Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-04-14 00:09:57 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-04-14 00:09:57 +0000
commit: 9398d718d92a40a0a917040645a55dea51467a91 (patch)
tree: ce1242c69221f1e6abd701439631cf6e6d1b948d /app
parent: 602ea42669779ec431bcaeb41fd95e079b1a7021 (diff)
download: gitlab-ce-9398d718d92a40a0a917040645a55dea51467a91.tar.gz
8 files changed, 25 insertions, 16 deletions
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 989013df8d4..6b842fc9fe1 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -114,7 +114,7 @@ module Groups
       end
 
       def deploy_token_params
-        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
       end
     end
   end
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 5feb3e019c2..a0f98d8f1d2 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -93,7 +93,7 @@ module Projects
       end
 
       def deploy_token_params
-        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
       end
 
       def run_autodevops_pipeline(service)
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index a9844f627b7..69245710f01 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -7,7 +7,7 @@ class DeployToken < ApplicationRecord
   include Gitlab::Utils::StrongMemoize
   add_authentication_token_field :token, encrypted: :optional
 
-  AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
+  AVAILABLE_SCOPES = %i(read_repository read_registry write_registry).freeze
   GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
 
   default_value_for(:expires_at) { Forever.date }
@@ -105,7 +105,7 @@ class DeployToken < ApplicationRecord
   end
 
   def ensure_at_least_one_scope
-    errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry
+    errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry || write_registry
   end
 
   def default_username
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 629c1cbdc5c..4a699fe3213 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -135,7 +135,7 @@ module Auth
       when 'pull'
         build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
       when 'push'
-        build_can_push?(requested_project) || user_can_push?(requested_project)
+        build_can_push?(requested_project) || user_can_push?(requested_project) || deploy_token_can_push?(requested_project)
       when 'delete'
         build_can_delete?(requested_project) || user_can_admin?(requested_project)
       when '*'
@@ -185,6 +185,13 @@ module Auth
         current_user.read_registry?
     end
 
+    def deploy_token_can_push?(requested_project)
+      has_authentication_ability?(:create_container_image) &&
+        current_user.is_a?(DeployToken) &&
+        current_user.has_access_to?(requested_project) &&
+        current_user.write_registry?
+    end
+
     ##
     # We still support legacy pipeline triggers which do not have associated
     # actor. New permissions model and new triggers are always associated with
diff --git a/app/services/projects/update_repository_storage_service.rb b/app/services/projects/update_repository_storage_service.rb
index 0602089a3ab..2e5de9411d1 100644
--- a/app/services/projects/update_repository_storage_service.rb
+++ b/app/services/projects/update_repository_storage_service.rb
@@ -5,12 +5,15 @@ module Projects
     include Gitlab::ShellAdapter
 
     Error = Class.new(StandardError)
+    SameFilesystemError = Class.new(Error)
 
     def initialize(project)
       @project = project
     end
 
     def execute(new_repository_storage_key)
+      raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
+
       mirror_repositories(new_repository_storage_key)
 
       mark_old_paths_for_archive
@@ -33,6 +36,10 @@ module Projects
 
     private
 
+    def same_filesystem?(old_storage, new_storage)
+      Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
+    end
+
     def mirror_repositories(new_repository_storage_key)
       mirror_repository(new_repository_storage_key)
 
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index ab2f64cdc21..c0f60b5f3b1 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -4,7 +4,7 @@
 
 - expanded = expanded_by_default?
 - general_expanded = @project.errors.empty? ? expanded : true
-- deploy_token_description = s_('DeployTokens|Deploy tokens allow read-only access to your repository and registry images.')
+- deploy_token_description = s_('DeployTokens|Deploy tokens allow access to your repository and registry images.')
 
 %section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
   .settings-header
diff --git a/app/views/shared/deploy_tokens/_form.html.haml b/app/views/shared/deploy_tokens/_form.html.haml
index c4e82d8e157..5751ed9cb7a 100644
--- a/app/views/shared/deploy_tokens/_form.html.haml
+++ b/app/views/shared/deploy_tokens/_form.html.haml
@@ -30,5 +30,10 @@
         = label_tag ("deploy_token_read_registry"), 'read_registry', class: 'label-bold form-check-label'
         .text-secondary= s_('DeployTokens|Allows read-only access to the registry images')
 
+      %fieldset.form-group.form-check
+        = f.check_box :write_registry, class: 'form-check-input'
+        = label_tag ("deploy_token_write_registry"), 'write_registry', class: 'label-bold form-check-label'
+        .text-secondary= s_('DeployTokens|Allows write access to the registry images')
+
   .prepend-top-default
     = f.submit s_('DeployTokens|Create deploy token'), class: 'btn btn-success qa-create-deploy-token'
diff --git a/app/workers/project_update_repository_storage_worker.rb b/app/workers/project_update_repository_storage_worker.rb
index bb40107494b..ecee33e6421 100644
--- a/app/workers/project_update_repository_storage_worker.rb
+++ b/app/workers/project_update_repository_storage_worker.rb
@@ -3,21 +3,11 @@
 class ProjectUpdateRepositoryStorageWorker # rubocop:disable Scalability/IdempotentWorker
   include ApplicationWorker
 
-  SameFilesystemError = Class.new(StandardError)
-
   feature_category :gitaly
 
   def perform(project_id, new_repository_storage_key)
     project = Project.find(project_id)
 
-    raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
-
     ::Projects::UpdateRepositoryStorageService.new(project).execute(new_repository_storage_key)
   end
-
-  private
-
-  def same_filesystem?(old_storage, new_storage)
-    Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
-  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-04-14 00:09:57 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-04-14 00:09:57 +0000
commit	9398d718d92a40a0a917040645a55dea51467a91 (patch)
tree	ce1242c69221f1e6abd701439631cf6e6d1b948d /app
parent	602ea42669779ec431bcaeb41fd95e079b1a7021 (diff)
download	gitlab-ce-9398d718d92a40a0a917040645a55dea51467a91.tar.gz