authorKamil TrzciƄski <ayufan@ayufan.eu>2018-04-05 15:49:18 +0200
committerMayra Cabrera <mcabrera@gitlab.com>2018-04-06 21:20:16 -0500
commit72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch)
tree314df7454174092bee8f1ea83d6bda53d760959e /lib
parent171b2625b128e5954ce0a150a4fc923a22164e4e (diff)
downloadgitlab-ce-72220a99d1cdbcf8a914f9e765c43e63eaee2548.tar.gz
Support Deploy Tokens properly without hacking abilities
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/auth.rb22
-rw-r--r--lib/gitlab/git_access.rb4
2 files changed, 13 insertions, 13 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 35458f607c6..336cdbab5f0 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -26,7 +26,7 @@ module Gitlab
lfs_token_check(login, password, project) ||
oauth_access_token_check(login, password) ||
personal_access_token_check(password) ||
- deploy_token_check(project, password) ||
+ deploy_token_check(login, password) ||
user_with_password_for_git(login, password) ||
Gitlab::Auth::Result.new
@@ -176,18 +176,18 @@ module Gitlab
# Project is always sent when using read_scope,
# but is not sent when using read_registry scope
# (since jwt is not context aware of the project)
- def deploy_token_check(project, password)
+ def deploy_token_check(login, password)
return unless password.present?
token =
- if project.present?
- DeployToken.active.find_by(project: project, token: password)
- else
- DeployToken.active.find_by(token: password)
- end
-
- if token && valid_scoped_token?(token, available_scopes)
- Gitlab::Auth::Result.new(token, token.project, :deploy_token, abilities_for_scopes(token.scopes))
+ DeployToken.active.find_by(token: password)
+
+ return unless token
+ return unless login != "gitlab+deploy-token-#{token.id}"
+
+ scopes = abilities_for_scopes(token.scopes)
+ if valid_scoped_token?(token, scopes)
+ Gitlab::Auth::Result.new(token, token.project, :deploy_token, scopes)
end
end
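Review bot: The username check on the new line `return unless login != "gitlab+deploy-token-#{token.id}"` is inverted: it bails out exactly when the login matches the token's expected username and lets any other login through, so the binding between the presented login and the token never actually holds. It should read `return unless login == "gitlab+deploy-token-#{token.id}"`. The comment kept above the method (`# Project is always sent when using read_scope …`) still describes the removed `project` parameter and should be rewritten to say the token is looked up by value alone and then tied to the login. Separately, `valid_scoped_token?` now receives the ability list returned by `abilities_for_scopes` where the old code passed `available_scopes`; if that helper compares against scope names, the check can no longer succeed, so confirm against its definition, which lies outside this hunk.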
@@ -242,7 +242,7 @@ module Gitlab
[
:read_project,
:build_download_code,
- :project_read_container_image,
+ :build_read_container_image,
:build_create_container_image
]
end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index e3c723ab274..0d1ee73ca1a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -290,10 +290,10 @@ module Gitlab
def can_read_project?
if deploy_key?
deploy_key.has_access_to?(project)
+ elsif deploy_token?
+ deploy_token.has_access_to?(project)
elsif user
user.can?(:read_project, project)
- elsif deploy_token?
- deploy_token.active? && deploy_token.project == project
elsif ci?
true # allow CI (build without a user) for backwards compatibility
end || Guest.can?(:read_project, project)
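Review bot: The reordered `elsif deploy_token?` branch drops the explicit `deploy_token.active?` test that the removed lines performed; unless `DeployToken#has_access_to?` (not visible here) checks active state itself, a revoked or expired token would still satisfy `can_read_project?`. Confirm that method covers it, or keep the guard inline: `deploy_token.active? && deploy_token.has_access_to?(project)`. Moving this branch ahead of `elsif user` also changes which check wins when both a deploy token and a user are present, which deserves a one-line comment such as `# deploy-token access is decided before the user branch`. The method's closing `end` lies outside the hunk.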