提交 aaa6d808 编辑于 作者: Mayra Cabrera's avatar Mayra Cabrera

Implement read_registry for DeployTokens

上级 345ac03b
...@@ -23,10 +23,11 @@ def authenticate_project_or_user ...@@ -23,10 +23,11 @@ def authenticate_project_or_user
@authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities) @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)
authenticate_with_http_basic do |login, password| authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip) project = find_project_related(password)
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
if @authentication_result.failed? || if @authentication_result.failed? ||
(@authentication_result.actor.present? && !@authentication_result.actor.is_a?(User)) (@authentication_result.actor.present? && !user_or_deploy_token)
render_unauthorized render_unauthorized
end end
end end
...@@ -57,4 +58,12 @@ def render_unauthorized ...@@ -57,4 +58,12 @@ def render_unauthorized
def auth_params def auth_params
params.permit(:service, :scope, :account, :client_id) params.permit(:service, :scope, :account, :client_id)
end end
def find_project_related(password)
DeployToken.active.find_by(token: password)&.project
end
def user_or_deploy_token
@authentication_result.actor.is_a?(User) || @authentication_result.actor.is_a?(DeployToken)
end
end end
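Review bot: `find_project_related` resolves the project from the same secret that is being verified, so any project comparison that `Gitlab::Auth.find_for_git_client` applies to a deploy token (not visible in these hunks) is satisfied by construction, which would leave the token's own scopes as the only effective limit. The lookup also runs for every basic-auth request, including ones where `password` is a user password or blank, and it happens before the `rate_limit!` call that the specs suggest sits inside `find_for_git_client`. I would add `return if password.blank?` as the first line and a comment such as `# Deploy tokens are bound to one project; resolved here to build the auth result, not to authorize`. The predicate `user_or_deploy_token` would read better as `user_or_deploy_token?`. The controller class begins outside these hunks.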
...@@ -270,14 +270,6 @@ def operation ...@@ -270,14 +270,6 @@ def operation
.to eq(auth_success) .to eq(auth_success)
end end
it 'fails if deploy token does not have read_repo as scope' do
deploy_token = create(:deploy_token, :read_registry, project: project)
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure)
end
it 'fails if token is nil' do it 'fails if token is nil' do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '') expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', nil, project: project, ip: 'ip')) expect(gl_auth.find_for_git_client('', nil, project: project, ip: 'ip'))
...@@ -305,6 +297,35 @@ def operation ...@@ -305,6 +297,35 @@ def operation
expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip')) expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure) .to eq(auth_failure)
end end
context 'when registry enabled' do
before do
stub_container_registry_config(enabled: true)
end
it 'succeeds if deploy token does have read_registry as scope' do
deploy_token = create(:deploy_token, :read_registry, project: project)
auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, [:read_container_image])
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_success)
end
end
context 'when registry disabled' do
before do
stub_container_registry_config(enabled: false)
end
it 'fails if deploy token have read_registry as scope' do
deploy_token = create(:deploy_token, :read_registry, project: project)
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure)
end
end
end end
end end
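Review bot: With the registry enabled, none of the cases visible in this hunk presents a `read_registry` token against a project other than the one it was created for, which is the check that keeps a deploy token bound to its project. A case such as `find_for_git_client('', deploy_token.token, project: create(:project), ip: 'ip')` expecting `auth_failure` would pin that behaviour. The description `'fails if deploy token have read_registry as scope'` should read `has`. The surrounding `describe` starts outside the hunk.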