author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-05 12:22:34 -0500 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-06 21:20:16 -0500 |
commit | 8315861c9a50675b4f4f4ca536f0da90f27994f3 (patch) | |
tree | b5f25e5dbd74621ef77d480ba69f4f21d5c00d7d /app | |
parent | 72220a99d1cdbcf8a914f9e765c43e63eaee2548 (diff) | |
Include ProjectDeployTokens
Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/deploy_tokens_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/settings/repository_controller.rb | 2 | ||||
-rw-r--r-- | app/models/deploy_token.rb | 41 | ||||
-rw-r--r-- | app/models/project.rb | 3 | ||||
-rw-r--r-- | app/models/project_deploy_token.rb | 14 | ||||
-rw-r--r-- | app/presenters/projects/settings/deploy_tokens_presenter.rb | 17 | ||||
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 4 | ||||
-rw-r--r-- | app/services/deploy_tokens/create_service.rb | 6 | ||||
-rw-r--r-- | app/views/projects/deploy_tokens/_form.html.haml | 11 | ||||
-rw-r--r-- | app/views/projects/deploy_tokens/_scope_form.html.haml | 4 |
10 files changed, 60 insertions, 44 deletions
diff --git a/app/controllers/projects/deploy_tokens_controller.rb b/app/controllers/projects/deploy_tokens_controller.rb
index a7d9590ba19..e3a2e5697b5 100644
--- a/app/controllers/projects/deploy_tokens_controller.rb
+++ b/app/controllers/projects/deploy_tokens_controller.rb
@@ -21,6 +21,6 @@ class Projects::DeployTokensController < Projects::ApplicationController
private
def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, scopes: [])
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry)
end
end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index ab6d8b3b10c..b6b8963948c 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -56,7 +56,7 @@ module Projects
def define_deploy_token
attributes = @deploy_tokens.attributes_deploy_token
- @deploy_token = @project.deploy_tokens.build(attributes)
+ @deploy_token = DeployToken.new(attributes)
@deploy_token.valid? unless attributes.empty?
end
end
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index c70d1457afb..6639cb17287 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -3,36 +3,51 @@ class DeployToken < ActiveRecord::Base include TokenAuthenticatable add_authentication_token_field :token - AVAILABLE_SCOPES = %w(read_repository read_registry).freeze + AVAILABLE_SCOPES = %i(read_repository read_registry).freeze - serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize - - validates :scopes, presence: true - validates :project, presence: true - - belongs_to :project + has_many :project_deploy_tokens, inverse_of: :deploy_token + has_many :projects, through: :project_deploy_tokens + validate :ensure_at_least_one_scope before_save :ensure_token + accepts_nested_attributes_for :project_deploy_tokens + scope :active, -> { where("revoked = false AND (expires_at >= NOW() OR expires_at IS NULL)") } + scope :read_repository, -> { where(read_repository: true) } + scope :read_registry, -> { where(read_registry: true) } - def revoke! - update!(revoked: true) + def self.redis_shared_state_key(user_id) + "gitlab:deploy_token:user_#{user_id}" end - def redis_shared_state_key(user_id) - "gitlab:deploy_token:#{project_id}:#{user_id}" + def revoke! + update!(revoked: true) end def active? !revoked end + def scopes + AVAILABLE_SCOPES.select { |token_scope| send("#{token_scope}") } # rubocop:disable GitlabSecurity/PublicSend + end + def username "gitlab+deploy-token-#{id}" end - def has_access_to?(project) - self.project == project + def has_access_to?(requested_project) + self.projects.first == requested_project + end + + def project + projects.first + end + + private + + def ensure_at_least_one_scope + errors.add(:base, "Scopes can't be blank") unless read_repository || read_registry end end diff --git a/app/models/project.rb b/app/models/project.rb index 3cfb163abf4..3f805dd1fc9 100644 --- a/app/models/project.rb +++ b/app/models/project.rb 
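Review bot: `has_access_to?` compares only `self.projects.first` with the requested project, so once a token is linked to more than one project through `project_deploy_tokens` the result depends on which row the database happens to return first; the `has_many :projects, through:` association declares no ordering. An authorization check should test membership instead, e.g. `projects.include?(requested_project)`. The `project` helper added below it carries the same first-row assumption and deserves a comment saying it exists only for callers that still expect a single project. As a smaller point, `scopes` iterates the frozen `AVAILABLE_SCOPES`, so `public_send(token_scope)` would do the same job without the `GitlabSecurity/PublicSend` disable.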
@@ -222,7 +222,8 @@ class Project < ActiveRecord::Base has_many :environments has_many :deployments has_many :pipeline_schedules, class_name: 'Ci::PipelineSchedule' - has_many :deploy_tokens + has_many :project_deploy_tokens + has_many :deploy_tokens, through: :project_deploy_tokens has_many :active_runners, -> { active }, through: :runner_projects, source: :runner, class_name: 'Ci::Runner' diff --git a/app/models/project_deploy_token.rb b/app/models/project_deploy_token.rb new file mode 100644 index 00000000000..2831b01e378 --- /dev/null +++ b/app/models/project_deploy_token.rb @@ -0,0 +1,14 @@ +class ProjectDeployToken < ActiveRecord::Base + belongs_to :project + belongs_to :deploy_token, inverse_of: :project_deploy_tokens + + validates :deploy_token, presence: true + validates :project, presence: true + validates :deploy_token_id, uniqueness: { scope: [:project_id] } + + accepts_nested_attributes_for :deploy_token + + def redis_shared_state_key(user_id) + "gitlab:deploy_token:#{project_id}:#{user_id}" + end +end diff --git a/app/presenters/projects/settings/deploy_tokens_presenter.rb b/app/presenters/projects/settings/deploy_tokens_presenter.rb index 26bb42e9e7e..f052324a219 100644 --- a/app/presenters/projects/settings/deploy_tokens_presenter.rb +++ b/app/presenters/projects/settings/deploy_tokens_presenter.rb @@ -5,18 +5,10 @@ module Projects presents :deploy_tokens - def available_scopes - DeployToken::AVAILABLE_SCOPES - end - def length deploy_tokens.length end - def scope_description(scope) - scope_descriptions[scope] - end - def each deploy_tokens.each do |deploy_token| yield deploy_token 
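Review bot: `ProjectDeployToken#redis_shared_state_key` keeps the project id in the key, but no caller in this commit uses it: the presenter's `deploy_token_key` and `store_deploy_token_info_in_redis` in `DeployTokens::CreateService` both call `DeployToken.redis_shared_state_key(current_user.id)`, which yields `gitlab:deploy_token:user_#{user_id}`. With the key scoped to the user alone, a token the same user creates in a second project within the expiry window is written under the same key as the first, so the later value replaces the earlier one and whichever settings page reads the key gets it regardless of project (the reading code is outside these hunks, so this is inferred from the key format). Either route the callers through a project-scoped key or drop this method so only one key format exists.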
@@ -42,15 +34,8 @@ module Projects private - def scope_descriptions - { - 'read_repository' => s_('DeployTokens|Allows read-only access to the repository'), - 'read_registry' => s_('DeployTokens|Allows read-only access to the registry images') - } - end - def deploy_token_key - @deploy_token_key ||= project.deploy_tokens.new.redis_shared_state_key(current_user.id) + @deploy_token_key ||= DeployToken.redis_shared_state_key(current_user.id) end end end diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index 2ac35f5bd64..bb3ab856467 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -145,7 +145,7 @@ module Auth has_authentication_ability?(:read_container_image) && can_user?(:read_container_image, requested_project) end - + def deploy_token_can_pull?(requested_project) has_authentication_ability?(:read_container_image) && current_user.is_a?(DeployToken) && @@ -165,7 +165,7 @@ module Auth def user_can_push?(requested_project) has_authentication_ability?(:create_container_image) && - can_user?(current_user, :create_container_image, requested_project) + can_user?(:create_container_image, requested_project) end def error(code, status:, message: '') diff --git a/app/services/deploy_tokens/create_service.rb b/app/services/deploy_tokens/create_service.rb index 0332bb54167..0555d62540c 100644 --- a/app/services/deploy_tokens/create_service.rb +++ b/app/services/deploy_tokens/create_service.rb @@ -1,7 +1,5 @@ module DeployTokens class CreateService < BaseService - REDIS_EXPIRY_TIME = 3.minutes - def execute @project.deploy_tokens.build.tap do |deploy_token| deploy_token.attributes = params 
@@ -13,7 +11,7 @@ module DeployTokens private def store_deploy_token_info_in_redis(deploy_token) - deploy_token_key = deploy_token.redis_shared_state_key(current_user.id) + deploy_token_key = DeployToken.redis_shared_state_key(current_user.id) if deploy_token.persisted? store_in_redis(deploy_token_key, deploy_token.token) @@ -31,7 +29,7 @@ module DeployTokens def store_in_redis(key, value) Gitlab::Redis::SharedState.with do |redis| - redis.set(key, value, ex: REDIS_EXPIRY_TIME) + redis.set(key, value, ex: 3.minutes) end end end diff --git a/app/views/projects/deploy_tokens/_form.html.haml b/app/views/projects/deploy_tokens/_form.html.haml index 001afcf1944..3e83a2aae46 100644 --- a/app/views/projects/deploy_tokens/_form.html.haml +++ b/app/views/projects/deploy_tokens/_form.html.haml @@ -14,8 +14,15 @@ .form-group = f.label :scopes, class: 'label-light' - - presenter.available_scopes.each do |scope| - = render 'projects/deploy_tokens/scope_form', token: token, scope: scope, presenter: presenter + %fieldset + = f.check_box :read_repository + = label_tag ("deploy_token_read_repository"), 'read_repository' + %span= s_('DeployTokens|Allows read-only access to the repository') + + %fieldset + = f.check_box :read_registry + = label_tag ("deploy_token_read_registry"), 'read_registry' + %span= s_('DeployTokens|Allows read-only access to the registry images') .prepend-top-default = f.submit s_('DeployTokens|Create deploy token'), class: 'btn btn-success' diff --git a/app/views/projects/deploy_tokens/_scope_form.html.haml b/app/views/projects/deploy_tokens/_scope_form.html.haml deleted file mode 100644 index f67701c8ee1..00000000000 --- a/app/views/projects/deploy_tokens/_scope_form.html.haml +++ /dev/null @@ -1,4 +0,0 @@ -%fieldset - = check_box_tag "deploy_token[scopes][]", scope, token.scopes.include?(scope), id: "deploy_token_scopes_#{scope}" - = label_tag ("deploy_token_scopes_#{scope}"), scope - %span= presenter.scope_description(scope) |
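Review bot: The lifetime of the plaintext token in shared Redis is now the inline literal `ex: 3.minutes` in `store_in_redis`, where the removed `REDIS_EXPIRY_TIME` constant used to name it. How long a usable credential stays readable in Redis is a security-relevant setting, so I would keep it as a named constant with a one-line comment, e.g. `REDIS_EXPIRY_TIME = 3.minutes # plaintext token stays in shared Redis this long`, and pass `ex: REDIS_EXPIRY_TIME`.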
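Review bot: The two new labels hard-code the element ids (`label_tag ("deploy_token_read_repository"), 'read_repository'`), which match the checkboxes only while the form builder's object name stays `deploy_token`; the space before the parenthesis also makes Ruby treat the first argument as a grouped expression rather than an argument list. Using the builder ties the label's `for` attribute to the checkbox it describes: `= f.label :read_repository, 'read_repository'` and `= f.label :read_registry, 'read_registry'`. The form's opening lines are outside the hunk, so this assumes `f` is the same builder the new `f.check_box` calls use.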