diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index f748d191ef4d7279b69a3aff45441a20b7df661e..c1cc509a748c7009fd94b3e5bbacc162991848d1 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
   end
 
   def set_index_vars
-    @scopes = Gitlab::Auth::AVAILABLE_SCOPES
+    @scopes = Gitlab::Auth.available_scopes
     @personal_access_token = finder.build
 
     @inactive_personal_access_tokens = finder(state: 'inactive').execute
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb
index ec0ebe4d3538939c4ff79a3e64dcfcac110c5b88..1f9d712ef84f60dec1242cd14bac25f8efeec6c8 100644
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
   protected
 
   def validate_scopes
-    unless revoked || scopes.all? { |scope| Gitlab::Auth::AVAILABLE_SCOPES.include?(scope.to_sym) }
+    unless revoked || scopes.all? { |scope| Gitlab::Auth.available_scopes.include?(scope.to_sym) }
       errors.add :scopes, "can only contain available scopes"
     end
   end
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 40e635bf2cf5e5bb390212f4f213f2dd8210e33a..b89f0419b9196ef32678f77f1fa4aed2f329ed14 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -58,7 +58,7 @@ Doorkeeper.configure do
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
   default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
-  optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)
+  optional_scopes(*Gitlab::Auth.optional_scopes)
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
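Review bot: In `validate_scopes` the new line calls `Gitlab::Auth.available_scopes` once per element inside the `all?` block, and each call re-reads `Gitlab.config.registry.enabled` and allocates a fresh array, whereas the replaced constant was computed once. Hoist it above the check: `available = Gitlab::Auth.available_scopes` followed by `unless revoked || scopes.all? { |scope| available.include?(scope.to_sym) }`. The `scope.to_sym` on the same line interns strings that presumably originate from request params; comparing as strings (`available.map(&:to_s).include?(scope.to_s)`) avoids that, though with this validation acting as the allow-list it is a minor point.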
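Review bot: `optional_scopes(*Gitlab::Auth.optional_scopes)` in config/initializers/doorkeeper.rb is evaluated once when the initializer runs, so Doorkeeper's scope list is fixed at boot, while `Gitlab::Auth.optional_scopes` is now recomputed from `Gitlab.config.registry.enabled` on every call; the two can disagree if that setting changes after boot or is stubbed in tests, and the spec in spec/initializers/doorkeeper_spec.rb appears to compensate by subtracting `REGISTRY_SCOPES`. A comment on the line would record this: `# Evaluated once at boot: Doorkeeper does not follow later changes to Gitlab::Auth.optional_scopes`. The `Doorkeeper.configure` block continues outside the hunk.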
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 11ace83c15cd92926c9ac53add5bb281d6e9649d..87aeb76b66ae7243a36ef101d1840b48845ff80c 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -2,7 +2,7 @@ module Gitlab
   module Auth
     MissingPersonalTokenError = Class.new(StandardError)
 
-    REGISTRY_SCOPES = Gitlab.config.registry.enabled ? [:read_registry].freeze : [].freeze
+    REGISTRY_SCOPES = [:read_registry].freeze
 
     # Scopes used for GitLab API access
     API_SCOPES = [:api, :read_user].freeze
@@ -13,11 +13,6 @@ module Gitlab
     # Default scopes for OAuth applications that don't define their own
     DEFAULT_SCOPES = [:api].freeze
 
-    AVAILABLE_SCOPES = (API_SCOPES + REGISTRY_SCOPES).freeze
-
-    # Other available scopes
-    OPTIONAL_SCOPES = (AVAILABLE_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
-
     class << self
       include Gitlab::CurrentSettings
 
@@ -132,7 +127,7 @@ module Gitlab
 
         token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
 
-        if token && valid_scoped_token?(token, AVAILABLE_SCOPES)
+        if token && valid_scoped_token?(token, available_scopes)
           Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes))
         end
       end
@@ -230,6 +225,21 @@ module Gitlab
       def read_user_scope_authentication_abilities
         []
       end
+
+      def available_scopes
+        API_SCOPES + registry_scopes
+      end
+
+      # Other available scopes
+      def optional_scopes
+        available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
+      end
+
+      def registry_scopes
+        return [] unless Gitlab.config.registry.enabled
+
+        REGISTRY_SCOPES
+      end
     end
   end
 end
diff --git a/spec/initializers/doorkeeper_spec.rb b/spec/initializers/doorkeeper_spec.rb
index 37cc08b3038ecb5b4238e2babb600e1392099222..1a78196e33dd18ab326460f0458eaa1c100d25e2 100644
--- a/spec/initializers/doorkeeper_spec.rb
+++ b/spec/initializers/doorkeeper_spec.rb
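Review bot: `REGISTRY_SCOPES` changes meaning in the first hunk of lib/gitlab/auth.rb: it used to be empty when the registry was disabled and now always holds `[:read_registry]`, with the enabled-dependent filtering moved into `registry_scopes`. Any remaining reader of the constant (spec/initializers/doorkeeper_spec.rb still references `Gitlab::Auth::REGISTRY_SCOPES`) now gets the full list regardless of configuration. A comment on the constant would prevent that misreading: `# All scopes the registry can grant; use Gitlab::Auth.registry_scopes for those currently enabled`.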
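Review bot: `available_scopes` and `registry_scopes` in the last hunk of lib/gitlab/auth.rb have no doc comment, and unlike the frozen constants they replace they return a new, unfrozen array on every call, recomputed from `Gitlab.config.registry.enabled`; callers that relied on the identity or immutability of `AVAILABLE_SCOPES` should be checked. Suggested comments: `# Scopes a personal access token may carry; registry scopes only while the registry is enabled` on `available_scopes`, and `# REGISTRY_SCOPES when the container registry is enabled, otherwise empty` on `registry_scopes`. The methods are appended at the end of the `class << self` block; whether a `private` marker precedes them is not visible in the hunk, and since `available_scopes` and `optional_scopes` are called from the controller, model and initializer they must remain public.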
@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
   end
 
   describe '#optional_scopes' do
-    it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do
-      expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES - Gitlab::Auth::REGISTRY_SCOPES
+    it 'matches Gitlab::Auth.optional_scopes' do
+      expect(subject.optional_scopes).to eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES
     end
   end
 
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 4f4a27e4c413caa52ef83bc45afa7357bab096aa..af1db2c3455f228ff228e227befe8fa73bf8ce3d 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -16,20 +16,20 @@ describe Gitlab::Auth do
       expect(subject::DEFAULT_SCOPES).to eq [:api]
     end
 
-    it 'OPTIONAL_SCOPES contains all non-default scopes' do
+    it 'optional_scopes contains all non-default scopes' do
       stub_container_registry_config(enabled: true)
 
-      expect(subject::OPTIONAL_SCOPES).to eq %i[read_user read_registry openid]
+      expect(subject.optional_scopes).to eq %i[read_user read_registry openid]
     end
 
-    context 'REGISTRY_SCOPES' do
+    context 'registry_scopes' do
       context 'when registry is disabled' do
         before do
           stub_container_registry_config(enabled: false)
         end
 
         it 'is empty' do
-          expect(subject::REGISTRY_SCOPES).to eq []
+          expect(subject.registry_scopes).to eq []
         end
       end
 
@@ -39,7 +39,7 @@ describe Gitlab::Auth do
         end
 
         it 'contains all registry related scopes' do
-          expect(subject::REGISTRY_SCOPES).to eq %i[read_registry]
+          expect(subject.registry_scopes).to eq %i[read_registry]
         end
       end
     end
diff --git a/spec/support/stub_gitlab_calls.rb b/spec/support/stub_gitlab_calls.rb
index 9695f35bd25beb23ecd1378d54a4f209db747bfc..78a2ff7374601f7d7864257a38d99e0e241af039 100644
--- a/spec/support/stub_gitlab_calls.rb
+++ b/spec/support/stub_gitlab_calls.rb
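Review bot: The expectation in spec/initializers/doorkeeper_spec.rb subtracts `Gitlab::Auth::REGISTRY_SCOPES` unconditionally, and after this change that constant is always `[:read_registry]`; the spec therefore only holds if Doorkeeper was configured at boot with the registry disabled, and it never checks how registry scopes reach Doorkeeper when the registry is enabled. If that assumption is intended, state it next to the expectation: `# Doorkeeper captured optional_scopes at boot, when the registry was disabled in the test environment`. Otherwise compare against a value computed under the same registry setting the initializer saw, so the subtraction is not needed.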
@@ -26,11 +26,9 @@ module StubGitlabCalls
   end
 
   def stub_container_registry_config(registry_settings)
+    allow(Gitlab.config.registry).to receive_messages(registry_settings)
     allow(Auth::ContainerRegistryAuthenticationService)
       .to receive(:full_access_token).and_return('token')
-
-    allow(Gitlab.config.registry).to receive_messages(registry_settings)
-    load 'lib/gitlab/auth.rb'
   end
 
   def stub_container_registry_tags(repository: :any, tags:)