Commit eefbc837 authored by Markus Koller's avatar Markus Koller Committed by Alexis Reigel

Only use API scopes for personal access tokens

parent 93daeee1
...@@ -35,7 +35,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController ...@@ -35,7 +35,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
def set_index_vars def set_index_vars
@personal_access_token ||= current_user.personal_access_tokens.build @personal_access_token ||= current_user.personal_access_tokens.build
@scopes = Gitlab::Auth::SCOPES @scopes = Gitlab::Auth::API_SCOPES
@active_personal_access_tokens = current_user.personal_access_tokens.active.order(:expires_at) @active_personal_access_tokens = current_user.personal_access_tokens.active.order(:expires_at)
@inactive_personal_access_tokens = current_user.personal_access_tokens.inactive @inactive_personal_access_tokens = current_user.personal_access_tokens.inactive
end end
...@@ -9,6 +9,8 @@ class PersonalAccessToken < ActiveRecord::Base ...@@ -9,6 +9,8 @@ class PersonalAccessToken < ActiveRecord::Base
scope :active, -> { where(revoked: false).where("expires_at >= NOW() OR expires_at IS NULL") } scope :active, -> { where(revoked: false).where("expires_at >= NOW() OR expires_at IS NULL") }
scope :inactive, -> { where("revoked = true OR expires_at < NOW()") } scope :inactive, -> { where("revoked = true OR expires_at < NOW()") }
validate :validate_scopes
def self.generate(params) def self.generate(params)
personal_access_token = self.new(params) personal_access_token = self.new(params)
personal_access_token.ensure_token personal_access_token.ensure_token
...@@ -19,4 +21,12 @@ class PersonalAccessToken < ActiveRecord::Base ...@@ -19,4 +21,12 @@ class PersonalAccessToken < ActiveRecord::Base
self.revoked = true self.revoked = true
self.save self.save
end end
protected
def validate_scopes
unless Set.new(scopes.map(&:to_sym)).subset?(Set.new(Gitlab::Auth::API_SCOPES))
errors.add :scopes, "can only contain API scopes"
end
end
end end
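Review bot: `validate_scopes` calls `scopes.map(&:to_sym)` with no guard for a nil `scopes`, so a token whose scopes column is unset would raise NoMethodError inside validation instead of adding an error; the one-line form `errors.add(:scopes, "can only contain API scopes") unless (Array(scopes).map(&:to_sym) - Gitlab::Auth::API_SCOPES).empty?` tolerates nil and avoids building two Sets per save. Whether the column can actually be nil depends on its default, which is not in this diff. The validation also runs only on save, so rows that already carry :openid are left as they are; whether those tokens still grant OpenID access depends on the authentication path, which is outside this diff. A validation callback that nothing outside the class calls is conventionally placed under `private` rather than `protected`.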
...@@ -2,9 +2,14 @@ module Gitlab ...@@ -2,9 +2,14 @@ module Gitlab
module Auth module Auth
MissingPersonalTokenError = Class.new(StandardError) MissingPersonalTokenError = Class.new(StandardError)
SCOPES = [:api, :read_user, :openid, :profile, :email].freeze # Scopes used for GitLab API access
API_SCOPES = [:api, :read_user].freeze
# Scopes used by doorkeeper-openid_connect
OPENID_SCOPES = [:openid].freeze
DEFAULT_SCOPES = [:api].freeze DEFAULT_SCOPES = [:api].freeze
OPTIONAL_SCOPES = SCOPES - DEFAULT_SCOPES OPTIONAL_SCOPES = (API_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
class << self class << self
def find_for_git_client(login, password, project:, ip:) def find_for_git_client(login, password, project:, ip:)
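Review bot: Dropping `SCOPES` without a replacement constant means any reference to `Gitlab::Auth::SCOPES` outside the files in this commit fails with NameError when that file loads; the profile controller is the only call site updated here, and the doorkeeper initializer the new spec requires is not shown, so it is worth confirming no other reader remains. Since `OPTIONAL_SCOPES` now spans both lists while personal access tokens are limited to `API_SCOPES`, a comment above it would help the next reader, e.g. `# All non-default scopes; personal access tokens are further restricted to API_SCOPES by PersonalAccessToken#validate_scopes`. The `class << self` block that follows continues outside the hunk.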
require 'spec_helper'
require_relative '../../config/initializers/doorkeeper'
describe Doorkeeper.configuration do
it 'default_scopes matches Gitlab::Auth::DEFAULT_SCOPES' do
expect(subject.default_scopes).to eq Gitlab::Auth::DEFAULT_SCOPES
end
it 'optional_scopes matches Gitlab::Auth::OPTIONAL_SCOPES' do
expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES
end
end
...@@ -3,6 +3,24 @@ require 'spec_helper' ...@@ -3,6 +3,24 @@ require 'spec_helper'
describe Gitlab::Auth, lib: true do describe Gitlab::Auth, lib: true do
let(:gl_auth) { described_class } let(:gl_auth) { described_class }
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
expect(subject::API_SCOPES).to eq [:api, :read_user]
end
it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
expect(subject::OPENID_SCOPES).to eq [:openid]
end
it 'DEFAULT_SCOPES contains all default scopes' do
expect(subject::DEFAULT_SCOPES).to eq [:api]
end
it 'OPTIONAL_SCOPES contains all non-default scopes' do
expect(subject::OPTIONAL_SCOPES).to eq [:read_user, :openid]
end
end
describe 'find_for_git_client' do describe 'find_for_git_client' do
context 'build token' do context 'build token' do
subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') } subject { gl_auth.find_for_git_client('gitlab-ci-token', build.token, project: project, ip: 'ip') }
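Review bot: The new 'constants' block reaches the module through `subject::API_SCOPES`, which only works because RSpec's implicit subject is the described object itself when it is a Module rather than a Class; the file already defines `gl_auth` as `described_class` just above, so `expect(gl_auth::API_SCOPES).to eq [:api, :read_user]` (and the same for the other three examples) reads more directly and does not depend on that implicit-subject rule. The outer `describe` continues past the hunk.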
...@@ -12,4 +12,20 @@ describe PersonalAccessToken, models: true do ...@@ -12,4 +12,20 @@ describe PersonalAccessToken, models: true do
expect(personal_access_token).not_to be_persisted expect(personal_access_token).not_to be_persisted
end end
end end
describe 'validate_scopes' do
it "allows creating a token with API scopes" do
personal_access_token = build(:personal_access_token)
personal_access_token.scopes = [:api, :read_user]
expect(personal_access_token).to be_valid
end
it "rejects creating a token with non-API scopes" do
personal_access_token = build(:personal_access_token)
personal_access_token.scopes = [:openid, :api]
expect(personal_access_token).not_to be_valid
end
end
end end
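Review bot: The 'validate_scopes' examples only assign symbol arrays, while the validator under test normalises with `map(&:to_sym)`, so string input (`%w[api read_user]`, the shape most likely to arrive from form params) and the empty array are unexercised, as is a nil `scopes` value, which, if the column permits it, would raise in the validator rather than fail validation. Adding `personal_access_token.scopes = %w[api read_user]` and `personal_access_token.scopes = []` cases with `be_valid` pins the accepted shapes, and a nil case documents whichever behaviour is intended. The enclosing `describe PersonalAccessToken` starts outside the hunk.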