Commit 453b1780 authored by Douwe Maan

Fix pulling and pushing using a personal access token with the sudo scope

parent 7084c096
---
title: Fix pulling and pushing using a personal access token with the sudo scope
merge_request:
author:
type: fixed
...@@ -128,7 +128,7 @@ module Gitlab ...@@ -128,7 +128,7 @@ module Gitlab
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password) token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
if token && valid_scoped_token?(token, available_scopes) if token && valid_scoped_token?(token, available_scopes)
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end end
end end
...@@ -140,10 +140,15 @@ module Gitlab ...@@ -140,10 +140,15 @@ module Gitlab
AccessTokenValidationService.new(token).include_any_scope?(scopes) AccessTokenValidationService.new(token).include_any_scope?(scopes)
end end
def abilities_for_scope(scopes) def abilities_for_scopes(scopes)
scopes.map do |scope| abilities_by_scope = {
self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend api: full_authentication_abilities,
end.flatten.uniq read_registry: [:read_container_image]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
end end
def lfs_token_check(login, password, project) def lfs_token_check(login, password, project)
...@@ -222,16 +227,6 @@ module Gitlab ...@@ -222,16 +227,6 @@ module Gitlab
:admin_container_image :admin_container_image
] ]
end end
alias_method :api_scope_authentication_abilities, :full_authentication_abilities
def read_registry_scope_authentication_abilities
[:read_container_image]
end
# The currently used auth method doesn't allow any actions for this scope
def read_user_scope_authentication_abilities
[]
end
def available_scopes(current_user = nil) def available_scopes(current_user = nil)
scopes = API_SCOPES + registry_scopes scopes = API_SCOPES + registry_scopes
......
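Review bot: `abilities_for_scopes` now grants nothing for any scope missing from `abilities_by_scope`, which is what makes a `sudo` scope harmless, but that allow-list intent is left implicit — the removed `read_user_scope_authentication_abilities` in the third hunk carried the only comment explaining why a scope yields `[]`, and the new method has none. Suggest a comment above the hash: `# Allow-list: scopes with no entry here (e.g. read_user, sudo) grant no Git/registry abilities.` As a point of style, the lookup converts every stored scope with `to_sym` to match symbol keys; if `token.scopes` holds strings (not visible here), keying the table with string keys and calling `abilities_by_scope.fetch(scope.to_s, [])` would avoid converting stored values into symbols at all. The method is fully contained in the second hunk; the class continues outside it.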
...@@ -207,7 +207,7 @@ describe Gitlab::Auth do ...@@ -207,7 +207,7 @@ describe Gitlab::Auth do
end end
it 'limits abilities based on scope' do it 'limits abilities based on scope' do
personal_access_token = create(:personal_access_token, scopes: ['read_user']) personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '') expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [])) expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, []))
......
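Review bot: The updated example still only asserts the negative case — a `read_user`/`sudo` token yields `[]` — so nothing in this file checks that the new allow-list maps `api` to `full_authentication_abilities` or `read_registry` to `[:read_container_image]`, and a regression mapping them to `[]` would pass. Add a sibling example with `scopes: %w[api sudo]` that expects the result to carry the full abilities, and one with `scopes: %w[read_registry]` expecting `[:read_container_image]`, so the fix itself is covered rather than only its side effect. The `it` block's closing `end` lies beyond the hunk.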