提交
571226f1
编写于
9月 13, 2016
作者:
Kamil Trzcinski
Make result to return project and capabilities granted
上级
505dc808
Showing
7 changed file
with
60 addition
and
60 deletion
+60
-60
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+10
-20
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+4
-8
app/controllers/projects/git_http_controller.rb
app/controllers/projects/git_http_controller.rb
+1
-1
app/helpers/lfs_helper.rb
app/helpers/lfs_helper.rb
+3
-3
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+9
-14
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+27
-8
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+6
-6
app/controllers/jwt_controller.rb
...
...
@@ -11,7 +11,7 @@ class JwtController < ApplicationController
service
=
SERVICES
[
params
[
:service
]]
return
head
:not_found
unless
service
result
=
service
.
new
(
@project
,
@user
,
auth_params
).
execute
(
access_type:
@access_type
)
result
=
service
.
new
(
@project
,
@user
,
auth_params
).
execute
(
capabilities:
@capabilities
)
render
json:
result
,
status:
result
[
:http_status
]
end
...
...
@@ -20,12 +20,16 @@ class JwtController < ApplicationController
def
authenticate_project_or_user
authenticate_with_http_basic
do
|
login
,
password
|
# if it's possible we first try to authenticate project with login and password
@project
,
@user
,
@access_type
=
authenticate_build
(
login
,
password
)
return
if
@project
@auth_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
ip:
request
.
ip
)
@user
,
@access_type
=
authenticate_user
(
login
,
password
)
return
if
@user
@user
=
auth_result
.
user
@project
=
auth_result
.
project
@type
=
auth_result
.
type
@capabilities
=
auth_result
.
capabilities
||
[]
if
@user
||
@project
return
# Allow access
end
render_403
end
...
...
@@ -34,18 +38,4 @@ class JwtController < ApplicationController
def
auth_params
params
.
permit
(
:service
,
:scope
,
:account
,
:client_id
)
end
def
authenticate_build
(
login
,
password
)
return
unless
login
==
'gitlab-ci-token'
return
unless
password
build
=
Ci
::
Build
.
running
.
find_by
(
token:
password
)
return
build
.
project
,
build
.
user
,
:restricted
if
build
end
def
authenticate_user
(
login
,
password
)
user
=
Gitlab
::
Auth
.
find_with_user_password
(
login
,
password
)
Gitlab
::
Auth
.
rate_limit!
(
request
.
ip
,
success:
user
.
present?
,
login:
login
)
return
user
,
:full
end
end
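Review bot: In `authenticate_project_or_user` the call `Gitlab::Auth.find_for_git_client(login, password, ip: request.ip)` omits the `project:` keyword that the signature shown in lib/gitlab/auth.rb declares as required, so as written it would raise ArgumentError before any credential is checked. The result is also stored in `@auth_result` while the following lines read a bare `auth_result`, and no reader of that name is visible in this file's hunks. Using a local would fix both: `auth_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)`. Whether `nil` is the right project for a registry token request should be confirmed against `valid_ci_request?`, which is not shown.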
app/controllers/projects/git_http_client_controller.rb
...
...
@@ -4,7 +4,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
include
ActionController
::
HttpAuthentication
::
Basic
include
KerberosSpnegoHelper
attr_reader
:user
,
:
access_type
attr_reader
:user
,
:
capabilities
# Git clients will not know what authenticity token to send along
skip_before_action
:verify_authenticity_token
...
...
@@ -34,7 +34,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@user
=
auth_result
.
user
end
@
access_type
=
auth_result
.
access_type
@
capabilities
=
auth_result
.
capabilities
||
[]
if
ci?
||
user
return
# Allow access
...
...
@@ -120,12 +120,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@ci
.
present?
end
def
full?
@access_type
==
:full
end
def
restricted?
@access_type
==
:restricted
def
has_capability?
(
capability
)
@capabilities
.
include?
(
capability
)
end
def
verify_workhorse_api!
...
...
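Review bot: `has_capability?` calls `@capabilities.include?` directly, but `@capabilities` is only assigned on the line added in the second hunk, inside a method whose start is outside the hunk. If any authentication path returns before that assignment (the `KerberosSpnegoHelper` include suggests there is more than one), the LFS helpers that call `has_capability?` would raise NoMethodError on nil instead of denying access. Treating an unset list as empty keeps the check fail-closed without a server error: `Array(@capabilities).include?(capability)`. A one-line comment on `has_capability?` saying that the list comes from `Gitlab::Auth::Result#capabilities` would also help, since the controller no longer names an access type.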
app/controllers/projects/git_http_controller.rb
...
...
@@ -86,7 +86,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
end
def
access
@access
||=
Gitlab
::
GitAccess
.
new
(
user
,
project
,
'http'
,
access_type:
access_type
)
@access
||=
Gitlab
::
GitAccess
.
new
(
user
,
project
,
'http'
,
capabilities:
capabilities
)
end
def
access_check
...
...
app/helpers/lfs_helper.rb
...
...
@@ -29,11 +29,11 @@ module LfsHelper
end
def
privileged_user_can_download_code?
full?
&&
user
&&
user
.
can?
(
:download_code
,
project
)
has_capability?
(
:download_code
)
&&
user
&&
user
.
can?
(
:download_code
,
project
)
end
def
restricted_user_can_download_code?
restricted?
&&
user
&&
user
.
can?
(
:restricted_download_code
,
project
)
has_capability?
(
:restricted_download_code
)
&&
user
&&
user
.
can?
(
:restricted_download_code
,
project
)
end
def
lfs_upload_access?
...
...
@@ -43,7 +43,7 @@ module LfsHelper
end
def
privileged_user_can_push_code?
full?
&&
user
&&
user
.
can?
(
:push_code
,
project
)
has_capability?
(
:push_code
)
&&
user
&&
user
.
can?
(
:push_code
,
project
)
end
def
render_lfs_forbidden
...
...
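Review bot: `restricted_user_can_download_code?` used to be limited to `restricted?` callers, but `has_capability?(:restricted_download_code)` is also true for fully authenticated users, because `full_capabilities` in lib/gitlab/auth.rb is built as `restricted_capabilities + [...]`. Any user with full credentials now also goes through `user.can?(:restricted_download_code, project)`; whether that widens access depends on the policy behind that ability, which is not shown here. If the restricted path is meant only for build credentials, say so in a comment on the method, or keep the two capability sets disjoint. The same applies to `restricted_user_can_download_code?` in lib/gitlab/git_access.rb and `restricted_user_can_pull?` in the container registry service.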
app/services/auth/container_registry_authentication_service.rb
...
...
@@ -4,8 +4,8 @@ module Auth
AUDIENCE
=
'container_registry'
def
execute
(
access_type:
access_type
)
@
access_type
=
access_type
def
execute
(
capabilities:
capabilities
)
@
capabilities
=
capabilities
return
error
(
'not found'
,
404
)
unless
registry
.
enabled
...
...
@@ -91,33 +91,28 @@ module Auth
private
def
restricted_user_can_pull?
(
requested_project
)
return
false
unless
restricted?
# Restricted can:
# 1. pull from it's own project (for ex. a build)
# 2. read images from dependent projects if he is a team member
requested_project
==
project
||
can?
(
current_user
,
:restricted_read_container_image
,
requested_project
)
requested_project
==
project
||
has_ability?
(
:restricted_read_container_image
,
requested_project
)
end
def
privileged_user_can_pull?
(
requested_project
)
full?
&&
can?
(
current_user
,
:read_container_image
,
requested_project
)
has_ability?
(
:read_container_image
,
requested_project
)
end
def
restricted_user_can_push?
(
requested_project
)
# Restricted can push only to project to from which he originates
re
stricted?
&&
re
quested_project
==
project
requested_project
==
project
end
def
privileged_user_can_push?
(
requested_project
)
full?
&&
can?
(
current_user
,
:create_container_image
,
requested_project
)
end
def
full?
@access_type
==
:full
has_ability?
(
:create_container_image
,
requested_project
)
end
def
restricted?
@
access_type
==
:restricted
def
has_ability?
(
ability
,
requested_project
)
@
capabilities
.
include?
(
ability
)
&&
can?
(
current_user
,
ability
,
requested_project
)
end
end
end
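Review bot: `privileged_user_can_push?` now checks `has_ability?(:create_container_image, requested_project)`, but the `full_capabilities` list added in lib/gitlab/auth.rb contains `:update_container_image` and no `:create_container_image`, so `@capabilities.include?(ability)` can never be true for a push with full credentials. The two names need to agree; the simplest fix visible from here is to list `:create_container_image` in `full_capabilities`. Separately, `restricted_user_can_push?` is reduced to `requested_project == project` with no capability check, so it relies on `project` being unset for every non-build caller. A comment stating that assumption, or a dedicated capability for it, would make the rule auditable.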
lib/gitlab/auth.rb
module
Gitlab
module
Auth
Result
=
Struct
.
new
(
:user
,
:type
,
:
access_type
)
Result
=
Struct
.
new
(
:user
,
:type
,
:
project
,
:capabilities
)
class
<<
self
def
find_for_git_client
(
login
,
password
,
project
:,
ip
:)
...
...
@@ -9,7 +9,7 @@ module Gitlab
result
=
Result
.
new
if
valid_ci_request?
(
login
,
password
,
project
)
result
.
type
=
:ci
result
=
Result
.
new
(
nil
,
project
,
:ci
,
restricted_capabilities
)
else
result
=
populate_result
(
login
,
password
)
end
...
...
@@ -81,7 +81,7 @@ module Gitlab
personal_access_token_check
(
login
,
password
)
if
result
result
.
type
=
nil
unless
result
.
user
&&
result
.
type
!=
:ci
result
.
type
=
nil
unless
result
.
capabilities
if
result
.
user
&&
result
.
user
.
two_factor_enabled?
&&
result
.
type
==
:gitlab_or_ldap
result
.
type
=
:missing_personal_token
...
...
@@ -93,7 +93,7 @@ module Gitlab
def
user_with_password_for_git
(
login
,
password
)
user
=
find_with_user_password
(
login
,
password
)
Result
.
new
(
user
,
:gitlab_or_ldap
,
:full
)
if
user
Result
.
new
(
user
,
:gitlab_or_ldap
,
nil
,
full_capabilities
)
if
user
end
def
oauth_access_token_check
(
login
,
password
)
...
...
@@ -101,7 +101,7 @@ module Gitlab
token
=
Doorkeeper
::
AccessToken
.
by_token
(
password
)
if
token
&&
token
.
accessible?
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Result
.
new
(
user
,
:oauth
,
:full
)
Result
.
new
(
user
,
nil
,
:oauth
,
full_capabilities
)
end
end
end
...
...
@@ -110,7 +110,7 @@ module Gitlab
if
login
&&
password
user
=
User
.
find_by_personal_access_token
(
password
)
validation
=
User
.
by_login
(
login
)
Result
.
new
(
user
,
:personal_token
,
:full
)
if
user
==
validation
Result
.
new
(
user
,
nil
,
:personal_token
,
full_capabilities
)
if
user
==
validation
end
end
...
...
@@ -123,12 +123,31 @@ module Gitlab
if
build
.
user
# If user is assigned to build, use restricted credentials of user
Result
.
new
(
build
.
user
,
:build
,
:restricted
)
Result
.
new
(
build
.
user
,
build
.
project
,
:build
,
restricted_capabilities
)
else
# Otherwise use generic CI credentials (backward compatibility)
Result
.
new
(
nil
,
:ci
,
:restricted
)
Result
.
new
(
nil
,
build
.
project
,
:ci
,
restricted_capabilities
)
end
end
private
def
restricted_capabilities
[
:read_project
,
:restricted_download_code
,
:restricted_read_container_image
]
end
def
full_capabilities
restricted_capabilities
+
[
:download_code
,
:push_code
,
:read_container_image
,
:update_container_image
]
end
end
end
end
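Review bot: `Result` is declared as `Struct.new(:user, :type, :project, :capabilities)`, but most of the new constructors pass the project second and the type third, e.g. `Result.new(nil, project, :ci, restricted_capabilities)`, `Result.new(user, nil, :oauth, full_capabilities)` and `Result.new(build.user, build.project, :build, restricted_capabilities)`; only `user_with_password_for_git` follows the declared order. With positional struct members this puts the project in `type` and the symbol in `project`, so checks such as `result.type == :gitlab_or_ldap` and the controllers' `auth_result.project` would read the wrong field. Declaring the struct as `Struct.new(:user, :project, :type, :capabilities)` and changing the password call to `Result.new(user, nil, :gitlab_or_ldap, full_capabilities)` makes every call site agree. Since these fields decide what an authenticated client may do, a short comment above `Result` naming each member would be worth adding.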
lib/gitlab/git_access.rb
...
...
@@ -5,13 +5,13 @@ module Gitlab
DOWNLOAD_COMMANDS
=
%w{ git-upload-pack git-upload-archive }
PUSH_COMMANDS
=
%w{ git-receive-pack }
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:
access_type
attr_reader
:actor
,
:project
,
:protocol
,
:user_access
,
:
capabilities
def
initialize
(
actor
,
project
,
protocol
,
access_type:
access_type
)
def
initialize
(
actor
,
project
,
protocol
,
capabilities:
capabilities
)
@actor
=
actor
@project
=
project
@protocol
=
protocol
@
access_type
=
access_type
@
capabilities
=
capabilities
@user_access
=
UserAccess
.
new
(
user
,
project:
project
)
end
...
...
@@ -69,15 +69,15 @@ module Gitlab
end
def
privileged_user_can_download_code?
access_type
==
:full
&&
user_access
.
can_do_action?
(
:download_code
)
capabilities
.
include?
(
:download_code
)
&&
user_access
.
can_do_action?
(
:download_code
)
end
def
restricted_user_can_download_code?
access_type
==
:restricted
&&
user_access
.
can_do_action?
(
:restricted_download_code
)
capabilities
.
include?
(
:restricted_download_code
)
&&
user_access
.
can_do_action?
(
:restricted_download_code
)
end
def
user_push_access_check
(
changes
)
unless
access_type
==
:full
unless
capabilities
.
include?
(
:push_code
)
return
build_status_object
(
false
,
"You are not allowed to upload code for this project."
)
end
...
...
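Review bot: The keyword default in `def initialize(actor, project, protocol, capabilities: capabilities)` refers to the parameter itself, which Ruby treats as a circular argument reference and evaluates to nil. The old `access_type == :full` comparison tolerated nil, but `capabilities.include?(:push_code)` and the two download predicates will raise NoMethodError for any caller that does not pass the keyword (callers other than the HTTP controller are not visible here). Either make it required, `capabilities:`, or default to no capabilities, `capabilities: []`, so an omitted argument denies rather than crashes. `execute(capabilities: capabilities)` in the container registry service has the same default.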