' do
|
||||||
|
wrong_password = 'incorrect_password'
|
||||||
|
|
||||||
|
it 'increments failed_attempts when true and password is incorrect' do
|
||||||
|
expect do
|
||||||
|
gl_auth.find_with_user_password(username, wrong_password, increment_failed_attempts: true)
|
||||||
|
user.reload
|
||||||
|
end.to change(user, :failed_attempts).from(0).to(1)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'resets failed_attempts when true and password is correct' do
|
||||||
|
user.failed_attempts = 2
|
||||||
|
user.save
|
||||||
|
|
||||||
|
expect do
|
||||||
|
gl_auth.find_with_user_password(username, password, increment_failed_attempts: true)
|
||||||
|
user.reload
|
||||||
|
end.to change(user, :failed_attempts).from(2).to(0)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not increment failed_attempts by default' do
|
||||||
|
expect do
|
||||||
|
gl_auth.find_with_user_password(username, wrong_password)
|
||||||
|
user.reload
|
||||||
|
end.not_to change(user, :failed_attempts)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the database is read only' do
|
||||||
|
before do
|
||||||
|
allow(Gitlab::Database).to receive(:read_only?).and_return(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not increment failed_attempts when true and password is incorrect' do
|
||||||
|
expect do
|
||||||
|
gl_auth.find_with_user_password(username, wrong_password, increment_failed_attempts: true)
|
||||||
|
user.reload
|
||||||
|
end.not_to change(user, :failed_attempts)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not reset failed_attempts when true and password is correct' do
|
||||||
|
user.failed_attempts = 2
|
||||||
|
user.save
|
||||||
|
|
||||||
|
expect do
|
||||||
|
gl_auth.find_with_user_password(username, password, increment_failed_attempts: true)
|
||||||
|
user.reload
|
||||||
|
end.not_to change(user, :failed_attempts)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context "with ldap enabled" do
|
context "with ldap enabled" do
|
||||||
before do
|
before do
|
||||||
allow(Gitlab::Auth::Ldap::Config).to receive(:enabled?).and_return(true)
|
allow(Gitlab::Auth::Ldap::Config).to receive(:enabled?).and_return(true)
|
||||||
|
|
|
@ -487,31 +487,135 @@ RSpec.describe Gitlab::GitAccess do
|
||||||
let(:actor) { key }
|
let(:actor) { key }
|
||||||
|
|
||||||
context 'pull code' do
|
context 'pull code' do
|
||||||
context 'when project is authorized' do
|
context 'when project is public' do
|
||||||
before do
|
let(:project) { create(:project, :public, :repository, *options) }
|
||||||
key.projects << project
|
|
||||||
|
context 'when deploy key exists in the project' do
|
||||||
|
before do
|
||||||
|
key.projects << project
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is public' do
|
||||||
|
let(:options) { %i[repository_enabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('You are not allowed to download code from this project.') }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it { expect { pull_access_check }.not_to raise_error }
|
context 'when deploy key does not exist in the project' do
|
||||||
|
context 'when the repository is public' do
|
||||||
|
let(:options) { %i[repository_enabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('You are not allowed to download code from this project.') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('You are not allowed to download code from this project.') }
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when unauthorized' do
|
context 'when project is internal' do
|
||||||
context 'from public project' do
|
let(:project) { create(:project, :internal, :repository, *options) }
|
||||||
let(:project) { create(:project, :public, :repository) }
|
|
||||||
|
|
||||||
it { expect { pull_access_check }.not_to raise_error }
|
context 'when deploy key exists in the project' do
|
||||||
|
before do
|
||||||
|
key.projects << project
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is public' do
|
||||||
|
let(:options) { %i[repository_enabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('You are not allowed to download code from this project.') }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'from internal project' do
|
context 'when deploy key does not exist in the project' do
|
||||||
let(:project) { create(:project, :internal, :repository) }
|
context 'when the repository is public' do
|
||||||
|
let(:options) { %i[repository_enabled] }
|
||||||
|
|
||||||
it { expect { pull_access_check }.to raise_not_found }
|
it { expect { pull_access_check }.to raise_error('The project you were looking for could not be found.') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('The project you were looking for could not be found.') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('The project you were looking for could not be found.') }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when project is private' do
|
||||||
|
let(:project) { create(:project, :private, :repository, *options) }
|
||||||
|
|
||||||
|
context 'when deploy key exists in the project' do
|
||||||
|
before do
|
||||||
|
key.projects << project
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.not_to raise_error }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('You are not allowed to download code from this project.') }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'from private project' do
|
context 'when deploy key does not exist in the project' do
|
||||||
let(:project) { create(:project, :private, :repository) }
|
context 'when the repository is private' do
|
||||||
|
let(:options) { %i[repository_private] }
|
||||||
|
|
||||||
it { expect { pull_access_check }.to raise_not_found }
|
it { expect { pull_access_check }.to raise_error('The project you were looking for could not be found.') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the repository is disabled' do
|
||||||
|
let(:options) { %i[repository_disabled] }
|
||||||
|
|
||||||
|
it { expect { pull_access_check }.to raise_error('The project you were looking for could not be found.') }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -164,15 +164,6 @@ RSpec.describe Gitlab::Regex do
|
||||||
it { is_expected.not_to match('foo/bar') }
|
it { is_expected.not_to match('foo/bar') }
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '.conan_file_name_regex' do
|
|
||||||
subject { described_class.conan_file_name_regex }
|
|
||||||
|
|
||||||
it { is_expected.to match('conanfile.py') }
|
|
||||||
it { is_expected.to match('conan_package.tgz') }
|
|
||||||
it { is_expected.not_to match('foo.txt') }
|
|
||||||
it { is_expected.not_to match('!!()()') }
|
|
||||||
end
|
|
||||||
|
|
||||||
describe '.conan_package_reference_regex' do
|
describe '.conan_package_reference_regex' do
|
||||||
subject { described_class.conan_package_reference_regex }
|
subject { described_class.conan_package_reference_regex }
|
||||||
|
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue