Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
62ef67ac
Commit
62ef67ac
authored
Aug 04, 2017
by
Robin Bobbitt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Hide read_registry scope when registry is disabled on instance
parent
e6d87021
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
80 additions
and
13 deletions
+80
-13
app/models/personal_access_token.rb
app/models/personal_access_token.rb
+1
-1
changelogs/unreleased/hide-read-registry-scope-when-registry-disabled.yml
...eased/hide-read-registry-scope-when-registry-disabled.yml
+4
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+1
-1
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+32
-6
spec/models/personal_access_token_spec.rb
spec/models/personal_access_token_spec.rb
+31
-4
spec/requests/jwt_controller_spec.rb
spec/requests/jwt_controller_spec.rb
+4
-0
spec/support/api/scopes/read_user_shared_examples.rb
spec/support/api/scopes/read_user_shared_examples.rb
+4
-0
spec/support/stub_gitlab_calls.rb
spec/support/stub_gitlab_calls.rb
+3
-1
No files found.
app/models/personal_access_token.rb
View file @
62ef67ac
...
...
@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
protected
def
validate_scopes
unless
scopes
.
all?
{
|
scope
|
Gitlab
::
Auth
::
AVAILABLE_SCOPES
.
include?
(
scope
.
to_sym
)
}
unless
revoked
||
scopes
.
all?
{
|
scope
|
Gitlab
::
Auth
::
AVAILABLE_SCOPES
.
include?
(
scope
.
to_sym
)
}
errors
.
add
:scopes
,
"can only contain available scopes"
end
end
...
...
changelogs/unreleased/hide-read-registry-scope-when-registry-disabled.yml
0 → 100644
View file @
62ef67ac
---
title
:
Hide read_registry scope when registry is disabled on instance
merge_request
:
13314
author
:
Robin Bobbitt
lib/gitlab/auth.rb
View file @
62ef67ac
...
...
@@ -2,7 +2,7 @@ module Gitlab
module
Auth
MissingPersonalTokenError
=
Class
.
new
(
StandardError
)
REGISTRY_SCOPES
=
[
:read_registry
].
freeze
REGISTRY_SCOPES
=
Gitlab
.
config
.
registry
.
enabled
?
[
:read_registry
].
freeze
:
[
].
freeze
# Scopes used for GitLab API access
API_SCOPES
=
[
:api
,
:read_user
].
freeze
...
...
spec/lib/gitlab/auth_spec.rb
View file @
62ef67ac
...
...
@@ -17,11 +17,31 @@ describe Gitlab::Auth do
end
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
stub_container_registry_config
(
enabled:
true
)
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
%i[read_user read_registry openid]
end
it
'REGISTRY_SCOPES contains all registry related scopes'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
%i[read_registry]
context
'REGISTRY_SCOPES'
do
context
'when registry is disabled'
do
before
do
stub_container_registry_config
(
enabled:
false
)
end
it
'is empty'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
[]
end
end
context
'when registry is enabled'
do
before
do
stub_container_registry_config
(
enabled:
true
)
end
it
'contains all registry related scopes'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
%i[read_registry]
end
end
end
end
...
...
@@ -147,11 +167,17 @@ describe Gitlab::Auth do
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
end
it
'succeeds for personal access tokens with the `read_registry` scope'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_registry'
])
context
'when registry is enabled'
do
before
do
stub_container_registry_config
(
enabled:
true
)
end
it
'succeeds for personal access tokens with the `read_registry` scope'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_registry'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_token
,
[
:read_container_image
]))
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_token
,
[
:read_container_image
]))
end
end
it
'succeeds if it is an impersonation token'
do
...
...
spec/models/personal_access_token_spec.rb
View file @
62ef67ac
...
...
@@ -41,7 +41,7 @@ describe PersonalAccessToken do
it
'revokes the token'
do
active_personal_access_token
.
revoke!
expect
(
active_personal_access_token
.
revoked?
).
to
be
true
expect
(
active_personal_access_token
).
to
be_revoked
end
end
...
...
@@ -61,10 +61,37 @@ describe PersonalAccessToken do
expect
(
personal_access_token
).
to
be_valid
end
it
"allows creating a token with read_registry scope"
do
personal_access_token
.
scopes
=
[
:read_registry
]
context
'when registry is disabled'
do
before
do
stub_container_registry_config
(
enabled:
false
)
end
expect
(
personal_access_token
).
to
be_valid
it
"rejects creating a token with read_registry scope"
do
personal_access_token
.
scopes
=
[
:read_registry
]
expect
(
personal_access_token
).
not_to
be_valid
expect
(
personal_access_token
.
errors
[
:scopes
].
first
).
to
eq
"can only contain available scopes"
end
it
"allows revoking a token with read_registry scope"
do
personal_access_token
.
scopes
=
[
:read_registry
]
personal_access_token
.
revoke!
expect
(
personal_access_token
).
to
be_revoked
end
end
context
'when registry is enabled'
do
before
do
stub_container_registry_config
(
enabled:
true
)
end
it
"allows creating a token with read_registry scope"
do
personal_access_token
.
scopes
=
[
:read_registry
]
expect
(
personal_access_token
).
to
be_valid
end
end
it
"rejects creating a token with unavailable scopes"
do
...
...
spec/requests/jwt_controller_spec.rb
View file @
62ef67ac
...
...
@@ -49,6 +49,10 @@ describe JwtController do
let
(
:pat
)
{
create
(
:personal_access_token
,
user:
user
,
scopes:
[
'read_registry'
])
}
let
(
:headers
)
{
{
authorization:
credentials
(
'personal_access_token'
,
pat
.
token
)
}
}
before
do
stub_container_registry_config
(
enabled:
true
)
end
subject!
{
get
'/jwt/auth'
,
parameters
,
headers
}
it
'authenticates correctly'
do
...
...
spec/support/api/scopes/read_user_shared_examples.rb
View file @
62ef67ac
...
...
@@ -23,6 +23,10 @@ shared_examples_for 'allows the "read_user" scope' do
context
'when the requesting token does not have any required scope'
do
let
(
:token
)
{
create
(
:personal_access_token
,
scopes:
[
'read_registry'
],
user:
user
)
}
before
do
stub_container_registry_config
(
enabled:
true
)
end
it
'returns a "401" response'
do
get
api_call
.
call
(
path
,
user
,
personal_access_token:
token
)
...
...
spec/support/stub_gitlab_calls.rb
View file @
62ef67ac
...
...
@@ -26,9 +26,11 @@ module StubGitlabCalls
end
def
stub_container_registry_config
(
registry_settings
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow
(
Auth
::
ContainerRegistryAuthenticationService
)
.
to
receive
(
:full_access_token
).
and_return
(
'token'
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
load
'lib/gitlab/auth.rb'
end
def
stub_container_registry_tags
(
repository: :any
,
tags
:)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment