Merge branch 'dm-fix-registry-with-sudo-token' into 'master'
Fix pulling and pushing using a personal access token with the sudo scope Closes #40466 See merge request gitlab-org/gitlab-ce!15571
This commit is contained in:
commit
89c9d2ad6b
3 changed files with 16 additions and 16 deletions
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Fix pulling and pushing using a personal access token with the sudo scope
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
@ -134,7 +134,7 @@ module Gitlab
|
||||||
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
|
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
|
||||||
|
|
||||||
if token && valid_scoped_token?(token, available_scopes)
|
if token && valid_scoped_token?(token, available_scopes)
|
||||||
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes))
|
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -146,10 +146,15 @@ module Gitlab
|
||||||
AccessTokenValidationService.new(token).include_any_scope?(scopes)
|
AccessTokenValidationService.new(token).include_any_scope?(scopes)
|
||||||
end
|
end
|
||||||
|
|
||||||
def abilities_for_scope(scopes)
|
def abilities_for_scopes(scopes)
|
||||||
scopes.map do |scope|
|
abilities_by_scope = {
|
||||||
self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend
|
api: full_authentication_abilities,
|
||||||
end.flatten.uniq
|
read_registry: [:read_container_image]
|
||||||
|
}
|
||||||
|
|
||||||
|
scopes.flat_map do |scope|
|
||||||
|
abilities_by_scope.fetch(scope.to_sym, [])
|
||||||
|
end.uniq
|
||||||
end
|
end
|
||||||
|
|
||||||
def lfs_token_check(login, password, project)
|
def lfs_token_check(login, password, project)
|
||||||
|
@ -228,16 +233,6 @@ module Gitlab
|
||||||
:admin_container_image
|
:admin_container_image
|
||||||
]
|
]
|
||||||
end
|
end
|
||||||
alias_method :api_scope_authentication_abilities, :full_authentication_abilities
|
|
||||||
|
|
||||||
def read_registry_scope_authentication_abilities
|
|
||||||
[:read_container_image]
|
|
||||||
end
|
|
||||||
|
|
||||||
# The currently used auth method doesn't allow any actions for this scope
|
|
||||||
def read_user_scope_authentication_abilities
|
|
||||||
[]
|
|
||||||
end
|
|
||||||
|
|
||||||
def available_scopes(current_user = nil)
|
def available_scopes(current_user = nil)
|
||||||
scopes = API_SCOPES + registry_scopes
|
scopes = API_SCOPES + registry_scopes
|
||||||
|
|
|
@ -207,7 +207,7 @@ describe Gitlab::Auth do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'limits abilities based on scope' do
|
it 'limits abilities based on scope' do
|
||||||
personal_access_token = create(:personal_access_token, scopes: ['read_user'])
|
personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])
|
||||||
|
|
||||||
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
|
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
|
||||||
expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, []))
|
expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, []))
|
||||||
|
|
Loading…
Reference in a new issue