api/deploy: support git-based deployment only if the token is internal

Ensuring that the request comes from Gandalf.
tsuru · Mar 10, 2016 · a6397ca · a6397ca
1 parent bd2272a
commit a6397ca
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/api/deploy.go b/api/deploy.go
@@ -71,6 +71,7 @@ func deploy(w http.ResponseWriter, r *http.Request, t auth.Token) error {
 		}
 		userName = r.PostFormValue("user")
 	} else {
+		commit = ""
 		userName = t.GetUserName()
 	}
 	instance, err := app.GetByName(appName)

diff --git a/api/deploy_test.go b/api/deploy_test.go
@@ -237,6 +237,36 @@ func (s *DeploySuite) TestDeployUploadFile(c *check.C) {
 }
 
 func (s *DeploySuite) TestDeployWithCommit(c *check.C) {
+	token, err := nativeScheme.AppLogin(app.InternalAppName)
+	c.Assert(err, check.IsNil)
+	user, _ := s.token.User()
+	a := app.App{
+		Name:      "otherapp",
+		Platform:  "python",
+		TeamOwner: s.team.Name,
+		Plan:      app.Plan{Router: "fake"},
+	}
+	err = app.CreateApp(&a, user)
+	c.Assert(err, check.IsNil)
+	defer app.Delete(&a, nil)
+	url := fmt.Sprintf("/apps/%s/repository/clone?:appname=%s", a.Name, a.Name)
+	request, err := http.NewRequest("POST", url, strings.NewReader("archive-url=http://something.tar.gz&user=fulano&commit=123"))
+	c.Assert(err, check.IsNil)
+	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	recorder := httptest.NewRecorder()
+	request.Header.Set("Authorization", "bearer "+token.GetValue())
+	server := RunServer(true)
+	server.ServeHTTP(recorder, request)
+	c.Assert(recorder.Code, check.Equals, http.StatusOK)
+	c.Assert(recorder.Header().Get("Content-Type"), check.Equals, "text")
+	c.Assert(recorder.Code, check.Equals, http.StatusOK)
+	c.Assert(recorder.Body.String(), check.Equals, "Archive deploy called\nOK\n")
+	deploys, err := s.conn.Deploys().Find(bson.M{"commit": "123"}).Count()
+	c.Assert(err, check.IsNil)
+	c.Assert(deploys, check.Equals, 1)
+}
+
+func (s *DeploySuite) TestDeployWithCommitUserToken(c *check.C) {
 	user, _ := s.token.User()
 	a := app.App{
 		Name:      "otherapp",
@@ -261,7 +291,7 @@ func (s *DeploySuite) TestDeployWithCommit(c *check.C) {
 	c.Assert(recorder.Body.String(), check.Equals, "Archive deploy called\nOK\n")
 	deploys, err := s.conn.Deploys().Find(bson.M{"commit": "123"}).Count()
 	c.Assert(err, check.IsNil)
-	c.Assert(deploys, check.Equals, 1)
+	c.Assert(deploys, check.Equals, 0)
 }
 
 func (s *DeploySuite) TestDeployDockerImage(c *check.C) {