summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-14 00:09:57 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-14 00:09:57 +0000
commit9398d718d92a40a0a917040645a55dea51467a91 (patch)
treece1242c69221f1e6abd701439631cf6e6d1b948d /app
parent602ea42669779ec431bcaeb41fd95e079b1a7021 (diff)
downloadgitlab-ce-9398d718d92a40a0a917040645a55dea51467a91.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/groups/settings/ci_cd_controller.rb2
-rw-r--r--app/controllers/projects/settings/ci_cd_controller.rb2
-rw-r--r--app/models/deploy_token.rb4
-rw-r--r--app/services/auth/container_registry_authentication_service.rb9
-rw-r--r--app/services/projects/update_repository_storage_service.rb7
-rw-r--r--app/views/projects/settings/ci_cd/show.html.haml2
-rw-r--r--app/views/shared/deploy_tokens/_form.html.haml5
-rw-r--r--app/workers/project_update_repository_storage_worker.rb10
8 files changed, 25 insertions, 16 deletions
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 989013df8d4..6b842fc9fe1 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -114,7 +114,7 @@ module Groups
end
def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
end
end
end
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 5feb3e019c2..a0f98d8f1d2 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -93,7 +93,7 @@ module Projects
end
def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
end
def run_autodevops_pipeline(service)
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index a9844f627b7..69245710f01 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -7,7 +7,7 @@ class DeployToken < ApplicationRecord
include Gitlab::Utils::StrongMemoize
add_authentication_token_field :token, encrypted: :optional
- AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
+ AVAILABLE_SCOPES = %i(read_repository read_registry write_registry).freeze
GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
default_value_for(:expires_at) { Forever.date }
@@ -105,7 +105,7 @@ class DeployToken < ApplicationRecord
end
def ensure_at_least_one_scope
- errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry
+ errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry || write_registry
end
def default_username
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 629c1cbdc5c..4a699fe3213 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -135,7 +135,7 @@ module Auth
when 'pull'
build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
when 'push'
- build_can_push?(requested_project) || user_can_push?(requested_project)
+ build_can_push?(requested_project) || user_can_push?(requested_project) || deploy_token_can_push?(requested_project)
when 'delete'
build_can_delete?(requested_project) || user_can_admin?(requested_project)
when '*'
@@ -185,6 +185,13 @@ module Auth
current_user.read_registry?
end
+ def deploy_token_can_push?(requested_project)
+ has_authentication_ability?(:create_container_image) &&
+ current_user.is_a?(DeployToken) &&
+ current_user.has_access_to?(requested_project) &&
+ current_user.write_registry?
+ end
+
##
# We still support legacy pipeline triggers which do not have associated
# actor. New permissions model and new triggers are always associated with
diff --git a/app/services/projects/update_repository_storage_service.rb b/app/services/projects/update_repository_storage_service.rb
index 0602089a3ab..2e5de9411d1 100644
--- a/app/services/projects/update_repository_storage_service.rb
+++ b/app/services/projects/update_repository_storage_service.rb
@@ -5,12 +5,15 @@ module Projects
include Gitlab::ShellAdapter
Error = Class.new(StandardError)
+ SameFilesystemError = Class.new(Error)
def initialize(project)
@project = project
end
def execute(new_repository_storage_key)
+ raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
+
mirror_repositories(new_repository_storage_key)
mark_old_paths_for_archive
@@ -33,6 +36,10 @@ module Projects
private
+ def same_filesystem?(old_storage, new_storage)
+ Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
+ end
+
def mirror_repositories(new_repository_storage_key)
mirror_repository(new_repository_storage_key)
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index ab2f64cdc21..c0f60b5f3b1 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -4,7 +4,7 @@
- expanded = expanded_by_default?
- general_expanded = @project.errors.empty? ? expanded : true
-- deploy_token_description = s_('DeployTokens|Deploy tokens allow read-only access to your repository and registry images.')
+- deploy_token_description = s_('DeployTokens|Deploy tokens allow access to your repository and registry images.')
%section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
.settings-header
diff --git a/app/views/shared/deploy_tokens/_form.html.haml b/app/views/shared/deploy_tokens/_form.html.haml
index c4e82d8e157..5751ed9cb7a 100644
--- a/app/views/shared/deploy_tokens/_form.html.haml
+++ b/app/views/shared/deploy_tokens/_form.html.haml
@@ -30,5 +30,10 @@
= label_tag ("deploy_token_read_registry"), 'read_registry', class: 'label-bold form-check-label'
.text-secondary= s_('DeployTokens|Allows read-only access to the registry images')
+ %fieldset.form-group.form-check
+ = f.check_box :write_registry, class: 'form-check-input'
+ = label_tag ("deploy_token_write_registry"), 'write_registry', class: 'label-bold form-check-label'
+ .text-secondary= s_('DeployTokens|Allows write access to the registry images')
+
.prepend-top-default
= f.submit s_('DeployTokens|Create deploy token'), class: 'btn btn-success qa-create-deploy-token'
diff --git a/app/workers/project_update_repository_storage_worker.rb b/app/workers/project_update_repository_storage_worker.rb
index bb40107494b..ecee33e6421 100644
--- a/app/workers/project_update_repository_storage_worker.rb
+++ b/app/workers/project_update_repository_storage_worker.rb
@@ -3,21 +3,11 @@
class ProjectUpdateRepositoryStorageWorker # rubocop:disable Scalability/IdempotentWorker
include ApplicationWorker
- SameFilesystemError = Class.new(StandardError)
-
feature_category :gitaly
def perform(project_id, new_repository_storage_key)
project = Project.find(project_id)
- raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
-
::Projects::UpdateRepositoryStorageService.new(project).execute(new_repository_storage_key)
end
-
- private
-
- def same_filesystem?(old_storage, new_storage)
- Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
- end
end