Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
cfe87b93
Commit
cfe87b93
authored
Aug 25, 2020
by
Shinya Maeda
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Prevent Deploy Tokens from accessing resources
This commit prevents it from access when the repository is disabled
parent
a9c50d9c
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
33 additions
and
3 deletions
+33
-3
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+1
-0
changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
...released/security-deploy-token-can-read-disabled-repo.yml
+5
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+2
-0
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+12
-3
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+13
-0
No files found.
app/services/auth/container_registry_authentication_service.rb
View file @
cfe87b93
...
...
@@ -132,6 +132,7 @@ module Auth
def
can_access?
(
requested_project
,
requested_action
)
return
false
unless
requested_project
.
container_registry_enabled?
return
false
if
requested_project
.
repository_access_level
==
::
ProjectFeature
::
DISABLED
case
requested_action
when
'pull'
...
...
changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
0 → 100644
View file @
cfe87b93
---
title
:
Prevent Deploy Tokens to read project resources when repository is disabled
merge_request
:
author
:
type
:
security
lib/gitlab/auth.rb
View file @
cfe87b93
...
...
@@ -234,6 +234,8 @@ module Gitlab
# Registry access (with jwt) does not have access to project
return
if
project
&&
!
token
.
has_access_to?
(
project
)
# When repository is disabled, no resources are accessible via Deploy Token
return
if
project
&
.
repository_access_level
==
::
ProjectFeature
::
DISABLED
scopes
=
abilities_for_scopes
(
token
.
scopes
)
...
...
spec/lib/gitlab/auth_spec.rb
View file @
cfe87b93
...
...
@@ -441,7 +441,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
end
end
shared_examples
'deploy token with disabled
registry
'
do
shared_examples
'deploy token with disabled
feature
'
do
context
'when registry disabled'
do
before
do
stub_container_registry_config
(
enabled:
false
)
...
...
@@ -452,6 +452,15 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
.
to
eq
(
auth_failure
)
end
end
context
'when repository is disabled'
do
let
(
:project
)
{
create
(
:project
,
:repository_disabled
)
}
it
'fails when login and token are valid'
do
expect
(
gl_auth
.
find_for_git_client
(
login
,
deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
end
end
context
'when deploy token and user have the same username'
do
...
...
@@ -604,7 +613,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
it_behaves_like
'registry token scope'
end
it_behaves_like
'deploy token with disabled
registry
'
it_behaves_like
'deploy token with disabled
feature
'
end
context
'when the deploy token has write_registry as a scope'
do
...
...
@@ -626,7 +635,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
it_behaves_like
'registry token scope'
end
it_behaves_like
'deploy token with disabled
registry
'
it_behaves_like
'deploy token with disabled
feature
'
end
end
end
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
cfe87b93
...
...
@@ -654,6 +654,19 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like
'not a container repository factory'
end
end
context
'for project that disables repository'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository_disabled
)
}
context
'disallow when pulling'
do
let
(
:current_params
)
do
{
scopes:
[
"repository:
#{
project
.
full_path
}
:pull"
]
}
end
it_behaves_like
'an inaccessible'
it_behaves_like
'not a container repository factory'
end
end
end
context
'registry catalog browsing authorized as admin'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment