Commit 05cc8705 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Improve write access check for deploy key

parent 5b5722e9
...@@ -7,7 +7,7 @@ module Gitlab ...@@ -7,7 +7,7 @@ module Gitlab
ERROR_MESSAGES = { ERROR_MESSAGES = {
upload: 'You are not allowed to upload code for this project.', upload: 'You are not allowed to upload code for this project.',
download: 'You are not allowed to download code from this project.', download: 'You are not allowed to download code from this project.',
deploy_key: 'Deploy keys are not allowed to push code.', deploy_key: 'This deploy key does not have write access to this project.',
no_repo: 'A repository for this project does not exist yet.' no_repo: 'A repository for this project does not exist yet.'
} }
...@@ -46,22 +46,18 @@ module Gitlab ...@@ -46,22 +46,18 @@ module Gitlab
def download_access_check def download_access_check
if user if user
user_download_access_check user_download_access_check
elsif deploy_key.nil? && !Guest.can?(:download_code, project) elsif !Guest.can?(:download_code, project)
raise UnauthorizedError, ERROR_MESSAGES[:download] raise UnauthorizedError, ERROR_MESSAGES[:download]
end end
end end
def push_access_check(changes) def push_access_check(changes)
unless project.repository.exists? if deploy_key
return build_status_object(false, "A repository for this project does not exist yet.")
end
if user
user_push_access_check(changes)
elsif deploy_key
deploy_key_push_access_check(changes) deploy_key_push_access_check(changes)
elsif user
user_push_access_check(changes)
else else
raise UnauthorizedError, ERROR_MESSAGES[deploy_key ? :deploy_key : :upload] raise UnauthorizedError, ERROR_MESSAGES[:upload]
end end
end end
...@@ -88,34 +84,19 @@ module Gitlab ...@@ -88,34 +84,19 @@ module Gitlab
return # Allow access. return # Allow access.
end end
unless project.repository.exists? check_repository_existence!
raise UnauthorizedError, ERROR_MESSAGES[:no_repo] check_change_access!(changes)
end
changes_list = Gitlab::ChangesList.new(changes)
# Iterate over all changes to find if user allowed all of them to be applied
changes_list.each do |change|
status = change_access_check(change)
unless status.allowed?
# If user does not have access to make at least one change - cancel all push
raise UnauthorizedError, status.message
end
end
end end
def deploy_key_push_access_check(changes) def deploy_key_push_access_check(changes)
if actor.can_push? if deploy_key.can_push?
build_status_object(true) check_repository_existence!
check_change_access!(changes)
else else
build_status_object(false, "The deploy key does not have write access to the project.") raise UnauthorizedError, ERROR_MESSAGES[:deploy_key]
end end
end end
def change_access_check(change)
Checks::ChangeAccess.new(change, user_access: user_access, project: project).exec
end
def protocol_allowed? def protocol_allowed?
Gitlab::ProtocolAccess.allowed?(protocol) Gitlab::ProtocolAccess.allowed?(protocol)
end end
...@@ -146,6 +127,27 @@ module Gitlab ...@@ -146,6 +127,27 @@ module Gitlab
end end
end end
def check_repository_existence!
unless project.repository.exists?
raise UnauthorizedError, ERROR_MESSAGES[:no_repo]
end
end
def check_change_access!(changes)
changes_list = Gitlab::ChangesList.new(changes)
# Iterate over all changes to find if user allowed all of them to be applied
changes_list.each do |change|
status = Checks::ChangeAccess.new(change,
user_access: user_access,
project: project).exec
unless status.allowed?
# If user does not have access to make at least one change - cancel all push
raise UnauthorizedError, status.message
end
end
end
def matching_merge_request?(newrev, branch_name) def matching_merge_request?(newrev, branch_name)
Checks::MatchingMergeRequest.new(newrev, branch_name, project).match? Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
end end
...@@ -154,20 +156,11 @@ module Gitlab ...@@ -154,20 +156,11 @@ module Gitlab
actor if actor.is_a?(DeployKey) actor if actor.is_a?(DeployKey)
end end
def deploy_key_can_read_project?
if deploy_key
return true if project.public?
deploy_key.projects.include?(project)
else
false
end
end
def can_read_project? def can_read_project?
if user if deploy_key
project.public? || deploy_key.projects.include?(project)
elsif user
user_access.can_read_project? user_access.can_read_project?
elsif deploy_key
deploy_key_can_read_project?
else else
Guest.can?(:read_project, project) Guest.can?(:read_project, project)
end end
...@@ -182,8 +175,6 @@ module Gitlab ...@@ -182,8 +175,6 @@ module Gitlab
case actor case actor
when User when User
actor actor
when DeployKey
nil
when Key when Key
actor.user actor.user
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment