Merge branch 'dm-fix-registry-with-sudo-token' into 'master'

Fix pulling and pushing using a personal access token with the sudo scope Closes #40466 See merge request gitlab-org/gitlab-ce!15571

Merge branch 'dm-fix-registry-with-sudo-token' into 'master'
Fix pulling and pushing using a personal access token with the sudo scope Closes #40466 See merge request gitlab-org/gitlab-ce!15571
89c9d2ad · Sean McGivern · fad4ab7d · 453b1780 · 89c9d2ad · 89c9d2ad
3 changed file
--- a/changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
+++ b/changelogs/unreleased/dm-fix-registry-with-sudo-token.yml
+---
+title: Fix pulling and pushing using a personal access token with the sudo scope
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -134,7 +134,7 @@ module Gitlab
        token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)

        if token && valid_scoped_token?(token, available_scopes)
-          Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scope(token.scopes))
+          Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
        end
      end

@@ -146,10 +146,15 @@ module Gitlab
        AccessTokenValidationService.new(token).include_any_scope?(scopes)
      end

-      def abilities_for_scope(scopes)
-        scopes.map do |scope|
-          self.public_send(:"#{scope}_scope_authentication_abilities") # rubocop:disable GitlabSecurity/PublicSend
-        end.flatten.uniq
+      def abilities_for_scopes(scopes)
+        abilities_by_scope = {
+          api: full_authentication_abilities,
+          read_registry: [:read_container_image]
+        }
+
+        scopes.flat_map do |scope|
+          abilities_by_scope.fetch(scope.to_sym, [])
+        end.uniq
      end

      def lfs_token_check(login, password, project)
@@ -228,16 +233,6 @@ module Gitlab
          :admin_container_image
        ]
      end
-      alias_method :api_scope_authentication_abilities, :full_authentication_abilities
-
-      def read_registry_scope_authentication_abilities
-        [:read_container_image]
-      end
-
-      # The currently used auth method doesn't allow any actions for this scope
-      def read_user_scope_authentication_abilities
-        []
-      end

      def available_scopes(current_user = nil)
        scopes = API_SCOPES + registry_scopes

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -207,7 +207,7 @@ describe Gitlab::Auth do
      end

      it 'limits abilities based on scope' do
-        personal_access_token = create(:personal_access_token, scopes: ['read_user'])
+        personal_access_token = create(:personal_access_token, scopes: %w[read_user sudo])

        expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
        expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(personal_access_token.user, nil, :personal_access_token, []))