| Commit message (Collapse) | Author | Age | Files | Lines |
This reverts commit 00acef434031b5dc0bf39576a9e83802c7806842.
This reverts commit 22954f220231281360377922b709efb904559949
LfsToken::HMACToken#token_valid?() will be examined and if false, look
in redis via LfsToken::LegacyRedisDeviseToken#token_valid?().
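Added example (not GitLab's code) of the lookup order the commit above describes: a stateless HMAC token is verified first and the legacy store of random tokens is consulted only if that fails. The class and method names, the token wire format and the in-memory Hash standing in for Redis are all assumptions made for illustration.

```ruby
require 'openssl'

# Added example, not GitLab code. Models the order described in the commit
# above: verify a stateless HMAC token first and, only if that fails, consult
# a legacy store of random tokens (a Hash stands in for Redis). All class,
# method and key names here are hypothetical.
module Lfs
  # Constant-time comparison; a plain == returns at the first mismatching byte
  # and so leaks how much of a guessed token was correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  class HmacToken
    def initialize(secret, user_id)
      @secret = secret
      @user_id = user_id.to_s
    end

    # Wire format: "<user_id>:<hex HMAC-SHA256 over user_id>"
    def token
      "#{@user_id}:#{mac(@user_id)}"
    end

    def token_valid?(candidate)
      id, given = candidate.to_s.split(':', 2)
      return false if id.nil? || given.nil? || id != @user_id
      Lfs.secure_compare(given, mac(id))
    end

    private

    def mac(data)
      OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
    end
  end

  class LegacyStoreToken
    def initialize(store, user_id)
      @store = store
      @key = "lfs-token:#{user_id}"
    end

    def token_valid?(candidate)
      stored = @store[@key]
      !stored.nil? && Lfs.secure_compare(candidate.to_s, stored)
    end
  end

  # HMAC first; the legacy store is only a fallback for tokens issued before
  # the switch, so it is never consulted for a token that verifies by HMAC.
  def self.token_valid?(secret, store, user_id, candidate)
    HmacToken.new(secret, user_id).token_valid?(candidate) ||
      LegacyStoreToken.new(store, user_id).token_valid?(candidate)
  end
end

# Constructed sample data
LFS_SECRET = 'constructed-server-side-hmac-key'
LEGACY_STORE = { 'lfs-token:42' => 'legacy-random-token-for-42' }

if $PROGRAM_NAME == __FILE__
  fresh = Lfs::HmacToken.new(LFS_SECRET, 42).token
  puts Lfs.token_valid?(LFS_SECRET, LEGACY_STORE, 42, fresh)                        # HMAC path
  puts Lfs.token_valid?(LFS_SECRET, LEGACY_STORE, 42, 'legacy-random-token-for-42') # legacy path
  puts Lfs.token_valid?(LFS_SECRET, LEGACY_STORE, 42, '42:deadbeef')                # neither
end
```

The fallback keeps old tokens working through the migration, but it also means the legacy store stays a valid credential source until it is emptied; expiring those keys is what eventually retires the second lookup.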
[11.4] Fix Token lookup for Git over HTTP and registry authentication
See merge request gitlab/gitlabhq!2577
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
We also try to unify the way we setup OmniAuth, and how we check
if it's enabled or not.
Which could extend from EE
* Replace `require` or `require_relative` with `require_dependency`
* Remove unneeded `autoload`
Also, fixes broken specs
Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs
- Remove extra method for authorize_admin_project
- Ensure project presence
- Rename 'read_repo' to 'read_repository' to be more verbose
- When using 'read_repo' password and project are sent, so we used both
of them to fetch for the token
- When using 'read_registry' only the password is sent, so we only use
that for fetching the token
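Added example (not GitLab's code) of the two lookup shapes the commit above describes for deploy tokens: Git over HTTP knows the project from the request URL and matches on password plus project, while registry authentication only has the password. The struct fields, function names and sample token list are constructed for illustration.

```ruby
# Added example, not GitLab code. Shows the two lookup shapes described above:
# Git over HTTP matches the token against both password and project, registry
# authentication matches on the password alone. Names are hypothetical and the
# token list is constructed in-memory sample data.
DeployToken = Struct.new(:token, :project_id, :read_repository, :read_registry,
                         :revoked, :expires_at) do
  def active?
    !revoked && (expires_at.nil? || expires_at > Time.now)
  end
end

SAMPLE_DEPLOY_TOKENS = [
  DeployToken.new('tok-repo-and-registry', 1, true,  true,  false, nil),
  DeployToken.new('tok-registry-only',     1, false, true,  false, nil),
  DeployToken.new('tok-revoked',           1, true,  true,  true,  nil),
  DeployToken.new('tok-expired',           2, true,  true,  false, Time.utc(2000, 1, 1))
].freeze

# project_id nil means "registry auth": match on the password alone. A real
# store would look the token up through an indexed (ideally hashed) column
# rather than scanning a list.
def find_deploy_token(tokens, password, project_id: nil)
  tokens.find do |t|
    t.active? && t.token == password && (project_id.nil? || t.project_id == project_id)
  end
end

# Abilities granted for this request. Repository access is granted only when
# the caller named a project and the token's scope allows it, so a
# registry-only token presented over Git HTTP never yields a repository ability.
def deploy_token_abilities(tokens, password, project_id: nil)
  token = find_deploy_token(tokens, password, project_id: project_id)
  return [] unless token

  abilities = []
  abilities << :read_repository if project_id && token.read_repository
  abilities << :read_registry if token.read_registry
  abilities
end
```

The project check is what stops a token scoped to one project from being replayed against another project's repository; the registry path cannot enforce it because the request carries no project, which is why its grant is limited to the registry ability.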
This will allow to download a repo using the token from the DeployToken
Fix pulling and pushing using a personal access token with the sudo scope
Closes #40466
See merge request gitlab-org/gitlab-ce!15571
Closes #37789
Hide read_registry scope when registry is disabled on instance
See merge request !13314
Rollback changes made to signing_enabled.
Closes #37202
See merge request !13956
The initializers including this were doing so at the top level, so every object
loaded after them had a `current_application_settings` method. However, if
someone had rack-attack enabled (which was loaded before these initializers), it
would try to load the API, and fail, because `Gitlab::CurrentSettings` didn't
have that method.
To fix this:
1. Don't include `Gitlab::CurrentSettings` at the top level. We do not need
`Object.new.current_application_settings` to work.
2. Make `Gitlab::CurrentSettings` explicitly `extend self`, as we already use it
like that in several places.
3. Change the initializers to use that new form.
An upcoming update to rubocop-gitlab-security added additional
violations.
full_authentication_abilities. This is fine because
we're going to check with can?(..) anyway
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
- There's no need to use `API::Scope` for scopes that don't have `if`
conditions, such as in `lib/gitlab/auth.rb`.
- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.
- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`
- Refactor the "remove scopes whose :if condition returns false" logic to use a
`select` rather than a `reject`.
1. Get the spec for `lib/gitlab/auth.rb` passing.
- Make the `request` argument to `AccessTokenValidationService` optional -
`auth.rb` doesn't need to pass in a request.
- Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
is what `AccessTokenValidationService` now expects.
2. Get the spec for `API::V3::Users` passing
3. Get the spec for `AccessTokenValidationService` passing
If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.
This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs
There is one gotcha, there will be no support for impersonation tokens, as this
seems not needed.
Fixes gitlab-org/gitlab-ce#19219
Fixes #32598
- We currently support fetching code with username = 'oauth2' and
password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
error.
- There's no reason this shouldn't be enabled, especially since we allow the
OAuth client to create deploy keys with push access:
https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
Gitlab::Auth and API::APIGuard already check for at least one valid
scope on personal access tokens, so if the scopes are empty the token
will always fail validation.
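Added example (not GitLab's code) covering two of the commits in this log: the `API::Scope` struct with an optional `if` condition and the `select`-based filtering of scopes whose condition fails (the "Use a struct for scopes" and "To represent an authorization scope" commits), together with the rule in the commit just above that a token with no valid scope can never pass validation. The scope names, the request shape and the function names are assumptions made for illustration.

```ruby
# Added example, not GitLab code. Demonstrates the Scope struct with an
# optional :if condition, select-based filtering of scopes whose condition
# fails, and the rule that a token carrying no accepted scope fails validation.
# Scope names, request shape and function names are hypothetical.
Scope = Struct.new(:name, :if) do
  # A scope with no condition is always available.
  def available?(request)
    self.if.nil? || self.if.call(request)
  end
end

API_SCOPES = [
  Scope.new(:api),
  Scope.new(:read_user),
  # Only offered when the instance has the container registry enabled.
  Scope.new(:read_registry, ->(request) { request[:registry_enabled] == true })
].freeze

# select keeps the scopes whose condition holds, instead of reject on !cond.
def available_scope_names(scopes, request)
  scopes.select { |scope| scope.available?(request) }.map(&:name)
end

# A token passes only if at least one of its scopes is among the scopes the
# endpoint accepts for this request; an empty scope list therefore never passes.
def token_scopes_valid?(token_scopes, accepted_scopes, request)
  allowed = available_scope_names(accepted_scopes, request)
  token_scopes.map(&:to_sym).any? { |scope| allowed.include?(scope) }
end

if $PROGRAM_NAME == __FILE__
  p available_scope_names(API_SCOPES, { registry_enabled: false })
  p token_scopes_valid?(%w[read_registry], API_SCOPES, { registry_enabled: false })
  p token_scopes_valid?([], API_SCOPES, { registry_enabled: true })
end
```

Filtering before the membership test is what makes a disabled feature's scope useless even on a token that already carries it: with the registry turned off, `read_registry` drops out of the accepted list and a token holding only that scope fails, the same way an empty scope list does.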