Commit graph

10 commits

Author SHA1 Message Date
Rémy Coutable
ddccd24c13 Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
Timothy Andrew
afbc7520c2 AccessTokenValidationService accepts String or API::Scope scopes.
- There's no need to use `API::Scope` for scopes that don't have `if`
  conditions, such as in `lib/gitlab/auth.rb`.
2017-06-30 07:32:25 +00:00
Timothy Andrew
b8ec1f4201 Extract a Gitlab::Scope class.
- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.
2017-06-29 06:15:57 +00:00
Timothy Andrew
c1fcd730cc Implement review comments from @DouweM for !12300.
- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`

- Refactor the "remove scopes whose :if condition returns false" logic to use a
  `select` rather than a `reject`.
2017-06-28 07:17:13 +00:00
Timothy Andrew
4dbfa14e16 Implement review comments from @dbalexandre for !12300. 2017-06-28 07:17:13 +00:00
Timothy Andrew
1b8223dd51 Fix remaining spec failures for !12300.
1. Get the spec for `lib/gitlab/auth.rb` passing.

  - Make the `request` argument to `AccessTokenValidationService` optional -
  `auth.rb` doesn't need to pass in a request.

  - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
  is what `AccessTokenValidationService` now expects.

2. Get the spec for `API::V3::Users` passing

2. Get the spec for `AccessTokenValidationService` passing
2017-06-28 07:17:13 +00:00
Timothy Andrew
80c1ebaa83 Allow API scope declarations to be applied conditionally.
- Scope declarations of the form:

    allow_access_with_scope :read_user, if: -> (request) { request.get? }

  will only apply for `GET` requests

- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
  test for this case in the `AccessTokenValidationService` unit tests.
2017-06-28 07:17:13 +00:00
Timothy Andrew
b303948ff5 Convert AccessTokenValidationService into a class.
- Previously, AccessTokenValidationService was a module, and all its  public
methods accepted a token. It makes sense to convert it to a class which accepts
a token during initialization.

- Also rename the `sufficient_scope?` method to `include_any_scope?`

- Based on feedback from @rymai
2016-12-16 16:29:32 +05:30
Timothy Andrew
4d6da770de Implement minor changes from @dbalexandre's review.
- Mainly whitespace changes.

- Require the migration adding the `scope` column to the
  `personal_access_tokens` table to have downtime, since API calls will
  fail if the new code is in place, but the migration hasn't run.

- Minor refactoring - load `@scopes` in a `before_action`, since we're
  doing it in three different places.
2016-12-16 16:29:31 +05:30
Timothy Andrew
7fa06ed55d Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to
  `AccessTokenValidationService`, since it is now being used for
  personal access token validation as well.

- Each API endpoint declares the scopes it accepts (if any). Currently,
  the top level API module declares the `api` scope, and the `Users` API
  module declares the `read_user` scope (for GET requests).

- Move the `find_user_by_private_token` from the API `Helpers` module to
  the `APIGuard` module, to avoid littering `Helpers` with more
  auth-related methods to support `find_user_by_private_token`
2016-12-16 16:29:31 +05:30