author | Kamil Trzciński <ayufan@ayufan.eu> | 2018-04-07 09:17:59 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2018-04-07 09:17:59 +0000 |
commit | dd552d06f6e39d5e6138a33bd7c1bffb2d3dbb1d (patch) | |
tree | e2cf4b8714c7dbb2bfc08c34e21b14cd5f9fa4e5 /lib | |
parent | 671e93dc38365f3b05cb3cfe719e64713196be31 (diff) | |
parent | b38439a3ae3c7ea1675b7037e4882213bdc58fdf (diff) | |
Merge branch '31591-project-deploy-tokens-to-allow-permanent-access' into 'master'
Create Project Deploy Tokens to allow permanent access to repo and registry
Closes #31591
See merge request gitlab-org/gitlab-ce!17894
Diffstat (limited to 'lib')
-rw-r--r-- | lib/forever.rb | 13 | ||||
-rw-r--r-- | lib/gitlab/auth.rb | 22 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 11 |
3 files changed, 44 insertions, 2 deletions
diff --git a/lib/forever.rb b/lib/forever.rb
new file mode 100644
index 00000000000..7df17912544
--- /dev/null
+++ b/lib/forever.rb
@@ -0,0 +1,13 @@
+class Forever
+  POSTGRESQL_DATE = DateTime.new(3000, 1, 1)
+  MYSQL_DATE = DateTime.new(2038, 01, 19)
+
+  # MySQL timestamp has a range of '1970-01-01 00:00:01' UTC to '2038-01-19 03:14:07' UTC
+  def self.date
+    if Gitlab::Database.postgresql?
+      POSTGRESQL_DATE
+    else
+      MYSQL_DATE
+    end
+  end
+end
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 6af763faf10..2a44e11efb6 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -5,7 +5,7 @@ module Gitlab
     REGISTRY_SCOPES = [:read_registry].freeze
 
     # Scopes used for GitLab API access
-    API_SCOPES = [:api, :read_user, :sudo].freeze
+    API_SCOPES = [:api, :read_user, :sudo, :read_repository].freeze
 
     # Scopes used for OpenID Connect
     OPENID_SCOPES = [:openid].freeze
@@ -26,6 +26,7 @@ module Gitlab
           lfs_token_check(login, password, project) ||
           oauth_access_token_check(login, password) ||
           personal_access_token_check(password) ||
+          deploy_token_check(login, password) ||
           user_with_password_for_git(login, password) ||
           Gitlab::Auth::Result.new
 
@@ -163,7 +164,8 @@ module Gitlab
       def abilities_for_scopes(scopes)
         abilities_by_scope = {
           api: full_authentication_abilities,
-          read_registry: [:read_container_image]
+          read_registry: [:read_container_image],
+          read_repository: [:download_code]
         }
 
         scopes.flat_map do |scope|
@@ -171,6 +173,22 @@ module Gitlab
         end.uniq
       end
 
+      def deploy_token_check(login, password)
+        return unless password.present?
+
+        token =
+          DeployToken.active.find_by(token: password)
+
+        return unless token && login
+        return if login != token.username
+
+        scopes = abilities_for_scopes(token.scopes)
+
+        if valid_scoped_token?(token, available_scopes)
+          Gitlab::Auth::Result.new(token, token.project, :deploy_token, scopes)
+        end
+      end
+
       def lfs_token_check(login, password, project)
         deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
 
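Review bot: `MYSQL_DATE = DateTime.new(2038, 01, 19)` uses a leading-zero integer literal, which Ruby parses as octal; `01` happens to equal 1, but the same habit with `08` or `09` is a syntax error, so write `DateTime.new(2038, 1, 19)` to match the `POSTGRESQL_DATE` line above it. The class itself has no header comment, and its name alone does not say what the two constants are for; a line such as `# Far-future sentinel date chosen to fit the configured database's timestamp range` above `class Forever` would make the choice between the two dates self-explanatory. The existing MySQL range comment is useful and should stay, but it would read better attached to `MYSQL_DATE` rather than to `self.date`.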
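Review bot: `deploy_token_check` validates the token's scopes against `available_scopes`, i.e. the full set GitLab knows (including `:api` and `:sudo`), and then passes whatever `abilities_for_scopes(token.scopes)` yields into the `Result`, so any `:api` entry in `token.scopes` would hand a deploy token `full_authentication_abilities`. Unless the DeployToken model already constrains its scopes (not visible here), validating against the deploy-token set is the least-privilege form: `if valid_scoped_token?(token, REGISTRY_SCOPES + [:read_repository])`. Separately, the first hunk adds `:read_repository` to `API_SCOPES`, which makes it a selectable scope wherever that constant is consumed (presumably personal access tokens too), broader than the merge request title suggests; if only deploy tokens should carry it, a dedicated constant keeps the API list unchanged. The lookup `DeployToken.active.find_by(token: password)` also implies the token value is stored in clear, which is worth a follow-up toward hashed storage.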
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 01f8b22b2b6..0d1ee73ca1a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -208,6 +208,7 @@ module Gitlab
 
     def check_download_access!
       passed = deploy_key? ||
+        deploy_token? ||
         user_can_download_code? ||
         build_can_download_code? ||
         guest_can_download_code?
@@ -274,6 +275,14 @@ module Gitlab
       actor.is_a?(DeployKey)
     end
 
+    def deploy_token
+      actor if deploy_token?
+    end
+
+    def deploy_token?
+      actor.is_a?(DeployToken)
+    end
+
     def ci?
       actor == :ci
     end
@@ -281,6 +290,8 @@ module Gitlab
     def can_read_project?
       if deploy_key?
         deploy_key.has_access_to?(project)
+      elsif deploy_token?
+        deploy_token.has_access_to?(project)
       elsif user
         user.can?(:read_project, project)
       elsif ci?
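Review bot: `deploy_token? ||` in `check_download_access!` grants download on the actor's class alone, whereas the auth side derives `:download_code` only from a `:read_repository` scope, so a deploy token holding just `:read_registry` would pass this check if it ever reaches GitAccess as the actor. Unless the caller already filters on the token's abilities before constructing GitAccess (not visible here), gate on the scope as well, e.g. `(deploy_token? && deploy_token.scopes.include?(:read_repository)) ||`. The new `has_access_to?(project)` branch in `can_read_project?` does keep the token bound to its project, which is the right place for that check. `check_download_access!` continues past the end of its hunk.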