Commit 5e6b9a7d authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'fix/group-bot-build-token-git-access' into 'master'

Add missing Git authentication support for group level bot build tokens

See merge request gitlab-org/gitlab!78595
parents 2a36ac0c 3a1dae66
......@@ -207,7 +207,7 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes)
if project && token.user.project_bot?
return unless token_bot_in_project?(token.user, project) || token_bot_in_group?(token.user, project)
return unless token_bot_in_resource?(token.user, project)
end
if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
......@@ -229,6 +229,10 @@ module Gitlab
end
# rubocop: enable CodeReuse/ActiveRecord
def token_bot_in_resource?(user, project)
token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
end
def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
end
......@@ -309,7 +313,7 @@ module Gitlab
return unless build.project.builds_enabled?
if build.user
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && build.project.bots&.include?(build.user))
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
......
......@@ -156,8 +156,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
let(:username) { 'gitlab-ci-token' }
context 'for running build' do
let!(:build) { create(:ci_build, :running) }
let(:project) { build.project }
let!(:group) { create(:group) }
let!(:project) { create(:project, group: group) }
let!(:build) { create(:ci_build, :running, project: project) }
it 'recognises user-less build' do
expect(subject).to have_attributes(actor: nil, project: build.project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
......@@ -169,6 +170,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
it 'recognises project level bot access token' do
build.update(user: create(:user, :project_bot))
project.add_maintainer(build.user)
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
it 'recognises group level bot access token' do
build.update(user: create(:user, :project_bot))
group.add_maintainer(build.user)
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
it 'fails with blocked user token' do
build.update(user: create(:user, :blocked))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment