提交
9fcc3e59
编写于
6月 06, 2017
作者:
Z.J. van de Weg
Fix test failures
上级
0b81b5ac
变更
5
显示空白变更内容
内联
并排
Showing
5 changed file
with
38 addition
and
30 deletion
+38
-30
app/controllers/jwt_controller.rb
app/controllers/jwt_controller.rb
+1
-1
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+23
-16
spec/features/profiles/personal_access_tokens_spec.rb
spec/features/profiles/personal_access_tokens_spec.rb
+5
-1
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+8
-11
spec/requests/jwt_controller_spec.rb
spec/requests/jwt_controller_spec.rb
+1
-1
app/controllers/jwt_controller.rb
...
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
...
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
private
private
def
authenticate_project_or_user
def
authenticate_project_or_user
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_a
pi
_abilities
)
@authentication_result
=
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
,
:none
,
Gitlab
::
Auth
.
read_a
uthentication
_abilities
)
authenticate_with_http_basic
do
|
login
,
password
|
authenticate_with_http_basic
do
|
login
,
password
|
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
@authentication_result
=
Gitlab
::
Auth
.
find_for_git_client
(
login
,
password
,
project:
nil
,
ip:
request
.
ip
)
...
...
lib/gitlab/auth.rb
...
@@ -107,7 +107,7 @@ module Gitlab
...
@@ -107,7 +107,7 @@ module Gitlab
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
raise
Gitlab
::
Auth
::
MissingPersonalTokenError
if
user
.
two_factor_enabled?
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_a
pi
_abilities
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:gitlab_or_ldap
,
full_a
uthentication
_abilities
)
end
end
def
oauth_access_token_check
(
login
,
password
)
def
oauth_access_token_check
(
login
,
password
)
...
@@ -116,7 +116,7 @@ module Gitlab
...
@@ -116,7 +116,7 @@ module Gitlab
if
valid_oauth_token?
(
token
)
if
valid_oauth_token?
(
token
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
user
=
User
.
find_by
(
id:
token
.
resource_owner_id
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
full_a
pi
_abilities
)
Gitlab
::
Auth
::
Result
.
new
(
user
,
nil
,
:oauth
,
full_a
uthentication
_abilities
)
end
end
end
end
end
end
...
@@ -126,26 +126,23 @@ module Gitlab
...
@@ -126,26 +126,23 @@ module Gitlab
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
token
=
PersonalAccessTokensFinder
.
new
(
state:
'active'
).
find_by
(
token:
password
)
if
token
&&
valid_scoped_token?
(
token
,
scopes:
AVAILABLE_SCOPES
.
map
(
&
:to_s
))
if
token
&&
valid_scoped_token?
(
token
,
AVAILABLE_SCOPES
.
map
(
&
:to_s
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
Gitlab
::
Auth
::
Result
.
new
(
token
.
user
,
nil
,
:personal_token
,
abilities_for_scope
(
token
.
scopes
))
end
end
end
end
def
valid_oauth_token?
(
token
)
def
valid_oauth_token?
(
token
)
token
&&
token
.
accessible?
&&
valid_scoped_token?
(
token
)
token
&&
token
.
accessible?
&&
valid_scoped_token?
(
token
,
[
"api"
]
)
end
end
def
valid_scoped_token?
(
token
,
scopes
:
%w[api]
)
def
valid_scoped_token?
(
token
,
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
AccessTokenValidationService
.
new
(
token
).
include_any_scope?
(
scopes
)
end
end
def
abilities_for_scope
(
scopes
)
def
abilities_for_scope
(
scopes
)
abilities
=
Set
.
new
scopes
.
map
do
|
scope
|
self
.
public_send
(
:"
#{
scope
}
_scope_authentication_abilities"
)
abilities
.
merge
(
full_api_abilities
)
if
scopes
.
include?
(
"api"
)
end
.
flatten
.
uniq
abilities
<<
:read_container_image
if
scopes
.
include?
(
"read_registry"
)
abilities
.
to_a
end
end
def
lfs_token_check
(
login
,
password
)
def
lfs_token_check
(
login
,
password
)
...
@@ -164,9 +161,9 @@ module Gitlab
...
@@ -164,9 +161,9 @@ module Gitlab
authentication_abilities
=
authentication_abilities
=
if
token_handler
.
user?
if
token_handler
.
user?
full_a
pi
_abilities
full_a
uthentication
_abilities
else
else
read_a
pi
_abilities
read_a
uthentication
_abilities
end
end
if
Devise
.
secure_compare
(
token_handler
.
token
,
password
)
if
Devise
.
secure_compare
(
token_handler
.
token
,
password
)
...
@@ -202,7 +199,7 @@ module Gitlab
...
@@ -202,7 +199,7 @@ module Gitlab
]
]
end
end
def
read_a
pi
_abilities
def
read_a
uthentication
_abilities
[
[
:read_project
,
:read_project
,
:download_code
,
:download_code
,
...
@@ -210,12 +207,22 @@ module Gitlab
...
@@ -210,12 +207,22 @@ module Gitlab
]
]
end
end
def
full_a
pi
_abilities
def
full_a
uthentication
_abilities
read_a
pi
_abilities
+
[
read_a
uthentication
_abilities
+
[
:push_code
,
:push_code
,
:create_container_image
:create_container_image
]
]
end
end
alias_method
:api_scope_authentication_abilities
,
:full_authentication_abilities
def
read_registry_scope_authentication_abilities
[
:read_container_image
]
end
# The currently used auth method doesn't allow any actions for this scope
def
read_user_scope_authentication_abilities
[]
end
end
end
end
end
end
end
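Review bot: `abilities_for_scope` in the @@ -126,26 +126,23 @@ hunk dispatches on token data with `self.public_send(:"#{scope}_scope_authentication_abilities")`, so every scope a token can carry needs a matching method or the lookup raises NoMethodError in the middle of authentication. The @@ -210,12 +207,22 @@ hunk defines handlers for api, read_registry and read_user only, while the spec changed in this same commit lists openid among OPTIONAL_SCOPES; whether a personal access token can hold that scope is not visible here, but if it can, the auth path errors instead of returning an empty ability list. The preceding `valid_scoped_token?(token, AVAILABLE_SCOPES.map(&:to_s))` guard relies on `include_any_scope?`, which by its name passes when any one scope matches, so it does not strip unknown scopes out of `token.scopes` before the dispatch. A defensive form is to filter first, `scopes.select { |scope| respond_to?(:"#{scope}_scope_authentication_abilities") }` ahead of the `map`, or to replace the dynamic send with an explicit scope-to-method hash. Old and new sides of the method body are not marked on this page; I am reading the `public_send` version as the new code because it matches the `*_scope_authentication_abilities` handlers added below.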
spec/features/profiles/personal_access_tokens_spec.rb
...
@@ -17,6 +17,7 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
...
@@ -17,6 +17,7 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
def
disallow_personal_access_token_saves!
def
disallow_personal_access_token_saves!
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:save
).
and_return
(
false
)
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:save
).
and_return
(
false
)
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
end
end
...
@@ -91,8 +92,11 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
...
@@ -91,8 +92,11 @@ describe 'Profile > Personal Access Tokens', feature: true, js: true do
context
"when revocation fails"
do
context
"when revocation fails"
do
it
"displays an error message"
do
it
"displays an error message"
do
disallow_personal_access_token_saves!
visit
profile_personal_access_tokens_path
visit
profile_personal_access_tokens_path
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:update!
).
and_return
(
false
)
errors
=
ActiveModel
::
Errors
.
new
(
PersonalAccessToken
.
new
).
tap
{
|
e
|
e
.
add
(
:name
,
"cannot be nil"
)
}
allow_any_instance_of
(
PersonalAccessToken
).
to
receive
(
:errors
).
and_return
(
errors
)
click_on
"Revoke"
click_on
"Revoke"
expect
(
active_personal_access_tokens
).
to
have_text
(
personal_access_token
.
name
)
expect
(
active_personal_access_tokens
).
to
have_text
(
personal_access_token
.
name
)
...
...
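Review bot: The revocation example in the @@ -91,8 +92,11 @@ hunk now relies on `disallow_personal_access_token_saves!`, which stubs `save` and `errors`, whereas the previous version stubbed `update!` directly; if revocation still goes through `update!`, that call does not route through `save` and the stub would not produce the failure the example is meant to exercise. The revoke implementation is not part of this diff, so this is a point to confirm rather than a certain defect. A one-line comment on the helper, `# Forces save to fail and attaches a validation error so the failure paths can be exercised`, would also make its intent clear to the next reader.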
spec/lib/gitlab/auth_spec.rb
...
@@ -17,7 +17,11 @@ describe Gitlab::Auth, lib: true do
...
@@ -17,7 +17,11 @@ describe Gitlab::Auth, lib: true do
end
end
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
it
'OPTIONAL_SCOPES contains all non-default scopes'
do
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
[
:read_user
,
:openid
]
expect
(
subject
::
OPTIONAL_SCOPES
).
to
eq
%i[read_user read_registry openid]
end
it
'REGISTRY_SCOPES contains all registry related scopes'
do
expect
(
subject
::
REGISTRY_SCOPES
).
to
eq
%i[read_registry]
end
end
end
end
...
@@ -157,18 +161,11 @@ describe Gitlab::Auth, lib: true do
...
@@ -157,18 +161,11 @@ describe Gitlab::Auth, lib: true do
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
impersonation_token
.
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
impersonation_token
.
user
,
nil
,
:personal_token
,
full_authentication_abilities
))
end
end
it
'
fails for personal access tokens with other scopes
'
do
it
'
limits abilities based on scope
'
do
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
personal_access_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
true
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
expect
(
gl_auth
.
find_for_git_client
(
''
,
personal_access_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
personal_access_token
.
user
,
nil
,
:personal_token
,
[]))
end
it
'fails for impersonation token with other scopes'
do
impersonation_token
=
create
(
:personal_access_token
,
scopes:
[
'read_user'
])
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
'ip'
,
success:
false
,
login:
''
)
expect
(
gl_auth
.
find_for_git_client
(
''
,
impersonation_token
.
token
,
project:
nil
,
ip:
'ip'
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
nil
,
nil
))
end
end
it
'fails if password is nil'
do
it
'fails if password is nil'
do
...
...
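Review bot: The @@ -157,18 +161,11 @@ hunk replaces 'fails for personal access tokens with other scopes' with 'limits abilities based on scope', which matches the new ability model, but `'fails for impersonation token with other scopes'` appears only once on this page and, going by the 18-to-11 line count, looks removed without a counterpart. Impersonation tokens take the same personal-token path, so an equivalent example asserting `Gitlab::Auth::Result.new(impersonation_token.user, nil, :personal_token, [])` for a read_user-scoped impersonation token would keep that coverage. There is also no example for a token holding a scope with no ability handler (this file's OPTIONAL_SCOPES now lists openid), which would pin down whether such a token yields an empty ability list or an error.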
spec/requests/jwt_controller_spec.rb
...
@@ -102,7 +102,7 @@ describe JwtController do
...
@@ -102,7 +102,7 @@ describe JwtController do
end
end
it
'allows read access'
do
it
'allows read access'
do
expect
(
service
).
to
receive
(
:execute
).
with
(
authentication_abilities:
Gitlab
::
Auth
.
read_a
pi
_abilities
)
expect
(
service
).
to
receive
(
:execute
).
with
(
authentication_abilities:
Gitlab
::
Auth
.
read_a
uthentication
_abilities
)
get
'/jwt/auth'
,
parameters
get
'/jwt/auth'
,
parameters
end
end
...
...