Skip to content

Commit

Permalink
Panic with GitLab project repository auth (#1113)
Browse files Browse the repository at this point in the history 
* panic with GitLab project repository auth

* /api/v4/projects/:id can return nil permissions

Signed-off-by: Piers Harding <piers@ompka.net>

* Add GitLab test for group no access

Signed-off-by: Piers Harding <piers@ompka.net>
@piersharding
piersharding authored Mar 25, 2021
1 parent 5788beb commit 73d9f38
Showing 2 changed files with 30 additions and 1 deletion.
7 changes: 6 additions & 1 deletion providers/gitlab.go
View file
Original file line number Diff line number Diff line change
@@ -329,9 +329,14 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
if perms == nil {
// use group project access as fallback
perms = projectInfo.Permissions.GroupAccess
// group project access is not set for this user then we give up
if perms == nil {
logger.Errorf("Warning: user %q has no project level access to %s", s.Email, project.Name)
continue
}
}

if perms.AccessLevel >= project.AccessLevel {
if perms != nil && perms.AccessLevel >= project.AccessLevel {
s.Groups = append(s.Groups, fmt.Sprintf("project:%s", project.Name))
} else {
logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
24 changes: 24 additions & 0 deletions providers/gitlab_test.go
View file
Original file line number Diff line number Diff line change
@@ -41,6 +41,7 @@ func testGitLabBackend() *httptest.Server {
"groups": ["foo", "bar"]
}
`

projectInfo := `
{
"name": "MyProject",
@@ -56,6 +57,18 @@ func testGitLabBackend() *httptest.Server {
}
`

noAccessProjectInfo := `
{
"name": "NoAccessProject",
"archived": false,
"path_with_namespace": "no_access_group/no_access_project",
"permissions": {
"project_access": null,
"group_access": null,
}
}
`

personalProjectInfo := `
{
"name": "MyPersonalProject",
@@ -105,6 +118,13 @@ func testGitLabBackend() *httptest.Server {
} else {
w.WriteHeader(401)
}
case "/api/v4/projects/no_access_group/no_access_project":
if r.Header["Authorization"][0] == authHeader {
w.WriteHeader(200)
w.Write([]byte(noAccessProjectInfo))
} else {
w.WriteHeader(401)
}
case "/api/v4/projects/my_group/my_archived_project":
if r.Header["Authorization"][0] == authHeader {
w.WriteHeader(200)
@@ -219,6 +239,10 @@ var _ = Describe("Gitlab Provider Tests", func() {
expectedValue: nil,
projects: []string{"my_group/my_project=40"},
}),
Entry("project membership invalid on group project, no access at all", entitiesTableInput{
expectedValue: nil,
projects: []string{"no_access_group/no_access_project=30"},
}),
Entry("project membership valid on personnal project", entitiesTableInput{
expectedValue: []string{"project:my_profile/my_personal_project"},
projects: []string{"my_profile/my_personal_project"},

0 comments on commit 73d9f38

Please sign in to comment.