Commit 0b13cce3 authored by Fabio Pitino's avatar Fabio Pitino

Merge branch...

Merge branch '259665-project-access-tokens-not-working-when-fetching-updates-for-a-previously-checked-out' into 'master'

Fix project access token build authentication error

See merge request gitlab-org/gitlab!47247
parents 0e4e86b0 a838fa8b
...@@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy ...@@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject) ::Feature.enabled?(:build_service_proxy, @subject)
end end
condition(:project_bot_is_member) do
user.project_bot? & team_member?
end
with_scope :subject with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled } condition(:packages_disabled) { !@subject.packages_enabled }
...@@ -608,6 +612,8 @@ class ProjectPolicy < BasePolicy ...@@ -608,6 +612,8 @@ class ProjectPolicy < BasePolicy
enable :admin_resource_access_tokens enable :admin_resource_access_tokens
end end
rule { project_bot_is_member & ~blocked }.enable :bot_log_in
private private
def user_is_user? def user_is_user?
......
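Review bot: The new condition `user.project_bot? & team_member?` uses the non-short-circuiting `&`, so `team_member?` is evaluated for every user this condition is checked against, not just project bots; if `team_member?` performs a membership lookup, that is wasted work for the common non-bot case and `&&` expresses the intended boolean, i.e. `user.project_bot? && team_member?`. The `bot_log_in` rule only excludes the `blocked` state; `:log_in` is defined outside this file, and if it excludes further user states those are not excluded here, which is worth stating so nobody widens the `||` in `Gitlab::Auth` by accident: `# Project bots cannot :log_in; grant them git/API auth only as unblocked members of this project.` above the rule. The class body continues outside both hunks.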
---
title: Fix project access token build authentication error
merge_request: 47247
author:
type: fixed
...@@ -196,11 +196,9 @@ module Gitlab ...@@ -196,11 +196,9 @@ module Gitlab
return unless token return unless token
return if project && token.user.project_bot? && !project.bots.include?(token.user)
return unless valid_scoped_token?(token, all_available_scopes) return unless valid_scoped_token?(token, all_available_scopes)
if token.user.project_bot? || token.user.can?(:log_in) if token.user.can?(:log_in) || token.user.can?(:bot_log_in, project)
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end end
end end
...@@ -285,7 +283,7 @@ module Gitlab ...@@ -285,7 +283,7 @@ module Gitlab
return unless build.project.builds_enabled? return unless build.project.builds_enabled?
if build.user if build.user
return unless build.user.can?(:log_in) return unless build.user.can?(:log_in) || build.user.can?(:bot_log_in, build.project)
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities) Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
......
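Review bot: Passing `project` straight into `can?(:bot_log_in, project)` changes the outcome when `project` is nil: the removed guard only rejected bots when a project was given, so a project-bot token with no project context used to be accepted, whereas `bot_log_in` can only be granted by the membership condition against a concrete project and therefore denies every project bot when `project` is nil. If any caller reaches this method with `project: nil` for a project access token, that path is now rejected; if none does, the tightening is fine but should be recorded, e.g. `# Project bots are only authenticated within a project they are a member of; with no project context they are denied.` above the `if`. The build hunk is consistent with this since it checks membership against `build.project`. The enclosing method starts before the first hunk.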
...@@ -364,20 +364,33 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -364,20 +364,33 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
let_it_be(:project_access_token) { create(:personal_access_token, user: project_bot_user) } let_it_be(:project_access_token) { create(:personal_access_token, user: project_bot_user) }
context 'with valid project access token' do context 'with valid project access token' do
before_all do before do
project.add_maintainer(project_bot_user) project.add_maintainer(project_bot_user)
end end
it 'succeeds' do it 'successfully authenticates the project bot' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip')) expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities)) .to eq(Gitlab::Auth::Result.new(project_bot_user, nil, :personal_access_token, described_class.full_authentication_abilities))
end end
end end
context 'with invalid project access token' do context 'with invalid project access token' do
it 'fails' do context 'when project bot is not a project member' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip')) it 'fails for a non-project member' do
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
end
context 'when project bot user is blocked' do
before do
project_bot_user.block!
end
it 'fails for a blocked project bot' do
expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: project, ip: 'ip'))
.to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
end
end end
end end
end end
......
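Review bot: The new contexts cover member, non-member and blocked bot, but not the `project: nil` call shape, which the new `can?(:bot_log_in, project)` check in lib/gitlab/auth.rb now denies for project bots where the removed guard let them through; a spec should pin whichever behaviour is intended, e.g. `expect(gl_auth.find_for_git_client(project_bot_user.username, project_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))`. It would also be worth a case where the bot is a member of a different project than the one passed, so the membership check is shown to be per-project rather than "is a member anywhere". The outer `describe` starts before this hunk.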
...@@ -401,6 +401,40 @@ RSpec.describe ProjectPolicy do ...@@ -401,6 +401,40 @@ RSpec.describe ProjectPolicy do
end end
end end
describe 'bot_log_in' do
let(:bot_user) { create(:user, :project_bot) }
let(:project) { private_project }
context 'when bot is in project and is not blocked' do
before do
project.add_maintainer(bot_user)
end
it 'is a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_truthy
end
end
context 'when project bot is invalid' do
context 'when bot is not in project' do
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
context 'when bot user is blocked' do
before do
project.add_maintainer(bot_user)
bot_user.block!
end
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
end
end
context 'support bot' do context 'support bot' do
let(:current_user) { User.support_bot } let(:current_user) { User.support_bot }
......
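Review bot: The `bot_log_in` specs only exercise project-bot users, so nothing shows that a regular member is not granted the ability; since `Gitlab::Auth` now accepts `can?(:log_in) || can?(:bot_log_in, project)`, a regression that granted `bot_log_in` to ordinary members would silently widen authentication for users who cannot `:log_in`. Add a negative case such as `it 'is not granted to a non-bot member' do project.add_maintainer(create(:user)) ... expect(user.can?(:bot_log_in, project)).to be(false) end`. Also `be_truthy`/`be_falsy` accept any value; `be(true)`/`be(false)` pin the exact booleans, and if the rest of this file drives `ProjectPolicy` through `current_user` with `be_allowed`/`be_disallowed` (the `support bot` context suggests that pattern), the new block would read more consistently in that form.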