diff --git a/lib/gitlab/email/receiver.rb b/lib/gitlab/email/receiver.rb
index e02554eb47305a0e31a335b4a84371af70426e02..17293b94b6bc4e8f7a3ebb2e0995aa28262799a0 100644
--- a/lib/gitlab/email/receiver.rb
+++ b/lib/gitlab/email/receiver.rb
@@ -60,6 +60,7 @@ module Gitlab
 
       def process_create_issue
         validate_permission!(message_sender, message_project, :create_issue)
+        validate_authentication_token!(message_sender)
 
         issue = Issues::CreateService.new(
           message_project,
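Review bot: The secret that `validate_authentication_token!(message_sender)` checks arrives inside the recipient address, so it will be copied into Received headers, MTA logs and any quoted reply; the fixtures' own Received lines show the full `incoming+...` address being recorded by each hop. If `authentication_token` is the same per-user credential used elsewhere (for example for API access — not visible in this diff), a leaked address exposes far more than issue creation. A dedicated, separately revocable incoming-email token would limit that; at minimum add a comment above the call such as `# Token comes from the To: address; treat it as exposed to mail infrastructure.` The body of process_create_issue continues outside the hunk.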
@@ -85,6 +86,11 @@ module Gitlab
         raise UserNotAuthorizedError unless author.can?(permission, project)
       end
 
+      def validate_authentication_token!(author)
+        raise UserNotAuthorizedError unless author.authentication_token ==
+                                              authentication_token
+      end
+
       # Find the first matched user in database from email From: section
       # TODO: Since this address could be forged, we should have some kind of
       #       auth token attached somewhere to verify the identity better.
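Review bot: The token check in `validate_authentication_token!` compares secrets with `==`, which returns as soon as the first differing byte is found and so is not constant-time. Assuming Devise is loaded in this code path, the guard could read `raise UserNotAuthorizedError unless Devise.secure_compare(author.authentication_token, authentication_token)`, which also rejects a blank value on either side rather than relying on `nil == nil` never occurring. The TODO kept below the new method still says an auth token "should" be attached; it should be updated to describe what is now verified and what remains unverified about the From: address.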
@@ -97,7 +103,7 @@ module Gitlab
 
       def message_project
         @message_project ||=
-          Project.find_with_namespace(reply_key) if reply_key
+          Project.find_with_namespace(project_namespace) if reply_key
       end
 
       def process_reply(project)
@@ -118,6 +124,14 @@ module Gitlab
         key_from_to_header || key_from_additional_headers
       end
 
+      def authentication_token
+        reply_key[/[^\+]+$/]
+      end
+
+      def project_namespace
+        reply_key[/^[^\+]+/]
+      end
+
       def key_from_to_header
         key = nil
         message.to.each do |address|
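Review bot: Both new extractors anchor with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string; for values parsed out of mail headers `\A` and `\z` are the safe anchors, e.g. `reply_key[/\A[^+]+/]` and `reply_key[/[^+]+\z/]` (the `+` needs no escape inside a character class). When the key contains no `+` at all, both methods return the entire key, so a missing token is indistinguishable from a token equal to the project path; splitting once, `namespace, _, token = reply_key.rpartition('+')`, and treating an empty `namespace` as "no token supplied" would make that case explicit. Neither method guards against a nil `reply_key`, unlike `message_project`, so they appear to rely on callers having checked it first. key_from_to_header continues outside the hunk.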
diff --git a/spec/fixtures/emails/valid_new_issue.eml b/spec/fixtures/emails/valid_new_issue.eml
index a7e34b9846d4e48353afcbbef8bdfe11a1601f99..3cf53a656a5424da3b1bf464b8f4fbbe153196c2 100644
--- a/spec/fixtures/emails/valid_new_issue.eml
+++ b/spec/fixtures/emails/valid_new_issue.eml
@@ -5,7 +5,7 @@ Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incom
 Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
 Date: Thu, 13 Jun 2013 17:03:48 -0400
 From: Jake the Dog <jake@adventuretime.ooo>
-To: incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo
+To: incoming+gitlabhq/gitlabhq+auth_token@appmail.adventuretime.ooo
 Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
 Subject: New Issue by email
 Mime-Version: 1.0
diff --git a/spec/fixtures/emails/valid_new_issue_empty.eml b/spec/fixtures/emails/valid_new_issue_empty.eml
index 2173508d6f87d73ed49ea33dbcd301f31aec38e4..fc1d52a3f42941253e12659345512187d9108d7a 100644
--- a/spec/fixtures/emails/valid_new_issue_empty.eml
+++ b/spec/fixtures/emails/valid_new_issue_empty.eml
@@ -5,7 +5,7 @@ Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incom
 Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
 Date: Thu, 13 Jun 2013 17:03:48 -0400
 From: Jake the Dog <jake@adventuretime.ooo>
-To: incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo
+To: incoming+gitlabhq/gitlabhq+auth_token@appmail.adventuretime.ooo
 Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
 Subject: New Issue by email
 Mime-Version: 1.0
diff --git a/spec/fixtures/emails/wrong_authentication_token.eml b/spec/fixtures/emails/wrong_authentication_token.eml
new file mode 100644
index 0000000000000000000000000000000000000000..0994c2f7775ca673b8493e58a16ee23a43b9b8ec
--- /dev/null
+++ b/spec/fixtures/emails/wrong_authentication_token.eml
@@ -0,0 +1,18 @@
+Return-Path: <jake@adventuretime.ooo>
+Received: from iceking.adventuretime.ooo ([unix socket]) by iceking (Cyrus v2.2.13-Debian-2.2.13-19+squeeze3) with LMTPA; Thu, 13 Jun 2013 17:03:50 -0400
+Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by iceking.adventuretime.ooo (8.14.3/8.14.3/Debian-9.4) with ESMTP id r5DL3nFJ016967 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 17:03:50 -0400
+Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 14:03:48 -0700
+Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
+Date: Thu, 13 Jun 2013 17:03:48 -0400
+From: Jake the Dog <jake@adventuretime.ooo>
+To: incoming+gitlabhq/gitlabhq+bad_token@appmail.adventuretime.ooo
+Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
+Subject: New Issue by email
+Mime-Version: 1.0
+Content-Type: text/plain;
+ charset=ISO-8859-1
+Content-Transfer-Encoding: 7bit
+X-Sieve: CMU Sieve 2.2
+X-Received: by 10.0.0.1 with SMTP id n7mr11234144ipb.85.1371157428600; Thu,
+ 13 Jun 2013 14:03:48 -0700 (PDT)
+X-Scanned-By: MIMEDefang 2.69 on IPv6:2001:470:1d:165::1
diff --git a/spec/lib/gitlab/email/receiver_spec.rb b/spec/lib/gitlab/email/receiver_spec.rb
index 4336f0f9e530dc48afa17c83a4fc587035919290..d1b52b9d086c0e76097fbc194c113805e60758de 100644
--- a/spec/lib/gitlab/email/receiver_spec.rb
+++ b/spec/lib/gitlab/email/receiver_spec.rb
@@ -171,7 +171,13 @@ describe Gitlab::Email::Receiver, lib: true do
     end
 
     let(:sent_notification) {}
-    let!(:user)     { create(:user, email: 'jake@adventuretime.ooo') }
+    let!(:user) do
+      create(
+        :user,
+        email: 'jake@adventuretime.ooo',
+        authentication_token: 'auth_token'
+      )
+    end
     let(:namespace) { create(:namespace, path: 'gitlabhq') }
     let(:project)   { create(:project, :public, namespace: namespace) }
     let(:email_raw) { fixture_file('emails/valid_new_issue.eml') }
@@ -215,6 +221,18 @@ describe Gitlab::Email::Receiver, lib: true do
           expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::InvalidIssueError)
         end
       end
+
+      context "when the authentication_token token didn't match" do
+        let!(:email_raw) { fixture_file("emails/wrong_authentication_token.eml") }
+
+        before do
+          project
+        end
+
+        it "raises an UserNotAuthorizedError" do
+          expect { receiver.execute }.to raise_error(Gitlab::Email::Receiver::UserNotAuthorizedError)
+        end
+      end
     end
   end
 end
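Review bot: The new context covers only a wrong token; nothing here exercises an address with no `+token` segment at all or a user whose `authentication_token` is blank, which are the cases where the parsing and comparison in the receiver are most likely to misbehave. Adding a fixture addressed to `incoming+gitlabhq/gitlabhq@...` and expecting `UserNotAuthorizedError` would pin the missing-token behaviour. The description also repeats a word; `"when the authentication token doesn't match"` reads better.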