| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
 | require_relative 'spec_helper'
require 'open3'
describe 'bin/gitlab-shell git-lfs-authentication' do
  include_context 'gitlab shell'
  let(:path) { "https://gitlab.com/repo/path" }
  let(:env) { {'SSH_CONNECTION' => 'fake', 'SSH_ORIGINAL_COMMAND' => 'git-lfs-authenticate project/repo download' } }
  before(:context) do
    write_config("gitlab_url" => "http+unix://#{CGI.escape(tmp_socket_path)}")
  end
  def mock_server(server)
    server.mount_proc('/api/v4/internal/lfs_authenticate') do |req, res|
      res.content_type = 'application/json'
      key_id = req.query['key_id'] || req.query['user_id']
      unless key_id
        body = JSON.parse(req.body)
        key_id = body['key_id'] || body['user_id'].to_s
      end
      if key_id == '100'
        res.status = 200
        res.body = %{{"username":"john","lfs_token":"sometoken","repository_http_path":"#{path}","expires_in":1800}}
      else
        res.status = 403
      end
    end
    server.mount_proc('/api/v4/internal/allowed') do |req, res|
      res.content_type = 'application/json'
      key_id = req.query['key_id'] || req.query['username']
      unless key_id
        body = JSON.parse(req.body)
        key_id = body['key_id'] || body['username'].to_s
      end
      case key_id
      when '100', 'someone' then
        res.status = 200
        res.body = '{"gl_id":"user-100", "status":true}'
      when '101' then
        res.status = 200
        res.body = '{"gl_id":"user-101", "status":true}'
      else
        res.status = 403
      end
    end
  end
  describe 'lfs authentication command' do
    def successful_response
      {
        "header" => {
          "Authorization" => "Basic am9objpzb21ldG9rZW4="
        },
        "href" => "#{path}/info/lfs",
        "expires_in" => 1800
      }.to_json + "\n"
    end
    context 'when the command is allowed' do
      context 'when key is provided' do
        let(:cmd) { "#{gitlab_shell_path} key-100" }
        it 'lfs is successfully authenticated' do
          output, stderr, status = Open3.capture3(env, cmd)
          expect(output).to eq(successful_response)
          expect(status).to be_success
        end
      end
      context 'when username is provided' do
        let(:cmd) { "#{gitlab_shell_path} username-someone" }
        it 'lfs is successfully authenticated' do
          output, stderr, status = Open3.capture3(env, cmd)
          expect(output).to eq(successful_response)
          expect(status).to be_success
        end
      end
    end
    context 'when a user is not allowed to perform an action' do
      let(:cmd) { "#{gitlab_shell_path} key-102" }
      it 'lfs is not authenticated' do
        _, stderr, status = Open3.capture3(env, cmd)
        expect(stderr).not_to be_empty
        expect(status).not_to be_success
      end
    end
    context 'when lfs authentication is forbidden for a user' do
      let(:cmd) { "#{gitlab_shell_path} key-101" }
      it 'lfs is not authenticated' do
        output, stderr, status = Open3.capture3(env, cmd)
        expect(stderr).to be_empty
        expect(output).to be_empty
        expect(status).to be_success
      end
    end
    context 'when an action for lfs authentication is unknown' do
      let(:cmd) { "#{gitlab_shell_path} key-100" }
      let(:env) { {'SSH_CONNECTION' => 'fake', 'SSH_ORIGINAL_COMMAND' => 'git-lfs-authenticate project/repo unknown' } }
      it 'the command is disallowed' do
        divider = "remote: \nremote: ========================================================================\nremote: \n"
        _, stderr, status = Open3.capture3(env, cmd)
        expect(stderr).to eq("#{divider}remote: Disallowed command\n#{divider}")
        expect(status).not_to be_success
      end
    end
  end
end
 |