Commit 611cf13b authored by Alain Takoudjou's avatar Alain Takoudjou

NXD lib:gitlab:auth Accept Basic auth from project runner_token

From gitlab 8.12 there is new CI job permissions model which only accept login
from ci token for running job. Then the access is revoked after the job is finished.
In Nexedi, when have a lot of URLs which rely on gitlab-ci-token and project-runners-token, so
we need to re-allow access else access to all those URL will be refused.

More info are here: https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#before-gitlab-8-12
parent 94ddf244
......@@ -155,16 +155,22 @@ module Gitlab
return unless login == 'gitlab-ci-token'
return unless password
build = ::Ci::Build.running.find_by_token(password)
return unless build
return unless build.project.builds_enabled?
if build.user
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
# XXX-nxd: we also accept runners_token if enabled on projects
project = Project.with_builds_enabled.find_by(runners_token: password)
if project
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
else
# Otherwise use generic CI credentials (backward compatibility)
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
build = ::Ci::Build.running.find_by_token(password)
return unless build
return unless build.project.builds_enabled?
if build.user
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
else
# Otherwise use generic CI credentials (backward compatibility)
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment