diff options
| author | Ash McKenzie <amckenzie@gitlab.com> | 2018-07-26 19:06:20 +1000 |
|---|---|---|
| committer | Ash McKenzie <amckenzie@gitlab.com> | 2018-08-01 00:24:16 +1000 |
| commit | ecba183b60eb0798ecf1736659ed7d0a995d0f01 (patch) | |
| tree | 3606b2d25e914f69f6cc9aab6de7864331b49dbf /spec | |
| parent | 252a96d61f52d91486f92f980c2f0e4c7a1b9408 (diff) | |
| download | gitlab-shell-ecba183b60eb0798ecf1736659ed7d0a995d0f01.tar.gz | |
Utilise new Actions
* Move gitaly, git-lfs and 2FA logic out from gitlab_shell.rb
* Streamline parsing of origin_cmd in GitlabShell
* Utilise proper HTTP status codes sent from the API
* Also support 200 OK with status of true/false (ideally get rid of this)
* Use HTTP status constants
* Use attr_reader definitions (var over @var)
* Rspec deprecation fixes
Diffstat (limited to 'spec')
19 files changed, 651 insertions, 531 deletions
diff --git a/spec/gitlab_access_spec.rb b/spec/gitlab_access_spec.rb index bec7f25..e529a66 100644 --- a/spec/gitlab_access_spec.rb +++ b/spec/gitlab_access_spec.rb @@ -7,12 +7,7 @@ describe GitlabAccess do let(:repo_path) { File.join(repository_path, repo_name) + ".git" } let(:api) do double(GitlabNet).tap do |api| - api.stub(check_access: GitAccessStatus.new(true, - 'ok', - gl_repository: 'project-1', - gl_username: 'testuser', - repository_path: '/home/git/repositories', - gitaly: nil)) + allow(api).to receive(:check_access).and_return(Action::Gitaly.new('key-1', 'project-1', 'testuser', '/home/git/repositories', nil)) end end subject do @@ -26,12 +21,6 @@ describe GitlabAccess do allow_any_instance_of(GitlabConfig).to receive(:repos_path).and_return(repository_path) end - describe :initialize do - it { expect(subject.send(:repo_path)).to eql repo_path } # FIXME: don't access private instance variables - it { expect(subject.send(:changes)).to eql ['wow'] } # FIXME: don't access private instance variables - it { expect(subject.send(:protocol)).to eql 'ssh' } # FIXME: don't access private instance variables - end - describe "#exec" do context "access is granted" do @@ -41,16 +30,8 @@ describe GitlabAccess do end context "access is denied" do - before do - api.stub(check_access: GitAccessStatus.new( - false, - 'denied', - gl_repository: nil, - gl_username: nil, - repository_path: nil, - gitaly: nil - )) + allow(api).to receive(:check_access).and_raise(AccessDeniedError) end it "returns false" do diff --git a/spec/gitlab_net_spec.rb b/spec/gitlab_net_spec.rb index 291e895..a2760aa 100644 --- a/spec/gitlab_net_spec.rb +++ b/spec/gitlab_net_spec.rb @@ -57,7 +57,7 @@ describe GitlabNet, vcr: true do it "raises an exception if the connection fails" do VCR.use_cassette("discover-ok") do allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError) - expect { gitlab_net.discover(key) }.to raise_error(GitlabNet::ApiUnreachableError) + expect(gitlab_net.discover(key)).to be_nil end end end @@ -263,11 +263,33 @@ describe GitlabNet, vcr: true do end describe '#check_access' do + context 'something is wrong with the API response' do + context 'but response is JSON parsable' do + it 'raises an UnknownError exception' do + VCR.use_cassette('failed-push') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') + end.to raise_error(UnknownError, 'API is not accessible: An internal server error occurred') + end + end + end + + context 'but response is not JSON parsable' do + it 'raises an UnknownError exception' do + VCR.use_cassette('failed-push-unparsable') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') + end.to raise_error(UnknownError, 'API is not accessible') + end + end + end + end + context 'ssh key with access nil, to project' do - it 'should allow pull access for host' do - VCR.use_cassette("allowed-pull") do - access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') - access.allowed?.should be_truthy + it 'should allow push access for host' do + VCR.use_cassette('allowed-push') do + action = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') + expect(action).to be_instance_of(Action::Gitaly) end end @@ -278,75 +300,120 @@ describe GitlabNet, vcr: true do end end - it 'should allow push access for host' do - VCR.use_cassette("allowed-push") do - access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh') - access.allowed?.should be_truthy + it 'should allow pull access for host' do + VCR.use_cassette("allowed-pull") do + action = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh') + expect(action).to be_instance_of(Action::Gitaly) end end end context 'ssh access has been disabled' do it 'should deny pull access for host' do + VCR.use_cassette('ssh-pull-disabled-old') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') + end + VCR.use_cassette('ssh-pull-disabled') do - access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'ssh') - access.allowed?.should be_falsey - access.message.should eq 'Git access over SSH is not allowed' + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end end it 'should deny push access for host' do + VCR.use_cassette('ssh-push-disabled-old') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') + end + VCR.use_cassette('ssh-push-disabled') do - access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') - access.allowed?.should be_falsey - access.message.should eq 'Git access over SSH is not allowed' + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end end end context 'http access has been disabled' do it 'should deny pull access for host' do + VCR.use_cassette('http-pull-disabled-old') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.') + end + VCR.use_cassette('http-pull-disabled') do - access = gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http') - access.allowed?.should be_falsey - access.message.should eq 'Pulling over HTTP is not allowed.' + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Pulling over HTTP is not allowed.') end end it 'should deny push access for host' do - VCR.use_cassette("http-push-disabled") do - access = gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http') - access.allowed?.should be_falsey - access.message.should eq 'Pushing over HTTP is not allowed.' + VCR.use_cassette('http-push-disabled-old') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.') + end + + VCR.use_cassette('http-push-disabled') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key, changes, 'http') + end.to raise_error(AccessDeniedError, 'Pushing over HTTP is not allowed.') end end end context 'ssh key without access to project' do it 'should deny pull access for host' do - VCR.use_cassette("ssh-pull-project-denied") do - access = gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh') - access.allowed?.should be_falsey + VCR.use_cassette('ssh-pull-project-denied-old') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') + end + + VCR.use_cassette('ssh-pull-project-denied') do + expect do + gitlab_net.check_access('git-receive-pack', nil, project, key2, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end end it 'should deny push access for host' do - VCR.use_cassette("ssh-push-project-denied") do - access = gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh') - access.allowed?.should be_falsey + VCR.use_cassette('ssh-push-project-denied-old') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') + end + + VCR.use_cassette('ssh-push-project-denied') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, key2, changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end end it 'should deny push access for host (with user)' do - VCR.use_cassette("ssh-push-project-denied-with-user") do - access = gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh') - access.allowed?.should be_falsey + VCR.use_cassette('ssh-push-project-denied-with-user-old') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') + end + + VCR.use_cassette('ssh-push-project-denied-with-user') do + expect do + gitlab_net.check_access('git-upload-pack', nil, project, 'user-2', changes, 'ssh') + end.to raise_error(AccessDeniedError, 'Git access over SSH is not allowed') end end end it "raises an exception if the connection fails" do - Net::HTTP.any_instance.stub(:request).and_raise(StandardError) + allow_any_instance_of(Net::HTTP).to receive(:request).and_raise(StandardError) expect { gitlab_net.check_access('git-upload-pack', nil, project, 'user-1', changes, 'ssh') }.to raise_error(GitlabNet::ApiUnreachableError) diff --git a/spec/gitlab_shell_spec.rb b/spec/gitlab_shell_spec.rb index af84b29..b7c0746 100644 --- a/spec/gitlab_shell_spec.rb +++ b/spec/gitlab_shell_spec.rb @@ -1,6 +1,6 @@ require_relative 'spec_helper' require_relative '../lib/gitlab_shell' -require_relative '../lib/gitlab_access_status' +require_relative '../lib/action' describe GitlabShell do before do @@ -8,544 +8,202 @@ describe GitlabShell do FileUtils.mkdir_p(tmp_repos_path) end - after do - FileUtils.rm_rf(tmp_repos_path) - end + after { FileUtils.rm_rf(tmp_repos_path) } - subject do - ARGV[0] = key_id - GitlabShell.new(key_id).tap do |shell| - shell.stub(exec_cmd: :exec_called) - shell.stub(api: api) - end - end - - let(:gitaly_check_access) { GitAccessStatus.new( - true, - 'ok', - gl_repository: gl_repository, - gl_username: gl_username, - repository_path: repo_path, - gitaly: { 'repository' => { 'relative_path' => repo_name, 'storage_name' => 'default'} , 'address' => 'unix:gitaly.socket' } - ) - } - - let(:api) do - double(GitlabNet).tap do |api| - api.stub(discover: { 'name' => 'John Doe', 'username' => 'testuser' }) - api.stub(check_access: GitAccessStatus.new( - true, - 'ok', - gl_repository: gl_repository, - gl_username: gl_username, - repository_path: repo_path, - gitaly: nil)) - api.stub(two_factor_recovery_codes: { - 'success' => true, - 'recovery_codes' => ['f67c514de60c4953', '41278385fc00c1e0'] - }) - end - end + subject { described_class.new(key_id) } let(:key_id) { "key-#{rand(100) + 100}" } - let(:ssh_cmd) { nil } let(:tmp_repos_path) { File.join(ROOT_PATH, 'tmp', 'repositories') } - let(:repo_name) { 'gitlab-ci.git' } let(:repo_path) { File.join(tmp_repos_path, repo_name) } let(:gl_repository) { 'project-1' } let(:gl_username) { 'testuser' } - before do - GitlabConfig.any_instance.stub(audit_usernames: false) - end + let(:api) { double(GitlabNet) } - describe :initialize do - let(:ssh_cmd) { 'git-receive-pack' } + let(:gitaly_action) { Action::Gitaly.new( + key_id, + gl_repository, + gl_username, + repo_path, + { 'repository' => { 'relative_path' => repo_name, 'storage_name' => 'default' } , 'address' => 'unix:gitaly.socket' }) + } + let(:api_2fa_recovery_action) { Action::API2FARecovery.new(key_id) } + let(:git_lfs_authenticate_action) { Action::GitLFSAuthenticate.new(key_id, repo_name) } - its(:key_id) { should == key_id } + before do + allow(GitlabNet).to receive(:new).and_return(api) + allow(api).to receive(:discover).with(key_id).and_return('username' => gl_username) end - describe :parse_cmd do - describe 'git' do - context 'w/o namespace' do - let(:ssh_args) { %W(git-upload-pack gitlab-ci.git) } - - before do - subject.send :parse_cmd, ssh_args - end - - its(:repo_name) { should == 'gitlab-ci.git' } - its(:command) { should == 'git-upload-pack' } - end - - context 'namespace' do - let(:repo_name) { 'dmitriy.zaporozhets/gitlab-ci.git' } - let(:ssh_args) { %W(git-upload-pack dmitriy.zaporozhets/gitlab-ci.git) } - - before do - subject.send :parse_cmd, ssh_args - end - - its(:repo_name) { should == 'dmitriy.zaporozhets/gitlab-ci.git' } - its(:command) { should == 'git-upload-pack' } - end - - context 'with an invalid number of arguments' do - let(:ssh_args) { %W(foobar) } - - it "should raise an DisallowedCommandError" do - expect { subject.send :parse_cmd, ssh_args }.to raise_error(GitlabShell::DisallowedCommandError) - end - end - - context 'with an API command' do - before do - subject.send :parse_cmd, ssh_args - end - - context 'when generating recovery codes' do - let(:ssh_args) { %w(2fa_recovery_codes) } - - it 'sets the correct command' do - expect(subject.command).to eq('2fa_recovery_codes') - end - - it 'does not set repo name' do - expect(subject.repo_name).to be_nil - end - end - end - end - - describe 'git-lfs' do - let(:repo_name) { 'dzaporozhets/gitlab.git' } - let(:ssh_args) { %W(git-lfs-authenticate dzaporozhets/gitlab.git download) } - + describe '#exec' do + context "when we don't have a valid user" do before do - subject.send :parse_cmd, ssh_args + allow(api).to receive(:discover).with(key_id).and_return(nil) end - its(:repo_name) { should == 'dzaporozhets/gitlab.git' } - its(:command) { should == 'git-lfs-authenticate' } - its(:git_access) { should == 'git-upload-pack' } - end - - describe 'git-lfs old clients' do - let(:repo_name) { 'dzaporozhets/gitlab.git' } - let(:ssh_args) { %W(git-lfs-authenticate dzaporozhets/gitlab.git download long_oid) } - - before do - subject.send :parse_cmd, ssh_args - end - - its(:repo_name) { should == 'dzaporozhets/gitlab.git' } - its(:command) { should == 'git-lfs-authenticate' } - its(:git_access) { should == 'git-upload-pack' } - end - end - - describe :exec do - let(:gitaly_message) { JSON.dump({ 'repository' => { 'relative_path' => repo_name, 'storage_name' => 'default' }, 'gl_repository' => gl_repository, 'gl_id' => key_id, 'gl_username' => gl_username}) } - - shared_examples_for 'upload-pack' do |command| - let(:ssh_cmd) { "#{command} gitlab-ci.git" } - after { subject.exec(ssh_cmd) } - - it "should process the command" do - subject.should_receive(:process_cmd).with(%W(git-upload-pack gitlab-ci.git)) - end - - it "should execute the command" do - subject.should_receive(:exec_cmd).with('git-upload-pack', repo_path) - end - - it "should log the command execution" do - message = "executing git command" - user_string = "user with key #{key_id}" - $logger.should_receive(:info).with(message, command: "git-upload-pack #{repo_path}", user: user_string) - end - - it "should use usernames if configured to do so" do - GitlabConfig.any_instance.stub(audit_usernames: true) - $logger.should_receive(:info).with("executing git command", hash_including(user: 'testuser')) + it 'prints Welcome.. and returns true' do + expect { + expect(subject.exec(nil)).to be_truthy + }.to output("Welcome to GitLab, Anonymous!\n").to_stdout end end - context 'git-upload-pack' do - it_behaves_like 'upload-pack', 'git-upload-pack' - end - - context 'git upload-pack' do - it_behaves_like 'upload-pack', 'git upload-pack' - end - - context 'gitaly-upload-pack' do - let(:ssh_cmd) { "git-upload-pack gitlab-ci.git" } - before { - api.stub(check_access: gitaly_check_access) - } - after { subject.exec(ssh_cmd) } - - it "should process the command" do - subject.should_receive(:process_cmd).with(%W(git-upload-pack gitlab-ci.git)) - end - - it "should execute the command" do - subject.should_receive(:exec_cmd).with(File.join(ROOT_PATH, "bin/gitaly-upload-pack"), 'unix:gitaly.socket', gitaly_message) - end - - it "should log the command execution" do - message = "executing git command" - user_string = "user with key #{key_id}" - $logger.should_receive(:info).with(message, command: "gitaly-upload-pack unix:gitaly.socket #{gitaly_message}", user: user_string) + context 'when we have a valid user' do + context 'when origin_cmd is nil' do + it 'prints Welcome.. and returns true' do + expect { + expect(subject.exec(nil)).to be_truthy + }.to output("Welcome to GitLab, @testuser!\n").to_stdout + end end - it "should use usernames if configured to do so" do - GitlabConfig.any_instance.stub(audit_usernames: true) - $logger.should_receive(:info).with("executing git command", hash_including(user: 'testuser')) + context 'when origin_cmd is empty' do + it 'prints Welcome.. and returns true' do + expect { + expect(subject.exec('')).to be_truthy + }.to output("Welcome to GitLab, @testuser!\n").to_stdout + end end end - context 'git-receive-pack' do - let(:ssh_cmd) { "git-receive-pack gitlab-ci.git" } - after { subject.exec(ssh_cmd) } - - it "should process the command" do - subject.should_receive(:process_cmd).with(%W(git-receive-pack gitlab-ci.git)) - end - - it "should execute the command" do - subject.should_receive(:exec_cmd).with('git-receive-pack', repo_path) - end - - it "should log the command execution" do - message = "executing git command" - user_string = "user with key #{key_id}" - $logger.should_receive(:info).with(message, command: "git-receive-pack #{repo_path}", user: user_string) + context 'when origin_cmd is invalid' do + it 'prints a message to stderr and returns false' do + expect { + expect(subject.exec("git-invalid-command #{repo_name}")).to be_falsey + }.to output("GitLab: Disallowed command\n").to_stderr end end - context 'gitaly-receive-pack' do - let(:ssh_cmd) { "git-receive-pack gitlab-ci.git" } - before { - api.stub(check_access: gitaly_check_access) - } - after { subject.exec(ssh_cmd) } - - it "should process the command" do - subject.should_receive(:process_cmd).with(%W(git-receive-pack gitlab-ci.git)) - end - - it "should execute the command" do - subject.should_receive(:exec_cmd).with(File.join(ROOT_PATH, "bin/gitaly-receive-pack"), 'unix:gitaly.socket', gitaly_message) - end - - it "should log the command execution" do - message = "executing git command" - user_string = "user with key #{key_id}" - $logger.should_receive(:info).with(message, command: "gitaly-receive-pack unix:gitaly.socket #{gitaly_message}", user: user_string) - end - - it "should use usernames if configured to do so" do - GitlabConfig.any_instance.stub(audit_usernames: true) - $logger.should_receive(:info).with("executing git command", hash_including(user: 'testuser')) + context 'when origin_cmd is valid, but incomplete' do + it 'prints a message to stderr and returns false' do + expect { + expect(subject.exec('git-upload-pack')).to be_falsey + }.to output("GitLab: Disallowed command\n").to_stderr end end - shared_examples_for 'upload-archive' do |command| - let(:ssh_cmd) { "#{command} gitlab-ci.git" } - let(:exec_cmd_params) { ['git-upload-archive', repo_path] } - let(:exec_cmd_log_params) { exec_cmd_params } - - after { subject.exec(ssh_cmd) } - - it "should process the command" do - subject.should_receive(:process_cmd).with(%W(git-upload-archive gitlab-ci.git)) - end - - it "should execute the command" do - subject.should_receive(:exec_cmd).with(*exec_cmd_params) - end - - it "should log the command execution" do - message = "executing git command" - user_string = "user with key #{key_id}" - $logger.should_receive(:info).with(message, command: exec_cmd_log_params.join(' '), user: user_string) + context 'when origin_cmd is git-lfs-authenticate' do + context 'but incomplete' do + it 'prints a message to stderr and returns false' do + expect { + expect(subject.exec('git-lfs-authenticate')).to be_falsey + }.to output("GitLab: Disallowed command\n").to_stderr + end end - it "should use usernames if configured to do so" do - GitlabConfig.any_instance.stub(audit_usernames: true) - $logger.should_receive(:info).with("executing git command", hash_including(user: 'testuser')) + context 'but invalid' do + it 'prints a message to stderr and returns false' do + expect { + expect(subject.exec("git-lfs-authenticate #{repo_name} invalid")).to be_falsey + }.to output("GitLab: Disallowed command\n").to_stderr + end end end - context 'git-upload-archive' do - it_behaves_like 'upload-archive', 'git-upload-archive' - end - - context 'git upload-archive' do - it_behaves_like 'upload-archive', 'git upload-archive' - end + context 'when origin_cmd is 2fa_recovery_codes' do + let(:origin_cmd) { '2fa_recovery_codes' } + let(:git_access) { '2fa_recovery_codes' } - context 'gitaly-upload-archive' do before do - api.stub(check_access: gitaly_check_access) + expect(Action::API2FARecovery).to receive(:new).with(key_id).and_return(api_2fa_recovery_action) end - it_behaves_like 'upload-archive', 'git-upload-archive' do - let(:gitaly_executable) { "gitaly-upload-archive" } - let(:exec_cmd_params) do - [ - File.join(ROOT_PATH, "bin", gitaly_executable), - 'unix:gitaly.socket', - gitaly_message - ] - end - let(:exec_cmd_log_params) do - [gitaly_executable, 'unix:gitaly.socket', gitaly_message] - end + it 'returns true' do + expect(api_2fa_recovery_action).to receive(:execute).with('2fa_recovery_codes', %w{ 2fa_recovery_codes }).and_return(true) + expect(subject.exec(origin_cmd)).to be_truthy end end - context 'arbitrary command' do - let(:ssh_cmd) { 'arbitrary command' } - after { subject.exec(ssh_cmd) } - - it "should not process the command" do - subject.should_not_receive(:process_cmd) - end - - it "should not execute the command" do - subject.should_not_receive(:exec_cmd) - end - - it "should log the attempt" do - message = 'Denied disallowed command' - user_string = "user with key #{key_id}" - $logger.should_receive(:warn).with(message, command: 'arbitrary command', user: user_string) + context 'when access to the repo is denied' do + before do + expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, key_id, '_any').and_raise(AccessDeniedError, 'Sorry, access denied') end - end - - context 'no command' do - after { subject.exec(nil) } - it "should call api.discover" do - api.should_receive(:discover).with(key_id) + it 'prints a message to stderr and returns false' do + expect($stderr).to receive(:puts).with('GitLab: Sorry, access denied') + expect(subject.exec("git-upload-pack #{repo_name}")).to be_falsey end end - context "failed connection" do - let(:ssh_cmd) { 'git-upload-pack gitlab-ci.git' } - - before { - api.stub(:check_access).and_raise(GitlabNet::ApiUnreachableError) - } - after { subject.exec(ssh_cmd) } - - it "should not process the command" do - subject.should_not_receive(:process_cmd) + context 'when the API is unavailable' do + before do + expect(api).to receive(:check_access).with('git-upload-pack', nil, repo_name, key_id, '_any').and_raise(GitlabNet::ApiUnreachableError) end - it "should not execute the command" do - subject.should_not_receive(:exec_cmd) + it 'prints a message to stderr and returns false' do + expect($stderr).to receive(:puts).with('GitLab: Failed to authorize your Git request: internal API unreachable') + expect(subject.exec("git-upload-pack #{repo_name}")).to be_falsey end end - context 'with an API command' do + context 'when access has been verified OK' do before do - allow(subject).to receive(:continue?).and_return(true) + expect(api).to receive(:check_access).with(git_access, nil, repo_name, key_id, '_any').and_return(gitaly_action) end - context 'when generating recovery codes' do - let(:ssh_cmd) { '2fa_recovery_codes' } - after do - subject.exec(ssh_cmd) - end - - it 'does not call verify_access' do - expect(subject).not_to receive(:verify_access) - end - - it 'calls the corresponding method' do - expect(subject).to receive(:api_2fa_recovery_codes) - end + context 'when origin_cmd is git-upload-pack' do + let(:origin_cmd) { 'git-upload-pack' } + let(:git_access) { 'git-upload-pack' } - it 'outputs recovery codes' do - expect($stdout).to receive(:puts) - .with(/f67c514de60c4953\n41278385fc00c1e0/) + it 'returns true' do + expect(gitaly_action).to receive(:execute).with('git-upload-pack', %W{git-upload-pack #{repo_name}}).and_return(true) + expect(subject.exec("#{origin_cmd} #{repo_name}")).to be_truthy end - context 'when the process is unsuccessful' do - it 'displays the error to the user' do - api.stub(two_factor_recovery_codes: { - 'success' => false, - 'message' => 'Could not find the given key' - }) - - expect($stdout).to receive(:puts) - .with(/Could not find the given key/) + context 'but repo path is invalid' do + it 'prints a message to stderr and returns false' do + expect(gitaly_action).to receive(:execute).with('git-upload-pack', %W{git-upload-pack #{repo_name}}).and_raise(InvalidRepositoryPathError) + expect($stderr).to receive(:puts).with('GitLab: Invalid repository path') + expect(subject.exec("#{origin_cmd} #{repo_name}")).to be_falsey end end - end - end - end - - describe :validate_access do - let(:ssh_cmd) { "git-upload-pack gitlab-ci.git" } - - describe 'check access with api' do - after { subject.exec(ssh_cmd) } - - it "should call api.check_access" do - api.should_receive(:check_access).with('git-upload-pack', nil, 'gitlab-ci.git', key_id, '_any', 'ssh') - end - - it "should disallow access and log the attempt if check_access returns false status" do - api.stub(check_access: GitAccessStatus.new( - false, - 'denied', - gl_repository: nil, - gl_username: nil, - repository_path: nil, - gitaly: nil)) - message = 'Access denied' - user_string = "user with key #{key_id}" - $logger.should_receive(:warn).with(message, command: 'git-upload-pack gitlab-ci.git', user: user_string) - end - end - - describe 'set the repository path' do - context 'with a correct path' do - before { subject.exec(ssh_cmd) } - - its(:repo_path) { should == repo_path } - end - - context "with a path that doesn't match an absolute path" do - before do - File.stub(:absolute_path) { 'y/gitlab-ci.git' } - end - it "refuses to assign the path" do - $stderr.should_receive(:puts).with("GitLab: Invalid repository path") - expect(subject.exec(ssh_cmd)).to be_falsey + context "but we're using an old git version for Windows 2.14" do + it 'returns true' do + expect(gitaly_action).to receive(:execute).with('git-upload-pack', %W{git-upload-pack #{repo_name}}).and_return(true) + expect(subject.exec("git upload-pack #{repo_name}")).to be_truthy #NOTE: 'git upload-pack' vs. 'git-upload-pack' + end end end - end - end - - describe :exec_cmd do - let(:shell) { GitlabShell.new(key_id) } - let(:env) do - { - 'HOME' => ENV['HOME'], - 'PATH' => ENV['PATH'], - 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], - 'LANG' => ENV['LANG'], - 'GL_ID' => key_id, - 'GL_PROTOCOL' => 'ssh', - 'GL_REPOSITORY' => gl_repository, - 'GL_USERNAME' => 'testuser' - } - end - let(:exec_options) { { unsetenv_others: true, chdir: ROOT_PATH } } - before do - Kernel.stub(:exec) - shell.gl_repository = gl_repository - shell.instance_variable_set(:@username, gl_username) - end - - it "uses Kernel::exec method" do - Kernel.should_receive(:exec).with(env, 1, 2, exec_options).once - shell.send :exec_cmd, 1, 2 - end - - it "refuses to execute a lone non-array argument" do - expect { shell.send :exec_cmd, 1 }.to raise_error(GitlabShell::DisallowedCommandError) - end - - it "allows one argument if it is an array" do - Kernel.should_receive(:exec).with(env, [1, 2], exec_options).once - shell.send :exec_cmd, [1, 2] - end - context "when specifying a git_tracing log file" do - let(:git_trace_log_file) { '/tmp/git_trace_performance.log' } + context 'when origin_cmd is git-lfs-authenticate' do + let(:origin_cmd) { 'git-lfs-authenticate' } + # let(:fake_payload) { 'FAKE PAYLOAD' } + let(:lfs_access) { double(GitlabLfsAuthentication, authentication_payload: fake_payload)} - before do - GitlabConfig.any_instance.stub(git_trace_log_file: git_trace_log_file) - shell - end - - it "uses GIT_TRACE_PERFORMANCE" do - expected_hash = hash_including( - 'GIT_TRACE' => git_trace_log_file, - 'GIT_TRACE_PACKET' => git_trace_log_file, - 'GIT_TRACE_PERFORMANCE' => git_trace_log_file - ) - Kernel.should_receive(:exec).with(expected_hash, [1, 2], exec_options).once - - shell.send :exec_cmd, [1, 2] - end - - context "when provides a relative path" do - let(:git_trace_log_file) { 'git_trace_performance.log' } - - it "does not uses GIT_TRACE*" do - # If we try to use it we'll show a warning to the users - expected_hash = hash_excluding( - 'GIT_TRACE', 'GIT_TRACE_PACKET', 'GIT_TRACE_PERFORMANCE' - ) - Kernel.should_receive(:exec).with(expected_hash, [1, 2], exec_options).once - - shell.send :exec_cmd, [1, 2] - end - - it "writes an entry on the log" do - message = 'git trace log path must be absolute, ignoring' - - expect($logger).to receive(:warn). - with(message, git_trace_log_file: git_trace_log_file) - - Kernel.should_receive(:exec).with(env, [1, 2], exec_options).once - shell.send :exec_cmd, [1, 2] - end - end - - context "when provides a file not writable" do before do - expect(File).to receive(:open).with(git_trace_log_file, 'a').and_raise(Errno::EACCES) + expect(Action::GitLFSAuthenticate).to receive(:new).with(key_id, repo_name).and_return(git_lfs_authenticate_action) end - it "does not uses GIT_TRACE*" do - # If we try to use it we'll show a warning to the users - expected_hash = hash_excluding( - 'GIT_TRACE', 'GIT_TRACE_PACKET', 'GIT_TRACE_PERFORMANCE' - ) - Kernel.should_receive(:exec).with(expected_hash, [1, 2], exec_options).once + context 'upload' do + let(:git_access) { 'git-receive-pack' } - shell.send :exec_cmd, [1, 2] + it 'returns true' do + expect(git_lfs_authenticate_action).to receive(:execute).with('git-lfs-authenticate', %w{ git-lfs-authenticate gitlab-ci.git upload }).and_return(true) + # expect($stdout).to receive(:puts).with(fake_payload) + expect(subject.exec("#{origin_cmd} #{repo_name} upload")).to be_truthy + end end - it "writes an entry on the log" do - message = 'Failed to open git trace log file' - error = 'Permission denied' + context 'download' do + let(:git_access) { 'git-upload-pack' } - expect($logger).to receive(:warn). - with(message, git_trace_log_file: git_trace_log_file, error: error) + it 'returns true' do + expect(git_lfs_authenticate_action).to receive(:execute).with('git-lfs-authenticate', %w{ git-lfs-authenticate gitlab-ci.git download }).and_return(true) + # expect($stdout).to receive(:puts).with(fake_payload) + expect(subject.exec("#{origin_cmd} #{repo_name} download")).to be_truthy + end - Kernel.should_receive(:exec).with(env, [1, 2], exec_options).once - shell.send :exec_cmd, [1, 2] + context 'for old git-lfs clients' do + it 'returns true' do + expect(git_lfs_authenticate_action).to receive(:execute).with('git-lfs-authenticate', %w{ git-lfs-authenticate gitlab-ci.git download long_oid }).and_return(true) + # expect($stdout).to receive(:puts).with(fake_payload) + expect(subject.exec("#{origin_cmd} #{repo_name} download long_oid")).to be_truthy + end + end end end end end - - describe :api do - let(:shell) { GitlabShell.new(key_id) } - subject { shell.send :api } - - it { should be_a(GitlabNet) } - end end diff --git a/spec/vcr_cassettes/failed-push-unparsable.yml b/spec/vcr_cassettes/failed-push-unparsable.yml new file mode 100644 index 0000000..fbc09ec --- /dev/null +++ b/spec/vcr_cassettes/failed-push-unparsable.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 500 + message: Internal Server Error + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '155' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 10:44:52 GMT + Etag: + - W/"45654cae433b5a9c5fbba1d45d382e52" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 67ab4954-19e6-42ce-aae6-55c8ae5a365e + X-Runtime: + - '0.230871' + body: + encoding: UTF-8 + string: '""' + http_version: + recorded_at: Wed, 21 Jun 2017 10:44:52 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/failed-push.yml b/spec/vcr_cassettes/failed-push.yml new file mode 100644 index 0000000..334aabd --- /dev/null +++ b/spec/vcr_cassettes/failed-push.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 500 + message: Internal Server Error + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '155' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 10:44:52 GMT + Etag: + - W/"45654cae433b5a9c5fbba1d45d382e52" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 67ab4954-19e6-42ce-aae6-55c8ae5a365e + X-Runtime: + - '0.230871' + body: + encoding: UTF-8 + string: '{"status":false,"message":"An internal server error occurred"}' + http_version: + recorded_at: Wed, 21 Jun 2017 10:44:52 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/http-pull-disabled-old.yml b/spec/vcr_cassettes/http-pull-disabled-old.yml new file mode 100644 index 0000000..23ef3e5 --- /dev/null +++ b/spec/vcr_cassettes/http-pull-disabled-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=http&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '62' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 10:32:01 GMT + Etag: + - W/"71e09fcf8a60a03cd1acc22806386ead" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 70bdecc9-0078-4a4b-aa6b-cac1b2578886 + X-Runtime: + - '0.324202' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Pulling over HTTP is not allowed."}' + http_version: + recorded_at: Wed, 21 Jun 2017 10:32:01 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/http-pull-disabled.yml b/spec/vcr_cassettes/http-pull-disabled.yml index 23ef3e5..34cf634 100644 --- a/spec/vcr_cassettes/http-pull-disabled.yml +++ b/spec/vcr_cassettes/http-pull-disabled.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/http-push-disabled-old.yml b/spec/vcr_cassettes/http-push-disabled-old.yml new file mode 100644 index 0000000..676e5b8 --- /dev/null +++ b/spec/vcr_cassettes/http-push-disabled-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=http&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '62' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 10:32:01 GMT + Etag: + - W/"7f14e23ac07cc8b0a53c567fcf9432fd" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 573f3584-87c6-41cb-a5bf-5e7ee76d4250 + X-Runtime: + - '0.266135' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Pushing over HTTP is not allowed."}' + http_version: + recorded_at: Wed, 21 Jun 2017 10:32:01 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/http-push-disabled.yml b/spec/vcr_cassettes/http-push-disabled.yml index 676e5b8..e7e185e 100644 --- a/spec/vcr_cassettes/http-push-disabled.yml +++ b/spec/vcr_cassettes/http-push-disabled.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/ssh-pull-disabled-old.yml b/spec/vcr_cassettes/ssh-pull-disabled-old.yml new file mode 100644 index 0000000..55ce261 --- /dev/null +++ b/spec/vcr_cassettes/ssh-pull-disabled-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '63' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 12:23:57 GMT + Etag: + - W/"76a32010244f80700d5e1ba8a55d094c" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 096ae253-c6fe-4360-b4d4-48f4b5435ca6 + X-Runtime: + - '6.377187' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Git access over SSH is not allowed"}' + http_version: + recorded_at: Wed, 21 Jun 2017 12:23:57 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/ssh-pull-disabled.yml b/spec/vcr_cassettes/ssh-pull-disabled.yml index 55ce261..92fc36a 100644 --- a/spec/vcr_cassettes/ssh-pull-disabled.yml +++ b/spec/vcr_cassettes/ssh-pull-disabled.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/ssh-pull-project-denied-old.yml b/spec/vcr_cassettes/ssh-pull-project-denied-old.yml new file mode 100644 index 0000000..c16e608 --- /dev/null +++ b/spec/vcr_cassettes/ssh-pull-project-denied-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '63' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 12:24:04 GMT + Etag: + - W/"76a32010244f80700d5e1ba8a55d094c" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - c843a5a3-fc08-46eb-aa45-caceae515638 + X-Runtime: + - '7.359835' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Git access over SSH is not allowed"}' + http_version: + recorded_at: Wed, 21 Jun 2017 12:24:04 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/ssh-pull-project-denied.yml b/spec/vcr_cassettes/ssh-pull-project-denied.yml index c16e608..61a71db 100644 --- a/spec/vcr_cassettes/ssh-pull-project-denied.yml +++ b/spec/vcr_cassettes/ssh-pull-project-denied.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/ssh-push-disabled-old.yml b/spec/vcr_cassettes/ssh-push-disabled-old.yml new file mode 100644 index 0000000..c061791 --- /dev/null +++ b/spec/vcr_cassettes/ssh-push-disabled-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-receive-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=1&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '63' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 12:23:57 GMT + Etag: + - W/"76a32010244f80700d5e1ba8a55d094c" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 93620e06-fda9-4be5-855e-300f5d62fa3c + X-Runtime: + - '0.207159' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Git access over SSH is not allowed"}' + http_version: + recorded_at: Wed, 21 Jun 2017 12:23:57 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/ssh-push-disabled.yml b/spec/vcr_cassettes/ssh-push-disabled.yml index c061791..5ca2642 100644 --- a/spec/vcr_cassettes/ssh-push-disabled.yml +++ b/spec/vcr_cassettes/ssh-push-disabled.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/ssh-push-project-denied-old.yml b/spec/vcr_cassettes/ssh-push-project-denied-old.yml new file mode 100644 index 0000000..5107d15 --- /dev/null +++ b/spec/vcr_cassettes/ssh-push-project-denied-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&key_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '63' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 12:24:04 GMT + Etag: + - W/"76a32010244f80700d5e1ba8a55d094c" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 8ce54f29-9ed0-46e5-aedb-37edaa3d52da + X-Runtime: + - '0.228256' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Git access over SSH is not allowed"}' + http_version: + recorded_at: Wed, 21 Jun 2017 12:24:04 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/ssh-push-project-denied-with-user-old.yml b/spec/vcr_cassettes/ssh-push-project-denied-with-user-old.yml new file mode 100644 index 0000000..b461b5b --- /dev/null +++ b/spec/vcr_cassettes/ssh-push-project-denied-with-user-old.yml @@ -0,0 +1,46 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/internal/allowed + body: + encoding: US-ASCII + string: action=git-upload-pack&changes=0000000000000000000000000000000000000000+92d0970eefd7acb6d548878925ce2208cfe2d2ec+refs%2Fheads%2Fbranch4&gl_repository&project=gitlab-org%2Fgitlab-test.git&protocol=ssh&env=%7B%7D&user_id=2&secret_token=0a3938d9d95d807e94d937af3a4fbbea%0A + headers: + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Content-Type: + - application/x-www-form-urlencoded + response: + status: + code: 200 + message: OK + headers: + Cache-Control: + - max-age=0, private, must-revalidate + Content-Length: + - '63' + Content-Type: + - application/json + Date: + - Wed, 21 Jun 2017 12:24:05 GMT + Etag: + - W/"76a32010244f80700d5e1ba8a55d094c" + Vary: + - Origin + X-Frame-Options: + - SAMEORIGIN + X-Request-Id: + - 3b242d73-d860-48ac-8fef-80e2d0d3daca + X-Runtime: + - '0.342469' + body: + encoding: UTF-8 + string: '{"status":false,"message":"Git access over SSH is not allowed"}' + http_version: + recorded_at: Wed, 21 Jun 2017 12:24:05 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/ssh-push-project-denied-with-user.yml b/spec/vcr_cassettes/ssh-push-project-denied-with-user.yml index b461b5b..01be21b 100644 --- a/spec/vcr_cassettes/ssh-push-project-denied-with-user.yml +++ b/spec/vcr_cassettes/ssh-push-project-denied-with-user.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate diff --git a/spec/vcr_cassettes/ssh-push-project-denied.yml b/spec/vcr_cassettes/ssh-push-project-denied.yml index 5107d15..b23dd8d 100644 --- a/spec/vcr_cassettes/ssh-push-project-denied.yml +++ b/spec/vcr_cassettes/ssh-push-project-denied.yml @@ -17,8 +17,8 @@ http_interactions: - application/x-www-form-urlencoded response: status: - code: 200 - message: OK + code: 401 + message: Unauthorized headers: Cache-Control: - max-age=0, private, must-revalidate |