As mentioned in
https://gitlab.com/gitlab-org/gitlab-ee/issues/9035#note_129093444,
Rails 5 switched ActionDispatch::Request so that it no longer inherits
Rack::Request directly. A middleware that uses Rack::Request to
read the environment may see stale request parameters if
another middleware modifies the environment via ActionDispatch::Request.
To be safe, we should be using ActionDispatch::Request everywhere.
Updates specs to use new rails5 format.
The old format:
`get :show, { some: params }, { some: headers }`
The new format:
`get :show, params: { some: params }, headers: { some: headers }`
Before the push git would make a call to
`/:namespace/:project/git-receive-pack`. This would perform an access
check without a ref. So the `Project#branch_allows_maintainer_push?`
would return false.
This adjusts `Project#branch_allows_maintainer_push?` to return true
when passing no branch name if there are merge requests open that
would allow the user to push.
The actual check then happens when a call to
`/api/v4/internal/allowed` is made from a git hook.
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.
* The spec has 7 failures at this point
* Specify rendered error messages
* Render the GitAccess message rather than “Access denied”
* Render the Not Found message provided by GitAccess, instead of a custom one
* Expect GitAccess to check the config for whether Git-over-HTTP pull or push is disabled, rather than doing it in the controller
* Add more thorough testing for authentication
* Dried up a lot of tests
* Fixed some broken tests
- We currently support fetching code with username = 'oauth2' and
password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
error.
- There's no reason this shouldn't be enabled, especially since we allow the
OAuth client to create deploy keys with push access:
https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
Gitlab::Auth.find_with_user_password is currently used in these places:
- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
which is used for the OAuth Resource Owner Password Credentials flow
- the /session API call in lib/api/session.rb, which is used to reveal
the user's current authentication_token
In both cases users should only be authenticated if they're in the
active state.
Horatiu Eugen Vlad
Mark Chao
Stan Hu
blackst0ne
Francisco Javier López
Tiago Botelho
Imre Farkas
Bob Van Landuyt
Jacob Vosmaer (GitLab)
Michael Kozono
Nick Thomas
Mayra Cabrera
Markus Koller
Jacopo
Robert Speicher
Gabriel Mazetto
Rémy Coutable
Sean McGivern
Robin Bobbitt
Paul Charlton
Grzegorz Bizon
Douwe Maan
Sean McGivern
James Lopez
Timothy Andrew
Semyon Pupkov