Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
e941365f
Commit
e941365f
authored
Sep 16, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename capabilities to authentication_abilities
parent
ac6412d0
Changes
11
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
74 additions
and
62 deletions
+74
-62
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+1
-1
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+8
-6
app/controllers/projects/git_http_controller.rb
app/controllers/projects/git_http_controller.rb
+1
-1
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+6
-6
lib/api/internal.rb
lib/api/internal.rb
+3
-3
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+12
-12
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+6
-6
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+11
-11
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+10
-10
spec/lib/gitlab/git_access_wiki_spec.rb
spec/lib/gitlab/git_access_wiki_spec.rb
+2
-2
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+14
-4
No files found.
app/controllers/jwt_controller.rb
View file @
e941365f
...
@@ -14,7 +14,7 @@ class JwtController < ApplicationController
...
@@ -14,7 +14,7 @@ class JwtController < ApplicationController
@authentication_result
||=
Gitlab
::
Auth
::
Result
.
new
@authentication_result
||=
Gitlab
::
Auth
::
Result
.
new
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
actor
,
auth_params
).
result
=
service
.
new
(
@authentication_result
.
project
,
@authentication_result
.
actor
,
auth_params
).
execute
(
capabilities:
@authentication_result
.
cap
abilities
)
execute
(
authentication_abilities:
@authentication_result
.
authentication_
abilities
)
render
json:
result
,
status:
result
[
:http_status
]
render
json:
result
,
status:
result
[
:http_status
]
end
end
...
...
app/controllers/projects/git_http_client_controller.rb
View file @
e941365f
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include
ActionController
::
HttpAuthentication
::
Basic
include
ActionController
::
HttpAuthentication
::
Basic
include
KerberosSpnegoHelper
include
KerberosSpnegoHelper
attr_reader
:actor
,
:
cap
abilities
attr_reader
:actor
,
:
authentication_
abilities
# Git clients will not know what authenticity token to send along
# Git clients will not know what authenticity token to send along
skip_before_action
:verify_authenticity_token
skip_before_action
:verify_authenticity_token
...
@@ -125,7 +125,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -125,7 +125,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
when
:oauth
when
:oauth
if
download_request?
if
download_request?
@actor
=
auth_result
.
actor
@actor
=
auth_result
.
actor
@
capabilities
=
auth_result
.
cap
abilities
@
authentication_abilities
=
auth_result
.
authentication_
abilities
else
else
return
false
return
false
end
end
...
@@ -133,11 +133,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -133,11 +133,13 @@ class Projects::GitHttpClientController < Projects::ApplicationController
if
download_request?
if
download_request?
@lfs_deploy_key
=
true
@lfs_deploy_key
=
true
@actor
=
auth_result
.
actor
@actor
=
auth_result
.
actor
@capabilities
=
auth_result
.
capabilities
@authentication_abilities
=
auth_result
.
authentication_abilities
else
return
false
end
end
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
,
:build
when
:lfs_token
,
:personal_token
,
:gitlab_or_ldap
,
:build
@actor
=
auth_result
.
actor
@actor
=
auth_result
.
actor
@
capabilities
=
auth_result
.
cap
abilities
@
authentication_abilities
=
auth_result
.
authentication_
abilities
else
else
# Not allowed
# Not allowed
return
false
return
false
...
@@ -150,8 +152,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -150,8 +152,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@lfs_deploy_key
&&
actor
&&
actor
.
projects
.
include?
(
project
)
@lfs_deploy_key
&&
actor
&&
actor
.
projects
.
include?
(
project
)
end
end
def
has_
cap
ability?
(
capability
)
def
has_
authentication_
ability?
(
capability
)
@
cap
abilities
.
include?
(
capability
)
@
authentication_
abilities
.
include?
(
capability
)
end
end
def
verify_workhorse_api!
def
verify_workhorse_api!
...
...
app/controllers/projects/git_http_controller.rb
View file @
e941365f
...
@@ -86,7 +86,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
...
@@ -86,7 +86,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
end
end
def
access
def
access
@access
||=
Gitlab
::
GitAccess
.
new
(
user
,
project
,
'http'
,
capabilities:
cap
abilities
)
@access
||=
Gitlab
::
GitAccess
.
new
(
user
,
project
,
'http'
,
authentication_abilities:
authentication_
abilities
)
end
end
def
access_check
def
access_check
...
...
app/services/auth/container_registry_authentication_service.rb
View file @
e941365f
...
@@ -4,8 +4,8 @@ module Auth
...
@@ -4,8 +4,8 @@ module Auth
AUDIENCE
=
'container_registry'
AUDIENCE
=
'container_registry'
def
execute
(
cap
abilities
:)
def
execute
(
authentication_
abilities
:)
@
capabilities
=
cap
abilities
||
[]
@
authentication_abilities
=
authentication_
abilities
||
[]
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
...
@@ -92,23 +92,23 @@ module Auth
...
@@ -92,23 +92,23 @@ module Auth
# Build can:
# Build can:
# 1. pull from it's own project (for ex. a build)
# 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
# 2. read images from dependent projects if creator of build is a team member
@
cap
abilities
.
include?
(
:build_read_container_image
)
&&
@
authentication_
abilities
.
include?
(
:build_read_container_image
)
&&
(
requested_project
==
project
||
can?
(
current_user
,
:build_read_container_image
,
requested_project
))
(
requested_project
==
project
||
can?
(
current_user
,
:build_read_container_image
,
requested_project
))
end
end
def
user_can_pull?
(
requested_project
)
def
user_can_pull?
(
requested_project
)
@
cap
abilities
.
include?
(
:read_container_image
)
&&
@
authentication_
abilities
.
include?
(
:read_container_image
)
&&
can?
(
current_user
,
:read_container_image
,
requested_project
)
can?
(
current_user
,
:read_container_image
,
requested_project
)
end
end
def
build_can_push?
(
requested_project
)
def
build_can_push?
(
requested_project
)
# Build can push only to project to from which he originates
# Build can push only to project to from which he originates
@
cap
abilities
.
include?
(
:build_create_container_image
)
&&
@
authentication_
abilities
.
include?
(
:build_create_container_image
)
&&
requested_project
==
project
requested_project
==
project
end
end
def
user_can_push?
(
requested_project
)
def
user_can_push?
(
requested_project
)
@
cap
abilities
.
include?
(
:create_container_image
)
&&
@
authentication_
abilities
.
include?
(
:create_container_image
)
&&
can?
(
current_user
,
:create_container_image
,
requested_project
)
can?
(
current_user
,
:create_container_image
,
requested_project
)
end
end
end
end
...
...
lib/api/internal.rb
View file @
e941365f
...
@@ -36,7 +36,7 @@ module API
...
@@ -36,7 +36,7 @@ module API
end
end
end
end
def
ssh_
cap
abilities
def
ssh_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -59,9 +59,9 @@ module API
...
@@ -59,9 +59,9 @@ module API
access
=
access
=
if
wiki?
if
wiki?
Gitlab
::
GitAccessWiki
.
new
(
actor
,
project
,
protocol
,
capabilities:
ssh_cap
abilities
)
Gitlab
::
GitAccessWiki
.
new
(
actor
,
project
,
protocol
,
authentication_abilities:
ssh_authentication_
abilities
)
else
else
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
protocol
,
capabilities:
ssh_cap
abilities
)
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
protocol
,
authentication_abilities:
ssh_authentication_
abilities
)
end
end
access_status
=
access
.
check
(
params
[
:action
],
params
[
:changes
])
access_status
=
access
.
check
(
params
[
:action
],
params
[
:changes
])
...
...
lib/gitlab/auth.rb
View file @
e941365f
module
Gitlab
module
Gitlab
module
Auth
module
Auth
Result
=
Struct
.
new
(
:actor
,
:project
,
:type
,
:
cap
abilities
)
do
Result
=
Struct
.
new
(
:actor
,
:project
,
:type
,
:
authentication_
abilities
)
do
def
success?
def
success?
actor
.
present?
||
type
==
:ci
actor
.
present?
||
type
==
:ci
end
end
...
@@ -77,7 +77,7 @@ module Gitlab
...
@@ -77,7 +77,7 @@ module Gitlab
service
=
project
.
public_send
(
"
#{
underscored_service
}
_service"
)
service
=
project
.
public_send
(
"
#{
underscored_service
}
_service"
)
if
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
if
service
&&
service
.
activated?
&&
service
.
valid_token?
(
password
)
Result
.
new
(
nil
,
project
,
:ci
,
build_
cap
abilities
)
Result
.
new
(
nil
,
project
,
:ci
,
build_
authentication_
abilities
)
end
end
end
end
end
end
...
@@ -88,7 +88,7 @@ module Gitlab
...
@@ -88,7 +88,7 @@ module Gitlab
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_
cap
abilities
)
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_
authentication_
abilities
)
end
end
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
...
@@ -96,7 +96,7 @@ module Gitlab
...
@@ -96,7 +96,7 @@ module Gitlab
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
if
token
&&
token
.
accessible?
if
token
&&
token
.
accessible?
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Result
.
new
(
user
,
nil
,
:oauth
,
read_
cap
abilities
)
Result
.
new
(
user
,
nil
,
:oauth
,
read_
authentication_
abilities
)
end
end
end
end
end
end
...
@@ -105,7 +105,7 @@ module Gitlab
...
@@ -105,7 +105,7 @@ module Gitlab
if
login
&&
password
if
login
&&
password
user
=
User
.
find_by_personal_access_token
(
password
)
user
=
User
.
find_by_personal_access_token
(
password
)
validation
=
User
.
by_login
(
login
)
validation
=
User
.
by_login
(
login
)
Result
.
new
(
user
,
nil
,
:personal_token
,
full_
cap
abilities
)
if
user
.
present?
&&
user
==
validation
Result
.
new
(
user
,
nil
,
:personal_token
,
full_
authentication_
abilities
)
if
user
.
present?
&&
user
==
validation
end
end
end
end
...
@@ -122,7 +122,7 @@ module Gitlab
...
@@ -122,7 +122,7 @@ module Gitlab
if
actor
if
actor
token_handler
=
Gitlab
::
LfsToken
.
new
(
actor
)
token_handler
=
Gitlab
::
LfsToken
.
new
(
actor
)
Result
.
new
(
actor
,
nil
,
token_handler
.
type
,
read_
cap
abilities
)
if
Devise
.
secure_compare
(
token_handler
.
value
,
password
)
Result
.
new
(
actor
,
nil
,
token_handler
.
type
,
read_
authentication_
abilities
)
if
Devise
.
secure_compare
(
token_handler
.
value
,
password
)
end
end
end
end
...
@@ -136,14 +136,14 @@ module Gitlab
...
@@ -136,14 +136,14 @@ module Gitlab
if
build
.
user
if
build
.
user
# If user is assigned to build, use restricted credentials of user
# If user is assigned to build, use restricted credentials of user
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
build_
cap
abilities
)
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
build_
authentication_
abilities
)
else
else
# Otherwise use generic CI credentials (backward compatibility)
# Otherwise use generic CI credentials (backward compatibility)
Result
.
new
(
nil
,
build
.
project
,
:ci
,
build_
cap
abilities
)
Result
.
new
(
nil
,
build
.
project
,
:ci
,
build_
authentication_
abilities
)
end
end
end
end
def
build_
cap
abilities
def
build_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:build_download_code
,
:build_download_code
,
...
@@ -152,7 +152,7 @@ module Gitlab
...
@@ -152,7 +152,7 @@ module Gitlab
]
]
end
end
def
read_
cap
abilities
def
read_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -160,8 +160,8 @@ module Gitlab
...
@@ -160,8 +160,8 @@ module Gitlab
]
]
end
end
def
full_
cap
abilities
def
full_
authentication_
abilities
read_
cap
abilities
+
[
read_
authentication_
abilities
+
[
:push_code
,
:push_code
,
:update_container_image
:update_container_image
]
]
...
...
lib/gitlab/git_access.rb
View file @
e941365f
...
@@ -5,13 +5,13 @@ module Gitlab
...
@@ -5,13 +5,13 @@ module Gitlab
DOWNLOAD_COMMANDS
=
%w{ git-upload-pack git-upload-archive }
DOWNLOAD_COMMANDS
=
%w{ git-upload-pack git-upload-archive }
PUSH_COMMANDS
=
%w{ git-receive-pack }
PUSH_COMMANDS
=
%w{ git-receive-pack }
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:
cap
abilities
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:
authentication_
abilities
def
initialize
(
actor
,
project
,
protocol
,
cap
abilities
:)
def
initialize
(
actor
,
project
,
protocol
,
authentication_
abilities
:)
@actor
=
actor
@actor
=
actor
@project
=
project
@project
=
project
@protocol
=
protocol
@protocol
=
protocol
@
capabilities
=
cap
abilities
@
authentication_abilities
=
authentication_
abilities
@user_access
=
UserAccess
.
new
(
user
,
project:
project
)
@user_access
=
UserAccess
.
new
(
user
,
project:
project
)
end
end
...
@@ -69,15 +69,15 @@ module Gitlab
...
@@ -69,15 +69,15 @@ module Gitlab
end
end
def
user_can_download_code?
def
user_can_download_code?
cap
abilities
.
include?
(
:download_code
)
&&
user_access
.
can_do_action?
(
:download_code
)
authentication_
abilities
.
include?
(
:download_code
)
&&
user_access
.
can_do_action?
(
:download_code
)
end
end
def
build_can_download_code?
def
build_can_download_code?
cap
abilities
.
include?
(
:build_download_code
)
&&
user_access
.
can_do_action?
(
:build_download_code
)
authentication_
abilities
.
include?
(
:build_download_code
)
&&
user_access
.
can_do_action?
(
:build_download_code
)
end
end
def
user_push_access_check
(
changes
)
def
user_push_access_check
(
changes
)
unless
cap
abilities
.
include?
(
:push_code
)
unless
authentication_
abilities
.
include?
(
:push_code
)
return
build_status_object
(
false
,
"You are not allowed to upload code for this project."
)
return
build_status_object
(
false
,
"You are not allowed to upload code for this project."
)
end
end
...
...
spec/lib/gitlab/auth_spec.rb
View file @
e941365f
...
@@ -16,13 +16,13 @@ describe Gitlab::Auth, lib: true do
...
@@ -16,13 +16,13 @@ describe Gitlab::Auth, lib: true do
end
end
it
'recognises user-less build'
do
it
'recognises user-less build'
do
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
build
.
project
,
:ci
,
build_
cap
abilities
))
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
build
.
project
,
:ci
,
build_
authentication_
abilities
))
end
end
it
'recognises user token'
do
it
'recognises user token'
do
build
.
update
(
user:
create
(
:user
))
build
.
update
(
user:
create
(
:user
))
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
build_
cap
abilities
))
expect
(
subject
).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
build_
authentication_
abilities
))
end
end
end
end
...
@@ -48,7 +48,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -48,7 +48,7 @@ describe Gitlab::Auth, lib: true do
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'drone-ci-token'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'drone-ci-token'
)
expect
(
gl_auth
.
find_for_git_client
(
'drone-ci-token'
,
'token'
,
project:
project
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
project
,
:ci
,
build_
cap
abilities
))
expect
(
gl_auth
.
find_for_git_client
(
'drone-ci-token'
,
'token'
,
project:
project
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
project
,
:ci
,
build_
authentication_
abilities
))
end
end
it
'recognizes master passwords'
do
it
'recognizes master passwords'
do
...
@@ -56,7 +56,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -56,7 +56,7 @@ describe Gitlab::Auth, lib: true do
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
'password'
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_
cap
abilities
))
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
'password'
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_
authentication_
abilities
))
end
end
it
'recognizes user lfs tokens'
do
it
'recognizes user lfs tokens'
do
...
@@ -65,7 +65,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -65,7 +65,7 @@ describe Gitlab::Auth, lib: true do
token
=
Gitlab
::
LfsToken
.
new
(
user
).
generate
token
=
Gitlab
::
LfsToken
.
new
(
user
).
generate
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:lfs_token
,
read_
cap
abilities
))
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:lfs_token
,
read_
authentication_
abilities
))
end
end
it
'recognizes deploy key lfs tokens'
do
it
'recognizes deploy key lfs tokens'
do
...
@@ -74,7 +74,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -74,7 +74,7 @@ describe Gitlab::Auth, lib: true do
token
=
Gitlab
::
LfsToken
.
new
(
key
).
generate
token
=
Gitlab
::
LfsToken
.
new
(
key
).
generate
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
"lfs+deploy-key-
#{
key
.
id
}
"
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
"lfs+deploy-key-
#{
key
.
id
}
"
)
expect
(
gl_auth
.
find_for_git_client
(
"lfs+deploy-key-
#{
key
.
id
}
"
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
nil
,
:lfs_deploy_token
,
read_
cap
abilities
))
expect
(
gl_auth
.
find_for_git_client
(
"lfs+deploy-key-
#{
key
.
id
}
"
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
nil
,
:lfs_deploy_token
,
read_
authentication_
abilities
))
end
end
it
'recognizes OAuth tokens'
do
it
'recognizes OAuth tokens'
do
...
@@ -84,7 +84,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -84,7 +84,7 @@ describe Gitlab::Auth, lib: true do
ip
=
'ip'
ip
=
'ip'
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'oauth2'
)
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_
cap
abilities
))
expect
(
gl_auth
.
find_for_git_client
(
"oauth2"
,
token
.
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
read_
authentication_
abilities
))
end
end
it
'returns double nil for invalid credentials'
do
it
'returns double nil for invalid credentials'
do
...
@@ -149,7 +149,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -149,7 +149,7 @@ describe Gitlab::Auth, lib: true do
private
private
def
build_
cap
abilities
def
build_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:build_download_code
,
:build_download_code
,
...
@@ -158,7 +158,7 @@ describe Gitlab::Auth, lib: true do
...
@@ -158,7 +158,7 @@ describe Gitlab::Auth, lib: true do
]
]
end
end
def
read_
cap
abilities
def
read_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -166,8 +166,8 @@ describe Gitlab::Auth, lib: true do
...
@@ -166,8 +166,8 @@ describe Gitlab::Auth, lib: true do
]
]
end
end
def
full_
cap
abilities
def
full_
authentication_
abilities
read_
cap
abilities
+
[
read_
authentication_
abilities
+
[
:push_code
,
:push_code
,
:update_container_image
:update_container_image
]
]
...
...
spec/lib/gitlab/git_access_spec.rb
View file @
e941365f
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
GitAccess
,
lib:
true
do
describe
Gitlab
::
GitAccess
,
lib:
true
do
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'web'
,
capabilities:
cap
abilities
)
}
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'web'
,
authentication_abilities:
authentication_
abilities
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:actor
)
{
user
}
let
(
:actor
)
{
user
}
let
(
:
cap
abilities
)
do
let
(
:
authentication_
abilities
)
do
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -22,7 +22,7 @@ describe Gitlab::GitAccess, lib: true do
context
'ssh disabled'
do
context
'ssh disabled'
do
before
do
before
do
disable_protocol
(
'ssh'
)
disable_protocol
(
'ssh'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
,
capabilities:
cap
abilities
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'ssh'
,
authentication_abilities:
authentication_
abilities
)
end
end
it
'blocks ssh git push'
do
it
'blocks ssh git push'
do
...
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -37,7 +37,7 @@ describe Gitlab::GitAccess, lib: true do
context
'http disabled'
do
context
'http disabled'
do
before
do
before
do
disable_protocol
(
'http'
)
disable_protocol
(
'http'
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
,
capabilities:
cap
abilities
)
@acc
=
Gitlab
::
GitAccess
.
new
(
actor
,
project
,
'http'
,
authentication_abilities:
authentication_
abilities
)
end
end
it
'blocks http push'
do
it
'blocks http push'
do
...
@@ -119,8 +119,8 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -119,8 +119,8 @@ describe Gitlab::GitAccess, lib: true do
end
end
end
end
describe
'build
cap
abilities permissions'
do
describe
'build
authentication_
abilities permissions'
do
let
(
:
capabilities
)
{
build_cap
abilities
}
let
(
:
authentication_abilities
)
{
build_authentication_
abilities
}
describe
'reporter user'
do
describe
'reporter user'
do
before
{
project
.
team
<<
[
user
,
:reporter
]
}
before
{
project
.
team
<<
[
user
,
:reporter
]
}
...
@@ -350,8 +350,8 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -350,8 +350,8 @@ describe Gitlab::GitAccess, lib: true do
end
end
end
end
describe
'build
capabilities permission
s'
do
describe
'build
authentication abilitie
s'
do
let
(
:
capabilities
)
{
build_cap
abilities
}
let
(
:
authentication_abilities
)
{
build_authentication_
abilities
}
it_behaves_like
'can not push code'
do
it_behaves_like
'can not push code'
do
def
authorize
def
authorize
...
@@ -373,14 +373,14 @@ describe Gitlab::GitAccess, lib: true do
...
@@ -373,14 +373,14 @@ describe Gitlab::GitAccess, lib: true do
private
private
def
build_
cap
abilities
def
build_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:build_download_code
:build_download_code
]
]
end
end
def
full_
cap
abilities
def
full_
authentication_
abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
...
spec/lib/gitlab/git_access_wiki_spec.rb
View file @
e941365f
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
GitAccessWiki
,
lib:
true
do
describe
Gitlab
::
GitAccessWiki
,
lib:
true
do
let
(
:access
)
{
Gitlab
::
GitAccessWiki
.
new
(
user
,
project
,
'web'
,
capabilities:
cap
abilities
)
}
let
(
:access
)
{
Gitlab
::
GitAccessWiki
.
new
(
user
,
project
,
'web'
,
authentication_
abilities
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:
cap
abilities
)
do
let
(
:
authentication_
abilities
)
do
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
e941365f
...
@@ -6,14 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -6,14 +6,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
let
(
:current_params
)
{
{}
}
let
(
:current_params
)
{
{}
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:
cap
abilities
)
do
let
(
:
authentication_
abilities
)
do
[
[
:read_container_image
,
:read_container_image
,
:create_container_image
:create_container_image
]
]
end
end
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
(
capabilities:
cap
abilities
)
}
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
(
authentication_abilities:
authentication_
abilities
)
}
before
do
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
enabled:
true
,
issuer:
'rspec'
,
key:
nil
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
enabled:
true
,
issuer:
'rspec'
,
key:
nil
)
...
@@ -198,7 +198,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -198,7 +198,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context
'build authorized as user'
do
context
'build authorized as user'
do
let
(
:current_project
)
{
create
(
:empty_project
)
}
let
(
:current_project
)
{
create
(
:empty_project
)
}
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:
cap
abilities
)
do
let
(
:
authentication_
abilities
)
do
[
[
:build_read_container_image
,
:build_read_container_image
,
:build_create_container_image
:build_create_container_image
...
@@ -255,7 +255,17 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -255,7 +255,17 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context
'when you are admin'
do
context
'when you are admin'
do
let
(
:current_user
)
{
create
(
:admin
)
}
let
(
:current_user
)
{
create
(
:admin
)
}
it_behaves_like
'pullable for being team member'
context
'when you are not member'
do
it_behaves_like
'an inaccessible'
end
context
'when you are member'
do
before
do
project
.
team
<<
[
current_user
,
:developer
]
end
it_behaves_like
'a pullable'
end
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment