gitlab-org--gitlab-foss/lib/gitlab/auth.rb

module Gitlab
  module Auth
    class MissingPersonalTokenError < StandardError; end

    SCOPES = [:api, :read_user].freeze
    DEFAULT_SCOPES = [:api].freeze
    OPTIONAL_SCOPES = SCOPES - DEFAULT_SCOPES

    class << self
      def find_for_git_client(login, password, project:, ip:)
        raise "Must provide an IP for rate limiting" if ip.nil?

        # `user_with_password_for_git` should be the last check
        # because it's the most expensive, especially when LDAP
        # is enabled.
        result =
          service_request_check(login, password, project) ||
          build_access_token_check(login, password) ||
          lfs_token_check(login, password) ||
          oauth_access_token_check(login, password) ||
          personal_access_token_check(login, password) ||
          user_with_password_for_git(login, password) ||
          Gitlab::Auth::Result.new

        rate_limit!(ip, success: result.success?, login: login)

        result
      end

      def find_with_user_password(login, password)
        user = User.by_login(login)

        # If no user is found, or it's an LDAP server, try LDAP.
        #   LDAP users are only authenticated via LDAP
        if user.nil? || user.ldap_user?
          # Second chance - try LDAP authentication
          return nil unless Gitlab::LDAP::Config.enabled?

          Gitlab::LDAP::Authentication.login(login, password)
        else
          user if user.valid_password?(password)
        end
      end

      def rate_limit!(ip, success:, login:)
        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
        return unless rate_limiter.enabled?

        if success
          # Repeated login 'failures' are normal behavior for some Git clients so
          # it is important to reset the ban counter once the client has proven
          # they are not a 'bad guy'.
          rate_limiter.reset!
        else
          # Register a login failure so that Rack::Attack can block the next
          # request from this IP if needed.
          rate_limiter.register_fail!

          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end
        end
      end

      private

      def service_request_check(login, password, project)
        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)

        return unless project && matched_login.present?

        underscored_service = matched_login['service'].underscore

        if Service.available_services_names.include?(underscored_service)
          # We treat underscored_service as a trusted input because it is included
          # in the Service.available_services_names whitelist.
          service = project.public_send("#{underscored_service}_service")

          if service && service.activated? && service.valid_token?(password)
            Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
          end
        end
      end

      def user_with_password_for_git(login, password)
        user = find_with_user_password(login, password)
        return unless user

        raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?

        Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
      end

      def oauth_access_token_check(login, password)
        if login == "oauth2" && password.present?
          token = Doorkeeper::AccessToken.by_token(password)
          if valid_oauth_token?(token)
            user = User.find_by(id: token.resource_owner_id)
            Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
          end
        end
      end

      def personal_access_token_check(login, password)
        if login && password
          token = PersonalAccessToken.active.find_by_token(password)
          validation = User.by_login(login)

          if valid_personal_access_token?(token, validation)
            Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
          end
        end
      end

      def valid_oauth_token?(token)
        token && token.accessible? && valid_api_token?(token)
      end

      def valid_personal_access_token?(token, user)
        token && token.user == user && valid_api_token?(token)
      end

      def valid_api_token?(token)
        AccessTokenValidationService.new(token).include_any_scope?(['api'])
      end

      def lfs_token_check(login, password)
        deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)

        actor =
          if deploy_key_matches
            DeployKey.find(deploy_key_matches[1])
          else
            User.by_login(login)
          end

        return unless actor

        token_handler = Gitlab::LfsToken.new(actor)

        authentication_abilities =
          if token_handler.user?
            full_authentication_abilities
          else
            read_authentication_abilities
          end

        if Devise.secure_compare(token_handler.token, password)
          Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
        end
      end

      def build_access_token_check(login, password)
        return unless login == 'gitlab-ci-token'
        return unless password

        build = ::Ci::Build.running.find_by_token(password)
        return unless build
        return unless build.project.builds_enabled?

        if build.user
          # If user is assigned to build, use restricted credentials of user
          Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
        else
          # Otherwise use generic CI credentials (backward compatibility)
          Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
        end
      end

      public

      def build_authentication_abilities
        [
          :read_project,
          :build_download_code,
          :build_read_container_image,
          :build_create_container_image
        ]
      end

      def read_authentication_abilities
        [
          :read_project,
          :download_code,
          :read_container_image
        ]
      end

      def full_authentication_abilities
        read_authentication_abilities + [
          :push_code,
          :create_container_image
        ]
      end
    end
  end
end
Refactorn oauth & ldap 2012-09-12 06:23:16 +00:00			`module Gitlab`
Refactor Gitlab::Auth rate limiting 2016-06-03 15:07:40 +00:00			`module Auth`
Better authentication handling, syntax fixes and better actor handling for LFS Tokens 2016-09-06 21:32:39 +00:00			`class MissingPersonalTokenError < StandardError; end`

Enable Style/MutableConstant 2017-02-21 23:32:18 +00:00			`SCOPES = [:api, :read_user].freeze`
			`DEFAULT_SCOPES = [:api].freeze`
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token` 2016-11-22 09:04:23 +00:00			`OPTIONAL_SCOPES = SCOPES - DEFAULT_SCOPES`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`class << self`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 12:51:16 +00:00			`def find_for_git_client(login, password, project:, ip:)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`raise "Must provide an IP for rate limiting" if ip.nil?`

Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive. 2017-01-24 17:12:49 +00:00			# `user_with_password_for_git` should be the last check
			`# because it's the most expensive, especially when LDAP`
			`# is enabled.`
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00			`result =`
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`service_request_check(login, password, project) \|\|`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`build_access_token_check(login, password) \|\|`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 14:34:32 +00:00			`lfs_token_check(login, password) \|\|`
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive. 2017-01-24 17:12:49 +00:00			`oauth_access_token_check(login, password) \|\|`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`personal_access_token_check(login, password) \|\|`
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive. 2017-01-24 17:12:49 +00:00			`user_with_password_for_git(login, password) \|\|`
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`rate_limit!(ip, success: result.success?, login: login)`
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 16:54:24 +00:00
Changes after more review from Rémy 2016-06-03 12:57:34 +00:00			`result`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`end`

Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 12:51:16 +00:00			`def find_with_user_password(login, password)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`user = User.by_login(login)`

			`# If no user is found, or it's an LDAP server, try LDAP.`
			`# LDAP users are only authenticated via LDAP`
			`if user.nil? \|\| user.ldap_user?`
			`# Second chance - try LDAP authentication`
			`return nil unless Gitlab::LDAP::Config.enabled?`

			`Gitlab::LDAP::Authentication.login(login, password)`
			`else`
			`user if user.valid_password?(password)`
			`end`
			`end`

Fix tests 2016-06-06 15:40:26 +00:00			`def rate_limit!(ip, success:, login:)`
			`rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)`
			`return unless rate_limiter.enabled?`

			`if success`
			`# Repeated login 'failures' are normal behavior for some Git clients so`
			`# it is important to reset the ban counter once the client has proven`
			`# they are not a 'bad guy'.`
			`rate_limiter.reset!`
			`else`
			`# Register a login failure so that Rack::Attack can block the next`
			`# request from this IP if needed.`
			`rate_limiter.register_fail!`

			`if rate_limiter.banned?`
			`Rails.logger.info "IP #{ip} failed to login " \`
			`"as #{login} but has been temporarily banned from Git auth"`
			`end`
			`end`
			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`private`

Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`def service_request_check(login, password, project)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)`

Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`return unless project && matched_login.present?`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
			`underscored_service = matched_login['service'].underscore`

Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`if Service.available_services_names.include?(underscored_service)`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`# We treat underscored_service as a trusted input because it is included`
			`# in the Service.available_services_names whitelist.`
Use public_send 2016-06-03 15:23:34 +00:00			`service = project.public_send("#{underscored_service}_service")`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`if service && service.activated? && service.valid_token?(password)`
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 22:59:25 +00:00			`end`
			`end`
			`end`

			`def user_with_password_for_git(login, password)`
			`user = find_with_user_password(login, password)`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`return unless user`

Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb 2016-09-15 19:16:38 +00:00			`raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)`
Refactor `find_for_git_client` and its related methods. 2016-08-17 22:59:25 +00:00			`end`

Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`def oauth_access_token_check(login, password)`
			`if login == "oauth2" && password.present?`
			`token = Doorkeeper::AccessToken.by_token(password)`
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens. 2016-11-24 09:09:12 +00:00			`if valid_oauth_token?(token)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`user = User.find_by(id: token.resource_owner_id)`
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
Make CI/Oauth/rate limiting reusable 2016-04-29 16:58:55 +00:00			`end`
			`end`
Allow Git over HTTP access using Personal Access Tokens 2016-08-11 00:03:32 +00:00
			`def personal_access_token_check(login, password)`
			`if login && password`
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently. 2016-11-22 09:13:37 +00:00			`token = PersonalAccessToken.active.find_by_token(password)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`validation = User.by_login(login)`
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently. 2016-11-22 09:13:37 +00:00
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens. 2016-11-24 09:09:12 +00:00			`if valid_personal_access_token?(token, validation)`
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently. 2016-11-22 09:13:37 +00:00			`Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)`
			`end`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
			`end`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 22:26:20 +00:00
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens. 2016-11-24 09:09:12 +00:00			`def valid_oauth_token?(token)`
Rename the `token_has_scope?` method. `valid_api_token?` is a better name. Scopes are just (potentially) one facet of a "valid" token. 2016-12-05 17:28:19 +00:00			`token && token.accessible? && valid_api_token?(token)`
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens. 2016-11-24 09:09:12 +00:00			`end`

			`def valid_personal_access_token?(token, user)`
Rename the `token_has_scope?` method. `valid_api_token?` is a better name. Scopes are just (potentially) one facet of a "valid" token. 2016-12-05 17:28:19 +00:00			`token && token.user == user && valid_api_token?(token)`
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens. 2016-11-24 09:09:12 +00:00			`end`

Rename the `token_has_scope?` method. `valid_api_token?` is a better name. Scopes are just (potentially) one facet of a "valid" token. 2016-12-05 17:28:19 +00:00			`def valid_api_token?(token)`
Convert AccessTokenValidationService into a class. - Previously, AccessTokenValidationService was a module, and all its public methods accepted a token. It makes sense to convert it to a class which accepts a token during initialization. - Also rename the `sufficient_scope?` method to `include_any_scope?` - Based on feedback from @rymai 2016-12-05 17:25:53 +00:00			`AccessTokenValidationService.new(token).include_any_scope?(['api'])`
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently. 2016-11-22 09:13:37 +00:00			`end`

Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 14:34:32 +00:00			`def lfs_token_check(login, password)`
			`deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)`

			`actor =`
			`if deploy_key_matches`
			`DeployKey.find(deploy_key_matches[1])`
			`else`
			`User.by_login(login)`
			`end`

Use early return in lfs_token_check 2016-09-20 07:41:21 +00:00			`return unless actor`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 14:34:32 +00:00
Use early return in lfs_token_check 2016-09-20 07:41:21 +00:00			`token_handler = Gitlab::LfsToken.new(actor)`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 14:34:32 +00:00
Use early return in lfs_token_check 2016-09-20 07:41:21 +00:00			`authentication_abilities =`
			`if token_handler.user?`
			`full_authentication_abilities`
			`else`
			`read_authentication_abilities`
			`end`

Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive. 2017-01-24 17:12:49 +00:00			`if Devise.secure_compare(token_handler.token, password)`
			`Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)`
			`end`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 14:34:32 +00:00			`end`

Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`def build_access_token_check(login, password)`
			`return unless login == 'gitlab-ci-token'`
			`return unless password`

Fix existing authorization specs 2016-09-15 11:49:11 +00:00			`build = ::Ci::Build.running.find_by_token(password)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`return unless build`
Fix most of specs 2016-09-15 13:40:53 +00:00			`return unless build.project.builds_enabled?`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00
			`if build.user`
			`# If user is assigned to build, use restricted credentials of user`
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`else`
			`# Otherwise use generic CI credentials (backward compatibility)`
Properly support Gitlab::Auth::Result 2016-09-19 11:50:28 +00:00			`Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 22:21:18 +00:00			`end`
			`end`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00
Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 11:34:05 +00:00			`public`

Rename capabilities to authentication_abilities 2016-09-16 07:59:10 +00:00			`def build_authentication_abilities`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`[`
			`:read_project,`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`:build_download_code,`
			`:build_read_container_image,`
			`:build_create_container_image`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`]`
			`end`

Rename capabilities to authentication_abilities 2016-09-16 07:59:10 +00:00			`def read_authentication_abilities`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`[`
			`:read_project,`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`:download_code,`
Refactor Gitlab::Auth to simplify the data flow 2016-09-14 15:28:24 +00:00			`:read_container_image`
			`]`
			`end`

Rename capabilities to authentication_abilities 2016-09-16 07:59:10 +00:00			`def full_authentication_abilities`
			`read_authentication_abilities + [`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`:push_code,`
Fix permissions for creating container images 2016-09-19 10:37:46 +00:00			`:create_container_image`
Make result to return project and capabilities granted 2016-09-13 13:27:05 +00:00			`]`
			`end`
Add LDAP support to /api/session 2013-07-16 08:28:19 +00:00			`end`
Refactorn oauth & ldap 2012-09-12 06:23:16 +00:00			`end`
			`end`