Commit
aaa6d808
authored
Mar 31, 2018
by
Mayra Cabrera
Implement read_registry for DeployTokens
parent
345ac03b
Changes
2
Showing
2 changed files
with
40 additions
and
10 deletions
+40
-10
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+11
-2
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+29
-8
app/controllers/jwt_controller.rb
...
@@ -23,10 +23,11 @@ class JwtController < ApplicationController
...
@@ -23,10 +23,11 @@ class JwtController < ApplicationController
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_authentication_abilities
)
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_authentication_abilities
)
authenticate_with_http_basic
do
|
login
,
password
|
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
project
=
find_project_related
(
password
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
project
,
ip:
request
.
ip
)
if
@authentication_result
.
failed?
||
if
@authentication_result
.
failed?
||
(
@authentication_result
.
actor
.
present?
&&
!
@authentication_result
.
actor
.
is_a?
(
User
)
)
(
@authentication_result
.
actor
.
present?
&&
!
user_or_deploy_token
)
render_unauthorized
render_unauthorized
end
end
end
end
...
@@ -57,4 +58,12 @@ class JwtController < ApplicationController
...
@@ -57,4 +58,12 @@ class JwtController < ApplicationController
def
auth_params
def
auth_params
params
.
permit
(
:service
,
:scope
,
:account
,
:client_id
)
params
.
permit
(
:service
,
:scope
,
:account
,
:client_id
)
end
end
def
find_project_related
(
password
)
DeployToken
.
active
.
find_by
(
token:
password
)
&
.
project
end
def
user_or_deploy_token
@authentication_result
.
actor
.
is_a?
(
User
)
||
@authentication_result
.
actor
.
is_a?
(
DeployToken
)
end
end
end
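Review bot: `find_project_related` derives the project from the deploy token alone, so the `project:` now passed to `find_for_git_client` is whatever project the token belongs to, not the project named in the requested registry scope; the check that the token's project matches the scope's repository must therefore still happen downstream (presumably in the registry authentication service), and a comment on the helper should make that explicit, e.g. `# Resolves the deploy token's own project; the requested scope is authorized separately`. The lookup `DeployToken.active.find_by(token: password)` also runs for every basic-auth credential before any authentication result is known, so user passwords and personal access tokens are queried against the deploy-token table on each request — if deploy tokens carry a fixed username, gating this on `login` would avoid that. As a style point, `user_or_deploy_token` is a predicate and should be named `user_or_deploy_token?`, and the two `is_a?` checks can be expressed as `[User, DeployToken].any? { |klass| @authentication_result.actor.is_a?(klass) }`.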
spec/lib/gitlab/auth_spec.rb
...
@@ -270,14 +270,6 @@ describe Gitlab::Auth do
...
@@ -270,14 +270,6 @@ describe Gitlab::Auth do
.
to
eq
(
auth_success
)
.
to
eq
(
auth_success
)
end
end
it
'fails if deploy token does not have read_repo as scope'
do
deploy_token
=
create
(
:deploy_token
,
:read_registry
,
project:
project
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
it
'fails if token is nil'
do
it
'fails if token is nil'
do
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
nil
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
''
,
nil
,
project:
project
,
ip:
'ip'
))
...
@@ -305,6 +297,35 @@ describe Gitlab::Auth do
...
@@ -305,6 +297,35 @@ describe Gitlab::Auth do
expect
(
gl_auth
.
find_for_git_client
(
'deploy-token'
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
'deploy-token'
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
context
'when registry enabled'
do
before
do
stub_container_registry_config
(
enabled:
true
)
end
it
'succeeds if deploy token does have read_registry as scope'
do
deploy_token
=
create
(
:deploy_token
,
:read_registry
,
project:
project
)
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
[
:read_container_image
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_success
)
end
end
context
'when registry disabled'
do
before
do
stub_container_registry_config
(
enabled:
false
)
end
it
'fails if deploy token have read_registry as scope'
do
deploy_token
=
create
(
:deploy_token
,
:read_registry
,
project:
project
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
end
end
end
end
end
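Review bot: The example description near the end of the hunk, `'fails if deploy token have read_registry as scope'`, is ungrammatical and names the wrong cause — the token is rejected because the registry is disabled, not because it carries the scope — so rename it to `'fails if deploy token has read_registry as scope but registry is disabled'`, and likewise shorten `'succeeds if deploy token does have read_registry as scope'` to `'succeeds if deploy token has read_registry as scope'`. The removed example `'fails if deploy token does not have read_repo as scope'` is not replaced by a negative case; the new positive example does pin the ability list to exactly `[:read_container_image]`, but no example covers an inactive (revoked or expired) `read_registry` token, which would be worth adding if `Gitlab::Auth` rather than the controller is expected to enforce `active`. The enclosing `describe Gitlab::Auth` block starts outside the hunk.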