Commit 0013e6c0 authored by Robin Bobbitt's avatar Robin Bobbitt

Clean up read_registry scope changes

Closes #37789
parent ef37de8a
......@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
end
def set_index_vars
@scopes = Gitlab::Auth::AVAILABLE_SCOPES
@scopes = Gitlab::Auth.available_scopes
@personal_access_token = finder.build
@inactive_personal_access_tokens = finder(state: 'inactive').execute
......
......@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
protected
def validate_scopes
unless revoked || scopes.all? { |scope| Gitlab::Auth::AVAILABLE_SCOPES.include?(scope.to_sym) }
unless revoked || scopes.all? { |scope| Gitlab::Auth.available_scopes.include?(scope.to_sym) }
errors.add :scopes, "can only contain available scopes"
end
end
......
......@@ -58,7 +58,7 @@ Doorkeeper.configure do
# For more information go to
# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)
optional_scopes(*Gitlab::Auth.optional_scopes)
# Change the way client credentials are retrieved from the request object.
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
......
......@@ -2,7 +2,7 @@ module Gitlab
module Auth
MissingPersonalTokenError = Class.new(StandardError)
REGISTRY_SCOPES = Gitlab.config.registry.enabled ? [:read_registry].freeze : [].freeze
REGISTRY_SCOPES = [:read_registry].freeze
# Scopes used for GitLab API access
API_SCOPES = [:api, :read_user].freeze
......@@ -13,11 +13,6 @@ module Gitlab
# Default scopes for OAuth applications that don't define their own
DEFAULT_SCOPES = [:api].freeze
AVAILABLE_SCOPES = (API_SCOPES + REGISTRY_SCOPES).freeze
# Other available scopes
OPTIONAL_SCOPES = (AVAILABLE_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
class << self
include Gitlab::CurrentSettings
......@@ -132,7 +127,7 @@ module Gitlab
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
if token && valid_scoped_token?(token, AVAILABLE_SCOPES)
if token && valid_scoped_token?(token, available_scopes)
Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes))
end
end
......@@ -230,6 +225,21 @@ module Gitlab
def read_user_scope_authentication_abilities
[]
end
def available_scopes
API_SCOPES + registry_scopes
end
# Other available scopes
def optional_scopes
available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
end
def registry_scopes
return [] unless Gitlab.config.registry.enabled
REGISTRY_SCOPES
end
end
end
end
......@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
end
describe '#optional_scopes' do
it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do
expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES - Gitlab::Auth::REGISTRY_SCOPES
it 'matches Gitlab::Auth.optional_scopes' do
expect(subject.optional_scopes).to eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES
end
end
......
......@@ -16,20 +16,20 @@ describe Gitlab::Auth do
expect(subject::DEFAULT_SCOPES).to eq [:api]
end
it 'OPTIONAL_SCOPES contains all non-default scopes' do
it 'optional_scopes contains all non-default scopes' do
stub_container_registry_config(enabled: true)
expect(subject::OPTIONAL_SCOPES).to eq %i[read_user read_registry openid]
expect(subject.optional_scopes).to eq %i[read_user read_registry openid]
end
context 'REGISTRY_SCOPES' do
context 'registry_scopes' do
context 'when registry is disabled' do
before do
stub_container_registry_config(enabled: false)
end
it 'is empty' do
expect(subject::REGISTRY_SCOPES).to eq []
expect(subject.registry_scopes).to eq []
end
end
......@@ -39,7 +39,7 @@ describe Gitlab::Auth do
end
it 'contains all registry related scopes' do
expect(subject::REGISTRY_SCOPES).to eq %i[read_registry]
expect(subject.registry_scopes).to eq %i[read_registry]
end
end
end
......
......@@ -26,11 +26,9 @@ module StubGitlabCalls
end
def stub_container_registry_config(registry_settings)
allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:full_access_token).and_return('token')
allow(Gitlab.config.registry).to receive_messages(registry_settings)
load 'lib/gitlab/auth.rb'
end
def stub_container_registry_tags(repository: :any, tags:)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment