authorGitLab Bot <gitlab-bot@gitlab.com>2023-12-13 21:16:51 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-12-13 21:16:51 +0300
commit46e1fdb8bbdaf149371334f1a1757ba4d68fe020 (patch)
treec2a0bd6da129d9d41cef38e7a6c0efd2c79de893 /app/services/auth
parent57ed4c594d37326f1d27752df575b581c522ab05 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/services/auth')
-rw-r--r--app/services/auth/dependency_proxy_authentication_service.rb30
1 files changed, 27 insertions, 3 deletions
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb
index 164594d6f6c..29f5a50d809 100644
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -5,10 +5,11 @@ module Auth
AUDIENCE = 'dependency_proxy'
HMAC_KEY = 'gitlab-dependency-proxy'
DEFAULT_EXPIRE_TIME = 1.minute
+ REQUIRED_ABILITIES = %i[read_container_image create_container_image].freeze
def execute(authentication_abilities:)
return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
- return error('access forbidden', 403) unless valid_user_actor?
+ return error('access forbidden', 403) unless valid_user_actor?(authentication_abilities)
{ token: authorized_token.encoded }
end
@@ -33,8 +34,27 @@ module Auth
private
- def valid_user_actor?
- current_user || valid_deploy_token?
+ def valid_user_actor?(authentication_abilities)
+ feature_user = deploy_token&.user || current_user
+ if Feature.enabled?(:packages_dependency_proxy_containers_scope_check, feature_user)
+ if deploy_token
+ deploy_token.valid_for_dependency_proxy?
+ elsif current_user&.project_bot?
+ group_access_token&.active? && has_required_abilities?(authentication_abilities)
+ else
+ current_user
+ end
+ else
+ current_user || valid_deploy_token?
+ end
+ end
+
+ def has_required_abilities?(authentication_abilities)
+ (REQUIRED_ABILITIES & authentication_abilities).size == REQUIRED_ABILITIES.size
+ end
+
+ def group_access_token
+ PersonalAccessTokensFinder.new(state: 'active').find_by_token(raw_token)
end
def valid_deploy_token?
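Review bot: `group_access_token` (lines 56–57) resolves `raw_token` to any active personal access token without tying it to `current_user`, so the `project_bot?` branch on line 43 only establishes that some active token matches the presented secret, not that it is the token of the bot that was authenticated; unless the caller already guarantees that binding, add `group_access_token&.user == current_user` to the condition or scope the finder to the current user. `has_required_abilities?` raises `NoMethodError` on `nil & ...` when `authentication_abilities` is nil and reads more clearly as a subset test: `REQUIRED_ABILITIES.all? { |ability| Array(authentication_abilities).include?(ability) }`. The `has_` prefix on a predicate is flagged by RuboCop's Naming/PredicateName; `required_abilities?` matches the other predicates in this file. The plain-user `else` branch on line 45 still ignores `authentication_abilities`; if that is intentional, a comment such as `# Regular users are fully authenticated; the ability check applies to bot tokens only` would save the next reader a question. `valid_deploy_token?` starts on the hunk's last line and continues outside it.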
@@ -52,5 +72,9 @@ module Auth
def deploy_token
params[:deploy_token]
end
+
+ def raw_token
+ params[:raw_token]
+ end
end
end