Commit cfe87b93 authored by Shinya Maeda's avatar Shinya Maeda

Prevent Deploy Tokens from accessing resources

This commit prevents them from accessing resources when the repository is disabled
parent a9c50d9c
...@@ -132,6 +132,7 @@ module Auth ...@@ -132,6 +132,7 @@ module Auth
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled? return false unless requested_project.container_registry_enabled?
return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
case requested_action case requested_action
when 'pull' when 'pull'
......
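Review bot: The added `return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED` line carries no comment and, unlike the guard in the Gitlab::Auth hunk of this commit, is not scoped to deploy tokens: `can_access?` now rejects every actor once the repository feature is disabled. If that broader effect is intended it should be stated, e.g. `# Registry access follows the repository feature: deny all actors, not only deploy tokens, while it is disabled`. The same raw comparison against `::ProjectFeature::DISABLED` is spelled out again in the Gitlab::Auth hunk; a single predicate on the project would keep the two call sites aligned if the condition is ever extended. The body of `can_access?` continues past the end of the hunk.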
---
title: Prevent Deploy Tokens to read project resources when repository is disabled
merge_request:
author:
type: security
...@@ -234,6 +234,8 @@ module Gitlab ...@@ -234,6 +234,8 @@ module Gitlab
# Registry access (with jwt) does not have access to project # Registry access (with jwt) does not have access to project
return if project && !token.has_access_to?(project) return if project && !token.has_access_to?(project)
# When repository is disabled, no resources are accessible via Deploy Token
return if project&.repository_access_level == ::ProjectFeature::DISABLED
scopes = abilities_for_scopes(token.scopes) scopes = abilities_for_scopes(token.scopes)
......
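Review bot: The added guard rejects only `::ProjectFeature::DISABLED`, so a repository at `::ProjectFeature::PRIVATE` still lets the deploy token through; that is presumably intended, since deploy tokens exist to reach private repositories, but the comment above the line should say so: `# Only DISABLED is rejected: PRIVATE repositories remain reachable with a valid deploy token`. Because of the safe navigation the check is skipped entirely when `project` is nil, which matches the `return if project && ...` line above it; if a nil project is a valid input here, naming that case in the comment would help the next reader. The enclosing method starts and ends outside the hunk.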
...@@ -441,7 +441,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -441,7 +441,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
end end
end end
shared_examples 'deploy token with disabled registry' do shared_examples 'deploy token with disabled feature' do
context 'when registry disabled' do context 'when registry disabled' do
before do before do
stub_container_registry_config(enabled: false) stub_container_registry_config(enabled: false)
...@@ -452,6 +452,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -452,6 +452,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
.to eq(auth_failure) .to eq(auth_failure)
end end
end end
context 'when repository is disabled' do
let(:project) { create(:project, :repository_disabled) }
it 'fails when login and token are valid' do
expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure)
end
end
end end
context 'when deploy token and user have the same username' do context 'when deploy token and user have the same username' do
...@@ -604,7 +613,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -604,7 +613,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
it_behaves_like 'registry token scope' it_behaves_like 'registry token scope'
end end
it_behaves_like 'deploy token with disabled registry' it_behaves_like 'deploy token with disabled feature'
end end
context 'when the deploy token has write_registry as a scope' do context 'when the deploy token has write_registry as a scope' do
...@@ -626,7 +635,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -626,7 +635,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
it_behaves_like 'registry token scope' it_behaves_like 'registry token scope'
end end
it_behaves_like 'deploy token with disabled registry' it_behaves_like 'deploy token with disabled feature'
end end
end end
end end
......
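Review bot: The new 'when repository is disabled' context sits inside the shared example that is only included from the read_registry and write_registry scope contexts (the two `it_behaves_like 'deploy token with disabled feature'` lines), so the repository-disabled denial is exercised only for registry-scoped deploy tokens. A deploy token carrying a repository scope is the actor most directly affected by the fix and is not visibly covered; if the spec has a context for that scope, include the shared example there too, or add a dedicated context with the same `create(:project, :repository_disabled)` setup and `auth_failure` expectation. The context also has no positive counterpart asserting that the same login succeeds when the repository is enabled, which would show the failure comes from the new guard rather than from the token setup.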
...@@ -654,6 +654,19 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do ...@@ -654,6 +654,19 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
end end
context 'for project that disables repository' do
let(:project) { create(:project, :public, :repository_disabled) }
context 'disallow when pulling' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end
end end
context 'registry catalog browsing authorized as admin' do context 'registry catalog browsing authorized as admin' do
......
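Review bot: The new 'for project that disables repository' context only covers the `pull` action; the guard added to `can_access?` in this commit returns before the action is examined, so `push` must be denied as well, and the spec should pin that rather than leave it implied. A sibling context with a `:push` scope and the same two shared examples closes the gap.
```ruby
context 'for project that disables repository' do
  let(:project) { create(:project, :public, :repository_disabled) }

  # … unchanged: 'disallow when pulling' context …

  context 'disallow when pushing' do
    let(:current_params) do
      { scopes: ["repository:#{project.full_path}:push"] }
    end

    it_behaves_like 'an inaccessible'
    it_behaves_like 'not a container repository factory'
  end
end
```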