authorDouwe Maan <douwe@gitlab.com>2016-07-05 22:57:19 +0000
committerDouwe Maan <douwe@gitlab.com>2016-07-05 22:57:19 +0000
commitcfd5870b62e9d76e564ffc64db1d1281b4a363bb (patch)
tree34adec49220b96c99aea7139cd0794405ecd7b8d /spec
parent1141eaf5c83f927ccc064b6c5d162081fdd22894 (diff)
parent0bdf6fe4ba90f0a1dc7777d17651667776dfb91b (diff)
downloadgitlab-ce-cfd5870b62e9d76e564ffc64db1d1281b4a363bb.tar.gz
Merge branch 'allow-disabling-of-git-access-protocol' into 'master'
Add setting that allows admins to choose which Git access protocols are enabled. ## What does this MR do? It allows admins to disable one of the two protocols for Git access. They can choose to enable just SSH, HTTP or allow both. If one of them is disabled, the clone URL in the project will show only the allowed protocol, and no dropdown to change protocols will be presented. ## What are the relevant issue numbers? Full implementation on GitLab's side for #18601 GitLab Shell implementation: gitlab-org/gitlab-shell!62 GitLab Workhorse implementation: gitlab-org/gitlab-workhorse!51 ## Screenshots (if relevant) ![Screen_Shot_2016-06-16_at_12.26.19_PM](/uploads/bad845142e9704a7385b2eaca51fd4eb/Screen_Shot_2016-06-16_at_12.26.19_PM.png) ![Screen_Shot_2016-06-20_at_4.24.54_PM](/uploads/6e452dd269e06f0be23841ce93866ed6/Screen_Shot_2016-06-20_at_4.24.54_PM.png) /cc @jschatz1 this MR touches the UI. Please review. See merge request !4696
Diffstat (limited to 'spec')
-rw-r--r--spec/features/admin/admin_disables_git_access_protocol_spec.rb66
-rw-r--r--spec/lib/gitlab/git_access_spec.rb39
-rw-r--r--spec/lib/gitlab/git_access_wiki_spec.rb2
-rw-r--r--spec/requests/api/internal_spec.rb71
4 files changed, 171 insertions, 7 deletions
diff --git a/spec/features/admin/admin_disables_git_access_protocol_spec.rb b/spec/features/admin/admin_disables_git_access_protocol_spec.rb
new file mode 100644
index 00000000000..5b1c0460274
--- /dev/null
+++ b/spec/features/admin/admin_disables_git_access_protocol_spec.rb
@@ -0,0 +1,66 @@
+require 'rails_helper'
+
+feature 'Admin disables Git access protocol', feature: true do
+ let(:project) { create(:empty_project, :empty_repo) }
+ let(:admin) { create(:admin) }
+
+ background do
+ login_as(admin)
+ end
+
+ context 'with HTTP disabled' do
+ background do
+ disable_http_protocol
+ end
+
+ scenario 'shows only SSH url' do
+ visit_project
+
+ expect(page).to have_content("git clone #{project.ssh_url_to_repo}")
+ expect(page).not_to have_selector('#clone-dropdown')
+ end
+ end
+
+ context 'with SSH disabled' do
+ background do
+ disable_ssh_protocol
+ end
+
+ scenario 'shows only HTTP url' do
+ visit_project
+
+ expect(page).to have_content("git clone #{project.http_url_to_repo}")
+ expect(page).not_to have_selector('#clone-dropdown')
+ end
+ end
+
+ context 'with nothing disabled' do
+ background do
+ create(:personal_key, user: admin)
+ end
+
+ scenario 'shows default SSH url and protocol selection dropdown' do
+ visit_project
+
+ expect(page).to have_content("git clone #{project.ssh_url_to_repo}")
+ expect(page).to have_selector('#clone-dropdown')
+ end
+
+ end
+
+ def visit_project
+ visit namespace_project_path(project.namespace, project)
+ end
+
+ def disable_http_protocol
+ visit admin_application_settings_path
+ find('#application_setting_enabled_git_access_protocol').find(:xpath, 'option[2]').select_option
+ click_on 'Save'
+ end
+
+ def disable_ssh_protocol
+ visit admin_application_settings_path
+ find('#application_setting_enabled_git_access_protocol').find(:xpath, 'option[3]').select_option
+ click_on 'Save'
+ end
+end
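Review bot: `disable_http_protocol` and `disable_ssh_protocol` choose the setting by position (`option[2]`, `option[3]`), so the helper names only match their behaviour while the dropdown keeps its current order. If an option is added or reordered, the scenarios will change a different setting than the one they name. Selecting by value would tie each helper to its setting, e.g. `find('#application_setting_enabled_git_access_protocol').find("option[value='ssh']").select_option` for the HTTP-disabled case, assuming the option values match the `'ssh'`/`'http'` strings stored by the other specs in this commit. A short comment on each helper saying which protocol stays enabled would also help, and the stray blank line before the `end` of 'with nothing disabled' can go.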
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 9b7986fa12d..c79ba11f782 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -1,7 +1,7 @@
require 'spec_helper'
describe Gitlab::GitAccess, lib: true do
- let(:access) { Gitlab::GitAccess.new(actor, project) }
+ let(:access) { Gitlab::GitAccess.new(actor, project, 'web') }
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:actor) { user }
@@ -67,6 +67,43 @@ describe Gitlab::GitAccess, lib: true do
end
end
+ describe '#check with single protocols allowed' do
+ def disable_protocol(protocol)
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocol, protocol)
+ end
+
+ context 'ssh disabled' do
+ before do
+ disable_protocol('ssh')
+ @acc = Gitlab::GitAccess.new(actor, project, 'ssh')
+ end
+
+ it 'blocks ssh git push' do
+ expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+ end
+
+ it 'blocks ssh git pull' do
+ expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+ end
+ end
+
+ context 'http disabled' do
+ before do
+ disable_protocol('http')
+ @acc = Gitlab::GitAccess.new(actor, project, 'http')
+ end
+
+ it 'blocks http push' do
+ expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+ end
+
+ it 'blocks http git pull' do
+ expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+ end
+ end
+ end
+
describe 'download_access_check' do
describe 'master permissions' do
before { project.team << [user, :master] }
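Review bot: The four examples in `#check with single protocols allowed` can pass even if the protocol restriction is never enforced. `user` is not added to `project.team` inside this describe block, so `allowed?` may already be false for lack of membership (the factory's default visibility is not visible here). In addition, `disable_protocol('ssh')` writes `'ssh'` into `enabled_git_access_protocol`, which is the value spec/requests/api/internal_spec.rb uses for its 'http access has been disabled' context, so the helper appears to enable the protocol it claims to disable. I would grant access first with `before { project.team << [user, :master] }`, store the opposite protocol (`'http'` in the ssh-disabled context), and pin the denial reason with `expect(@acc.check('git-upload-pack').message).to eq('Git access over SSH is not allowed')`, assuming the returned status object exposes `message`.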
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
index 77ecfce6f17..4244b807d41 100644
--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -1,7 +1,7 @@
require 'spec_helper'
describe Gitlab::GitAccessWiki, lib: true do
- let(:access) { Gitlab::GitAccessWiki.new(user, project) }
+ let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web') }
let(:project) { create(:project) }
let(:user) { create(:user) }
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index fcea45f19ba..e567d36afa8 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -207,26 +207,86 @@ describe API::API, api: true do
expect(json_response["status"]).to be_falsey
end
end
+
+ context 'ssh access has been disabled' do
+ before do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocol, 'http')
+ end
+
+ it 'rejects the SSH push' do
+ push(key, project)
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+ end
+
+ it 'rejects the SSH pull' do
+ pull(key, project)
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+ end
+ end
+
+ context 'http access has been disabled' do
+ before do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocol, 'ssh')
+ end
+
+ it 'rejects the HTTP push' do
+ push(key, project, 'http')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+ end
+
+ it 'rejects the HTTP pull' do
+ pull(key, project, 'http')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+ end
+ end
+
+ context 'web actions are always allowed' do
+ it 'allows WEB push' do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocol, 'ssh')
+ project.team << [user, :developer]
+ push(key, project, 'web')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_truthy
+ end
+ end
end
- def pull(key, project)
+ def pull(key, project, protocol = 'ssh')
post(
api("/internal/allowed"),
key_id: key.id,
project: project.path_with_namespace,
action: 'git-upload-pack',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: protocol
)
end
- def push(key, project)
+ def push(key, project, protocol = 'ssh')
post(
api("/internal/allowed"),
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
key_id: key.id,
project: project.path_with_namespace,
action: 'git-receive-pack',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: protocol
)
end
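Review bot: No example here sends a request to `/internal/allowed` that omits `protocol` or carries an unrecognised value, because `pull` and `push` now default it to `'ssh'`. The 'web actions are always allowed' context shows that the outcome depends on a caller-supplied string, so the endpoint's fallback is part of the access control. The handler is not in this diff, but an older gitlab-shell that does not send the parameter should not end up bypassing a disabled protocol. I would add an example along the lines of `it 'rejects a request without a protocol'`, posting without the `protocol` key while `enabled_git_access_protocol` is `'http'`, and assert whatever the intended behaviour is. The 'web' context would also be stronger with a pull example and with a run where `'http'` is the only enabled protocol.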
@@ -237,7 +297,8 @@ describe API::API, api: true do
key_id: key.id,
project: project.path_with_namespace,
action: 'git-upload-archive',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: 'ssh'
)
end
end