Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
453b1780
Commit
453b1780
authored
Nov 23, 2017
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix pulling and pushing using a personal access token with the sudo scope
parent
7084c096
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
16 additions
and
16 deletions
+16
-16
changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
+5
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+10
-15
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+1
-1
No files found.
changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
0 → 100644
View file @
453b1780
---
title
:
Fix pulling and pushing using a personal access token with the sudo scope
merge_request
:
author
:
type
:
fixed
lib/gitlab/auth.rb
View file @
453b1780
...
@@ -128,7 +128,7 @@ module Gitlab
...
@@ -128,7 +128,7 @@ module Gitlab
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
if
token
&&
valid_scoped_token?
(
token
,
available_scopes
)
if
token
&&
valid_scoped_token?
(
token
,
available_scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_access_token
,
abilities_for_scope
(
token
.
scopes
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_access_token
,
abilities_for_scope
s
(
token
.
scopes
))
end
end
end
end
...
@@ -140,10 +140,15 @@ module Gitlab
...
@@ -140,10 +140,15 @@ module Gitlab
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
end
end
def
abilities_for_scope
(
scopes
)
def
abilities_for_scopes
(
scopes
)
scopes
.
map
do
|
scope
|
abilities_by_scope
=
{
self
.
public_send
(
:"
#{
scope
}
_scope_authentication_abilities"
)
# rubocop:disable GitlabSecurity/PublicSend
api:
full_authentication_abilities
,
end
.
flatten
.
uniq
read_registry:
[
:read_container_image
]
}
scopes
.
flat_map
do
|
scope
|
abilities_by_scope
.
fetch
(
scope
.
to_sym
,
[])
end
.
uniq
end
end
def
lfs_token_check
(
login
,
password
,
project
)
def
lfs_token_check
(
login
,
password
,
project
)
...
@@ -222,16 +227,6 @@ module Gitlab
...
@@ -222,16 +227,6 @@ module Gitlab
:admin_container_image
:admin_container_image
]
]
end
end
alias_method
:api_scope_authentication_abilities
,
:full_authentication_abilities
def
read_registry_scope_authentication_abilities
[
:read_container_image
]
end
# The currently used auth method doesn't allow any actions for this scope
def
read_user_scope_authentication_abilities
[]
end
def
available_scopes
(
current_user
=
nil
)
def
available_scopes
(
current_user
=
nil
)
scopes
=
API_SCOPES
+
registry_scopes
scopes
=
API_SCOPES
+
registry_scopes
...
...
spec/lib/gitlab/auth_spec.rb
View file @
453b1780
...
@@ -207,7 +207,7 @@ describe Gitlab::Auth do
...
@@ -207,7 +207,7 @@ describe Gitlab::Auth do
end
end
it
'limits abilities based on scope'
do
it
'limits abilities based on scope'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
personal_access_token
=
create
(
:personal_access_token
,
scopes:
%w[read_user sudo
]
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[]))
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[]))
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment