authorRémy Coutable <remy@rymai.me>2016-09-21 09:00:38 +0000
committerRuben Davila <rdavila84@gmail.com>2016-09-21 16:13:54 -0500
commit2eb4d00459af2732858c36919eb7d029a8f92033 (patch)
tree8d1954f5cec82050be0a51f689b33ba395358e44 /app
parent16ebf6c2be700f573f3c38ce336a2e48392e6c79 (diff)
downloadgitlab-ce-2eb4d00459af2732858c36919eb7d029a8f92033.tar.gz
Merge branch 'post-merge-improve-of-ci-permissions' into 'master'
Post-merge improve of CI permissions Improves code from !6409 See merge request !6432
Diffstat (limited to 'app')
-rw-r--r--app/controllers/jwt_controller.rb6
-rw-r--r--app/controllers/projects/git_http_client_controller.rb6
-rw-r--r--app/models/ci/build.rb7
-rw-r--r--app/services/auth/container_registry_authentication_service.rb2
4 files changed, 12 insertions, 9 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 06d96774754..34d5d99558e 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -11,10 +11,8 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]]
return head :not_found unless service
- @authentication_result ||= Gitlab::Auth::Result.new
-
result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
- execute(authentication_abilities: @authentication_result.authentication_abilities)
+ execute(authentication_abilities: @authentication_result.authentication_abilities || [])
render json: result, status: result[:http_status]
end
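Review bot: With the `|| []` fallback now only at this call site in `auth`, nil-handling for `authentication_abilities` depends on every caller of the service remembering it; the hunk in container_registry_authentication_service.rb drops the service-side default in the same commit. These abilities appear to decide what the issued registry token may do, so I would keep the normalisation inside `execute` as well, e.g. `@authentication_abilities = Array(authentication_abilities)`. A nil from another caller is then treated as "no abilities" instead of surfacing as a NoMethodError further down. `auth` begins above this hunk and `execute` continues past its own hunk, so how the value is consumed is not visible here.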
@@ -22,6 +20,8 @@ class JwtController < ApplicationController
private
def authenticate_project_or_user
+ @authentication_result = Gitlab::Auth::Result.new
+
authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
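Review bot: The default assigned at the top of `authenticate_project_or_user` is what `auth` works with when a request carries no Basic credentials, and nothing in the code says so. A comment such as `# No credentials supplied: start from an empty Gitlab::Auth::Result, replaced below if Basic auth is present` would make that unauthenticated path explicit. The block then overwrites the default with whatever `find_for_git_client` returns; if that can ever be nil, `@authentication_result.project` in `auth` would raise, so it is worth confirming it always returns a Result. The method body continues outside this hunk.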
diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index cbfd3cab3dd..383e184d796 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -32,11 +32,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
return # Allow access
end
elsif allow_kerberos_spnego_auth? && spnego_provided?
- user = find_kerberos_user
+ kerberos_user = find_kerberos_user
- if user
+ if kerberos_user
@authentication_result = Gitlab::Auth::Result.new(
- user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
+ kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
send_final_spnego_response
return # Allow access
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index dd984aef318..cb87b43f6be 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -493,8 +493,11 @@ module Ci
end
def hide_secrets(trace)
- trace = Ci::MaskSecret.mask(trace, project.runners_token) if project
- trace = Ci::MaskSecret.mask(trace, token)
+ return unless trace
+
+ trace = trace.dup
+ Ci::MaskSecret.mask!(trace, project.runners_token) if project
+ Ci::MaskSecret.mask!(trace, token)
trace
end
end
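Review bot: `hide_secrets` passes `project.runners_token` and `token` straight to `Ci::MaskSecret.mask!` without checking that they are present, and `mask!` itself is not shown on this page. If it does not guard against a nil or empty secret, a build without a token could raise or have its trace mangled. Consider `Ci::MaskSecret.mask!(trace, token) if token.present?` (and the same for the runners token), or confirm that the guard lives in `mask!`. A short comment on `trace = trace.dup`, e.g. `# mask! mutates in place; keep the caller's string intact`, would also explain why the copy is needed.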
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 98da6563947..38ac6631228 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -5,7 +5,7 @@ module Auth
AUDIENCE = 'container_registry'
def execute(authentication_abilities:)
- @authentication_abilities = authentication_abilities || []
+ @authentication_abilities = authentication_abilities
return error('not found', 404) unless registry.enabled