diff options
| author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-03-29 16:56:35 -0600 |
|---|---|---|
| committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-04-06 21:20:16 -0500 |
| commit | 370fc05da7f95bf6621867a71d51493cf3899e25 (patch) | |
| tree | 040f676c8c6ccf04d5ebfdbbe064a844affd63f5 /lib | |
| parent | db18993f652425b72c4b854e18a002e0ec44b196 (diff) | |
| download | gitlab-ce-370fc05da7f95bf6621867a71d51493cf3899e25.tar.gz | |
Implement 'read_repo' for DeployTokens
This will allow to download a repo using the token from the DeployToken
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/auth.rb | 16 | ||||
| -rw-r--r-- | lib/gitlab/git_access.rb | 11 |
2 files changed, 25 insertions, 2 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 6af763faf10..77fef7d8cac 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -5,7 +5,7 @@ module Gitlab REGISTRY_SCOPES = [:read_registry].freeze # Scopes used for GitLab API access - API_SCOPES = [:api, :read_user, :sudo].freeze + API_SCOPES = [:api, :read_user, :sudo, :read_repo].freeze # Scopes used for OpenID Connect OPENID_SCOPES = [:openid].freeze @@ -26,6 +26,7 @@ module Gitlab lfs_token_check(login, password, project) || oauth_access_token_check(login, password) || personal_access_token_check(password) || + deploy_token_check(project, password) || user_with_password_for_git(login, password) || Gitlab::Auth::Result.new @@ -163,7 +164,8 @@ module Gitlab def abilities_for_scopes(scopes) abilities_by_scope = { api: full_authentication_abilities, - read_registry: [:read_container_image] + read_registry: [:read_container_image], + read_repo: read_authentication_abilities - [:read_container_image] } scopes.flat_map do |scope| @@ -171,6 +173,16 @@ module Gitlab end.uniq end + def deploy_token_check(project, password) + return unless project.present? && password.present? + + token = DeployToken.active.find_by(project: project, token: password) + + if token && valid_scoped_token?(token, available_scopes) + Gitlab::Auth::Result.new(token, project, :deploy_token, abilities_for_scopes(token.scopes)) + end + end + def lfs_token_check(login, password, project) deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/) diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 01f8b22b2b6..e3c723ab274 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -208,6 +208,7 @@ module Gitlab def check_download_access! passed = deploy_key? || + deploy_token? || user_can_download_code? || build_can_download_code? || guest_can_download_code? @@ -274,6 +275,14 @@ module Gitlab actor.is_a?(DeployKey) end + def deploy_token + actor if deploy_token? + end + + def deploy_token? + actor.is_a?(DeployToken) + end + def ci? actor == :ci end @@ -283,6 +292,8 @@ module Gitlab deploy_key.has_access_to?(project) elsif user user.can?(:read_project, project) + elsif deploy_token? + deploy_token.active? && deploy_token.project == project elsif ci? true # allow CI (build without a user) for backwards compatibility end || Guest.can?(:read_project, project) |