author | Sean McGivern <sean@mcgivern.me.uk> | 2017-11-24 09:09:38 +0000 |
---|---|---|
committer | Sean McGivern <sean@mcgivern.me.uk> | 2017-11-24 09:09:38 +0000 |
commit | 89c9d2ad6b792885d234f153f2e13ee96639e4f8 (patch) | |
tree | aeafc6639041b20cce6c09aff29b17704adb0dd8 | |
parent | fad4ab7d56ea1deb415adff541212ae901e31fd4 (diff) | |
parent | 453b17809395fda045f5685268cae58c1dceb881 (diff) | |
download | gitlab-ce-89c9d2ad6b792885d234f153f2e13ee96639e4f8.tar.gz |
Merge branch 'dm-fix-registry-with-sudo-token' into 'master'
Fix pulling and pushing using a personal access token with the sudo scope
Closes #40466
See merge request gitlab-org/gitlab-ce!15571
-rw-r--r-- | changelogs/unreleased/dm-fix-registry-with-sudo-token.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/auth.rb | 25 | ||||
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 2 |
3 files changed, 16 insertions, 16 deletions
diff --git a/changelogs/unreleased/dm-fix-registry-with-sudo-token.yml b/changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
new file mode 100644
index 00000000000..be687fda147
--- /dev/null
+++ b/changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
@@ -0,0 +1,5 @@
+---
+title: Fix pulling and pushing using a personal access token with the sudo scope
+merge_request:
+author:
+type: fixed
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 9670207a105..65d7fd3ec70 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -134,7 +134,7 @@ module Gitlab
 token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
 
 if token && valid_scoped_token?(token, available_scopes)
- Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes))
+ Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
 end
 end
 
@@ -146,10 +146,15 @@ module Gitlab
 AccessTokenValidationService.new(token).include_any_scope?(scopes)
 end
 
- def abilities_for_scope(scopes)
- scopes.map do |scope|
- self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend
- end.flatten.uniq
+ def abilities_for_scopes(scopes)
+ abilities_by_scope = {
+ api: full_authentication_abilities,
+ read_registry: [:read_container_image]
+ }
+
+ scopes.flat_map do |scope|
+ abilities_by_scope.fetch(scope.to_sym, [])
+ end.uniq
 end
 
 def lfs_token_check(login, password, project)
@@ -228,16 +233,6 @@ module Gitlab
 :admin_container_image
 ]
 end
- alias_method :api_scope_authentication_abilities, :full_authentication_abilities
-
- def read_registry_scope_authentication_abilities
- [:read_container_image]
- end
-
- # The currently used auth method doesn't allow any actions for this scope
- def read_user_scope_authentication_abilities
- []
- end
 
 def available_scopes(current_user = nil)
 scopes = API_SCOPES + registry_scopes
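Review bot: In the `abilities_for_scopes` hunk, `abilities_by_scope.fetch(scope.to_sym, [])` makes every scope not listed in the hash (`read_user`, `sudo`, and any scope added later) silently grant no git/registry abilities, where the removed `public_send` lookup presumably raised for a scope with no matching method; that fail-closed default is the right one for an authentication path, but nothing in the code says it is intentional, so a later maintainer may read the empty result as a bug and "fix" it by mapping a scope without thinking about what it unlocks. A comment above the hash would pin that down: `# Scopes absent from this map (read_user, sudo, future scopes) grant no git/registry abilities; add an entry only when a new scope should deliberately unlock them.` The hash is also rebuilt on each call even though only `full_authentication_abilities` is a method call; whether it can be hoisted to a constant depends on that method being a fixed list, which this hunk does not show. The enclosing module and `personal_access_token_check` continue outside the hunks.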
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 5e822a0026a..a6fbec295b5 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -207,7 +207,7 @@ describe Gitlab::Auth do
 end
 
 it 'limits abilities based on scope' do
- personal_access_token = create(:personal_access_token, scopes: ['read_user'])
+ personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])
 
 expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
 expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [])) |
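Review bot: The changed example only asserts that a `read_user` + `sudo` token ends up with no abilities; nothing in the spec exercises the case the commit title describes, a token that carries `sudo` next to a scope that does grant git/registry access, so a regression back to raising or dropping the whole token on `sudo` would go unnoticed. A second example would pin it: `personal_access_token = create(:personal_access_token, scopes: %w[read_registry sudo])` with the result expected to `eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, [:read_container_image]))`. Whether `read_registry` is part of `available_scopes` in this spec context depends on registry being enabled in the setup, which the hunk does not show, so the example may need the same stubbing the registry examples use. The `it` block's closing `end` lies outside the hunk.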