Commit 6b381f3f authored by Kamil Trzcinski's avatar Kamil Trzcinski

Use `build_read_container_image` and use `build_download_code`

parent 79e4bb8d
...@@ -11,7 +11,10 @@ class JwtController < ApplicationController ...@@ -11,7 +11,10 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]] service = SERVICES[params[:service]]
return head :not_found unless service return head :not_found unless service
result = service.new(@project, @user, auth_params).execute(capabilities: @capabilities) @@authentication_result ||= Gitlab::Auth.Result.new
result = service.new(@authentication_result.project, @authentication_result.user, auth_params).
execute(capabilities: @authentication_result.capabilities || [])
render json: result, status: result[:http_status] render json: result, status: result[:http_status]
end end
...@@ -20,18 +23,9 @@ class JwtController < ApplicationController ...@@ -20,18 +23,9 @@ class JwtController < ApplicationController
def authenticate_project_or_user def authenticate_project_or_user
authenticate_with_http_basic do |login, password| authenticate_with_http_basic do |login, password|
@auth_result = Gitlab::Auth.find_for_git_client(login, password, ip: request.ip) @authentication_result = Gitlab::Auth.find_for_git_client(login, password, ip: request.ip)
@user = auth_result.user
@project = auth_result.project
@type = auth_result.type
@capabilities = auth_result.capabilities || []
if @user || @project
return # Allow access
end
render_403 render_403 unless @authentication_result.success?
end end
end end
......
...@@ -25,15 +25,15 @@ module LfsHelper ...@@ -25,15 +25,15 @@ module LfsHelper
def lfs_download_access? def lfs_download_access?
return false unless project.lfs_enabled? return false unless project.lfs_enabled?
project.public? || ci? || privileged_user_can_download_code? || restricted_user_can_download_code? project.public? || ci? || user_can_download_code? || build_can_download_code?
end end
def privileged_user_can_download_code? def user_can_download_code?
has_capability?(:download_code) && user && user.can?(:download_code, project) has_capability?(:download_code) && user && user.can?(:download_code, project)
end end
def restricted_user_can_download_code? def build_can_download_code?
has_capability?(:restricted_download_code) && user && user.can?(:restricted_download_code, project) has_capability?(:build_download_code) && user && user.can?(:build_download_code, project)
end end
def lfs_upload_access? def lfs_upload_access?
......
...@@ -65,9 +65,9 @@ class ProjectPolicy < BasePolicy ...@@ -65,9 +65,9 @@ class ProjectPolicy < BasePolicy
end end
# Permissions given when an user is direct member of a group # Permissions given when an user is direct member of a group
def restricted_reporter_access! def team_member_reporter_access!
can! :restricted_download_code can! :build_download_code
can! :restricted_read_container_image can! :build_read_container_image
end end
def developer_access! def developer_access!
...@@ -115,6 +115,8 @@ class ProjectPolicy < BasePolicy ...@@ -115,6 +115,8 @@ class ProjectPolicy < BasePolicy
can! :read_commit_status can! :read_commit_status
can! :read_pipeline can! :read_pipeline
can! :read_container_image can! :read_container_image
can! :build_download_code
can! :build_read_container_image
end end
def owner_access! def owner_access!
...@@ -136,11 +138,11 @@ class ProjectPolicy < BasePolicy ...@@ -136,11 +138,11 @@ class ProjectPolicy < BasePolicy
def team_access!(user) def team_access!(user)
access = project.team.max_member_access(user.id) access = project.team.max_member_access(user.id)
guest_access! if access >= Gitlab::Access::GUEST guest_access! if access >= Gitlab::Access::GUEST
reporter_access! if access >= Gitlab::Access::REPORTER reporter_access! if access >= Gitlab::Access::REPORTER
restricted_reporter_access! if access >= Gitlab::Access::REPORTER team_member_reporter_access! if access >= Gitlab::Access::REPORTER
developer_access! if access >= Gitlab::Access::DEVELOPER developer_access! if access >= Gitlab::Access::DEVELOPER
master_access! if access >= Gitlab::Access::MASTER master_access! if access >= Gitlab::Access::MASTER
end end
def archived_access! def archived_access!
......
...@@ -76,9 +76,9 @@ module Auth ...@@ -76,9 +76,9 @@ module Auth
case requested_action case requested_action
when 'pull' when 'pull'
restricted_user_can_pull?(requested_project) || privileged_user_can_pull?(requested_project) build_can_pull?(requested_project) || user_can_pull?(requested_project)
when 'push' when 'push'
restricted_user_can_push?(requested_project) || privileged_user_can_push?(requested_project) build_can_push?(requested_project) || user_can_push?(requested_project)
else else
false false
end end
...@@ -90,29 +90,28 @@ module Auth ...@@ -90,29 +90,28 @@ module Auth
private private
def restricted_user_can_pull?(requested_project) def build_can_pull?(requested_project)
# Restricted can: # Build can:
# 1. pull from it's own project (for ex. a build) # 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if he is a team member # 2. read images from dependent projects if creator of build is a team member
requested_project == project || @capabilities.include?(:build_read_container_image) &&
has_ability?(:restricted_read_container_image, requested_project) (requested_project == project || can?(current_user, :build_read_container_image, requested_project))
end end
def privileged_user_can_pull?(requested_project) def user_can_pull?(requested_project)
has_ability?(:read_container_image, requested_project) @capabilities.include?(:read_container_image) &&
can?(current_user, :read_container_image, requested_project)
end end
def restricted_user_can_push?(requested_project) def build_can_push?(requested_project)
# Restricted can push only to project to from which he originates # Build can push only to project to from which he originates
requested_project == project @capabilities.include?(:build_create_container_image) &&
requested_project == project
end end
def privileged_user_can_push?(requested_project) def user_can_push?(requested_project)
has_ability?(:create_container_image, requested_project) @capabilities.include?(:create_container_image) &&
end can?(current_user, :create_container_image, requested_project)
def has_ability?(ability, requested_project)
@capabilities.include?(ability) && can?(current_user, ability, requested_project)
end end
end end
end end
...@@ -78,7 +78,7 @@ module Gitlab ...@@ -78,7 +78,7 @@ module Gitlab
service = project.public_send("#{underscored_service}_service") service = project.public_send("#{underscored_service}_service")
if service && service.activated? && service.valid_token?(password) if service && service.activated? && service.valid_token?(password)
Result.new(nil, project, :ci, restricted_capabilities) Result.new(nil, project, :ci, build_capabilities)
end end
end end
end end
...@@ -124,25 +124,27 @@ module Gitlab ...@@ -124,25 +124,27 @@ module Gitlab
if build.user if build.user
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
Result.new(build.user, build.project, :build, restricted_capabilities) Result.new(build.user, build.project, :build, build_capabilities)
else else
# Otherwise use generic CI credentials (backward compatibility) # Otherwise use generic CI credentials (backward compatibility)
Result.new(nil, build.project, :ci, restricted_capabilities) Result.new(nil, build.project, :ci, build_capabilities)
end end
end end
private private
def restricted_capabilities def build_capabilities
[ [
:read_project, :read_project,
:restricted_download_code, :build_download_code,
:restricted_read_container_image :build_read_container_image,
:build_create_container_image
] ]
end end
def read_capabilities def read_capabilities
restricted_capabilities + [ [
:read_project,
:download_code, :download_code,
:read_container_image :read_container_image
] ]
......
...@@ -61,19 +61,19 @@ module Gitlab ...@@ -61,19 +61,19 @@ module Gitlab
end end
def user_download_access_check def user_download_access_check
unless privileged_user_can_download_code? || restricted_user_can_download_code? unless user_can_download_code? || build_can_download_code?
return build_status_object(false, "You are not allowed to download code from this project.") return build_status_object(false, "You are not allowed to download code from this project.")
end end
build_status_object(true) build_status_object(true)
end end
def privileged_user_can_download_code? def user_can_download_code?
capabilities.include?(:download_code) && user_access.can_do_action?(:download_code) capabilities.include?(:download_code) && user_access.can_do_action?(:download_code)
end end
def restricted_user_can_download_code? def build_can_download_code?
capabilities.include?(:restricted_download_code) && user_access.can_do_action?(:restricted_download_code) capabilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
end end
def user_push_access_check(changes) def user_push_access_check(changes)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment