re-integrate repository_authentication plugin

pull/1623/head
Philipp Tessenow 10 years ago committed by Christian Ratz
parent d57d09b4c1
commit a7b021d010
  1. 47
      app/controllers/sys_controller.rb
  2. 2
      app/views/settings/_repositories.html.erb
  3. 1
      config/locales/de.yml
  4. 1
      config/locales/en.yml
  5. 2
      config/settings.yml
  6. 35
      lib/open_project/repository_authentication.rb
  7. 228
      spec/controllers/sys_controller_spec.rb

@ -29,6 +29,7 @@
class SysController < ActionController::Base
before_filter :check_enabled
before_filter :require_basic_auth, :only => [ :repo_auth ]
def projects
p = Project.active.has_module(:repository).find(:all, :include => :repository, :order => 'identifier')
@ -70,6 +71,19 @@ class SysController < ActionController::Base
render :nothing => true, :status => 404
end
def repo_auth
@project = Project.find_by_identifier(params[:repository])
if ( %w(GET PROPFIND REPORT OPTIONS).include?(params[:method]) &&
@authenticated_user.allowed_to?(:browse_repository, @project) ) ||
@authenticated_user.allowed_to?(:commit_access, @project)
render :text => "Access granted"
return
end
render :text => "Not allowed", :status => 403 # default to deny
end
protected
def check_enabled
@ -79,4 +93,37 @@ class SysController < ActionController::Base
return false
end
end
private
def require_basic_auth
authenticate_with_http_basic do |username, password|
@authenticated_user = cached_user_login(username, password)
return true if @authenticated_user
end
response.headers["WWW-Authenticate"] = 'Basic realm="Repository Authentication"'
render :text => "Authorization required", :status => 401
false
end
def user_login(username, password)
User.try_to_login(username, password)
end
def cached_user_login(username, password)
unless Setting.repository_authentication_caching_enabled?
return user_login(username, password)
end
user = nil
user_id = Rails.cache.fetch(OpenProject::RepositoryAuthentication::CACHE_PREFIX + Digest::SHA1.hexdigest("#{username}#{password}"),
:expires_in => OpenProject::RepositoryAuthentication::CACHE_EXPIRES_AFTER) do
user = user_login(username, password)
user ? user.id.to_s : '-1'
end
return nil if user_id.blank? or user_id == '-1'
user || User.find_by_id(user_id.to_i)
end
end

@ -48,6 +48,8 @@ See doc/COPYRIGHT.rdoc for more details.
<em><%= l(:text_comma_separated) %></em></p>
<p><%= setting_text_field :repository_log_display_limit, :size => 6 %></p>
<p><%= setting_check_box :repository_authentication_caching_enabled %></p>
</div>
<fieldset class="box tabular settings"><legend><%= l(:text_work_packages_ref_in_commit_messages) %></legend>

@ -1307,6 +1307,7 @@ de:
setting_plain_text_mail: "Nur reinen Text (kein HTML) senden"
setting_protocol: "Protokoll"
setting_repositories_encodings: "Kodierungen der Projektarchive"
setting_repository_authentication_caching_enabled: "Aktiviere Cache für Authentifizierungsversuche von Versionskontrollsoftware"
setting_repository_log_display_limit: "Maximale Anzahl anzuzeigender Revisionen in der Historie einer Datei"
setting_rest_api_enabled: "REST-Schnittstelle aktivieren"
setting_self_registration: "Anmeldung ermöglicht"

@ -1295,6 +1295,7 @@ en:
setting_plain_text_mail: "Plain text mail (no HTML)"
setting_protocol: "Protocol"
setting_repositories_encodings: "Repositories encodings"
setting_repository_authentication_caching_enabled: "Enable caching for authentication request of version control software"
setting_repository_log_display_limit: "Maximum number of revisions displayed on file log"
setting_rest_api_enabled: "Enable REST web service"
setting_self_registration: "Self-registration"

@ -133,6 +133,8 @@ sys_api_enabled:
default: 0
sys_api_key:
default: ''
repository_authentication_caching_enabled:
default: true
commit_ref_keywords:
default: 'refs,references,IssueID'
commit_fix_keywords:

@ -0,0 +1,35 @@
#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2014 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
module OpenProject
module RepositoryAuthentication
CACHE_PREFIX = "openproject/repository_authentication/login_"
CACHE_EXPIRES_AFTER = 10.minutes
end
end

@ -0,0 +1,228 @@
require 'spec_helper'
module OpenProjectRepositoryAuthenticationSpecs
describe SysController do
let(:commit_role) { FactoryGirl.create(:role, :permissions => [:commit_access,
:browse_repository]) }
let(:browse_role) { FactoryGirl.create(:role, :permissions => [:browse_repository]) }
let(:guest_role) { FactoryGirl.create(:role, :permissions => []) }
let(:valid_user_password) { "Top Secret Password" }
let(:valid_user) { FactoryGirl.create(:user, :login => "johndoe",
:password => valid_user_password,
:password_confirmation => valid_user_password)}
before(:each) do
FactoryGirl.create(:non_member, :permissions => [:browse_repository])
DeletedUser.first # creating it first in order to avoid problems with should_receive
random_project = FactoryGirl.create(:project, :is_public => false)
@member = FactoryGirl.create(:member, :user => valid_user,
:roles => [browse_role],
:project => random_project)
Setting.stub(:sys_api_key).and_return("12345678")
Setting.stub(:sys_api_enabled?).and_return(true)
end
describe :repo_auth, "for valid login, but no access to repo_auth" do
before(:each) do
@key = Setting.sys_api_key
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
post "repo_auth", { :key => @key, :repository => "without-access", :method => "GET" }
end
it "should respond 403 not allowed" do
response.code.should == "403"
response.body.should == "Not allowed"
end
end
describe :repo_auth, "for valid login and user has browse repository permission (role reporter) for project" do
before(:each) do
@key = Setting.sys_api_key
@project = FactoryGirl.create(:project, :is_public => false)
@member = FactoryGirl.create(:member, :user => valid_user,
:roles => [browse_role],
:project => @project)
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
end
it "should respond 200 okay dokay for GET" do
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "GET" }
response.code.should == "200"
end
it "should respond 403 not allowed for POST" do
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "POST" }
response.code.should == "403"
end
end
describe :repo_auth, "for valid login and user has commit access permission (role developer) for project" do
before(:each) do
@key = Setting.sys_api_key
@project = FactoryGirl.create(:project, :is_public => false)
@member = FactoryGirl.create(:member, :user => valid_user,
:roles => [commit_role],
:project => @project )
valid_user.save
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
end
it "should respond 200 okay dokay for GET" do
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "GET" }
response.code.should == "200"
end
it "should respond 200 okay dokay for POST" do
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "POST" }
response.code.should == "200"
end
end
describe :repo_auth, "for invalid login and user has role manager for project" do
before(:each) do
@key = Setting.sys_api_key
@project = FactoryGirl.create(:project, :is_public => false )
@member = FactoryGirl.create(:member, :user => valid_user,
:roles => [commit_role],
:project => @project)
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password + "made invalid")
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "GET" }
end
it "should respond 401 auth required" do
response.code.should == "401"
end
end
describe :repo_auth, "for valid login and user is not member for project" do
before(:each) do
@key = Setting.sys_api_key
@project = FactoryGirl.create(:project, :is_public => false)
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "GET" }
end
it "should respond 403 not allowed" do
response.code.should == "403"
end
end
describe :repo_auth, "for valid login and project is public" do
before(:each) do
@key = Setting.sys_api_key
@project = FactoryGirl.create(:project, :is_public => true)
random_project = FactoryGirl.create(:project, :is_public => false)
@member = FactoryGirl.create(:member, :user => valid_user,
:roles => [browse_role],
:project => random_project)
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
post "repo_auth", { :key => @key, :repository => @project.identifier, :method => "GET" }
end
it "should respond 200 OK" do
response.code.should == "200"
end
end
describe :repo_auth, "for invalid credentials" do
before(:each) do
@key = Setting.sys_api_key
post "repo_auth", { :key => @key, :repository => "any-repo", :method => "GET" }
end
it "should respond 401 auth required" do
response.code.should == "401"
response.body.should == "Authorization required"
end
end
describe :repo_auth, "for invalid api key" do
before(:each) do
@key = "invalid"
end
it "should respond 403 for valid username/password" do
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(valid_user.login, valid_user_password)
post "repo_auth", { :key => @key, :repository => "any-repo", :method => "GET" }
response.code.should == "403"
response.body.should == "Access denied. Repository management WS is disabled or key is invalid."
end
it "should respond 403 for invalid username/password" do
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("invalid", "invalid")
post "repo_auth", { :key => @key, :repository => "any-repo", :method => "GET" }
response.code.should == "403"
response.body.should == "Access denied. Repository management WS is disabled or key is invalid."
end
end
before(:each) do
Rails.cache.clear
Rails.cache.stub(:kind_of?).with(anything).and_return(false)
end
describe :cached_user_login do
let(:cache_key) { OpenProject::RepositoryAuthentication::CACHE_PREFIX +
Digest::SHA1.hexdigest("#{valid_user.login}#{valid_user_password}") }
let(:cache_expiry) { OpenProject::RepositoryAuthentication::CACHE_EXPIRES_AFTER }
it "should call user_login only once when called twice" do
controller.should_receive(:user_login).once.and_return(valid_user)
2.times { controller.send(:cached_user_login, valid_user.login, valid_user_password) }
end
it "should return the same as user_login for valid creds" do
controller.send(:cached_user_login, valid_user.login, valid_user_password).should ==
controller.send(:user_login, valid_user.login, valid_user_password)
end
it "should return the same as user_login for invalid creds" do
controller.send(:cached_user_login, "invalid", "invalid").should ==
controller.send(:user_login, "invalid", "invalid")
end
it "should use cache" do
# allow the cache to return something reasonable for
# other requests, while ensuring that it is not queried
# with the cache key in question
# unfortunately, and_call_original currently fails
Rails.cache.stub(:fetch) do |*args|
args.first.should_not == cache_key
name = args.first.split("/").last
Marshal.dump(Setting.send(:find_or_default, name).value)
end
#Rails.cache.should_receive(:fetch).with(anything).and_call_original
Rails.cache.should_receive(:fetch).with(cache_key, :expires_in => cache_expiry) \
.and_return(Marshal.dump(valid_user.id.to_s))
controller.send(:cached_user_login, valid_user.login, valid_user_password)
end
describe "with caching disabled" do
before do
Setting.stub(:repository_authentication_caching_enabled?).and_return false
end
it 'should not use a cache' do
# allow the cache to return something reasonable for
# other requests, while ensuring that it is not queried
# with the cache key in question
#
# unfortunately, and_call_original currently fails
Rails.cache.stub(:fetch) do |*args|
args.first.should_not == cache_key
name = args.first.split("/").last
Marshal.dump(Setting.send(:find_or_default, name).value)
end
controller.send(:cached_user_login, valid_user.login, valid_user_password)
end
end
end
end
end
Loading…
Cancel
Save