Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
72220a99
Commit
72220a99
authored
Apr 05, 2018
by
Kamil Trzciński
Committed by
Mayra Cabrera
Apr 06, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Support Deploy Tokens properly without hacking abilities
parent
171b2625
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
43 additions
and
28 deletions
+43
-28
app/models/deploy_token.rb
app/models/deploy_token.rb
+5
-1
app/policies/project_policy.rb
app/policies/project_policy.rb
+2
-2
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+17
-6
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+11
-11
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+2
-2
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+3
-3
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+2
-2
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+1
-1
No files found.
app/models/deploy_token.rb
View file @
72220a99
...
...
@@ -29,6 +29,10 @@ class DeployToken < ActiveRecord::Base
end
def
username
User
.
ghost
.
username
"gitlab+deploy-token-
#{
id
}
"
end
def
has_access_to?
(
project
)
self
.
project
==
project
end
end
app/policies/project_policy.rb
View file @
72220a99
...
...
@@ -145,7 +145,7 @@ class ProjectPolicy < BasePolicy
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
rule
{
guest
&
can?
(
:download_code
)
}.
enable
:build_download_code
rule
{
guest
&
can?
(
:read_container_image
)
}.
enable
:
project
_read_container_image
rule
{
guest
&
can?
(
:read_container_image
)
}.
enable
:
build
_read_container_image
rule
{
can?
(
:reporter_access
)
}.
policy
do
enable
:download_code
...
...
@@ -179,7 +179,7 @@ class ProjectPolicy < BasePolicy
enable
:fork_project
enable
:build_download_code
enable
:
project
_read_container_image
enable
:
build
_read_container_image
enable
:request_access
end
...
...
app/services/auth/container_registry_authentication_service.rb
View file @
72220a99
...
...
@@ -109,7 +109,7 @@ module Auth
case
requested_action
when
'pull'
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
build_can_pull?
(
requested_project
)
||
user_can_pull?
(
requested_project
)
||
deploy_token_can_pull?
(
requested_project
)
when
'push'
build_can_push?
(
requested_project
)
||
user_can_push?
(
requested_project
)
when
'*'
...
...
@@ -123,22 +123,33 @@ module Auth
Gitlab
.
config
.
registry
end
def
can_user?
(
ability
,
project
)
current_user
.
is_a?
(
User
)
&&
can?
(
current_user
,
ability
,
project
)
end
def
build_can_pull?
(
requested_project
)
# Build can:
# 1. pull from its own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
has_authentication_ability?
(
:
project
_read_container_image
)
&&
(
requested_project
==
project
||
can
?
(
current_user
,
:project
_read_container_image
,
requested_project
))
has_authentication_ability?
(
:
build
_read_container_image
)
&&
(
requested_project
==
project
||
can
_user?
(
:build
_read_container_image
,
requested_project
))
end
def
user_can_admin?
(
requested_project
)
has_authentication_ability?
(
:admin_container_image
)
&&
can
?
(
current_user
,
:admin_container_image
,
requested_project
)
can
_user?
(
:admin_container_image
,
requested_project
)
end
def
user_can_pull?
(
requested_project
)
has_authentication_ability?
(
:read_container_image
)
&&
can?
(
current_user
,
:read_container_image
,
requested_project
)
can_user?
(
:read_container_image
,
requested_project
)
end
def
deploy_token_can_pull?
(
requested_project
)
has_authentication_ability?
(
:read_container_image
)
&&
current_user
.
is_a?
(
DeployToken
)
&&
current_user
.
has_access_to?
(
requested_project
)
end
##
...
...
@@ -154,7 +165,7 @@ module Auth
def
user_can_push?
(
requested_project
)
has_authentication_ability?
(
:create_container_image
)
&&
can?
(
current_user
,
:create_container_image
,
requested_project
)
can
_user
?
(
current_user
,
:create_container_image
,
requested_project
)
end
def
error
(
code
,
status
:,
message:
''
)
...
...
lib/gitlab/auth.rb
View file @
72220a99
...
...
@@ -26,7 +26,7 @@ module Gitlab
lfs_token_check
(
login
,
password
,
project
)
||
oauth_access_token_check
(
login
,
password
)
||
personal_access_token_check
(
password
)
||
deploy_token_check
(
project
,
password
)
||
deploy_token_check
(
login
,
password
)
||
user_with_password_for_git
(
login
,
password
)
||
Gitlab
::
Auth
::
Result
.
new
...
...
@@ -176,18 +176,18 @@ module Gitlab
# Project is always sent when using read_scope,
# but is not sent when using read_registry scope
# (since jwt is not context aware of the project)
def
deploy_token_check
(
project
,
password
)
def
deploy_token_check
(
login
,
password
)
return
unless
password
.
present?
token
=
if
project
.
present?
DeployToken
.
active
.
find_by
(
project:
project
,
token:
password
)
else
DeployToken
.
active
.
find_by
(
token:
password
)
end
if
token
&&
valid_scoped_token?
(
token
,
available_
scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
abilities_for_scopes
(
token
.
scopes
)
)
DeployToken
.
active
.
find_by
(
token:
password
)
return
unless
token
return
unless
login
!=
"gitlab+deploy-token-
#{
token
.
id
}
"
scopes
=
abilities_for_scopes
(
token
.
scopes
)
if
valid_scoped_token?
(
token
,
scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
scopes
)
end
end
...
...
@@ -242,7 +242,7 @@ module Gitlab
[
:read_project
,
:build_download_code
,
:
project
_read_container_image
,
:
build
_read_container_image
,
:build_create_container_image
]
end
...
...
lib/gitlab/git_access.rb
View file @
72220a99
...
...
@@ -290,10 +290,10 @@ module Gitlab
def
can_read_project?
if
deploy_key?
deploy_key
.
has_access_to?
(
project
)
elsif
deploy_token?
deploy_token
.
has_access_to?
(
project
)
elsif
user
user
.
can?
(
:read_project
,
project
)
elsif
deploy_token?
deploy_token
.
active?
&&
deploy_token
.
project
==
project
elsif
ci?
true
# allow CI (build without a user) for backwards compatibility
end
||
Guest
.
can?
(
:read_project
,
project
)
...
...
spec/lib/gitlab/auth_spec.rb
View file @
72220a99
...
...
@@ -195,7 +195,7 @@ describe Gitlab::Auth do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_registry'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[
:read_project
,
:build_download_code
,
:
project
_read_container_image
]))
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_access_token
,
[
:read_project
,
:build_download_code
,
:
build
_read_container_image
]))
end
end
...
...
@@ -310,7 +310,7 @@ describe Gitlab::Auth do
end
it
'succeeds if deploy token does have read_registry as scope'
do
abilities
=
%i(read_project build_download_code
project
_read_container_image)
abilities
=
%i(read_project build_download_code
build
_read_container_image)
auth_success
=
Gitlab
::
Auth
::
Result
.
new
(
deploy_token
,
project
,
:deploy_token
,
abilities
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
...
...
@@ -477,7 +477,7 @@ describe Gitlab::Auth do
[
:read_project
,
:build_download_code
,
:
project
_read_container_image
,
:
build
_read_container_image
,
:build_create_container_image
]
end
...
...
spec/policies/project_policy_spec.rb
View file @
72220a99
...
...
@@ -28,7 +28,7 @@ describe ProjectPolicy do
end
let
(
:team_member_reporter_permissions
)
do
%i[build_download_code
project
_read_container_image]
%i[build_download_code
build
_read_container_image]
end
let
(
:developer_permissions
)
do
...
...
@@ -54,7 +54,7 @@ describe ProjectPolicy do
let
(
:public_permissions
)
do
%i[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code
project
_read_container_image
read_container_image build_download_code
build
_read_container_image
download_wiki_code
]
end
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
72220a99
...
...
@@ -373,7 +373,7 @@ describe Auth::ContainerRegistryAuthenticationService do
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:authentication_abilities
)
do
[
:
project
_read_container_image
,
:build_create_container_image
]
[
:
build
_read_container_image
,
:build_create_container_image
]
end
before
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment