author | Kamil TrzciĆski <ayufan@ayufan.eu> | 2018-04-05 15:49:18 +0200 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-06 21:20:16 -0500 |
commit | 72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch) | |
tree | 314df7454174092bee8f1ea83d6bda53d760959e /app/services/auth/container_registry_authentication_service.rb | |
parent | 171b2625b128e5954ce0a150a4fc923a22164e4e (diff) | |
download | gitlab-ce-72220a99d1cdbcf8a914f9e765c43e63eaee2548.tar.gz |
Support Deploy Tokens properly without hacking abilities
Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index d70ac7b1b3d..2ac35f5bd64 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -109,7 +109,7 @@ module Auth
 case requested_action
 when 'pull'
- build_can_pull?(requested_project) || user_can_pull?(requested_project)
+ build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
 when 'push'
 build_can_push?(requested_project) || user_can_push?(requested_project)
 when '*'
@@ -123,22 +123,33 @@ module Auth
 Gitlab.config.registry
 end
+ def can_user?(ability, project)
+ current_user.is_a?(User) &&
+ can?(current_user, ability, project)
+ end
+
 def build_can_pull?(requested_project)
 # Build can:
 # 1. pull from its own project (for ex. a build)
 # 2. read images from dependent projects if creator of build is a team member
- has_authentication_ability?(:project_read_container_image) &&
- (requested_project == project || can?(current_user, :project_read_container_image, requested_project))
+ has_authentication_ability?(:build_read_container_image) &&
+ (requested_project == project || can_user?(:build_read_container_image, requested_project))
 end
 def user_can_admin?(requested_project)
 has_authentication_ability?(:admin_container_image) &&
- can?(current_user, :admin_container_image, requested_project)
+ can_user?(:admin_container_image, requested_project)
 end
 def user_can_pull?(requested_project)
 has_authentication_ability?(:read_container_image) &&
- can?(current_user, :read_container_image, requested_project)
+ can_user?(:read_container_image, requested_project)
 end
+
+ def deploy_token_can_pull?(requested_project)
+ has_authentication_ability?(:read_container_image) &&
+ current_user.is_a?(DeployToken) &&
+ current_user.has_access_to?(requested_project)
 end
 ##
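Review bot: The new `can_user?` guard and `deploy_token_can_pull?` both gate on the same `:read_container_image` authentication ability and are told apart only by the class of `current_user`, and nothing in the hunk documents why the `is_a?(User)` check exists; a comment above `can_user?` such as `# current_user may now be a DeployToken rather than a User; only real users go through the policy check, tokens are handled by deploy_token_can_pull?` would make that intent clear to the next reader. Whether `DeployToken#has_access_to?` also covers token expiry and revocation is not visible in this hunk; if it does not, a token that still carries the `:read_container_image` ability after being revoked or expired would pass this check, so that is worth confirming and stating in a comment on `deploy_token_can_pull?`. Both new methods are fully contained in the hunk.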
@@ -154,7 +165,7 @@ module Auth
 def user_can_push?(requested_project)
 has_authentication_ability?(:create_container_image) &&
- can?(current_user, :create_container_image, requested_project)
+ can_user?(current_user, :create_container_image, requested_project)
 end
 def error(code, status:, message: '') |
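Review bot: `user_can_push?` now calls `can_user?(current_user, :create_container_image, requested_project)` with three arguments, but `can_user?` as introduced in this same commit takes `(ability, project)`, so every authenticated push authorization will raise an ArgumentError instead of returning a boolean; the line should read `can_user?(:create_container_image, requested_project)`, matching the other call sites changed here. The mistake fails closed, since no push scope is granted, but it turns an ordinary denial into an exception on every push request rather than a clean registry denial. The `error` method begins in this hunk and continues outside it.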