Go implementation for LFS authenticate

author: Igor <idrozdov@gitlab.com> 2019-06-06 16:02:02 +0000
committer: Nick Thomas <nick@gitlab.com> 2019-06-06 16:02:02 +0000
commit: 888cd2c4ecb7d8a82328c5b3d68545596466b1a2 (patch)
tree: 3557c79227b01376a90f381c5f60f0ef42727baa /spec
parent: eb2b186f7d209a638b7523c674bc79cbafe764b6 (diff)
download: gitlab-shell-888cd2c4ecb7d8a82328c5b3d68545596466b1a2.tar.gz
1 files changed, 146 insertions, 0 deletions
diff --git a/spec/gitlab_shell_lfs_authentication_spec.rb b/spec/gitlab_shell_lfs_authentication_spec.rb
new file mode 100644
index 0000000..7cdb320
--- /dev/null
+++ b/spec/gitlab_shell_lfs_authentication_spec.rb
@@ -0,0 +1,146 @@
+require_relative 'spec_helper'
+
+require 'open3'
+
+describe 'bin/gitlab-shell git-lfs-authentication' do
+  include_context 'gitlab shell'
+
+  let(:path) { "https://gitlab.com/repo/path" }
+
+  def mock_server(server)
+    server.mount_proc('/api/v4/internal/lfs_authenticate') do |req, res|
+      res.content_type = 'application/json'
+
+      key_id = req.query['key_id'] || req.query['user_id']
+
+      unless key_id
+        body = JSON.parse(req.body)
+        key_id = body['key_id'] || body['user_id'].to_s
+      end
+
+      if key_id == '100'
+        res.status = 200
+        res.body = %{{"username":"john","lfs_token":"sometoken","repository_http_path":"#{path}","expires_in":1800}}
+      else
+        res.status = 403
+      end
+    end
+
+    server.mount_proc('/api/v4/internal/allowed') do |req, res|
+      res.content_type = 'application/json'
+
+      key_id = req.query['key_id'] || req.query['username']
+
+      unless key_id
+        body = JSON.parse(req.body)
+        key_id = body['key_id'] || body['username'].to_s
+      end
+
+      case key_id
+      when '100', 'someone' then
+        res.status = 200
+        res.body = '{"gl_id":"user-100", "status":true}'
+      when '101' then
+        res.status = 200
+        res.body = '{"gl_id":"user-101", "status":true}'
+      else
+        res.status = 403
+      end
+    end
+  end
+
+  shared_examples 'lfs authentication command' do
+    def successful_response
+      {
+        "header" => {
+          "Authorization" => "Basic am9objpzb21ldG9rZW4="
+        },
+        "href" => "#{path}/info/lfs",
+        "expires_in" => 1800
+      }.to_json + "\n"
+    end
+
+    context 'when the command is allowed' do
+      context 'when key is provided' do
+        let(:cmd) { "#{gitlab_shell_path} key-100" }
+
+        it 'lfs is successfully authenticated' do
+          output, stderr, status = Open3.capture3(env, cmd)
+
+          expect(output).to eq(successful_response)
+          expect(status).to be_success
+        end
+      end
+
+      context 'when username is provided' do
+        let(:cmd) { "#{gitlab_shell_path} username-someone" }
+
+        it 'lfs is successfully authenticated' do
+          output, stderr, status = Open3.capture3(env, cmd)
+
+          expect(output).to eq(successful_response)
+          expect(status).to be_success
+        end
+      end
+    end
+
+    context 'when a user is not allowed to perform an action' do
+      let(:cmd) { "#{gitlab_shell_path} key-102" }
+
+      it 'lfs is not authenticated' do
+        _, stderr, status = Open3.capture3(env, cmd)
+
+        expect(stderr).not_to be_empty
+        expect(status).not_to be_success
+      end
+    end
+
+    context 'when lfs authentication is forbidden for a user' do
+      let(:cmd) { "#{gitlab_shell_path} key-101" }
+
+      it 'lfs is not authenticated' do
+        output, stderr, status = Open3.capture3(env, cmd)
+
+        expect(stderr).to be_empty
+        expect(output).to be_empty
+        expect(status).to be_success
+      end
+    end
+
+    context 'when an action for lfs authentication is unknown' do
+      let(:cmd) { "#{gitlab_shell_path} key-100" }
+      let(:env) { {'SSH_CONNECTION' => 'fake', 'SSH_ORIGINAL_COMMAND' => 'git-lfs-authenticate project/repo unknown' } }
+
+      it 'the command is disallowed' do
+        _, stderr, status = Open3.capture3(env, cmd)
+
+        expect(stderr).to eq("> GitLab: Disallowed command\n")
+        expect(status).not_to be_success
+      end
+    end
+  end
+
+  let(:env) { {'SSH_CONNECTION' => 'fake', 'SSH_ORIGINAL_COMMAND' => 'git-lfs-authenticate project/repo download' } }
+
+  describe 'without go features' do
+    before(:context) do
+      write_config(
+        "gitlab_url" => "http+unix://#{CGI.escape(tmp_socket_path)}",
+      )
+    end
+
+    it_behaves_like 'lfs authentication command'
+  end
+
+  describe 'with go features' do
+    before(:context) do
+      write_config(
+        "gitlab_url" => "http+unix://#{CGI.escape(tmp_socket_path)}",
+        "migration" => { "enabled" => true,
+                        "features" => ["git-lfs-authenticate"] }
+      )
+    end
+
+    it_behaves_like 'lfs authentication command'
+  end
+end
author	Igor <idrozdov@gitlab.com>	2019-06-06 16:02:02 +0000
committer	Nick Thomas <nick@gitlab.com>	2019-06-06 16:02:02 +0000
commit	888cd2c4ecb7d8a82328c5b3d68545596466b1a2 (patch)
tree	3557c79227b01376a90f381c5f60f0ef42727baa /spec
parent	eb2b186f7d209a638b7523c674bc79cbafe764b6 (diff)
download	gitlab-shell-888cd2c4ecb7d8a82328c5b3d68545596466b1a2.tar.gz