Commit
0013e6c0
authored
Sep 15, 2017
by
Robin Bobbitt
Clean up read_registry scope changes
Closes #37789
parent
ef37de8a
Changes
7
Showing
7 changed files
with
28 additions
and
20 deletions
+28
-20
app/controllers/profiles/personal_access_tokens_controller.rb
...controllers/profiles/personal_access_tokens_controller.rb
+1
-1
app/models/personal_access_token.rb
app/models/personal_access_token.rb
+1
-1
config/initializers/doorkeeper.rb
config/initializers/doorkeeper.rb
+1
-1
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+17
-7
spec/initializers/doorkeeper_spec.rb
spec/initializers/doorkeeper_spec.rb
+2
-2
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+5
-5
spec/support/stub_gitlab_calls.rb
spec/support/stub_gitlab_calls.rb
+1
-3
app/controllers/profiles/personal_access_tokens_controller.rb
...
@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
...
@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
end
end
def
set_index_vars
def
set_index_vars
@scopes
=
Gitlab
::
Auth
::
AVAILABLE_SCOPES
@scopes
=
Gitlab
::
Auth
.
available_scopes
@personal_access_token
=
finder
.
build
@personal_access_token
=
finder
.
build
@inactive_personal_access_tokens
=
finder
(
state:
'inactive'
).
execute
@inactive_personal_access_tokens
=
finder
(
state:
'inactive'
).
execute
...
...
app/models/personal_access_token.rb
...
@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
...
@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
protected
protected
def
validate_scopes
def
validate_scopes
unless
revoked
||
scopes
.
all?
{
|
scope
|
Gitlab
::
Auth
::
AVAILABLE_SCOPES
.
include?
(
scope
.
to_sym
)
}
unless
revoked
||
scopes
.
all?
{
|
scope
|
Gitlab
::
Auth
.
available_scopes
.
include?
(
scope
.
to_sym
)
}
errors
.
add
:scopes
,
"can only contain available scopes"
errors
.
add
:scopes
,
"can only contain available scopes"
end
end
end
end
...
...
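Review bot: In `validate_scopes` the new call `Gitlab::Auth.available_scopes` sits inside the `all?` block, so the allowed list is rebuilt and the registry setting re-read once for every scope on the token. Reading it once before the check, `allowed = Gitlab::Auth.available_scopes`, and testing `allowed.include?(scope.to_sym)` is cheaper and judges every scope against the same list. Because the list is now computed at validation time, a non-revoked token that already carries `read_registry` would presumably fail this validation on its next save once the registry is disabled; if that is intended, a short comment on the method saying so would help.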
config/initializers/doorkeeper.rb
...
@@ -58,7 +58,7 @@ Doorkeeper.configure do
...
@@ -58,7 +58,7 @@ Doorkeeper.configure do
# For more information go to
# For more information go to
# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
default_scopes
(
*
Gitlab
::
Auth
::
DEFAULT_SCOPES
)
default_scopes
(
*
Gitlab
::
Auth
::
DEFAULT_SCOPES
)
optional_scopes
(
*
Gitlab
::
Auth
::
OPTIONAL_SCOPES
)
optional_scopes
(
*
Gitlab
::
Auth
.
optional_scopes
)
# Change the way client credentials are retrieved from the request object.
# Change the way client credentials are retrieved from the request object.
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
...
...
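Review bot: `optional_scopes(*Gitlab::Auth.optional_scopes)` is evaluated once, when this initializer runs, so Doorkeeper keeps whatever the registry setting was at boot, while the other callers changed in this commit ask `Gitlab::Auth` at call time. A comment above the line, such as `# Evaluated once at boot: read_registry is offered to OAuth applications only if the registry was enabled when the app started`, would make that difference visible. The `Doorkeeper.configure` block starts and ends outside the hunk.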
lib/gitlab/auth.rb
...
@@ -2,7 +2,7 @@ module Gitlab
...
@@ -2,7 +2,7 @@ module Gitlab
module
Auth
module
Auth
MissingPersonalTokenError
=
Class
.
new
(
StandardError
)
MissingPersonalTokenError
=
Class
.
new
(
StandardError
)
REGISTRY_SCOPES
=
Gitlab
.
config
.
registry
.
enabled
?
[
:read_registry
].
freeze
:
[
].
freeze
REGISTRY_SCOPES
=
[
:read_registry
].
freeze
# Scopes used for GitLab API access
# Scopes used for GitLab API access
API_SCOPES
=
[
:api
,
:read_user
].
freeze
API_SCOPES
=
[
:api
,
:read_user
].
freeze
...
@@ -13,11 +13,6 @@ module Gitlab
...
@@ -13,11 +13,6 @@ module Gitlab
# Default scopes for OAuth applications that don't define their own
# Default scopes for OAuth applications that don't define their own
DEFAULT_SCOPES
=
[
:api
].
freeze
DEFAULT_SCOPES
=
[
:api
].
freeze
AVAILABLE_SCOPES
=
(
API_SCOPES
+
REGISTRY_SCOPES
).
freeze
# Other available scopes
OPTIONAL_SCOPES
=
(
AVAILABLE_SCOPES
+
OPENID_SCOPES
-
DEFAULT_SCOPES
).
freeze
class
<<
self
class
<<
self
include
Gitlab
::
CurrentSettings
include
Gitlab
::
CurrentSettings
...
@@ -132,7 +127,7 @@ module Gitlab
...
@@ -132,7 +127,7 @@ module Gitlab
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
if
token
&&
valid_scoped_token?
(
token
,
AVAILABLE_SCOPES
)
if
token
&&
valid_scoped_token?
(
token
,
available_scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
end
end
end
end
...
@@ -230,6 +225,21 @@ module Gitlab
...
@@ -230,6 +225,21 @@ module Gitlab
def
read_user_scope_authentication_abilities
def
read_user_scope_authentication_abilities
[]
[]
end
end
def
available_scopes
API_SCOPES
+
registry_scopes
end
# Other available scopes
def
optional_scopes
available_scopes
+
OPENID_SCOPES
-
DEFAULT_SCOPES
end
def
registry_scopes
return
[]
unless
Gitlab
.
config
.
registry
.
enabled
REGISTRY_SCOPES
end
end
end
end
end
end
end
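Review bot: `REGISTRY_SCOPES` is now always `[:read_registry]`, and only the new `registry_scopes` method applies the `Gitlab.config.registry.enabled` check, so any caller that still reads the constant directly skips that check. The constant deserves a comment such as `# Unconditional list; use Gitlab::Auth.registry_scopes for the list that honours the registry setting`, and the three new methods need one-line comments saying they return the scopes valid for the current configuration; the carried-over `# Other available scopes` says little on `optional_scopes`. The methods are added inside a `class << self` body that begins outside the hunk, so it is worth confirming they do not sit under a visibility modifier there, since the controller, the model and the initializer call them as `Gitlab::Auth.available_scopes` and `Gitlab::Auth.optional_scopes`.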
spec/initializers/doorkeeper_spec.rb
...
@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
...
@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
end
end
describe
'#optional_scopes'
do
describe
'#optional_scopes'
do
it
'matches Gitlab::Auth
::OPTIONAL_SCOPES
'
do
it
'matches Gitlab::Auth
.optional_scopes
'
do
expect
(
subject
.
optional_scopes
).
to
eq
Gitlab
::
Auth
::
OPTIONAL_SCOPES
-
Gitlab
::
Auth
::
REGISTRY_SCOPES
expect
(
subject
.
optional_scopes
).
to
eq
Gitlab
::
Auth
.
optional_scopes
-
Gitlab
::
Auth
::
REGISTRY_SCOPES
end
end
end
end
...
...
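Review bot: The new expectation `eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES` appears to hold only if the initializer ran with the registry disabled, and the subtraction hides which registry state the example itself runs under, so the description 'matches Gitlab::Auth.optional_scopes' is not quite what is asserted. Stating the assumption in a comment above the expectation, e.g. `# doorkeeper.rb is loaded once at boot with the registry disabled, so read_registry is never in its optional scopes`, would keep a later reader from removing the subtraction as redundant. The `describe Doorkeeper.configuration` block starts outside the hunk.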
spec/lib/gitlab/auth_spec.rb
...
@@ -16,20 +16,20 @@ describe Gitlab::Auth do
...
@@ -16,20 +16,20 @@ describe Gitlab::Auth do
expect
(
subject
::
DEFAULT_SCOPES
).
to
eq
[
:api
]
expect
(
subject
::
DEFAULT_SCOPES
).
to
eq
[
:api
]
end
end
it
'
OPTIONAL_SCOPES
contains all non-default scopes'
do
it
'
optional_scopes
contains all non-default scopes'
do
stub_container_registry_config
(
enabled:
true
)
stub_container_registry_config
(
enabled:
true
)
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
%i[read_user read_registry openid]
expect
(
subject
.
optional_scopes
).
to
eq
%i[read_user read_registry openid]
end
end
context
'
REGISTRY_SCOPES
'
do
context
'
registry_scopes
'
do
context
'when registry is disabled'
do
context
'when registry is disabled'
do
before
do
before
do
stub_container_registry_config
(
enabled:
false
)
stub_container_registry_config
(
enabled:
false
)
end
end
it
'is empty'
do
it
'is empty'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
[]
expect
(
subject
.
registry_scopes
).
to
eq
[]
end
end
end
end
...
@@ -39,7 +39,7 @@ describe Gitlab::Auth do
...
@@ -39,7 +39,7 @@ describe Gitlab::Auth do
end
end
it
'contains all registry related scopes'
do
it
'contains all registry related scopes'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
%i[read_registry]
expect
(
subject
.
registry_scopes
).
to
eq
%i[read_registry]
end
end
end
end
end
end
...
...
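Review bot: `optional_scopes` is exercised only with `stub_container_registry_config(enabled: true)`; the case this commit is about, the registry disabled so that `read_registry` must not be offered, is covered for `registry_scopes` but not for `optional_scopes` or `available_scopes`. A sibling example with `stub_container_registry_config(enabled: false)` and `expect(subject.optional_scopes).to eq %i[read_user openid]` would pin it; the expected value is the enabled-case expectation in this hunk with `read_registry` removed. The enclosing `describe Gitlab::Auth` block starts outside the hunk.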
spec/support/stub_gitlab_calls.rb
...
@@ -26,11 +26,9 @@ module StubGitlabCalls
...
@@ -26,11 +26,9 @@ module StubGitlabCalls
end
end
def
stub_container_registry_config
(
registry_settings
)
def
stub_container_registry_config
(
registry_settings
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow
(
Auth
::
ContainerRegistryAuthenticationService
)
allow
(
Auth
::
ContainerRegistryAuthenticationService
)
.
to
receive
(
:full_access_token
).
and_return
(
'token'
)
.
to
receive
(
:full_access_token
).
and_return
(
'token'
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
load
'lib/gitlab/auth.rb'
end
end
def
stub_container_registry_tags
(
repository: :any
,
tags
:)
def
stub_container_registry_tags
(
repository: :any
,
tags
:)
...
...