eefbc837
Commit
eefbc837
authored
Jan 31, 2017
by
Markus Koller
Committed by
Alexis Reigel
Mar 07, 2017
Only use API scopes for personal access tokens
parent
93daeee1
Changes
6
Showing
6 changed files
with
64 additions
and
3 deletions
+64
-3
app/controllers/profiles/personal_access_tokens_controller.rb
...controllers/profiles/personal_access_tokens_controller.rb
+1
-1
app/models/personal_access_token.rb
app/models/personal_access_token.rb
+10
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+7
-2
spec/initializers/doorkeeper_spec.rb
spec/initializers/doorkeeper_spec.rb
+12
-0
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+18
-0
spec/models/personal_access_token_spec.rb
spec/models/personal_access_token_spec.rb
+16
-0
app/controllers/profiles/personal_access_tokens_controller.rb
@@ -35,7 +35,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
def
set_index_vars
@personal_access_token
||=
current_user
.
personal_access_tokens
.
build
@scopes
=
Gitlab
::
Auth
::
SCOPES
@scopes
=
Gitlab
::
Auth
::
API_
SCOPES
@active_personal_access_tokens
=
current_user
.
personal_access_tokens
.
active
.
order
(
:expires_at
)
@inactive_personal_access_tokens
=
current_user
.
personal_access_tokens
.
inactive
end
app/models/personal_access_token.rb
@@ -9,6 +9,8 @@ class PersonalAccessToken < ActiveRecord::Base
scope
:active
,
->
{
where
(
revoked:
false
).
where
(
"expires_at >= NOW() OR expires_at IS NULL"
)
}
scope
:inactive
,
->
{
where
(
"revoked = true OR expires_at < NOW()"
)
}
validate
:validate_scopes
def
self
.
generate
(
params
)
personal_access_token
=
self
.
new
(
params
)
personal_access_token
.
ensure_token
@@ -19,4 +21,12 @@ class PersonalAccessToken < ActiveRecord::Base
self
.
revoked
=
true
self
.
save
end
protected
def
validate_scopes
unless
Set
.
new
(
scopes
.
map
(
&
:to_sym
)).
subset?
(
Set
.
new
(
Gitlab
::
Auth
::
API_SCOPES
))
errors
.
add
:scopes
,
"can only contain API scopes"
end
end
end
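Review bot: `validate_scopes` calls `scopes.map` directly, so if the `scopes` attribute can be nil (its column definition is outside this hunk) the validation raises NoMethodError instead of adding an error; `Array(scopes)` keeps the check total. Comparing string forms on both sides also avoids interning caller-supplied values as symbols and treats string and symbol input the same, e.g. `unless Set.new(Array(scopes).map(&:to_s)).subset?(Set.new(Gitlab::Auth::API_SCOPES.map(&:to_s)))`. Nothing visible in the hunk calls the method from another class, so `private` rather than `protected` would state its scope more accurately. Since this validation, not the controller's `@scopes` list, is what actually stops a token from carrying OpenID Connect scopes, a one-line comment is worth adding: `# Enforced here, not in the form: personal access tokens may only carry API scopes.`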
lib/gitlab/auth.rb
@@ -2,9 +2,14 @@ module Gitlab
module
Auth
MissingPersonalTokenError
=
Class
.
new
(
StandardError
)
SCOPES
=
[
:api
,
:read_user
,
:openid
,
:profile
,
:email
].
freeze
# Scopes used for GitLab API access
API_SCOPES
=
[
:api
,
:read_user
].
freeze
# Scopes used by doorkeeper-openid_connect
OPENID_SCOPES
=
[
:openid
].
freeze
DEFAULT_SCOPES
=
[
:api
].
freeze
OPTIONAL_SCOPES
=
SCOPES
-
DEFAULT_SCOPES
OPTIONAL_SCOPES
=
(
API_SCOPES
+
OPENID_SCOPES
-
DEFAULT_SCOPES
).
freeze
class
<<
self
def
find_for_git_client
(
login
,
password
,
project
:,
ip
:)
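Review bot: The `:profile` and `:email` scopes listed in the old-side `SCOPES` constant (which the diffstat's two deletions suggest is removed) do not reappear in `API_SCOPES` or `OPENID_SCOPES`, so they drop out of `OPTIONAL_SCOPES` and presumably out of what the doorkeeper initializer exercised by the new spec will accept. The commit title only covers personal access tokens, so confirm that existing OAuth applications or grants holding those scopes are meant to lose them; if not, `OPENID_SCOPES = [:openid, :profile, :email].freeze` restores them without widening what `PersonalAccessToken#validate_scopes` accepts. A comment on `DEFAULT_SCOPES` stating that it must stay a subset of `API_SCOPES` (a default outside it would be rejected by the model validation) would document the invariant these constants now rely on, e.g. `# Must remain a subset of API_SCOPES: personal access tokens are validated against that list.`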
spec/initializers/doorkeeper_spec.rb
0 → 100644
require
'spec_helper'
require_relative
'../../config/initializers/doorkeeper'
describe
Doorkeeper
.
configuration
do
it
'default_scopes matches Gitlab::Auth::DEFAULT_SCOPES'
do
expect
(
subject
.
default_scopes
).
to
eq
Gitlab
::
Auth
::
DEFAULT_SCOPES
end
it
'optional_scopes matches Gitlab::Auth::OPTIONAL_SCOPES'
do
expect
(
subject
.
optional_scopes
).
to
eq
Gitlab
::
Auth
::
OPTIONAL_SCOPES
end
end
spec/lib/gitlab/auth_spec.rb
@@ -3,6 +3,24 @@ require 'spec_helper'
describe
Gitlab
::
Auth
,
lib:
true
do
let
(
:gl_auth
)
{
described_class
}
describe
'constants'
do
it
'API_SCOPES contains all scopes for API access'
do
expect
(
subject
::
API_SCOPES
).
to
eq
[
:api
,
:read_user
]
end
it
'OPENID_SCOPES contains all scopes for OpenID Connect'
do
expect
(
subject
::
OPENID_SCOPES
).
to
eq
[
:openid
]
end
it
'DEFAULT_SCOPES contains all default scopes'
do
expect
(
subject
::
DEFAULT_SCOPES
).
to
eq
[
:api
]
end
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
[
:read_user
,
:openid
]
end
end
describe
'find_for_git_client'
do
context
'build token'
do
subject
{
gl_auth
.
find_for_git_client
(
'gitlab-ci-token'
,
build
.
token
,
project:
project
,
ip:
'ip'
)
}
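Review bot: The new `constants` examples restate the literal arrays from lib/gitlab/auth.rb, so they fail on any deliberate edit but catch no mistake the literals themselves would not; asserting the relationships between the constants is more useful. `expect(subject::DEFAULT_SCOPES - subject::API_SCOPES).to be_empty` guards the property `PersonalAccessToken#validate_scopes` depends on, since a default scope outside `API_SCOPES` would make default tokens invalid, and `expect(subject::OPTIONAL_SCOPES & subject::DEFAULT_SCOPES).to be_empty` pins the disjointness `OPTIONAL_SCOPES` is constructed to have. The `find_for_git_client` describe block continues outside the hunk.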
spec/models/personal_access_token_spec.rb
@@ -12,4 +12,20 @@ describe PersonalAccessToken, models: true do
expect
(
personal_access_token
).
not_to
be_persisted
end
end
describe
'validate_scopes'
do
it
"allows creating a token with API scopes"
do
personal_access_token
=
build
(
:personal_access_token
)
personal_access_token
.
scopes
=
[
:api
,
:read_user
]
expect
(
personal_access_token
).
to
be_valid
end
it
"rejects creating a token with non-API scopes"
do
personal_access_token
=
build
(
:personal_access_token
)
personal_access_token
.
scopes
=
[
:openid
,
:api
]
expect
(
personal_access_token
).
not_to
be_valid
end
end
end
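Review bot: Both new examples assign symbol scopes, but values arriving through the profile form are presumably strings, which is the case the `map(&:to_sym)` in `validate_scopes` exists to handle; an example setting `personal_access_token.scopes = %w[api read_user]` and expecting `be_valid` would pin that path. An example with `scopes = []` (and `nil`, if the attribute can hold it) would also make explicit how the validation treats an empty scope list, which the hunk currently leaves unspecified.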