author | Rémy Coutable <remy@rymai.me> | 2016-07-19 18:21:29 +0300 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-07-19 18:23:28 +0300 |
commit | b7d36646e6b209601e7d9f7cde5e4333cb53f813 (patch) | |
tree | 60725bd2b1aadd4bcdeea7870b1620e66340d77d | |
parent | 1b3130f349af888aeb646b40afa6aef903df1300 (diff) |
Merge branch 'allow-deploy-key-to-download-public-projects' into 'master'
Allow to pull code with deploy key from public projects
## What does this MR do?
With deploy keys you can download any public project stored in GitLab.
## What are the relevant issue numbers?
Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/1217
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5316
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 1 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 72 |
3 files changed, 63 insertions, 11 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b61cd2c09c8..1d4d9347548 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -22,6 +22,7 @@ v 8.10.0 (unreleased)
 - Escape file extension when parsing search results !5141 (winniehell)
 - Apply the trusted_proxies config to the rack request object for use with rack_attack
 - Upgrade to Rails 4.2.7. !5236
+ - Allow to pull code with deploy key from public projects
 - Add Sidekiq queue duration to transaction metrics.
 - Add a new column `artifacts_size` to table `ci_builds` !4964
 - Let Workhorse serve format-patch diffs
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 308f23bc9bc..8e8f39d9cb2 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -110,6 +110,7 @@ module Gitlab
 def deploy_key_can_read_project?
 if deploy_key
+ return true if project.public?
 deploy_key.projects.include?(project)
 else
 false
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index db33c7a22bb..ae064a878b0 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -44,12 +44,12 @@ describe Gitlab::GitAccess, lib: true do end describe 'download_access_check' do + subject { access.check('git-upload-pack') } + describe 'master permissions' do before { project.team << [user, :master] } context 'pull code' do - subject { access.download_access_check } - it { expect(subject.allowed?).to be_truthy } end end
@@ -58,8 +58,6 @@ describe Gitlab::GitAccess, lib: true do before { project.team << [user, :guest] } context 'pull code' do - subject { access.download_access_check } - it { expect(subject.allowed?).to be_falsey } end end
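Review bot: In `lib/gitlab/git_access.rb`, the new `return true if project.public?` makes `deploy_key_can_read_project?` answer true for every deploy key registered on the instance, not only keys enabled on the project, and nothing in the code records that this is deliberate. A comment above the line would state the intent, for example `# Any deploy key may read a public project; internal and private projects still require the key to be enabled on the project.` The callers are outside this hunk, so it is worth confirming the predicate is consulted only on the download path, since any caller that reads it as "this key is enabled here" now gets a broader answer. As a matter of style the guard could be folded into the existing expression as `project.public? || deploy_key.projects.include?(project)`, avoiding an early return inside the branch. The method's closing `end` lines fall outside the hunk.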
@@ -71,16 +69,12 @@ describe Gitlab::GitAccess, lib: true do end context 'pull code' do - subject { access.download_access_check } - it { expect(subject.allowed?).to be_falsey } end end describe 'without acccess to project' do context 'pull code' do - subject { access.download_access_check } - it { expect(subject.allowed?).to be_falsey } end end
@@ -90,10 +84,31 @@ describe Gitlab::GitAccess, lib: true do let(:actor) { key } context 'pull code' do - before { key.projects << project } - subject { access.download_access_check } + context 'when project is authorized' do + before { key.projects << project } - it { expect(subject.allowed?).to be_truthy } + it { expect(subject).to be_allowed } + end + + context 'when unauthorized' do + context 'from public project' do + let(:project) { create(:project, :public) } + + it { expect(subject).to be_allowed } + end + + context 'from internal project' do + let(:project) { create(:project, :internal) } + + it { expect(subject).not_to be_allowed } + end + + context 'from private project' do + let(:project) { create(:project, :internal) } + + it { expect(subject).not_to be_allowed } + end + end end end end
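Review bot: The `'from private project'` context builds its project with `create(:project, :internal)`, the same trait as the internal case just above it, so denial of an unauthorized deploy key on a private project is never exercised. That is the negative case this change most needs pinned, because the new early return in `deploy_key_can_read_project?` is keyed on visibility alone. Assuming the project factory defines a `:private` trait alongside `:public` and `:internal`, the line should read `let(:project) { create(:project, :private) }`. The `'to private project'` context in the later `git-receive-pack` hunk carries the same copy-paste and wants the same one-line fix.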
@@ -240,5 +255,40 @@ describe Gitlab::GitAccess, lib: true do
 run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
 end
 end
+
+ describe 'deploy key permissions' do
+ let(:key) { create(:deploy_key) }
+ let(:actor) { key }
+
+ context 'push code' do
+ subject { access.check('git-receive-pack') }
+
+ context 'when project is authorized' do
+ before { key.projects << project }
+
+ it { expect(subject).not_to be_allowed }
+ end
+
+ context 'when unauthorized' do
+ context 'to public project' do
+ let(:project) { create(:project, :public) }
+
+ it { expect(subject).not_to be_allowed }
+ end
+
+ context 'to internal project' do
+ let(:project) { create(:project, :internal) }
+
+ it { expect(subject).not_to be_allowed }
+ end
+
+ context 'to private project' do
+ let(:project) { create(:project, :internal) }
+
+ it { expect(subject).not_to be_allowed }
+ end
+ end
+ end
+ end
 end
 end |