Commit 7379f716 authored by Jessie Young's avatar Jessie Young :heart_exclamation:

Merge branch '375489-download-install-gitlab-release-binary-via-private-homebrew-tap' into 'master'

Allow sessionless users to download releases

See merge request !109217



Merged-by: Jessie Young's avatarJessie Young <jessieyoung@gitlab.com>
Approved-by: default avatarAlishan Ladhani <aladhani@gitlab.com>
Approved-by: default avatarShinya Maeda <shinya@gitlab.com>
Approved-by: Jessie Young's avatarJessie Young <jessieyoung@gitlab.com>
Reviewed-by: default avatarAlishan Ladhani <aladhani@gitlab.com>
Co-authored-by: Allen Cook's avatarAllen Cook <acook@gitlab.com>
parents c7ed822a 53d4ed64

      ......@@ -9,6 +9,10 @@ class Projects::ReleasesController < Projects::ApplicationController
      before_action :authorize_create_release!, only: :new
      before_action :validate_suffix_path, :fetch_latest_tag, only: :latest_permalink
      prepend_before_action(only: [:downloads]) do
      authenticate_sessionless_user!(:download) if Feature.enabled?(:allow_release_as_web_access_format)
      end
      feature_category :release_orchestration
      urgency :low
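Review bot: The new `prepend_before_action(only: [:downloads])` block carries no comment explaining why session-less (token) authentication is opened for this single action, why it is prepended rather than appended, or why it is feature-flagged; the next reader of this controller will have to find MR !109217 to learn that. I would add above it: `# Release assets may be fetched without a browser session (token auth), but only on :downloads; prepended so current_user is resolved before the remaining filters run. Gated by allow_release_as_web_access_format.` Separately, `Feature.enabled?(:allow_release_as_web_access_format)` is evaluated without an actor, so the flag can only be toggled globally; if the linked rollout issue intends a gradual rollout, `Feature.enabled?(:allow_release_as_web_access_format, project)` would allow enabling it per project first. The surrounding class body continues outside the hunk.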
      ......
      ---
      name: allow_release_as_web_access_format
      introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109217
      rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/388471
      milestone: '15.8'
      type: development
      group: group::release
      default_enabled: false
      ......@@ -121,6 +121,7 @@ def find_user_from_personal_access_token
      # It is also used by GraphQL/API requests.
      # And to allow accessing /archive programatically as it was a big pain point
      # for users https://gitlab.com/gitlab-org/gitlab/-/issues/28978.
      # Used for release downloading as well
      def find_user_from_web_access_token(request_format, scopes: [:api])
      return unless access_token && valid_web_access_format?(request_format)
      ......@@ -301,6 +302,8 @@ def valid_web_access_format?(request_format)
      api_request?
      when :archive
      archive_request?
      when :download
      download_request?
      end
      end
      ......@@ -352,6 +355,10 @@ def archive_request?
      current_request.path.include?('/-/archive/')
      end
      def download_request?
      current_request.path.include?('/downloads/')
      end
      def blob_request?
      current_request.path.include?('/raw/')
      end
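Review bot: `download_request?` decides that a request is a release download by `current_request.path.include?('/downloads/')`, a plain substring test that, on its own, also matches any route whose path happens to contain that segment (presumably a namespace or project literally named "downloads" too); it is only a safe gate because the `:download` format is passed solely from the releases controller's `:downloads` action. That dependency is not written down anywhere in this file, and the comment added at the top of `find_user_from_web_access_token` ("Used for release downloading as well") does not mention it. I would document it on the new method: `# Substring match only; callers must pass :download exclusively from the release downloads action, otherwise this would accept tokens on unrelated paths.` It is also worth noting on the `when :download` arm that the new format inherits the method's `scopes: [:api]` default, so the token presented on a download must carry that scope.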
      ......
      ......@@ -470,7 +470,7 @@ def set_bearer_token(token)
      expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
      end
      context 'no feed, API or archive requests' do
      context 'no feed, API, archive or download requests' do
      it 'returns nil if the request is not RSS' do
      expect(find_user_from_web_access_token(:rss)).to be_nil
      end
      ......@@ -486,6 +486,10 @@ def set_bearer_token(token)
      it 'returns nil if the request is not ARCHIVE' do
      expect(find_user_from_web_access_token(:archive)).to be_nil
      end
      it 'returns nil if the request is not DOWNLOAD' do
      expect(find_user_from_web_access_token(:download)).to be_nil
      end
      end
      it 'returns the user for RSS requests' do
      ......@@ -506,6 +510,12 @@ def set_bearer_token(token)
      expect(find_user_from_web_access_token(:archive)).to eq(user)
      end
      it 'returns the user for DOWNLOAD requests' do
      set_header('SCRIPT_NAME', '/-/1.0.0/downloads/main.zip')
      expect(find_user_from_web_access_token(:download)).to eq(user)
      end
      context 'for API requests' do
      it 'returns the user' do
      set_header('SCRIPT_NAME', '/api/endpoint')
      ......
      ......@@ -8,17 +8,20 @@
      before do
      project.add_developer(user)
      login_as(user)
      end
      # Added as a request spec because of https://gitlab.com/gitlab-org/gitlab/-/issues/232386
      describe 'GET #downloads' do
      context 'filepath redirection' do
      let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
      let!(:link) { create(:release_link, release: release, name: 'linux-amd64 binaries', filepath: filepath, url: 'https://aws.example.com/s3/project/bin/hello-darwin-amd64') }
      let_it_be(:url) { "#{project_releases_path(project)}/#{release.tag}/downloads/bin/darwin-amd64" }
      let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
      let!(:link) { create(:release_link, release: release, name: 'linux-amd64 binaries', filepath: filepath, url: 'https://aws.example.com/s3/project/bin/hello-darwin-amd64') }
      let_it_be(:url) { "#{project_releases_path(project)}/#{release.tag}/downloads/bin/darwin-amd64" }
      let(:subject) { get url }
      let(:subject) { get url }
      context 'filepath redirection' do
      before do
      login_as(user)
      end
      context 'valid filepath' do
      let(:filepath) { '/bin/darwin-amd64' }
      ......@@ -47,14 +50,45 @@
      end
      end
      context 'invalid filepath' do
      let(:invalid_filepath) { 'bin/darwin-amd64' }
      context 'sessionless download authentication' do
      let(:personal_access_token) { create(:personal_access_token, user: user) }
      let(:filepath) { '/bin/darwin-amd64' }
      subject { get url, params: { private_token: personal_access_token.token } }
      context 'when allow_release_as_web_access_format FF is disabled' do
      before do
      stub_feature_flags(allow_release_as_web_access_format: false)
      end
      it 'will not allow sessionless authentication' do
      expect_next_instance_of(::Projects::ReleasesController) do |controller|
      expect(controller).not_to receive(:authenticate_sessionless_user!)
      end
      subject
      end
      end
      let(:subject) { create(:release_link, name: 'linux-amd64 binaries', filepath: invalid_filepath, url: 'https://aws.example.com/s3/project/bin/hello-darwin-amd64') }
      context 'when allow_release_as_web_access_format FF is enabled' do
      it 'will allow sessionless users to download the file' do
      subject
      it 'cannot create an invalid filepath' do
      expect { subject }.to raise_error(ActiveRecord::RecordInvalid)
      expect(controller.current_user).to eq(user)
      expect(response).to have_gitlab_http_status(:redirect)
      expect(response).to redirect_to(link.url)
      end
      end
      end
      end
      context 'invalid filepath' do
      let(:invalid_filepath) { 'bin/darwin-amd64' }
      let(:subject) { create(:release_link, name: 'linux-amd64 binaries', filepath: invalid_filepath, url: 'https://aws.example.com/s3/project/bin/hello-darwin-amd64') }
      it 'cannot create an invalid filepath' do
      expect { subject }.to raise_error(ActiveRecord::RecordInvalid)
      end
      end
      end
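Review bot: The flag-disabled example ("will not allow sessionless authentication") only asserts that `authenticate_sessionless_user!` is never received on the controller; it says nothing about the observable result, so a refactor that authenticates the token through another path would keep this test green while still serving the asset. I would assert the behaviour instead of the implementation, adding after `subject`: `expect(controller.current_user).to be_nil` and `expect(response).not_to redirect_to(link.url)`. The mirrored "FF is enabled" context has no `stub_feature_flags(allow_release_as_web_access_format: true)` even though the flag file ships `default_enabled: false`; it presumably relies on the test suite enabling flags by default, so an explicit `before { stub_feature_flags(allow_release_as_web_access_format: true) }` would make the context self-describing and symmetric with the disabled one. The enclosing `describe 'GET #downloads'` opens in the first hunk of this file and spans both hunks.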