PageRenderTime 26ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/spec/requests/git_http_spec.rb

https://gitlab.com/svansteenis/gitlab-ee
Ruby | 395 lines | 347 code | 47 blank | 1 comment | 2 complexity | 02176500e3ae09f9b0e9b6ea10af4b1d MD5 | raw file
    

  1. require "spec_helper"
    2. 

  2. 

  3. describe 'Git HTTP requests', lib: true do
    4. 

  4.   let(:user)    { create(:user) }
    5. 

  5.   let(:project) { create(:project, path: 'project.git-project') }
    6. 

  6. 

  7.   it "gives WWW-Authenticate hints" do
    8. 

  8.     clone_get('doesnt/exist.git')
    9. 

  9. 

  10.     expect(response.header['WWW-Authenticate']).to start_with('Basic ')
    11. 

  11.   end
    12. 

  12. 

  13.   context "when the project doesn't exist" do
    14. 

  14.     context "when no authentication is provided" do
    15. 

  15.       it "responds with status 401 (no project existence information leak)" do
    16. 

  16.         download('doesnt/exist.git') do |response|
    17. 

  17.           expect(response.status).to eq(401)
    18. 

  18.         end
    19. 

  19.       end
    20. 

  20.     end
    21. 

  21. 

  22.     context "when username and password are provided" do
    23. 

  23.       context "when authentication fails" do
    24. 

  24.         it "responds with status 401" do
    25. 

  25.           download('doesnt/exist.git', user: user.username, password: "nope") do |response|
    26. 

  26.             expect(response.status).to eq(401)
    27. 

  27.           end
    28. 

  28.         end
    29. 

  29.       end
    30. 

  30. 

  31.       context "when authentication succeeds" do
    32. 

  32.         it "responds with status 404" do
    33. 

  33.           download('/doesnt/exist.git', user: user.username, password: user.password) do |response|
    34. 

  34.             expect(response.status).to eq(404)
    35. 

  35.           end
    36. 

  36.         end
    37. 

  37.       end
    38. 

  38.     end
    39. 

  39.   end
    40. 

  40. 

  41.   context "when the Wiki for a project exists" do
    42. 

  42.     it "responds with the right project" do
    43. 

  43.       wiki = ProjectWiki.new(project)
    44. 

  44.       project.update_attribute(:visibility_level, Project::PUBLIC)
    45. 

  45. 

  46.       download("/#{wiki.repository.path_with_namespace}.git") do |response|
    47. 

  47.         json_body = ActiveSupport::JSON.decode(response.body)
    48. 

  48. 

  49.         expect(response.status).to eq(200)
    50. 

  50.         expect(json_body['RepoPath']).to include(wiki.repository.path_with_namespace)
    51. 

  51.       end
    52. 

  52.     end
    53. 

  53.   end
    54. 

  54. 

  55.   context "when the project exists" do
    56. 

  56.     let(:path) { "#{project.path_with_namespace}.git" }
    57. 

  57. 

  58.     context "when the project is public" do
    59. 

  59.       before do
    60. 

  60.         project.update_attribute(:visibility_level, Project::PUBLIC)
    61. 

  61.       end
    62. 

  62. 

  63.       it "downloads get status 200" do
    64. 

  64.         download(path, {}) do |response|
    65. 

  65.           expect(response.status).to eq(200)
    66. 

  66.         end
    67. 

  67.       end
    68. 

  68. 

  69.       it "uploads get status 401" do
    70. 

  70.         upload(path, {}) do |response|
    71. 

  71.           expect(response.status).to eq(401)
    72. 

  72.         end
    73. 

  73.       end
    74. 

  74. 

  75.       context "with correct credentials" do
    76. 

  76.         let(:env) { { user: user.username, password: user.password } }
    77. 

  77. 

  78.         it "uploads get status 200 (because Git hooks do the real check)" do
    79. 

  79.           upload(path, env) do |response|
    80. 

  80.             expect(response.status).to eq(200)
    81. 

  81.           end
    82. 

  82.         end
    83. 

  83. 

  84.         context 'but git-receive-pack is disabled' do
    85. 

  85.           it "responds with status 404" do
    86. 

  86.             allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
    87. 

  87. 

  88.             upload(path, env) do |response|
    89. 

  89.               expect(response.status).to eq(404)
    90. 

  90.             end
    91. 

  91.           end
    92. 

  92.         end
    93. 

  93.       end
    94. 

  94. 

  95.       context 'but git-upload-pack is disabled' do
    96. 

  96.         it "responds with status 404" do
    97. 

  97.           allow(Gitlab.config.gitlab_shell).to receive(:upload_pack).and_return(false)
    98. 

  98. 

  99.           download(path, {}) do |response|
    100. 

  100.             expect(response.status).to eq(404)
    101. 

  101.           end
    102. 

  102.         end
    103. 

  103.       end
    104. 

  104.     end
    105. 

  105. 

  106.     context "when the project is private" do
    107. 

  107.       before do
    108. 

  108.         project.update_attribute(:visibility_level, Project::PRIVATE)
    109. 

  109.       end
    110. 

  110. 

  111.       context "when no authentication is provided" do
    112. 

  112.         it "responds with status 401 to downloads" do
    113. 

  113.           download(path, {}) do |response|
    114. 

  114.             expect(response.status).to eq(401)
    115. 

  115.           end
    116. 

  116.         end
    117. 

  117. 

  118.         it "responds with status 401 to uploads" do
    119. 

  119.           upload(path, {}) do |response|
    120. 

  120.             expect(response.status).to eq(401)
    121. 

  121.           end
    122. 

  122.         end
    123. 

  123.       end
    124. 

  124. 

  125.       context "when username and password are provided" do
    126. 

  126.         let(:env) { { user: user.username, password: 'nope' } }
    127. 

  127. 

  128.         context "when authentication fails" do
    129. 

  129.           it "responds with status 401" do
    130. 

  130.             download(path, env) do |response|
    131. 

  131.               expect(response.status).to eq(401)
    132. 

  132.             end
    133. 

  133.           end
    134. 

  134. 

  135.           context "when the user is IP banned" do
    136. 

  136.             it "responds with status 401" do
    137. 

  137.               expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
    138. 

  138.               allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
    139. 

  139. 

  140.               clone_get(path, env)
    141. 

  141. 

  142.               expect(response.status).to eq(401)
    143. 

  143.             end
    144. 

  144.           end
    145. 

  145.         end
    146. 

  146. 

  147.         context "when authentication succeeds" do
    148. 

  148.           let(:env) { { user: user.username, password: user.password } }
    149. 

  149. 

  150.           context "when the user has access to the project" do
    151. 

  151.             before do
    152. 

  152.               project.team << [user, :master]
    153. 

  153.             end
    154. 

  154. 

  155.             context "when the user is blocked" do
    156. 

  156.               it "responds with status 404" do
    157. 

  157.                 user.block
    158. 

  158.                 project.team << [user, :master]
    159. 

  159. 

  160.                 download(path, env) do |response|
    161. 

  161.                   expect(response.status).to eq(404)
    162. 

  162.                 end
    163. 

  163.               end
    164. 

  164.             end
    165. 

  165. 

  166.             context "when the user isn't blocked" do
    167. 

  167.               it "downloads get status 200" do
    168. 

  168.                 expect(Rack::Attack::Allow2Ban).to receive(:reset)
    169. 

  169. 

  170.                 clone_get(path, env)
    171. 

  171. 

  172.                 expect(response.status).to eq(200)
    173. 

  173.               end
    174. 

  174. 

  175.               it "uploads get status 200" do
    176. 

  176.                 upload(path, env) do |response|
    177. 

  177.                   expect(response.status).to eq(200)
    178. 

  178.                 end
    179. 

  179.               end
    180. 

  180.             end
    181. 

  181. 

  182.             context "when an oauth token is provided" do
    183. 

  183.               before do
    184. 

  184.                 application = Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)
    185. 

  185.                 @token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id)
    186. 

  186.               end
    187. 

  187. 

  188.               it "downloads get status 200" do
    189. 

  189.                 clone_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
    190. 

  190. 

  191.                 expect(response.status).to eq(200)
    192. 

  192.               end
    193. 

  193. 

  194.               it "uploads get status 401 (no project existence information leak)" do
    195. 

  195.                 push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
    196. 

  196. 

  197.                 expect(response.status).to eq(401)
    198. 

  198.               end
    199. 

  199.             end
    200. 

  200. 

  201.             context "when blank password attempts follow a valid login" do
    202. 

  202.               def attempt_login(include_password)
    203. 

  203.                 password = include_password ? user.password : ""
    204. 

  204.                 clone_get path, user: user.username, password: password
    205. 

  205.                 response.status
    206. 

  206.               end
    207. 

  207. 

  208.               it "repeated attempts followed by successful attempt" do
    209. 

  209.                 options = Gitlab.config.rack_attack.git_basic_auth
    210. 

  210.                 maxretry = options[:maxretry] - 1
    211. 

  211.                 ip = '1.2.3.4'
    212. 

  212. 

  213.                 allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)
    214. 

  214.                 Rack::Attack::Allow2Ban.reset(ip, options)
    215. 

  215. 

  216.                 maxretry.times.each do
    217. 

  217.                   expect(attempt_login(false)).to eq(401)
    218. 

  218.                 end
    219. 

  219. 

  220.                 expect(attempt_login(true)).to eq(200)
    221. 

  221.                 expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey
    222. 

  222. 

  223.                 maxretry.times.each do
    224. 

  224.                   expect(attempt_login(false)).to eq(401)
    225. 

  225.                 end
    226. 

  226. 

  227.                 Rack::Attack::Allow2Ban.reset(ip, options)
    228. 

  228.               end
    229. 

  229.             end
    230. 

  230.           end
    231. 

  231. 

  232.           context "when the user doesn't have access to the project" do
    233. 

  233.             it "downloads get status 404" do
    234. 

  234.               download(path, user: user.username, password: user.password) do |response|
    235. 

  235.                 expect(response.status).to eq(404)
    236. 

  236.               end
    237. 

  237.             end
    238. 

  238. 

  239.             it "uploads get status 200 (because Git hooks do the real check)" do
    240. 

  240.               upload(path, user: user.username, password: user.password) do |response|
    241. 

  241.                 expect(response.status).to eq(200)
    242. 

  242.               end
    243. 

  243.             end
    244. 

  244.           end
    245. 

  245.         end
    246. 

  246.       end
    247. 

  247. 

  248.       context "when a gitlab ci token is provided" do
    249. 

  249.         let(:token) { 123 }
    250. 

  250.         let(:project) { FactoryGirl.create :empty_project }
    251. 

  251. 

  252.         before do
    253. 

  253.           project.update_attributes(runners_token: token, builds_enabled: true)
    254. 

  254.         end
    255. 

  255. 

  256.         it "downloads get status 200" do
    257. 

  257.           clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
    258. 

  258. 

  259.           expect(response.status).to eq(200)
    260. 

  260.         end
    261. 

  261. 

  262.         it "uploads get status 401 (no project existence information leak)" do
    263. 

  263.           push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: token
    264. 

  264. 

  265.           expect(response.status).to eq(401)
    266. 

  266.         end
    267. 

  267.       end
    268. 

  268.     end
    269. 

  269.   end
    270. 

  270. 

  271.   context "when the project path doesn't end in .git" do
    272. 

  272.     context "GET info/refs" do
    273. 

  273.       let(:path) { "/#{project.path_with_namespace}/info/refs" }
    274. 

  274. 

  275.       context "when no params are added" do
    276. 

  276.         before { get path }
    277. 

  277. 

  278.         it "redirects to the .git suffix version" do
    279. 

  279.           expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs")
    280. 

  280.         end
    281. 

  281.       end
    282. 

  282. 

  283.       context "when the upload-pack service is requested" do
    284. 

  284.         let(:params) { { service: 'git-upload-pack' } }
    285. 

  285.         before { get path, params }
    286. 

  286. 

  287.         it "redirects to the .git suffix version" do
    288. 

  288.           expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs?service=#{params[:service]}")
    289. 

  289.         end
    290. 

  290.       end
    291. 

  291. 

  292.       context "when the receive-pack service is requested" do
    293. 

  293.         let(:params) { { service: 'git-receive-pack' } }
    294. 

  294.         before { get path, params }
    295. 

  295. 

  296.         it "redirects to the .git suffix version" do
    297. 

  297.           expect(response).to redirect_to("/#{project.path_with_namespace}.git/info/refs?service=#{params[:service]}")
    298. 

  298.         end
    299. 

  299.       end
    300. 

  300. 

  301.       context "when the params are anything else" do
    302. 

  302.         let(:params) { { service: 'git-implode-pack' } }
    303. 

  303.         before { get path, params }
    304. 

  304. 

  305.         it "redirects to the sign-in page" do
    306. 

  306.           expect(response).to redirect_to(new_user_session_path)
    307. 

  307.         end
    308. 

  308.       end
    309. 

  309.     end
    310. 

  310. 

  311.     context "POST git-upload-pack" do
    312. 

  312.       it "fails to find a route" do
    313. 

  313.         expect { clone_post(project.path_with_namespace) }.to raise_error(ActionController::RoutingError)
    314. 

  314.       end
    315. 

  315.     end
    316. 

  316. 

  317.     context "POST git-receive-pack" do
    318. 

  318.       it "failes to find a route" do
    319. 

  319.         expect { push_post(project.path_with_namespace) }.to raise_error(ActionController::RoutingError)
    320. 

  320.       end
    321. 

  321.     end
    322. 

  322.   end
    323. 

  323. 

  324.   context "retrieving an info/refs file" do
    325. 

  325.     before { project.update_attribute(:visibility_level, Project::PUBLIC) }
    326. 

  326. 

  327.     context "when the file exists" do
    328. 

  328.       before do
    329. 

  329.         # Provide a dummy file in its place
    330. 

  330.         allow_any_instance_of(Repository).to receive(:blob_at).and_call_original
    331. 

  331.         allow_any_instance_of(Repository).to receive(:blob_at).with('5937ac0a7beb003549fc5fd26fc247adbce4a52e', 'info/refs') do
    332. 

  332.           Gitlab::Git::Blob.find(project.repository, 'master', '.gitignore')
    333. 

  333.         end
    334. 

  334. 

  335.         get "/#{project.path_with_namespace}/blob/master/info/refs"
    336. 

  336.       end
    337. 

  337. 

  338.       it "returns the file" do
    339. 

  339.         expect(response.status).to eq(200)
    340. 

  340.       end
    341. 

  341.     end
    342. 

  342. 

  343.     context "when the file does not exist" do
    344. 

  344.       before { get "/#{project.path_with_namespace}/blob/master/info/refs" }
    345. 

  345. 

  346.       it "returns not found" do
    347. 

  347.         expect(response.status).to eq(404)
    348. 

  348.       end
    349. 

  349.     end
    350. 

  350.   end
    351. 

  351. 

  352.   def clone_get(project, options={})
    353. 

  353.     get "/#{project}/info/refs", { service: 'git-upload-pack' }, auth_env(*options.values_at(:user, :password))
    354. 

  354.   end
    355. 

  355. 

  356.   def clone_post(project, options={})
    357. 

  357.     post "/#{project}/git-upload-pack", {}, auth_env(*options.values_at(:user, :password))
    358. 

  358.   end
    359. 

  359. 

  360.   def push_get(project, options={})
    361. 

  361.     get "/#{project}/info/refs", { service: 'git-receive-pack' }, auth_env(*options.values_at(:user, :password))
    362. 

  362.   end
    363. 

  363. 

  364.   def push_post(project, options={})
    365. 

  365.     post "/#{project}/git-receive-pack", {}, auth_env(*options.values_at(:user, :password))
    366. 

  366.   end
    367. 

  367. 

  368.   def download(project, user: nil, password: nil)
    369. 

  369.     args = [project, { user: user, password: password }]
    370. 

  370. 

  371.     clone_get(*args)
    372. 

  372.     yield response
    373. 

  373. 

  374.     clone_post(*args)
    375. 

  375.     yield response
    376. 

  376.   end
    377. 

  377. 

  378.   def upload(project, user: nil, password: nil)
    379. 

  379.     args = [project, { user: user, password: password }]
    380. 

  380. 

  381.     push_get(*args)
    382. 

  382.     yield response
    383. 

  383. 

  384.     push_post(*args)
    385. 

  385.     yield response
    386. 

  386.   end
    387. 

  387. 

  388.   def auth_env(user, password)
    389. 

  389.     if user && password
    390. 

  390.       { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(user, password) }
    391. 

  391.     else
    392. 

  392.       {}
    393. 

  393.     end
    394. 

  394.   end
    395. 

  395. end
    396. 

  396.