Create a new issue via: incoming+group/project+AUTH_TOKEN@...

lib/gitlab/email/receiver.rb

@@ -60,6 +60,7 @@ module Gitlab
 
       def process_create_issue
         validate_permission!(message_sender, message_project, :create_issue)
+        validate_authentication_token!(message_sender)
 
         issue = Issues::CreateService.new(
           message_project,
@@ -85,6 +86,11 @@ module Gitlab
         raise UserNotAuthorizedError unless author.can?(permission, project)
       end
 
+      def validate_authentication_token!(author)
+        raise UserNotAuthorizedError unless author.authentication_token ==
+                                              authentication_token
+      end
+
       # Find the first matched user in database from email From: section
       # TODO: Since this address could be forged, we should have some kind of
       #       auth token attached somewhere to verify the identity better.
@@ -97,7 +103,7 @@ module Gitlab
 
       def message_project
         @message_project ||=
-          Project.find_with_namespace(reply_key) if reply_key
+          Project.find_with_namespace(project_namespace) if reply_key
       end
 
       def process_reply(project)
@@ -118,6 +124,14 @@ module Gitlab
         key_from_to_header || key_from_additional_headers
       end
 
+      def authentication_token
+        reply_key[/[^\+]+$/]
+      end
+
+      def project_namespace
+        reply_key[/^[^\+]+/]
+      end
+
       def key_from_to_header
         key = nil
         message.to.each do |address|

spec/fixtures/emails/valid_new_issue.eml

@@ -5,7 +5,7 @@ Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incom
 Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
 Date: Thu, 13 Jun 2013 17:03:48 -0400
 From: Jake the Dog <jake@adventuretime.ooo>
-To: incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo
+To: incoming+gitlabhq/gitlabhq+auth_token@appmail.adventuretime.ooo
 Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
 Subject: New Issue by email
 Mime-Version: 1.0

spec/fixtures/emails/valid_new_issue_empty.eml

@@ -5,7 +5,7 @@ Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incom
 Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
 Date: Thu, 13 Jun 2013 17:03:48 -0400
 From: Jake the Dog <jake@adventuretime.ooo>
-To: incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo
+To: incoming+gitlabhq/gitlabhq+auth_token@appmail.adventuretime.ooo
 Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
 Subject: New Issue by email
 Mime-Version: 1.0

spec/fixtures/emails/wrong_authentication_token.eml

@@ -0,0 +1,18 @@
+Return-Path: <jake@adventuretime.ooo>
+Received: from iceking.adventuretime.ooo ([unix socket]) by iceking (Cyrus v2.2.13-Debian-2.2.13-19+squeeze3) with LMTPA; Thu, 13 Jun 2013 17:03:50 -0400
+Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by iceking.adventuretime.ooo (8.14.3/8.14.3/Debian-9.4) with ESMTP id r5DL3nFJ016967 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 17:03:50 -0400
+Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 14:03:48 -0700
+Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
+Date: Thu, 13 Jun 2013 17:03:48 -0400
+From: Jake the Dog <jake@adventuretime.ooo>
+To: incoming+gitlabhq/gitlabhq+bad_token@appmail.adventuretime.ooo
+Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
+Subject: New Issue by email
+Mime-Version: 1.0
+Content-Type: text/plain;
+ charset=ISO-8859-1
+Content-Transfer-Encoding: 7bit
+X-Sieve: CMU Sieve 2.2
+X-Received: by 10.0.0.1 with SMTP id n7mr11234144ipb.85.1371157428600; Thu,
+ 13 Jun 2013 14:03:48 -0700 (PDT)
+X-Scanned-By: MIMEDefang 2.69 on IPv6:2001:470:1d:165::1

spec/lib/gitlab/email/receiver_spec.rb

@@ -171,7 +171,13 @@ describe Gitlab::Email::Receiver, lib: true do
     end
 
     let(:sent_notification) {}
-    let!(:user)     { create(:user, email: 'jake@adventuretime.ooo') }
+    let!(:user) do
+      create(
+        :user,
+        email: 'jake@adventuretime.ooo',
+        authentication_token: 'auth_token'
+      )
+    end
     let(:namespace) { create(:namespace, path: 'gitlabhq') }
     let(:project)   { create(:project, :public, namespace: namespace) }
     let(:email_raw) { fixture_file('emails/valid_new_issue.eml') }
@@ -215,6 +221,18 @@ describe Gitlab::Email::Receiver, lib: true do
           expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::InvalidIssueError)
         end
       end
+
+      context "when the authentication_token token didn't match" do
+        let!(:email_raw) { fixture_file("emails/wrong_authentication_token.eml") }
+
+        before do
+          project
+        end
+
+        it "raises an UserNotAuthorizedError" do
+          expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::UserNotAuthorizedError)
+        end
+      end
     end
   end
 end