Commit e941365f authored by Kamil Trzcinski's avatar Kamil Trzcinski

Rename capabilities to authentication_abilities

parent ac6412d0
......@@ -14,7 +14,7 @@ class JwtController < ApplicationController
@authentication_result ||= Gitlab::Auth::Result.new
result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
execute(capabilities: @authentication_result.capabilities)
execute(authentication_abilities: @authentication_result.authentication_abilities)
render json: result, status: result[:http_status]
end
......
......@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include ActionController::HttpAuthentication::Basic
include KerberosSpnegoHelper
attr_reader :actor, :capabilities
attr_reader :actor, :authentication_abilities
# Git clients will not know what authenticity token to send along
skip_before_action :verify_authenticity_token
......@@ -125,7 +125,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
when :oauth
if download_request?
@actor = auth_result.actor
@capabilities = auth_result.capabilities
@authentication_abilities = auth_result.authentication_abilities
else
return false
end
......@@ -133,11 +133,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
if download_request?
@lfs_deploy_key = true
@actor = auth_result.actor
@capabilities = auth_result.capabilities
@authentication_abilities = auth_result.authentication_abilities
else
return false
end
when :lfs_token, :personal_token, :gitlab_or_ldap, :build
@actor = auth_result.actor
@capabilities = auth_result.capabilities
@authentication_abilities = auth_result.authentication_abilities
else
# Not allowed
return false
......@@ -150,8 +152,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@lfs_deploy_key && actor && actor.projects.include?(project)
end
def has_capability?(capability)
@capabilities.include?(capability)
def has_authentication_ability?(capability)
@authentication_abilities.include?(capability)
end
def verify_workhorse_api!
......
......@@ -86,7 +86,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
end
def access
@access ||= Gitlab::GitAccess.new(user, project, 'http', capabilities: capabilities)
@access ||= Gitlab::GitAccess.new(user, project, 'http', authentication_abilities: authentication_abilities)
end
def access_check
......
......@@ -4,8 +4,8 @@ module Auth
AUDIENCE = 'container_registry'
def execute(capabilities:)
@capabilities = capabilities || []
def execute(authentication_abilities:)
@authentication_abilities = authentication_abilities || []
return error('not found', 404) unless registry.enabled
......@@ -92,23 +92,23 @@ module Auth
# Build can:
# 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
@capabilities.include?(:build_read_container_image) &&
@authentication_abilities.include?(:build_read_container_image) &&
(requested_project == project || can?(current_user, :build_read_container_image, requested_project))
end
def user_can_pull?(requested_project)
@capabilities.include?(:read_container_image) &&
@authentication_abilities.include?(:read_container_image) &&
can?(current_user, :read_container_image, requested_project)
end
def build_can_push?(requested_project)
# Build can push only to project to from which he originates
@capabilities.include?(:build_create_container_image) &&
@authentication_abilities.include?(:build_create_container_image) &&
requested_project == project
end
def user_can_push?(requested_project)
@capabilities.include?(:create_container_image) &&
@authentication_abilities.include?(:create_container_image) &&
can?(current_user, :create_container_image, requested_project)
end
end
......
......@@ -36,7 +36,7 @@ module API
end
end
def ssh_capabilities
def ssh_authentication_abilities
[
:read_project,
:download_code,
......@@ -59,9 +59,9 @@ module API
access =
if wiki?
Gitlab::GitAccessWiki.new(actor, project, protocol, capabilities: ssh_capabilities)
Gitlab::GitAccessWiki.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities)
else
Gitlab::GitAccess.new(actor, project, protocol, capabilities: ssh_capabilities)
Gitlab::GitAccess.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities)
end
access_status = access.check(params[:action], params[:changes])
......
module Gitlab
module Auth
Result = Struct.new(:actor, :project, :type, :capabilities) do
Result = Struct.new(:actor, :project, :type, :authentication_abilities) do
def success?
actor.present? || type == :ci
end
......@@ -77,7 +77,7 @@ module Gitlab
service = project.public_send("#{underscored_service}_service")
if service && service.activated? && service.valid_token?(password)
Result.new(nil, project, :ci, build_capabilities)
Result.new(nil, project, :ci, build_authentication_abilities)
end
end
end
......@@ -88,7 +88,7 @@ module Gitlab
raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?
Result.new(user, nil, :gitlab_or_ldap, full_capabilities)
Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
end
def oauth_access_token_check(login, password)
......@@ -96,7 +96,7 @@ module Gitlab
token = Doorkeeper::AccessToken.by_token(password)
if token && token.accessible?
user = User.find_by(id: token.resource_owner_id)
Result.new(user, nil, :oauth, read_capabilities)
Result.new(user, nil, :oauth, read_authentication_abilities)
end
end
end
......@@ -105,7 +105,7 @@ module Gitlab
if login && password
user = User.find_by_personal_access_token(password)
validation = User.by_login(login)
Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation
Result.new(user, nil, :personal_token, full_authentication_abilities) if user.present? && user == validation
end
end
......@@ -122,7 +122,7 @@ module Gitlab
if actor
token_handler = Gitlab::LfsToken.new(actor)
Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password)
Result.new(actor, nil, token_handler.type, read_authentication_abilities) if Devise.secure_compare(token_handler.value, password)
end
end
......@@ -136,14 +136,14 @@ module Gitlab
if build.user
# If user is assigned to build, use restricted credentials of user
Result.new(build.user, build.project, :build, build_capabilities)
Result.new(build.user, build.project, :build, build_authentication_abilities)
else
# Otherwise use generic CI credentials (backward compatibility)
Result.new(nil, build.project, :ci, build_capabilities)
Result.new(nil, build.project, :ci, build_authentication_abilities)
end
end
def build_capabilities
def build_authentication_abilities
[
:read_project,
:build_download_code,
......@@ -152,7 +152,7 @@ module Gitlab
]
end
def read_capabilities
def read_authentication_abilities
[
:read_project,
:download_code,
......@@ -160,8 +160,8 @@ module Gitlab
]
end
def full_capabilities
read_capabilities + [
def full_authentication_abilities
read_authentication_abilities + [
:push_code,
:update_container_image
]
......
......@@ -5,13 +5,13 @@ module Gitlab
DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
PUSH_COMMANDS = %w{ git-receive-pack }
attr_reader :actor, :project, :protocol, :user_access, :capabilities
attr_reader :actor, :project, :protocol, :user_access, :authentication_abilities
def initialize(actor, project, protocol, capabilities:)
def initialize(actor, project, protocol, authentication_abilities:)
@actor = actor
@project = project
@protocol = protocol
@capabilities = capabilities
@authentication_abilities = authentication_abilities
@user_access = UserAccess.new(user, project: project)
end
......@@ -69,15 +69,15 @@ module Gitlab
end
def user_can_download_code?
capabilities.include?(:download_code) && user_access.can_do_action?(:download_code)
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
end
def build_can_download_code?
capabilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
end
def user_push_access_check(changes)
unless capabilities.include?(:push_code)
unless authentication_abilities.include?(:push_code)
return build_status_object(false, "You are not allowed to upload code for this project.")
end
......
......@@ -16,13 +16,13 @@ describe Gitlab::Auth, lib: true do
end
it 'recognises user-less build' do
expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_capabilities))
expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
end
it 'recognises user token' do
build.update(user: create(:user))
expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_capabilities))
expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
end
end
......@@ -48,7 +48,7 @@ describe Gitlab::Auth, lib: true do
ip = 'ip'
expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'drone-ci-token')
expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_capabilities))
expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: ip)).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
end
it 'recognizes master passwords' do
......@@ -56,7 +56,7 @@ describe Gitlab::Auth, lib: true do
ip = 'ip'
expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_capabilities))
expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
end
it 'recognizes user lfs tokens' do
......@@ -65,7 +65,7 @@ describe Gitlab::Auth, lib: true do
token = Gitlab::LfsToken.new(user).generate
expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: user.username)
expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, read_capabilities))
expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, read_authentication_abilities))
end
it 'recognizes deploy key lfs tokens' do
......@@ -74,7 +74,7 @@ describe Gitlab::Auth, lib: true do
token = Gitlab::LfsToken.new(key).generate
expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: "lfs+deploy-key-#{key.id}")
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_capabilities))
expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
end
it 'recognizes OAuth tokens' do
......@@ -84,7 +84,7 @@ describe Gitlab::Auth, lib: true do
ip = 'ip'
expect(gl_auth).to receive(:rate_limit!).with(ip, success: true, login: 'oauth2')
expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_capabilities))
expect(gl_auth.find_for_git_client("oauth2", token.token, project: nil, ip: ip)).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities))
end
it 'returns double nil for invalid credentials' do
......@@ -149,7 +149,7 @@ describe Gitlab::Auth, lib: true do
private
def build_capabilities
def build_authentication_abilities
[
:read_project,
:build_download_code,
......@@ -158,7 +158,7 @@ describe Gitlab::Auth, lib: true do
]
end
def read_capabilities
def read_authentication_abilities
[
:read_project,
:download_code,
......@@ -166,8 +166,8 @@ describe Gitlab::Auth, lib: true do
]
end
def full_capabilities
read_capabilities + [
def full_authentication_abilities
read_authentication_abilities + [
:push_code,
:update_container_image
]
......
require 'spec_helper'
describe Gitlab::GitAccess, lib: true do
let(:access) { Gitlab::GitAccess.new(actor, project, 'web', capabilities: capabilities) }
let(:access) { Gitlab::GitAccess.new(actor, project, 'web', authentication_abilities: authentication_abilities) }
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:actor) { user }
let(:capabilities) do
let(:authentication_abilities) do
[
:read_project,
:download_code,
......@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
context 'ssh disabled' do
before do
disable_protocol('ssh')
@acc = Gitlab::GitAccess.new(actor, project, 'ssh', capabilities: capabilities)
@acc = Gitlab::GitAccess.new(actor, project, 'ssh', authentication_abilities: authentication_abilities)
end
it 'blocks ssh git push' do
......@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
context 'http disabled' do
before do
disable_protocol('http')
@acc = Gitlab::GitAccess.new(actor, project, 'http', capabilities: capabilities)
@acc = Gitlab::GitAccess.new(actor, project, 'http', authentication_abilities: authentication_abilities)
end
it 'blocks http push' do
......@@ -119,8 +119,8 @@ describe Gitlab::GitAccess, lib: true do
end
end
describe 'build capabilities permissions' do
let(:capabilities) { build_capabilities }
describe 'build authentication_abilities permissions' do
let(:authentication_abilities) { build_authentication_abilities }
describe 'reporter user' do
before { project.team << [user, :reporter] }
......@@ -350,8 +350,8 @@ describe Gitlab::GitAccess, lib: true do
end
end
describe 'build capabilities permissions' do
let(:capabilities) { build_capabilities }
describe 'build authentication abilities' do
let(:authentication_abilities) { build_authentication_abilities }
it_behaves_like 'can not push code' do
def authorize
......@@ -373,14 +373,14 @@ describe Gitlab::GitAccess, lib: true do
private
def build_capabilities
def build_authentication_abilities
[
:read_project,
:build_download_code
]
end
def full_capabilities
def full_authentication_abilities
[
:read_project,
:download_code,
......
require 'spec_helper'
describe Gitlab::GitAccessWiki, lib: true do
let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web', capabilities: capabilities) }
let(:access) { Gitlab::GitAccessWiki.new(user, project, 'web', authentication_abilities) }
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:capabilities) do
let(:authentication_abilities) do
[
:read_project,
:download_code,
......
......@@ -6,14 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
let(:current_params) { {} }
let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
let(:payload) { JWT.decode(subject[:token], rsa_key).first }
let(:capabilities) do
let(:authentication_abilities) do
[
:read_container_image,
:create_container_image
]
end
subject { described_class.new(current_project, current_user, current_params).execute(capabilities: capabilities) }
subject { described_class.new(current_project, current_user, current_params).execute(authentication_abilities: authentication_abilities) }
before do
allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
......@@ -198,7 +198,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'build authorized as user' do
let(:current_project) { create(:empty_project) }
let(:current_user) { create(:user) }
let(:capabilities) do
let(:authentication_abilities) do
[
:build_read_container_image,
:build_create_container_image
......@@ -255,7 +255,17 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'when you are admin' do
let(:current_user) { create(:admin) }
it_behaves_like 'pullable for being team member'
context 'when you are not member' do
it_behaves_like 'an inaccessible'
end
context 'when you are member' do
before do
project.team << [current_user, :developer]
end
it_behaves_like 'a pullable'
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment