From 27bc816a01c0ce1a457996a4f100d76751246b75 Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Mon, 29 Jul 2019 13:58:32 -0700
Subject: [PATCH] inactive accounts cannot activate a repository
---
 go.mod | 4 ++--
 go.sum | 5 ++++
 handler/api/acl/acl_test.go | 16 +++++++++----
 handler/api/acl/check.go | 3 +++
 handler/api/acl/check_test.go | 45 +++++++++++++++++++++++++++++++++--
 5 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/go.mod b/go.mod
index 73e15806..bd66f9b5 100644
--- a/go.mod
+++ b/go.mod
@@ -17,9 +17,9 @@ require (
 github.com/docker/go-connections v0.3.0
 github.com/docker/go-units v0.3.3
 github.com/drone/drone-go v1.0.5
- github.com/drone/drone-runtime v1.0.6
+ github.com/drone/drone-runtime v1.0.7
 github.com/drone/drone-ui v0.0.0-20190530175131-92ba3df1e0a9
- github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee
+ github.com/drone/drone-yaml v1.2.2
 github.com/drone/envsubst v1.0.1
 github.com/drone/go-license v1.0.2
 github.com/drone/go-login v1.0.4-0.20190311170324-2a4df4f242a2
diff --git a/go.sum b/go.sum
index 6d47f769..19b20dc6 100644
--- a/go.sum
+++ b/go.sum
@@ -52,6 +52,9 @@ github.com/drone/drone-runtime v1.0.5 h1:fEdUvKd5+l8BQaPXntjUtSIVLvGWo3Blgb/zrXL github.com/drone/drone-runtime v1.0.5/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs= github.com/drone/drone-runtime v1.0.6 h1:7aPvPCZI2uqt3IEmx/BZg+ml10+I5lE74lZ17Y7xy40= github.com/drone/drone-runtime v1.0.6/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs= +github.com/drone/drone-runtime v1.0.7-0.20190729202838-87c84080f4a1/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs= +github.com/drone/drone-runtime v1.0.7 h1:qviHrNmEdT3aYfQW3NYOuClHw2IU6CECSOfrXe8QLvY= +github.com/drone/drone-runtime v1.0.7/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs= github.com/drone/drone-ui v0.0.0-20190318170755-1ca48466a158 h1:u80WYtaGkKWVmxj1BMX9SukAqTxILzGFIKvY5as9zAc= github.com/drone/drone-ui v0.0.0-20190318170755-1ca48466a158/go.mod h1:NBtVWW7NNJpD9+huMD/5TAE1db2nrEh0i35/9Rf1MPI= github.com/drone/drone-ui v0.0.0-20190318215801-d6c3d11a1c3f h1:yMdZ/2BZFKrfMbWlc0cNH2TCXdC8MsSR0pnu3Dq4UH4= @@ -93,6 +96,8 @@ github.com/drone/drone-yaml v1.2.2-0.20190719011530-e8b24d482cda h1:vPXJLgkyScZ0 github.com/drone/drone-yaml v1.2.2-0.20190719011530-e8b24d482cda/go.mod h1:l/ehbHx9TGs4jgzhRnP5d+M9tmRsAmWyBHWAFEOXrk4= github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee h1:/zyEkv56+T6JxLkYgYYwZAMLKBgEnHA3fwZXiVI9nuE= github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee/go.mod h1:l/ehbHx9TGs4jgzhRnP5d+M9tmRsAmWyBHWAFEOXrk4= +github.com/drone/drone-yaml v1.2.2 h1:Srf8OlAHhR7SXX5Ax01dP5tpZENsrEKyg35E2nNkIew= +github.com/drone/drone-yaml v1.2.2/go.mod h1:QsqliFK8nG04AHFN9tTn9XJomRBQHD4wcejWW1uz/10= github.com/drone/envsubst v1.0.1 h1:NOOStingM2sbBwsIUeQkKUz8ShwCUzmqMxWrpXItfPE= github.com/drone/envsubst v1.0.1/go.mod h1:bkZbnc/2vh1M12Ecn7EYScpI4YGYU0etwLJICOWi8Z0= github.com/drone/go-license v1.0.2 h1:7OwndfYk+Lp/cGHkxe4HUn/Ysrrw3WYH2pnd99yrkok= diff --git a/handler/api/acl/acl_test.go b/handler/api/acl/acl_test.go index 3bb61115..2b7eb04c 100644 
--- a/handler/api/acl/acl_test.go
+++ b/handler/api/acl/acl_test.go
@@ -10,8 +10,8 @@ import (
 "net/http/httptest"
 "testing"
- "github.com/drone/drone/handler/api/request"
 "github.com/drone/drone/core"
+ "github.com/drone/drone/handler/api/request"
 "github.com/sirupsen/logrus"
 )
@@ -22,9 +22,17 @@ func init() {
 var (
 mockUser = &core.User{
- ID: 1,
- Login: "octocat",
- Admin: false,
+ ID: 1,
+ Login: "octocat",
+ Admin: false,
+ Active: true,
+ }
+
+ mockUserInactive = &core.User{
+ ID: 1,
+ Login: "octocat",
+ Admin: false,
+ Active: false,
 }
 mockRepo = &core.Repository{
diff --git a/handler/api/acl/check.go b/handler/api/acl/check.go
index ecaad538..2eaf6f7e 100644
--- a/handler/api/acl/check.go
+++ b/handler/api/acl/check.go
@@ -123,6 +123,9 @@ func CheckAccess(read, write, admin bool) func(http.Handler) http.Handler {
 )
 switch {
+ case user.Active == false:
+ render.Forbidden(w, errors.ErrForbidden)
+ log.Debugln("api: active account required")
 case read == true && perm.Read == false:
 render.NotFound(w, errors.ErrNotFound)
 log.Debugln("api: read access required")
diff --git a/handler/api/acl/check_test.go b/handler/api/acl/check_test.go
index 6adef6f6..3221641c 100644
--- a/handler/api/acl/check_test.go
+++ b/handler/api/acl/check_test.go
@@ -12,9 +12,9 @@ import (
 "testing"
 "time"
+ "github.com/drone/drone/core"
 "github.com/drone/drone/handler/api/errors"
 "github.com/drone/drone/handler/api/request"
- "github.com/drone/drone/core"
 "github.com/google/go-cmp/cmp"
 "github.com/go-chi/chi"
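Review bot: `user.Active` is dereferenced with no nil guard visible in the check.go hunk; CheckAccess begins and ends outside the hunk, so if the function can reach the switch without a user in the request context (the existing cases only touch `perm`), the new case panics where the old code did not. Worth confirming that a guard above the switch already rejects a missing user, or writing the case as `case user == nil || user.Active == false:`. Placing this case ahead of the permission checks is the right order for a blocked account, but the reason is not recorded; suggest `// a blocked (inactive) account is refused before any repository permission is consulted` above the case. Note this also answers 403 where the permission branches below deliberately answer 404, so an inactive user can tell that a repository exists; acceptable if intended, but worth stating in that comment.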
@@ -380,6 +380,47 @@ func TestCheckWriteAccess(t *testing.T) {
 }
 }
+// this test verifies the the next handler in the middleware
+// chain is not processed if the user has write access BUT
+// has been inactivated (e.g. blocked).
+func TestCheckWriteAccess_InactiveUser(t *testing.T) {
+ controller := gomock.NewController(t)
+ defer controller.Finish()
+
+ writeAccess := &core.Perm{
+ Synced: time.Now().Unix(),
+ Read: true,
+ Write: true,
+ Admin: false,
+ }
+
+ w := httptest.NewRecorder()
+ r := httptest.NewRequest("GET", "/api/repos/octocat/hello-world", nil)
+ r = r.WithContext(
+ request.WithPerm(
+ request.WithUser(
+ request.WithRepo(noContext, mockRepo),
+ mockUserInactive,
+ ),
+ writeAccess,
+ ),
+ )
+
+ router := chi.NewRouter()
+ router.Route("/api/repos/{owner}/{name}", func(router chi.Router) {
+ router.Use(CheckWriteAccess())
+ router.Get("/", func(w http.ResponseWriter, r *http.Request) {
+ t.Error("should not invoke hanlder")
+ })
+ })
+
+ router.ServeHTTP(w, r)
+
+ if got, want := w.Code, http.StatusForbidden; got != want {
+ t.Errorf("Want status code %d, got %d", want, got)
+ }
+}
+
 // this test verifies that a 404 not found error is written to
 // the response if the user lacks write access to the repository.
 //
@@ -526,7 +567,7 @@ func TestCheckAdminAccess_SystemAdmin(t *testing.T) {
 controller := gomock.NewController(t)
 defer controller.Finish()
- user := &core.User{ID: 1, Admin: true}
+ user := &core.User{ID: 1, Admin: true, Active: true}
 w := httptest.NewRecorder()
 r := httptest.NewRequest("GET", "/api/repos/octocat/hello-world", nil)
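Review bot: The stub's failure message misspells handler and the header comment doubles "the"; suggest `t.Error("should not invoke handler")` and `// this test verifies that the next handler in the middleware`. The test pins only the status code, and the file imports cmp and errors, so decoding the body and comparing it with errors.ErrForbidden would also pin the error payload, assuming that is the pattern the sibling tests follow. The gomock controller is created but nothing in the hunk registers a mock with it, so the two controller lines look like dead setup that could be dropped.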