9fcc3e59
Commit
9fcc3e59
authored
Jun 06, 2017
by
Z.J. van de Weg
Fix test failures
parent
0b81b5ac
Changes
5
Showing
5 changed files
with
38 additions
and
30 deletions
+38
-30
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+1
-1
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+23
-16
spec/features/profiles/personal_access_tokens_spec.rb
spec/features/profiles/personal_access_tokens_spec.rb
+5
-1
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+8
-11
spec/requests/jwt_controller_spec.rb
spec/requests/jwt_controller_spec.rb
+1
-1
app/controllers/jwt_controller.rb
...
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
...
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
private
private
def
authenticate_project_or_user
def
authenticate_project_or_user
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_a
pi
_abilities
)
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_a
uthentication
_abilities
)
authenticate_with_http_basic
do
|
login
,
password
|
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
...
...
lib/gitlab/auth.rb
...
@@ -107,7 +107,7 @@ module Gitlab
...
@@ -107,7 +107,7 @@ module Gitlab
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_a
pi
_abilities
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_a
uthentication
_abilities
)
end
end
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
...
@@ -116,7 +116,7 @@ module Gitlab
...
@@ -116,7 +116,7 @@ module Gitlab
if
valid_oauth_token?
(
token
)
if
valid_oauth_token?
(
token
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
full_a
pi
_abilities
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
full_a
uthentication
_abilities
)
end
end
end
end
end
end
...
@@ -126,26 +126,23 @@ module Gitlab
...
@@ -126,26 +126,23 @@ module Gitlab
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
if
token
&&
valid_scoped_token?
(
token
,
scopes:
AVAILABLE_SCOPES
.
map
(
&
:to_s
))
if
token
&&
valid_scoped_token?
(
token
,
AVAILABLE_SCOPES
.
map
(
&
:to_s
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
end
end
end
end
def
valid_oauth_token?
(
token
)
def
valid_oauth_token?
(
token
)
token
&&
token
.
accessible?
&&
valid_scoped_token?
(
token
)
token
&&
token
.
accessible?
&&
valid_scoped_token?
(
token
,
[
"api"
]
)
end
end
def
valid_scoped_token?
(
token
,
scopes
:
%w[api]
)
def
valid_scoped_token?
(
token
,
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
end
end
def
abilities_for_scope
(
scopes
)
def
abilities_for_scope
(
scopes
)
abilities
=
Set
.
new
scopes
.
map
do
|
scope
|
self
.
public_send
(
:"
#{
scope
}
_scope_authentication_abilities"
)
abilities
.
merge
(
full_api_abilities
)
if
scopes
.
include?
(
"api"
)
end
.
flatten
.
uniq
abilities
<<
:read_container_image
if
scopes
.
include?
(
"read_registry"
)
abilities
.
to_a
end
end
def
lfs_token_check
(
login
,
password
)
def
lfs_token_check
(
login
,
password
)
...
@@ -164,9 +161,9 @@ module Gitlab
...
@@ -164,9 +161,9 @@ module Gitlab
authentication_abilities
=
authentication_abilities
=
if
token_handler
.
user?
if
token_handler
.
user?
full_a
pi
_abilities
full_a
uthentication
_abilities
else
else
read_a
pi
_abilities
read_a
uthentication
_abilities
end
end
if
Devise
.
secure_compare
(
token_handler
.
token
,
password
)
if
Devise
.
secure_compare
(
token_handler
.
token
,
password
)
...
@@ -202,7 +199,7 @@ module Gitlab
...
@@ -202,7 +199,7 @@ module Gitlab
]
]
end
end
def
read_a
pi
_abilities
def
read_a
uthentication
_abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -210,12 +207,22 @@ module Gitlab
...
@@ -210,12 +207,22 @@ module Gitlab
]
]
end
end
def
full_a
pi
_abilities
def
full_a
uthentication
_abilities
read_a
pi
_abilities
+
[
read_a
uthentication
_abilities
+
[
:push_code
,
:push_code
,
:create_container_image
:create_container_image
]
]
end
end
alias_method
:api_scope_authentication_abilities
,
:full_authentication_abilities
def
read_registry_scope_authentication_abilities
[
:read_container_image
]
end
# The currently used auth method doesn't allow any actions for this scope
def
read_user_scope_authentication_abilities
[]
end
end
end
end
end
end
end
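Review bot: In the `abilities_for_scope` rewrite in the -126,26 hunk, `public_send(:"#{scope}_scope_authentication_abilities")` dispatches on every scope string stored on the token, but `valid_scoped_token?` only requires that one scope be in AVAILABLE_SCOPES (`include_any_scope?`), so a token carrying an additional scope with no matching method raises NoMethodError in the middle of authentication instead of failing closed. The spec in this commit lists `openid` as an optional scope while this hunk defines abilities methods only for `api`, `read_registry` and `read_user`, so unless `openid_scope_authentication_abilities` exists outside the hunk an `api`+`openid` token hits exactly that path. I would filter before dispatching so unknown or stale scopes contribute nothing: `scopes.select { |s| AVAILABLE_SCOPES.map(&:to_s).include?(s) }.flat_map { |s| public_send(:"#{s}_scope_authentication_abilities") }.uniq`, with a comment `# only scopes in AVAILABLE_SCOPES have an abilities method; anything else grants nothing`. The `self.` before `public_send` is redundant. This reading assumes the second of each printed line pair is the new side, as the side-by-side rendering suggests.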
spec/features/profiles/personal_access_tokens_spec.rb
...
@@ -17,6 +17,7 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
...
@@ -17,6 +17,7 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
def
disallow_personal_access_token_saves!
def
disallow_personal_access_token_saves!
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:save
).
and_return
(
false
)
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:save
).
and_return
(
false
)
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
end
end
...
@@ -91,8 +92,11 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
...
@@ -91,8 +92,11 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
context
"when revocation fails"
do
context
"when revocation fails"
do
it
"displays an error message"
do
it
"displays an error message"
do
disallow_personal_access_token_saves!
visit
profile_personal_access_tokens_path
visit
profile_personal_access_tokens_path
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:update!
).
and_return
(
false
)
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
click_on
"Revoke"
click_on
"Revoke"
expect
(
active_personal_access_tokens
).
to
have_text
(
personal_access_token
.
name
)
expect
(
active_personal_access_tokens
).
to
have_text
(
personal_access_token
.
name
)
...
...
spec/lib/gitlab/auth_spec.rb
...
@@ -17,7 +17,11 @@ describe Gitlab::Auth, lib: true do
...
@@ -17,7 +17,11 @@ describe Gitlab::Auth, lib: true do
end
end
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
[
:read_user
,
:openid
]
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
%i[read_user read_registry openid]
end
it
'REGISTRY_SCOPES contains all registry related scopes'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
%i[read_registry]
end
end
end
end
...
@@ -157,18 +161,11 @@ describe Gitlab::Auth, lib: true do
...
@@ -157,18 +161,11 @@ describe Gitlab::Auth, lib: true do
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
impersonation_token
.
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
impersonation_token
.
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
end
end
it
'
fails for personal access tokens with other scopes
'
do
it
'
limits abilities based on scope
'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_token
,
[]))
end
it
'fails for impersonation token with other scopes'
do
impersonation_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
end
end
it
'fails if password is nil'
do
it
'fails if password is nil'
do
...
...
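Review bot: The new `limits abilities based on scope` example in the -157,18 hunk exercises only a single-scope `read_user` token, so the `abilities_for_scope` dispatch added in lib/gitlab/auth.rb is never tested with more than one scope or with a scope that lacks a `*_scope_authentication_abilities` method. Since the earlier hunk in this file now asserts OPTIONAL_SCOPES includes `openid`, an example such as `create(:personal_access_token, scopes: %w[api openid])` expecting `full_authentication_abilities` would surface a NoMethodError on the unmapped scope, and a `%w[api read_registry]` case would pin the `uniq` merge of abilities. The enclosing `describe` block starts and ends outside the hunk.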
spec/requests/jwt_controller_spec.rb
...
@@ -102,7 +102,7 @@ describe JwtController do
...
@@ -102,7 +102,7 @@ describe JwtController do
end
end
it
'allows read access'
do
it
'allows read access'
do
expect
(
service
).
to
receive
(
:execute
).
with
(
authentication_abilities:
Gitlab
::
Auth
.
read_a
pi
_abilities
)
expect
(
service
).
to
receive
(
:execute
).
with
(
authentication_abilities:
Gitlab
::
Auth
.
read_a
uthentication
_abilities
)
get
'/jwt/auth'
,
parameters
get
'/jwt/auth'
,
parameters
end
end
...
...