author | Kamil TrzciĆski <ayufan@ayufan.eu> | 2018-04-05 15:49:18 +0200 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-06 21:20:16 -0500 |
commit | 72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch) | |
tree | 314df7454174092bee8f1ea83d6bda53d760959e /lib | |
parent | 171b2625b128e5954ce0a150a4fc923a22164e4e (diff) | |
download | gitlab-ce-72220a99d1cdbcf8a914f9e765c43e63eaee2548.tar.gz |
Support Deploy Tokens properly without hacking abilities
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/auth.rb | 22 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 4 |
2 files changed, 13 insertions, 13 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 35458f607c6..336cdbab5f0 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -26,7 +26,7 @@ module Gitlab
 lfs_token_check(login, password, project) ||
 oauth_access_token_check(login, password) ||
 personal_access_token_check(password) ||
- deploy_token_check(project, password) ||
+ deploy_token_check(login, password) ||
 user_with_password_for_git(login, password) ||
 Gitlab::Auth::Result.new
@@ -176,18 +176,18 @@ module Gitlab
 # Project is always sent when using read_scope,
 # but is not sent when using read_registry scope
 # (since jwt is not context aware of the project)
- def deploy_token_check(project, password)
+ def deploy_token_check(login, password)
 return unless password.present?
 token =
- if project.present?
- DeployToken.active.find_by(project: project, token: password)
- else
- DeployToken.active.find_by(token: password)
- end
-
- if token && valid_scoped_token?(token, available_scopes)
- Gitlab::Auth::Result.new(token, token.project, :deploy_token, abilities_for_scopes(token.scopes))
+ DeployToken.active.find_by(token: password)
+
+ return unless token
+ return unless login != "gitlab+deploy-token-#{token.id}"
+
+ scopes = abilities_for_scopes(token.scopes)
+ if valid_scoped_token?(token, scopes)
+ Gitlab::Auth::Result.new(token, token.project, :deploy_token, scopes)
 end
 end
@@ -242,7 +242,7 @@ module Gitlab
 [
 :read_project,
 :build_download_code,
- :project_read_container_image,
+ :build_read_container_image,
 :build_create_container_image
 ]
 end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index e3c723ab274..0d1ee73ca1a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
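Review bot: The username binding added in deploy_token_check is inverted: `return unless login != "gitlab+deploy-token-#{token.id}"` bails out exactly when the login is the expected `gitlab+deploy-token-<id>` form and lets every other username through, so the new check rejects legitimate clients and does not actually tie the token to its username. It should read `return unless login == "gitlab+deploy-token-#{token.id}"`, and a spec asserting that a mismatched login yields no Result would have caught this. The three-line comment above the method still talks about whether `project` is sent, but the new signature no longer takes a project at all; it should be rewritten to say the token is looked up by its value alone and must be presented with the matching `gitlab+deploy-token-<id>` login, with project authorization appearing to be deferred to GitAccess (confirm). The enclosing module/private section lies outside the hunk.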
@@ -290,10 +290,10 @@ module Gitlab
 def can_read_project?
 if deploy_key?
 deploy_key.has_access_to?(project)
+ elsif deploy_token?
+ deploy_token.has_access_to?(project)
 elsif user
 user.can?(:read_project, project)
- elsif deploy_token?
- deploy_token.active? && deploy_token.project == project
 elsif ci?
 true # allow CI (build without a user) for backwards compatibility
 end || Guest.can?(:read_project, project)
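Review bot: The new `elsif deploy_token?` branch delegates entirely to `deploy_token.has_access_to?(project)`, whereas the removed branch also required `deploy_token.active?`; if `DeployToken#has_access_to?` does not itself check activeness (its body is not in this diff), an expired or revoked token would still satisfy can_read_project?. Either confirm that `has_access_to?` enforces it or keep the explicit guard: `deploy_token.active? && deploy_token.has_access_to?(project)`. The branch has also moved ahead of `elsif user`, so a request carrying both a user and a deploy token is now decided by the token rather than the user's permissions — worth a short comment such as `# a presented deploy token takes precedence over the user` if that ordering is deliberate. The method's own `end` is outside the hunk.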