Rename capabilities to authentication_abilities

e941365f · Kamil Trzcinski · ac6412d0 · e941365f · e941365f · e941365f
Commit e941365f authored Sep 16, 2016 by Kamil Trzcinski
11 changed files
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -14,7 +14,7 @@ class JwtController < ApplicationController
    @authentication_result ||= Gitlab::Auth::Result.new

    result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
-      execute(capabilities: @authentication_result.capabilities)
+      execute(authentication_abilities: @authentication_result.authentication_abilities)

    render json: result, status: result[:http_status]
  end

--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
  include ActionController::HttpAuthentication::Basic
  include KerberosSpnegoHelper

-  attr_reader :actor, :capabilities
+  attr_reader :actor, :authentication_abilities

  # Git clients will not know what authenticity token to send along
  skip_before_action :verify_authenticity_token
@@ -125,7 +125,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
    when :oauth
      if download_request?
        @actor = auth_result.actor
-        @capabilities = auth_result.capabilities
+        @authentication_abilities = auth_result.authentication_abilities
      else
        return false
      end
@@ -133,11 +133,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
      if download_request?
        @lfs_deploy_key = true
        @actor = auth_result.actor
-        @capabilities = auth_result.capabilities
+        @authentication_abilities = auth_result.authentication_abilities
+      else
+        return false
      end
    when :lfs_token, :personal_token, :gitlab_or_ldap, :build
      @actor = auth_result.actor
-      @capabilities = auth_result.capabilities
+      @authentication_abilities = auth_result.authentication_abilities
    else
      # Not allowed
      return false
@@ -150,8 +152,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
    @lfs_deploy_key && actor && actor.projects.include?(project)
  end

-  def has_capability?(capability)
-    @capabilities.include?(capability)
+  def has_authentication_ability?(capability)
+    @authentication_abilities.include?(capability)
  end

  def verify_workhorse_api!

--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -86,7 +86,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
  end

  def access
-    @access ||= Gitlab::GitAccess.new(user, project, 'http', capabilities: capabilities)
+    @access ||= Gitlab::GitAccess.new(user, project, 'http', authentication_abilities: authentication_abilities)
  end

  def access_check

--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -4,8 +4,8 @@ module Auth

    AUDIENCE = 'container_registry'

-    def execute(capabilities:)
-      @capabilities = capabilities || []
+    def execute(authentication_abilities:)
+      @authentication_abilities = authentication_abilities || []

      return error('not found', 404) unless registry.enabled

@@ -92,23 +92,23 @@ module Auth
      # Build can:
      # 1. pull from it's own project (for ex. a build)
      # 2. read images from dependent projects if creator of build is a team member
-      @capabilities.include?(:build_read_container_image) &&
+      @authentication_abilities.include?(:build_read_container_image) &&
        (requested_project == project || can?(current_user, :build_read_container_image, requested_project))
    end

    def user_can_pull?(requested_project)
-      @capabilities.include?(:read_container_image) &&
+      @authentication_abilities.include?(:read_container_image) &&
        can?(current_user, :read_container_image, requested_project)
    end

    def build_can_push?(requested_project)
      # Build can push only to project to from which he originates
-      @capabilities.include?(:build_create_container_image) &&
+      @authentication_abilities.include?(:build_create_container_image) &&
        requested_project == project
    end

    def user_can_push?(requested_project)
-      @capabilities.include?(:create_container_image) &&
+      @authentication_abilities.include?(:create_container_image) &&
        can?(current_user, :create_container_image, requested_project)
    end
  end

--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -36,7 +36,7 @@ module API
          end
        end

-        def ssh_capabilities
+        def ssh_authentication_abilities
          [
            :read_project,
            :download_code,
@@ -59,9 +59,9 @@ module API

        access =
          if wiki?
-            Gitlab::GitAccessWiki.new(actor, project, protocol, capabilities: ssh_capabilities)
+            Gitlab::GitAccessWiki.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities)
          else
-            Gitlab::GitAccess.new(actor, project, protocol, capabilities: ssh_capabilities)
+            Gitlab::GitAccess.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities)
          end

        access_status = access.check(params[:action], params[:changes])

--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
 module Gitlab
  module Auth
-    Result = Struct.new(:actor, :project, :type, :capabilities) do
+    Result = Struct.new(:actor, :project, :type, :authentication_abilities) do
      def success?
        actor.present? || type == :ci
      end
@@ -77,7 +77,7 @@ module Gitlab
          service = project.public_send("#{underscored_service}_service")

          if service && service.activated? && service.valid_token?(password)
-            Result.new(nil, project, :ci, build_capabilities)
+            Result.new(nil, project, :ci, build_authentication_abilities)
          end
        end
      end
@@ -88,7 +88,7 @@ module Gitlab

        raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?

-        Result.new(user, nil, :gitlab_or_ldap, full_capabilities)
+        Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
      end

      def oauth_access_token_check(login, password)
@@ -96,7 +96,7 @@ module Gitlab
          token = Doorkeeper::AccessToken.by_token(password)
          if token && token.accessible?
            user = User.find_by(id: token.resource_owner_id)
-            Result.new(user, nil, :oauth, read_capabilities)
+            Result.new(user, nil, :oauth, read_authentication_abilities)
          end
        end
      end
@@ -105,7 +105,7 @@ module Gitlab
        if login && password
          user = User.find_by_personal_access_token(password)
          validation = User.by_login(login)
-          Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation
+          Result.new(user, nil, :personal_token, full_authentication_abilities) if user.present? && user == validation
        end
      end

@@ -122,7 +122,7 @@ module Gitlab
        if actor
          token_handler = Gitlab::LfsToken.new(actor)

-          Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password)
+          Result.new(actor, nil, token_handler.type, read_authentication_abilities) if Devise.secure_compare(token_handler.value, password)
        end
      end

@@ -136,14 +136,14 @@ module Gitlab

        if build.user
          # If user is assigned to build, use restricted credentials of user
-          Result.new(build.user, build.project, :build, build_capabilities)
+          Result.new(build.user, build.project, :build, build_authentication_abilities)
        else
          # Otherwise use generic CI credentials (backward compatibility)
-          Result.new(nil, build.project, :ci, build_capabilities)
+          Result.new(nil, build.project, :ci, build_authentication_abilities)
        end
      end

-      def build_capabilities
+      def build_authentication_abilities
        [
          :read_project,
          :build_download_code,
@@ -152,7 +152,7 @@ module Gitlab
        ]
      end

-      def read_capabilities
+      def read_authentication_abilities
        [
          :read_project,
          :download_code,
@@ -160,8 +160,8 @@ module Gitlab
        ]
      end

-      def full_capabilities
-        read_capabilities + [
+      def full_authentication_abilities
+        read_authentication_abilities + [
          :push_code,
          :update_container_image
        ]

--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -5,13 +5,13 @@ module Gitlab
    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
    PUSH_COMMANDS = %w{ git-receive-pack }

-    attr_reader :actor, :project, :protocol, :user_access, :capabilities
+    attr_reader :actor, :project, :protocol, :user_access, :authentication_abilities

-    def initialize(actor, project, protocol, capabilities:)
+    def initialize(actor, project, protocol, authentication_abilities:)
      @actor    = actor
      @project  = project
      @protocol = protocol
-      @capabilities = capabilities
+      @authentication_abilities = authentication_abilities
      @user_access = UserAccess.new(user, project: project)
    end

@@ -69,15 +69,15 @@ module Gitlab
    end

    def user_can_download_code?
-      capabilities.include?(:download_code) && user_access.can_do_action?(:download_code)
+      authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
    end

    def build_can_download_code?
-      capabilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
+      authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
    end

    def user_push_access_check(changes)
-      unless capabilities.include?(:push_code)
+      unless authentication_abilities.include?(:push_code)
        return build_status_object(false, "You are not allowed to upload code for this project.")
      end


--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -16,13 +16,13 @@ describe Gitlab::Auth, lib: true do
        end

        it 'recognises user-less build' do
-          expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_capabilities))
+          expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
        end

        it 'recognises user token' do
          build.update(user: create(:user))

-          expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_capabilities))
+          expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
        end
      end

@@ -48,7 +48,7 @@ describe Gitlab::Auth, lib: true do
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'drone-ci-token')
-      expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_capabilities))
+      expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
    end

    it 'recognizes master passwords' do
@@ -56,7 +56,7 @@ describe Gitlab::Auth, lib: true do
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
-      expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_capabilities))
+      expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
    end

    it 'recognizes user lfs tokens' do
@@ -65,7 +65,7 @@ describe Gitlab::Auth, lib: true do
      token = Gitlab::LfsToken.new(user).generate

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
-      expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, read_capabilities))
+      expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, read_authentication_abilities))
    end

    it 'recognizes deploy key lfs tokens' do
@@ -74,7 +74,7 @@ describe Gitlab::Auth, lib: true do
      token = Gitlab::LfsToken.new(key).generate

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")
-      expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_capabilities))
+      expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
    end

    it 'recognizes OAuth tokens' do
@@ -84,7 +84,7 @@ describe Gitlab::Auth, lib: true do
      ip = 'ip'

      expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')
-      expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_capabilities))
+      expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))
    end

    it 'returns double nil for invalid credentials' do
@@ -149,7 +149,7 @@ describe Gitlab::Auth, lib: true do

  private

-  def build_capabilities
+  def build_authentication_abilities
    [
      :read_project,
      :build_download_code,
@@ -158,7 +158,7 @@ describe Gitlab::Auth, lib: true do
    ]
  end

-  def read_capabilities
+  def read_authentication_abilities
    [
      :read_project,
      :download_code,
@@ -166,8 +166,8 @@ describe Gitlab::Auth, lib: true do
    ]
  end

-  def full_capabilities
-    read_capabilities + [
+  def full_authentication_abilities
+    read_authentication_abilities + [
      :push_code,
      :update_container_image
    ]

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
 require 'spec_helper'

 describe Gitlab::GitAccess, lib: true do
-  let(:access) { Gitlab::GitAccess.new(actor, project, 'web', capabilities: capabilities) }
+  let(:access) { Gitlab::GitAccess.new(actor, project, 'web', authentication_abilities: authentication_abilities) }
  let(:project) { create(:project) }
  let(:user) { create(:user) }
  let(:actor) { user }
-  let(:capabilities) do
+  let(:authentication_abilities) do
    [
      :read_project,
      :download_code,
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
    context 'ssh disabled' do
      before do
        disable_protocol('ssh')
-        @acc = Gitlab::GitAccess.new(actor, project, 'ssh', capabilities: capabilities)
+        @acc = Gitlab::GitAccess.new(actor, project, 'ssh', authentication_abilities: authentication_abilities)
      end

      it 'blocks ssh git push' do
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
    context 'http disabled' do
      before do
        disable_protocol('http')
-        @acc = Gitlab::GitAccess.new(actor, project, 'http', capabilities: capabilities)
+        @acc = Gitlab::GitAccess.new(actor, project, 'http', authentication_abilities: authentication_abilities)
      end

      it 'blocks http push' do
@@ -119,8 +119,8 @@ describe Gitlab::GitAccess, lib: true do
      end
    end

-    describe 'build capabilities permissions' do
-      let(:capabilities) { build_capabilities }
+    describe 'build authentication_abilities permissions' do
+      let(:authentication_abilities) { build_authentication_abilities }

      describe 'reporter user' do
        before { project.team << [user, :reporter] }
@@ -350,8 +350,8 @@ describe Gitlab::GitAccess, lib: true do
    end
  end

-  describe 'build capabilities permissions' do
-    let(:capabilities) { build_capabilities }
+  describe 'build authentication abilities' do
+    let(:authentication_abilities) { build_authentication_abilities }

    it_behaves_like 'can not push code' do
      def authorize
@@ -373,14 +373,14 @@ describe Gitlab::GitAccess, lib: true do

  private

-  def build_capabilities
+  def build_authentication_abilities
    [
      :read_project,
      :build_download_code
    ]
  end

-  def full_capabilities
+  def full_authentication_abilities
    [
      :read_project,
      :download_code,

--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
 require 'spec_helper'

 describe Gitlab::GitAccessWiki, lib: true do
-  let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web', capabilities: capabilities) }
+  let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web', authentication_abilities) }
  let(:project) { create(:project) }
  let(:user) { create(:user) }
-  let(:capabilities) do
+  let(:authentication_abilities) do
    [
      :read_project,
      :download_code,

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -6,14 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
  let(:current_params) { {} }
  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
  let(:payload) { JWT.decode(subject[:token], rsa_key).first }
-  let(:capabilities) do
+  let(:authentication_abilities) do
    [
      :read_container_image,
      :create_container_image
    ]
  end

-  subject { described_class.new(current_project, current_user, current_params).execute(capabilities: capabilities) }
+  subject { described_class.new(current_project, current_user, current_params).execute(authentication_abilities: authentication_abilities) }

  before do
    allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
@@ -198,7 +198,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
  context 'build authorized as user' do
    let(:current_project) { create(:empty_project) }
    let(:current_user) { create(:user) }
-    let(:capabilities) do
+    let(:authentication_abilities) do
      [
        :build_read_container_image,
        :build_create_container_image
@@ -255,7 +255,17 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
          context 'when you are admin' do
            let(:current_user) { create(:admin) }

-            it_behaves_like 'pullable for being team member'
+            context 'when you are not member' do
+              it_behaves_like 'an inaccessible'
+            end
+
+            context 'when you are member' do
+              before do
+                project.team << [current_user, :developer]
+              end
+
+              it_behaves_like 'a pullable'
+            end
          end
        end
      end