Prevent Deploy Tokens from accessing resources

This commit prevents it from access when the repository is disabled

Prevent Deploy Tokens from accessing resources
This commit prevents it from access when the repository is disabled
cfe87b93 · Shinya Maeda · a9c50d9c · cfe87b93 · cfe87b93 · cfe87b93
Commit cfe87b93 authored Aug 25, 2020 by Shinya Maeda
5 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -132,6 +132,7 @@ module Auth

    def can_access?(requested_project, requested_action)
      return false unless requested_project.container_registry_enabled?
+      return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED

      case requested_action
      when 'pull'

--- a/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
+++ b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
+---
+title: Prevent Deploy Tokens to read project resources when repository is disabled
+merge_request:
+author:
+type: security
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -234,6 +234,8 @@ module Gitlab

        # Registry access (with jwt) does not have access to project
        return if project && !token.has_access_to?(project)
+        # When repository is disabled, no resources are accessible via Deploy Token
+        return if project&.repository_access_level == ::ProjectFeature::DISABLED

        scopes = abilities_for_scopes(token.scopes)


--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -441,7 +441,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
        end
      end

-      shared_examples 'deploy token with disabled registry' do
+      shared_examples 'deploy token with disabled feature' do
        context 'when registry disabled' do
          before do
            stub_container_registry_config(enabled: false)
@@ -452,6 +452,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
              .to eq(auth_failure)
          end
        end
+
+        context 'when repository is disabled' do
+          let(:project) { create(:project, :repository_disabled) }
+
+          it 'fails when login and token are valid' do
+            expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
+              .to eq(auth_failure)
+          end
+        end
      end

      context 'when deploy token and user have the same username' do
@@ -604,7 +613,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
          it_behaves_like 'registry token scope'
        end

-        it_behaves_like 'deploy token with disabled registry'
+        it_behaves_like 'deploy token with disabled feature'
      end

      context 'when the deploy token has write_registry as a scope' do
@@ -626,7 +635,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
          it_behaves_like 'registry token scope'
        end

-        it_behaves_like 'deploy token with disabled registry'
+        it_behaves_like 'deploy token with disabled feature'
      end
    end
  end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -654,6 +654,19 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'not a container repository factory'
      end
    end
+
+    context 'for project that disables repository' do
+      let(:project) { create(:project, :public, :repository_disabled) }
+
+      context 'disallow when pulling' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
  end

  context 'registry catalog browsing authorized as admin' do