Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
6b381f3f
Commit
6b381f3f
authored
Sep 15, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use `build_read_container_image` and use `build_download_code`
parent
79e4bb8d
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
50 additions
and
53 deletions
+50
-53
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+6
-12
app/helpers/lfs_helper.rb
app/helpers/lfs_helper.rb
+4
-4
app/policies/project_policy.rb
app/policies/project_policy.rb
+10
-8
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+17
-18
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+9
-7
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+4
-4
No files found.
app/controllers/jwt_controller.rb
View file @
6b381f3f
...
...
@@ -11,7 +11,10 @@ class JwtController < ApplicationController
service
=
SERVICES
[
params
[
:service
]]
return
head
:not_found
unless
service
result
=
service
.
new
(
@project
,
@user
,
auth_params
).
execute
(
capabilities:
@capabilities
)
@@authentication_result
||=
Gitlab
::
Auth
.
Result
.
new
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
user
,
auth_params
).
execute
(
capabilities:
@authentication_result
.
capabilities
||
[])
render
json:
result
,
status:
result
[
:http_status
]
end
...
...
@@ -20,18 +23,9 @@ class JwtController < ApplicationController
def
authenticate_project_or_user
authenticate_with_http_basic
do
|
login
,
password
|
@auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
@user
=
auth_result
.
user
@project
=
auth_result
.
project
@type
=
auth_result
.
type
@capabilities
=
auth_result
.
capabilities
||
[]
if
@user
||
@project
return
# Allow access
end
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
render_403
render_403
unless
@authentication_result
.
success?
end
end
...
...
app/helpers/lfs_helper.rb
View file @
6b381f3f
...
...
@@ -25,15 +25,15 @@ module LfsHelper
def
lfs_download_access?
return
false
unless
project
.
lfs_enabled?
project
.
public?
||
ci?
||
privileged_user_can_download_code?
||
restricted_user
_can_download_code?
project
.
public?
||
ci?
||
user_can_download_code?
||
build
_can_download_code?
end
def
privileged_
user_can_download_code?
def
user_can_download_code?
has_capability?
(
:download_code
)
&&
user
&&
user
.
can?
(
:download_code
,
project
)
end
def
restricted_user
_can_download_code?
has_capability?
(
:
restricted_download_code
)
&&
user
&&
user
.
can?
(
:restricte
d_download_code
,
project
)
def
build
_can_download_code?
has_capability?
(
:
build_download_code
)
&&
user
&&
user
.
can?
(
:buil
d_download_code
,
project
)
end
def
lfs_upload_access?
...
...
app/policies/project_policy.rb
View file @
6b381f3f
...
...
@@ -65,9 +65,9 @@ class ProjectPolicy < BasePolicy
end
# Permissions given when an user is direct member of a group
def
restricted
_reporter_access!
can!
:
restricte
d_download_code
can!
:
restricte
d_read_container_image
def
team_member
_reporter_access!
can!
:
buil
d_download_code
can!
:
buil
d_read_container_image
end
def
developer_access!
...
...
@@ -115,6 +115,8 @@ class ProjectPolicy < BasePolicy
can!
:read_commit_status
can!
:read_pipeline
can!
:read_container_image
can!
:build_download_code
can!
:build_read_container_image
end
def
owner_access!
...
...
@@ -138,7 +140,7 @@ class ProjectPolicy < BasePolicy
guest_access!
if
access
>=
Gitlab
::
Access
::
GUEST
reporter_access!
if
access
>=
Gitlab
::
Access
::
REPORTER
restricted
_reporter_access!
if
access
>=
Gitlab
::
Access
::
REPORTER
team_member
_reporter_access!
if
access
>=
Gitlab
::
Access
::
REPORTER
developer_access!
if
access
>=
Gitlab
::
Access
::
DEVELOPER
master_access!
if
access
>=
Gitlab
::
Access
::
MASTER
end
...
...
app/services/auth/container_registry_authentication_service.rb
View file @
6b381f3f
...
...
@@ -76,9 +76,9 @@ module Auth
case
requested_action
when
'pull'
restricted_user_can_pull?
(
requested_project
)
||
privileged_
user_can_pull?
(
requested_project
)
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
when
'push'
restricted_user_can_push?
(
requested_project
)
||
privileged_
user_can_push?
(
requested_project
)
build_can_push?
(
requested_project
)
||
user_can_push?
(
requested_project
)
else
false
end
...
...
@@ -90,29 +90,28 @@ module Auth
private
def
restricted_user
_can_pull?
(
requested_project
)
#
Restricte
d can:
def
build
_can_pull?
(
requested_project
)
#
Buil
d can:
# 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if
he
is a team member
requested_project
==
project
||
has_ability?
(
:restricted_read_container_image
,
requested_project
)
# 2. read images from dependent projects if
creator of build
is a team member
@capabilities
.
include?
(
:build_read_container_image
)
&&
(
requested_project
==
project
||
can?
(
current_user
,
:build_read_container_image
,
requested_project
)
)
end
def
privileged_user_can_pull?
(
requested_project
)
has_ability?
(
:read_container_image
,
requested_project
)
def
user_can_pull?
(
requested_project
)
@capabilities
.
include?
(
:read_container_image
)
&&
can?
(
current_user
,
:read_container_image
,
requested_project
)
end
def
restricted_user_can_push?
(
requested_project
)
# Restricted can push only to project to from which he originates
def
build_can_push?
(
requested_project
)
# Build can push only to project to from which he originates
@capabilities
.
include?
(
:build_create_container_image
)
&&
requested_project
==
project
end
def
privileged_user_can_push?
(
requested_project
)
has_ability?
(
:create_container_image
,
requested_project
)
end
def
has_ability?
(
ability
,
requested_project
)
@capabilities
.
include?
(
ability
)
&&
can?
(
current_user
,
ability
,
requested_project
)
def
user_can_push?
(
requested_project
)
@capabilities
.
include?
(
:create_container_image
)
&&
can?
(
current_user
,
:create_container_image
,
requested_project
)
end
end
end
lib/gitlab/auth.rb
View file @
6b381f3f
...
...
@@ -78,7 +78,7 @@ module Gitlab
service
=
project
.
public_send
(
"
#{
underscored_service
}
_service"
)
if
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
Result
.
new
(
nil
,
project
,
:ci
,
restricte
d_capabilities
)
Result
.
new
(
nil
,
project
,
:ci
,
buil
d_capabilities
)
end
end
end
...
...
@@ -124,25 +124,27 @@ module Gitlab
if
build
.
user
# If user is assigned to build, use restricted credentials of user
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
restricte
d_capabilities
)
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
buil
d_capabilities
)
else
# Otherwise use generic CI credentials (backward compatibility)
Result
.
new
(
nil
,
build
.
project
,
:ci
,
restricte
d_capabilities
)
Result
.
new
(
nil
,
build
.
project
,
:ci
,
buil
d_capabilities
)
end
end
private
def
restricte
d_capabilities
def
buil
d_capabilities
[
:read_project
,
:restricted_download_code
,
:restricted_read_container_image
:build_download_code
,
:build_read_container_image
,
:build_create_container_image
]
end
def
read_capabilities
restricted_capabilities
+
[
[
:read_project
,
:download_code
,
:read_container_image
]
...
...
lib/gitlab/git_access.rb
View file @
6b381f3f
...
...
@@ -61,19 +61,19 @@ module Gitlab
end
def
user_download_access_check
unless
privileged_user_can_download_code?
||
restricted_user
_can_download_code?
unless
user_can_download_code?
||
build
_can_download_code?
return
build_status_object
(
false
,
"You are not allowed to download code from this project."
)
end
build_status_object
(
true
)
end
def
privileged_
user_can_download_code?
def
user_can_download_code?
capabilities
.
include?
(
:download_code
)
&&
user_access
.
can_do_action?
(
:download_code
)
end
def
restricted_user
_can_download_code?
capabilities
.
include?
(
:
restricted_download_code
)
&&
user_access
.
can_do_action?
(
:restricte
d_download_code
)
def
build
_can_download_code?
capabilities
.
include?
(
:
build_download_code
)
&&
user_access
.
can_do_action?
(
:buil
d_download_code
)
end
def
user_push_access_check
(
changes
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment