2018-07-25 05:30:33 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2019-03-28 09:17:42 -04:00
|
|
|
class DeployToken < ApplicationRecord
|
2018-03-19 12:11:12 -04:00
|
|
|
include Expirable
|
|
|
|
include TokenAuthenticatable
|
2018-07-27 05:37:19 -04:00
|
|
|
include PolicyActor
|
2018-09-27 03:22:24 -04:00
|
|
|
include Gitlab::Utils::StrongMemoize
|
2019-07-12 16:49:47 -04:00
|
|
|
add_authentication_token_field :token, encrypted: :optional
|
2018-03-19 12:11:12 -04:00
|
|
|
|
2020-04-21 14:09:31 -04:00
|
|
|
AVAILABLE_SCOPES = %i(read_repository read_registry write_registry
|
|
|
|
read_package_registry write_package_registry).freeze
|
2019-08-31 15:57:00 -04:00
|
|
|
GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
|
2021-08-04 05:08:21 -04:00
|
|
|
REQUIRED_DEPENDENCY_PROXY_SCOPES = %i[read_registry write_registry].freeze
|
2018-04-06 12:23:45 -04:00
|
|
|
|
2018-04-06 15:48:17 -04:00
|
|
|
default_value_for(:expires_at) { Forever.date }
|
2018-03-19 12:11:12 -04:00
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
has_many :project_deploy_tokens, inverse_of: :deploy_token
|
2018-04-18 09:41:42 -04:00
|
|
|
has_many :projects, through: :project_deploy_tokens
|
2018-03-19 12:11:12 -04:00
|
|
|
|
2020-02-06 07:10:29 -05:00
|
|
|
has_many :group_deploy_tokens, inverse_of: :deploy_token
|
|
|
|
has_many :groups, through: :group_deploy_tokens
|
|
|
|
|
|
|
|
validate :no_groups, unless: :group_type?
|
|
|
|
validate :no_projects, unless: :project_type?
|
2018-04-05 13:22:34 -04:00
|
|
|
validate :ensure_at_least_one_scope
|
2019-07-02 14:56:48 -04:00
|
|
|
validates :username,
|
|
|
|
length: { maximum: 255 },
|
|
|
|
allow_nil: true,
|
|
|
|
format: {
|
|
|
|
with: /\A[a-zA-Z0-9\.\+_-]+\z/,
|
|
|
|
message: "can contain only letters, digits, '_', '-', '+', and '.'"
|
|
|
|
}
|
|
|
|
|
2020-02-06 07:10:29 -05:00
|
|
|
validates :deploy_token_type, presence: true
|
2020-01-29 16:09:22 -05:00
|
|
|
enum deploy_token_type: {
|
|
|
|
group_type: 1,
|
|
|
|
project_type: 2
|
|
|
|
}
|
|
|
|
|
2018-03-19 12:11:12 -04:00
|
|
|
before_save :ensure_token
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
accepts_nested_attributes_for :project_deploy_tokens
|
|
|
|
|
2018-04-06 10:30:21 -04:00
|
|
|
scope :active, -> { where("revoked = false AND expires_at >= NOW()") }
|
2018-03-19 12:11:12 -04:00
|
|
|
|
2018-04-20 11:05:16 -04:00
|
|
|
def self.gitlab_deploy_token
|
|
|
|
active.find_by(name: GITLAB_DEPLOY_TOKEN_NAME)
|
|
|
|
end
|
|
|
|
|
2021-08-04 05:08:21 -04:00
|
|
|
def valid_for_dependency_proxy?
|
|
|
|
group_type? &&
|
|
|
|
active? &&
|
|
|
|
REQUIRED_DEPENDENCY_PROXY_SCOPES.all? { |scope| scope.in?(scopes) }
|
|
|
|
end
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
def revoke!
|
|
|
|
update!(revoked: true)
|
2018-03-19 12:11:12 -04:00
|
|
|
end
|
2018-03-29 18:56:35 -04:00
|
|
|
|
|
|
|
def active?
|
2018-08-02 13:43:36 -04:00
|
|
|
!revoked && !expired?
|
2018-03-29 18:56:35 -04:00
|
|
|
end
|
|
|
|
|
2020-11-16 16:09:02 -05:00
|
|
|
def deactivated?
|
|
|
|
!active?
|
|
|
|
end
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
def scopes
|
2018-04-06 10:30:21 -04:00
|
|
|
AVAILABLE_SCOPES.select { |token_scope| read_attribute(token_scope) }
|
2018-04-05 13:22:34 -04:00
|
|
|
end
|
|
|
|
|
2018-03-29 18:56:35 -04:00
|
|
|
def username
|
2019-07-02 14:56:48 -04:00
|
|
|
super || default_username
|
2018-04-05 09:49:18 -04:00
|
|
|
end
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
def has_access_to?(requested_project)
|
2020-02-06 07:10:29 -05:00
|
|
|
return false unless active?
|
|
|
|
return false unless holder
|
|
|
|
|
|
|
|
holder.has_access_to?(requested_project)
|
2018-04-05 13:22:34 -04:00
|
|
|
end
|
|
|
|
|
2021-08-04 05:08:21 -04:00
|
|
|
def has_access_to_group?(requested_group)
|
|
|
|
return false unless active?
|
|
|
|
return false unless group_type?
|
|
|
|
return false unless holder
|
|
|
|
|
|
|
|
holder.has_access_to_group?(requested_group)
|
|
|
|
end
|
|
|
|
|
2018-04-06 10:30:21 -04:00
|
|
|
# This is temporal. Currently we limit DeployToken
|
2020-02-06 07:10:29 -05:00
|
|
|
# to a single project or group, later we're going to
|
|
|
|
# extend that to be for multiple projects and namespaces.
|
2018-04-05 13:22:34 -04:00
|
|
|
def project
|
2018-09-27 03:22:24 -04:00
|
|
|
strong_memoize(:project) do
|
|
|
|
projects.first
|
|
|
|
end
|
2018-04-05 13:22:34 -04:00
|
|
|
end
|
|
|
|
|
2020-10-06 23:08:19 -04:00
|
|
|
def group
|
|
|
|
strong_memoize(:group) do
|
|
|
|
groups.first
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def accessible_projects
|
|
|
|
if project_type?
|
|
|
|
projects
|
|
|
|
elsif group_type?
|
|
|
|
group.all_projects
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-02-06 07:10:29 -05:00
|
|
|
def holder
|
|
|
|
strong_memoize(:holder) do
|
|
|
|
if project_type?
|
|
|
|
project_deploy_tokens.first
|
|
|
|
elsif group_type?
|
|
|
|
group_deploy_tokens.first
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-04-06 15:48:17 -04:00
|
|
|
def expires_at
|
|
|
|
expires_at = read_attribute(:expires_at)
|
|
|
|
expires_at != Forever.date ? expires_at : nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def expires_at=(value)
|
|
|
|
write_attribute(:expires_at, value.presence || Forever.date)
|
|
|
|
end
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
private
|
|
|
|
|
2018-08-02 13:43:36 -04:00
|
|
|
def expired?
|
|
|
|
return false unless expires_at
|
|
|
|
|
|
|
|
expires_at < Date.today
|
|
|
|
end
|
|
|
|
|
2018-04-05 13:22:34 -04:00
|
|
|
def ensure_at_least_one_scope
|
2020-04-21 14:09:31 -04:00
|
|
|
errors.add(:base, _("Scopes can't be blank")) unless scopes.any?
|
2018-03-29 18:56:35 -04:00
|
|
|
end
|
2019-07-02 14:56:48 -04:00
|
|
|
|
|
|
|
def default_username
|
|
|
|
"gitlab+deploy-token-#{id}" if persisted?
|
|
|
|
end
|
2020-02-06 07:10:29 -05:00
|
|
|
|
|
|
|
def no_groups
|
|
|
|
errors.add(:deploy_token, 'cannot have groups assigned') if group_deploy_tokens.any?
|
|
|
|
end
|
|
|
|
|
|
|
|
def no_projects
|
|
|
|
errors.add(:deploy_token, 'cannot have projects assigned') if project_deploy_tokens.any?
|
|
|
|
end
|
2018-03-19 12:11:12 -04:00
|
|
|
end
|