author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-08-08 12:01:25 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-13 13:30:26 +0200 |
commit | 505dc808b3c0dc98413506446d368b91b56ff682 (patch) | |
tree | 1f6d5c7fe805bf5ff11a4f5696d73e11d71ca3a6 /app/services/auth | |
parent | 45afdbef0de58f6de207b057e47151611d2ad7e6 (diff) | |
download | gitlab-ce-505dc808b3c0dc98413506446d368b91b56ff682.tar.gz |
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
Diffstat (limited to 'app/services/auth')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 6072123b851..270d5a11d9e 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -4,7 +4,9 @@ module Auth
AUDIENCE = 'container_registry'
- def execute
+ def execute(access_type: access_type)
+ @access_type = access_type
+
return error('not found', 404) unless registry.enabled
unless current_user || project
@@ -74,9 +76,9 @@ module Auth
case requested_action
when 'pull'
- requested_project == project || can?(current_user, :read_container_image, requested_project)
+ restricted_user_can_pull?(requested_project) || privileged_user_can_pull?(requested_project)
when 'push'
- requested_project == project || can?(current_user, :create_container_image, requested_project)
+ restricted_user_can_push?(requested_project) || privileged_user_can_push?(requested_project)
else
false
end
@@ -85,5 +87,37 @@ module Auth
def registry
Gitlab.config.registry
end
+
+ private
+
+ def restricted_user_can_pull?(requested_project)
+ return false unless restricted?
+
+ # Restricted can:
+ # 1. pull from it's own project (for ex. a build)
+ # 2. read images from dependent projects if he is a team member
+ requested_project == project || can?(current_user, :restricted_read_container_image, requested_project)
+ end
+
+ def privileged_user_can_pull?(requested_project)
+ full? && can?(current_user, :read_container_image, requested_project)
+ end
+
+ def restricted_user_can_push?(requested_project)
+ # Restricted can push only to project to from which he originates
+ restricted? && requested_project == project
+ end
+
+ def privileged_user_can_push?(requested_project)
+ full? && can?(current_user, :create_container_image, requested_project)
+ end
+
+ def full?
+ @access_type == :full
+ end
+
+ def restricted?
+ @access_type == :restricted
+ end
end
end |
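Review bot: The keyword default `access_type: access_type` on the new `execute` signature refers to the parameter itself, which Ruby resolves to nil (with a "circular argument reference" warning), so any caller that still invokes `execute` with no argument ends up with `@access_type = nil` and every pull/push decision downstream denies, because neither `full?` nor `restricted?` can be true. That is fail-closed, which is the safe direction, but it is silent and indistinguishable from a genuine permission denial. Make the argument mandatory with `def execute(access_type:)` so an un-updated caller raises ArgumentError instead, and consider rejecting values other than `:full` and `:restricted` at the top of `execute`. The body of `execute` continues past the end of this hunk.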
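Review bot: `restricted_user_can_pull?` relies on a new ability, `:restricted_read_container_image`, that is not defined anywhere in this diff (the diffstat is limited to app/services/auth); if the matching policy change does not ship in the same commit, `can?` returns false and every cross-project pull by a restricted token is denied, so it is worth confirming the ability is added alongside this service change. The comments in the new helpers should also be tightened: `# A restricted token can pull from its own project (e.g. a build) and read images from dependent projects the user is a member of` for `restricted_user_can_pull?`, and `# A restricted token can push only to the project it originates from` for `restricted_user_can_push?`. A short comment above `full?`/`restricted?` noting that any other `@access_type` value, including nil, denies all access would make the fail-closed behaviour explicit for the next maintainer.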