Commit 5732ec7b authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-remove-take-trigger-ownership-feature-11-11' into '11-11-stable'

Drop feature to take ownership of a trigger token

See merge request gitlab/gitlabhq!3228
parents bf5743b0 dc3189aa
...@@ -4,7 +4,7 @@ class Projects::TriggersController < Projects::ApplicationController ...@@ -4,7 +4,7 @@ class Projects::TriggersController < Projects::ApplicationController
before_action :authorize_admin_build! before_action :authorize_admin_build!
before_action :authorize_manage_trigger!, except: [:index, :create] before_action :authorize_manage_trigger!, except: [:index, :create]
before_action :authorize_admin_trigger!, only: [:edit, :update] before_action :authorize_admin_trigger!, only: [:edit, :update]
before_action :trigger, only: [:take_ownership, :edit, :update, :destroy] before_action :trigger, only: [:edit, :update, :destroy]
layout 'project_settings' layout 'project_settings'
...@@ -24,16 +24,6 @@ class Projects::TriggersController < Projects::ApplicationController ...@@ -24,16 +24,6 @@ class Projects::TriggersController < Projects::ApplicationController
redirect_to project_settings_ci_cd_path(@project, anchor: 'js-pipeline-triggers') redirect_to project_settings_ci_cd_path(@project, anchor: 'js-pipeline-triggers')
end end
def take_ownership
if trigger.update(owner: current_user)
flash[:notice] = _('Trigger was re-assigned.')
else
flash[:alert] = _('You could not take ownership of trigger.')
end
redirect_to project_settings_ci_cd_path(@project, anchor: 'js-pipeline-triggers')
end
def edit def edit
end end
......
...@@ -30,10 +30,7 @@ ...@@ -30,10 +30,7 @@
Never Never
%td.text-right.trigger-actions %td.text-right.trigger-actions
- take_ownership_confirmation = "By taking ownership you will bind this trigger to your user account. With this the trigger will have access to all your projects as if it was you. Are you sure?"
- revoke_trigger_confirmation = "By revoking a trigger you will break any processes making use of it. Are you sure?" - revoke_trigger_confirmation = "By revoking a trigger you will break any processes making use of it. Are you sure?"
- if trigger.owner != current_user && can?(current_user, :manage_trigger, trigger)
= link_to 'Take ownership', take_ownership_project_trigger_path(@project, trigger), data: { confirm: take_ownership_confirmation }, method: :post, class: "btn btn-default btn-sm btn-trigger-take-ownership"
- if can?(current_user, :admin_trigger, trigger) - if can?(current_user, :admin_trigger, trigger)
= link_to edit_project_trigger_path(@project, trigger), method: :get, title: "Edit", class: "btn btn-default btn-sm" do = link_to edit_project_trigger_path(@project, trigger), method: :get, title: "Edit", class: "btn btn-default btn-sm" do
%i.fa.fa-pencil %i.fa.fa-pencil
......
---
title: Drop feature to take ownership of trigger token.
merge_request:
author:
type: security
...@@ -176,11 +176,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -176,11 +176,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
resource :variables, only: [:show, :update] resource :variables, only: [:show, :update]
resources :triggers, only: [:index, :create, :edit, :update, :destroy] do resources :triggers, only: [:index, :create, :edit, :update, :destroy]
member do
post :take_ownership
end
end
resource :mirror, only: [:show, :update] do resource :mirror, only: [:show, :update] do
member do member do
......
...@@ -120,35 +120,6 @@ curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" --form descript ...@@ -120,35 +120,6 @@ curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" --form descript
} }
``` ```
## Take ownership of a project trigger
Update an owner of a project trigger.
```
POST /projects/:id/triggers/:trigger_id/take_ownership
```
| Attribute | Type | required | Description |
|---------------|---------|----------|--------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
| `trigger_id` | integer | yes | The trigger id |
```
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/triggers/10/take_ownership"
```
```json
{
"id": 10,
"description": "my trigger",
"created_at": "2016-01-07T09:53:58.235Z",
"last_used": null,
"token": "6d056f63e50fe6f8c5f8f4aa10edb7",
"updated_at": "2016-01-07T09:53:58.235Z",
"owner": null
}
```
## Remove a project trigger ## Remove a project trigger
Remove a project's build trigger. Remove a project's build trigger.
......
...@@ -93,17 +93,6 @@ overview of the time the triggers were last used. ...@@ -93,17 +93,6 @@ overview of the time the triggers were last used.
![Triggers page overview](img/triggers_page.png) ![Triggers page overview](img/triggers_page.png)
## Taking ownership of a trigger
> **Note**:
GitLab 9.0 introduced a trigger ownership to solve permission problems.
Each created trigger when run will impersonate their associated user including
their access to projects and their project permissions.
You can take ownership of existing triggers by clicking *Take ownership*.
From now on the trigger will be run as you.
## Revoking a trigger ## Revoking a trigger
You can revoke a trigger any time by going at your project's You can revoke a trigger any time by going at your project's
...@@ -278,8 +267,7 @@ Old triggers, created before GitLab 9.0 will be marked as legacy. ...@@ -278,8 +267,7 @@ Old triggers, created before GitLab 9.0 will be marked as legacy.
Triggers with the legacy label do not have an associated user and only have Triggers with the legacy label do not have an associated user and only have
access to the current project. They are considered deprecated and will be access to the current project. They are considered deprecated and will be
removed with one of the future versions of GitLab. You are advised to removed with one of the future versions of GitLab.
[take ownership](#taking-ownership-of-a-trigger) of any legacy triggers.
[ee-2017]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2017 [ee-2017]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2017
[ee-2346]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346 [ee-2346]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346
......
...@@ -91,8 +91,7 @@ to steal the tokens of other jobs. ...@@ -91,8 +91,7 @@ to steal the tokens of other jobs.
Since 9.0 [pipeline triggers][triggers] do support the new permission model. Since 9.0 [pipeline triggers][triggers] do support the new permission model.
The new triggers do impersonate their associated user including their access The new triggers do impersonate their associated user including their access
to projects and their project permissions. To migrate trigger to use new permission to projects and their project permissions.
model use **Take ownership**.
## Before GitLab 8.12 ## Before GitLab 8.12
......
...@@ -112,27 +112,6 @@ module API ...@@ -112,27 +112,6 @@ module API
end end
end end
desc 'Take ownership of trigger' do
success Entities::Trigger
end
params do
requires :trigger_id, type: Integer, desc: 'The trigger ID'
end
post ':id/triggers/:trigger_id/take_ownership' do
authenticate!
authorize! :admin_build, user_project
trigger = user_project.triggers.find(params.delete(:trigger_id))
break not_found!('Trigger') unless trigger
if trigger.update(owner: current_user)
status :ok
present trigger, with: Entities::Trigger, current_user: current_user
else
render_validation_error!(trigger)
end
end
desc 'Delete a trigger' do desc 'Delete a trigger' do
success Entities::Trigger success Entities::Trigger
end end
......
...@@ -10232,9 +10232,6 @@ msgstr "" ...@@ -10232,9 +10232,6 @@ msgstr ""
msgid "Trigger was created successfully." msgid "Trigger was created successfully."
msgstr "" msgstr ""
msgid "Trigger was re-assigned."
msgstr ""
msgid "Trigger was successfully updated." msgid "Trigger was successfully updated."
msgstr "" msgstr ""
...@@ -11065,9 +11062,6 @@ msgstr "" ...@@ -11065,9 +11062,6 @@ msgstr ""
msgid "You could not create a new trigger." msgid "You could not create a new trigger."
msgstr "" msgstr ""
msgid "You could not take ownership of trigger."
msgstr ""
msgid "You do not have any subscriptions yet" msgid "You do not have any subscriptions yet"
msgstr "" msgstr ""
......
...@@ -81,29 +81,6 @@ describe 'Triggers', :js do ...@@ -81,29 +81,6 @@ describe 'Triggers', :js do
end end
end end
describe 'trigger "Take ownership" workflow' do
before do
create(:ci_trigger, owner: user2, project: @project, description: trigger_title)
visit project_settings_ci_cd_path(@project)
end
it 'button "Take ownership" has correct alert' do
expected_alert = 'By taking ownership you will bind this trigger to your user account. With this the trigger will have access to all your projects as if it was you. Are you sure?'
expect(page.find('a.btn-trigger-take-ownership')['data-confirm']).to eq expected_alert
end
it 'take trigger ownership' do
# See if "Take ownership" on trigger works post trigger creation
page.accept_confirm do
first(:link, "Take ownership").send_keys(:return)
end
expect(page.find('.flash-notice')).to have_content 'Trigger was re-assigned.'
expect(page.find('.triggers-list')).to have_content trigger_title
expect(page.find('.triggers-list .trigger-owner')).to have_content user.name
end
end
describe 'trigger "Revoke" workflow' do describe 'trigger "Revoke" workflow' do
before do before do
create(:ci_trigger, owner: user2, project: @project, description: trigger_title) create(:ci_trigger, owner: user2, project: @project, description: trigger_title)
......
...@@ -270,34 +270,6 @@ describe API::Triggers do ...@@ -270,34 +270,6 @@ describe API::Triggers do
end end
end end
describe 'POST /projects/:id/triggers/:trigger_id/take_ownership' do
context 'authenticated user with valid permissions' do
it 'updates owner' do
post api("/projects/#{project.id}/triggers/#{trigger.id}/take_ownership", user)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to include('owner')
expect(trigger.reload.owner).to eq(user)
end
end
context 'authenticated user with invalid permissions' do
it 'does not update owner' do
post api("/projects/#{project.id}/triggers/#{trigger.id}/take_ownership", user2)
expect(response).to have_gitlab_http_status(403)
end
end
context 'unauthenticated user' do
it 'does not update owner' do
post api("/projects/#{project.id}/triggers/#{trigger.id}/take_ownership")
expect(response).to have_gitlab_http_status(401)
end
end
end
describe 'DELETE /projects/:id/triggers/:trigger_id' do describe 'DELETE /projects/:id/triggers/:trigger_id' do
context 'authenticated user with valid permissions' do context 'authenticated user with valid permissions' do
it 'deletes trigger' do it 'deletes trigger' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment