Commit ce5abaae authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '37789-followup-for-read-registry-change' into 'master'

Clean up read_registry scope changes

Closes #37789

See merge request gitlab-org/gitlab-ce!14307
parents 90aebe85 0013e6c0
...@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController ...@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
end end
def set_index_vars def set_index_vars
@scopes = Gitlab::Auth::AVAILABLE_SCOPES @scopes = Gitlab::Auth.available_scopes
@personal_access_token = finder.build @personal_access_token = finder.build
@inactive_personal_access_tokens = finder(state: 'inactive').execute @inactive_personal_access_tokens = finder(state: 'inactive').execute
......
...@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base ...@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
protected protected
def validate_scopes def validate_scopes
unless revoked || scopes.all? { |scope| Gitlab::Auth::AVAILABLE_SCOPES.include?(scope.to_sym) } unless revoked || scopes.all? { |scope| Gitlab::Auth.available_scopes.include?(scope.to_sym) }
errors.add :scopes, "can only contain available scopes" errors.add :scopes, "can only contain available scopes"
end end
end end
......
...@@ -58,7 +58,7 @@ Doorkeeper.configure do ...@@ -58,7 +58,7 @@ Doorkeeper.configure do
# For more information go to # For more information go to
# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
default_scopes(*Gitlab::Auth::DEFAULT_SCOPES) default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES) optional_scopes(*Gitlab::Auth.optional_scopes)
# Change the way client credentials are retrieved from the request object. # Change the way client credentials are retrieved from the request object.
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
......
...@@ -2,7 +2,7 @@ module Gitlab ...@@ -2,7 +2,7 @@ module Gitlab
module Auth module Auth
MissingPersonalTokenError = Class.new(StandardError) MissingPersonalTokenError = Class.new(StandardError)
REGISTRY_SCOPES = Gitlab.config.registry.enabled ? [:read_registry].freeze : [].freeze REGISTRY_SCOPES = [:read_registry].freeze
# Scopes used for GitLab API access # Scopes used for GitLab API access
API_SCOPES = [:api, :read_user].freeze API_SCOPES = [:api, :read_user].freeze
...@@ -13,11 +13,6 @@ module Gitlab ...@@ -13,11 +13,6 @@ module Gitlab
# Default scopes for OAuth applications that don't define their own # Default scopes for OAuth applications that don't define their own
DEFAULT_SCOPES = [:api].freeze DEFAULT_SCOPES = [:api].freeze
AVAILABLE_SCOPES = (API_SCOPES + REGISTRY_SCOPES).freeze
# Other available scopes
OPTIONAL_SCOPES = (AVAILABLE_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
class << self class << self
include Gitlab::CurrentSettings include Gitlab::CurrentSettings
...@@ -132,7 +127,7 @@ module Gitlab ...@@ -132,7 +127,7 @@ module Gitlab
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password) token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
if token && valid_scoped_token?(token, AVAILABLE_SCOPES) if token && valid_scoped_token?(token, available_scopes)
Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes))
end end
end end
...@@ -230,6 +225,21 @@ module Gitlab ...@@ -230,6 +225,21 @@ module Gitlab
def read_user_scope_authentication_abilities def read_user_scope_authentication_abilities
[] []
end end
def available_scopes
API_SCOPES + registry_scopes
end
# Other available scopes
def optional_scopes
available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
end
def registry_scopes
return [] unless Gitlab.config.registry.enabled
REGISTRY_SCOPES
end
end end
end end
end end
...@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do ...@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
end end
describe '#optional_scopes' do describe '#optional_scopes' do
it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do it 'matches Gitlab::Auth.optional_scopes' do
expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES - Gitlab::Auth::REGISTRY_SCOPES expect(subject.optional_scopes).to eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES
end end
end end
......
...@@ -16,20 +16,20 @@ describe Gitlab::Auth do ...@@ -16,20 +16,20 @@ describe Gitlab::Auth do
expect(subject::DEFAULT_SCOPES).to eq [:api] expect(subject::DEFAULT_SCOPES).to eq [:api]
end end
it 'OPTIONAL_SCOPES contains all non-default scopes' do it 'optional_scopes contains all non-default scopes' do
stub_container_registry_config(enabled: true) stub_container_registry_config(enabled: true)
expect(subject::OPTIONAL_SCOPES).to eq %i[read_user read_registry openid] expect(subject.optional_scopes).to eq %i[read_user read_registry openid]
end end
context 'REGISTRY_SCOPES' do context 'registry_scopes' do
context 'when registry is disabled' do context 'when registry is disabled' do
before do before do
stub_container_registry_config(enabled: false) stub_container_registry_config(enabled: false)
end end
it 'is empty' do it 'is empty' do
expect(subject::REGISTRY_SCOPES).to eq [] expect(subject.registry_scopes).to eq []
end end
end end
...@@ -39,7 +39,7 @@ describe Gitlab::Auth do ...@@ -39,7 +39,7 @@ describe Gitlab::Auth do
end end
it 'contains all registry related scopes' do it 'contains all registry related scopes' do
expect(subject::REGISTRY_SCOPES).to eq %i[read_registry] expect(subject.registry_scopes).to eq %i[read_registry]
end end
end end
end end
......
...@@ -26,11 +26,9 @@ module StubGitlabCalls ...@@ -26,11 +26,9 @@ module StubGitlabCalls
end end
def stub_container_registry_config(registry_settings) def stub_container_registry_config(registry_settings)
allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow(Auth::ContainerRegistryAuthenticationService) allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:full_access_token).and_return('token') .to receive(:full_access_token).and_return('token')
allow(Gitlab.config.registry).to receive_messages(registry_settings)
load 'lib/gitlab/auth.rb'
end end
def stub_container_registry_tags(repository: :any, tags:) def stub_container_registry_tags(repository: :any, tags:)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment