Commit fde4c39c authored by Alain Takoudjou

NXD lib:gitlab:auth Accept Basic auth from project runner_token

From GitLab 8.12 there is a new CI job permissions model which only accepts login
from the CI token for a running job. The access is then revoked after the job is finished.
In Nexedi, we have a lot of URLs which rely on gitlab-ci-token and project-runners-token, so
we need to re-allow access, else access to all those URLs will be refused.

More info is here: https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#before-gitlab-8-12
parent 08f7682d
...@@ -179,16 +179,22 @@ module Gitlab ...@@ -179,16 +179,22 @@ module Gitlab
return unless login == 'gitlab-ci-token' return unless login == 'gitlab-ci-token'
return unless password return unless password
build = ::Ci::Build.running.find_by_token(password) # XXX-nxd: we also accept runners_token if enabled on projects
return unless build project = Project.with_builds_enabled.find_by(runners_token: password)
return unless build.project.builds_enabled? if project
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
if build.user
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
else else
# Otherwise use generic CI credentials (backward compatibility) build = ::Ci::Build.running.find_by_token(password)
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities) return unless build
return unless build.project.builds_enabled?
if build.user
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
else
# Otherwise use generic CI credentials (backward compatibility)
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
end
end end
end end
......
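Review bot: The new runners_token branch (the `Project.with_builds_enabled.find_by(runners_token: password)` lookup, tried before the build-token lookup) has no counterpart to the `.running` scope on `::Ci::Build.running.find_by_token(password)`, so a project's runners_token is accepted at any time and is not revoked when a job finishes. It returns `Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)`, the same abilities as a running build but with no user attached, so access through it cannot be tied to a user. If that is the intended trade-off, the `# XXX-nxd` comment should state it, and a narrower ability set than build_authentication_abilities is worth considering for this branch. Separately, `return unless password` rejects only nil, so an empty string still reaches the find_by; a blank check before the lookup would keep it from matching a project row whose runners_token is blank.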